MDM enrollment of AAD-registered device

Question

MDM enrollment of AAD-registered device

testuser7 286

Hello,

Is it possible to remove local-administrator from Azure-AD registered windows 10 device ??

I am planning to do Intune MDM-enrollment of one AAD-registered device. However, as we know, as long as the local-user remains admin of the device, we can not guarantee enforcement of the Intune policies. Hence I want to make that local user as STANDARD user.

Bear in mind, we are NOT talking about AAD-Joined or Hybrid-Joined windows device.

Thanks.

Rudy Ooms 701 Reputation points MVP

2023-11-28T09:54:36.5533333+00:00

As long as the AADR device gets intune enrolled, you can push a policy to it

https://call4cloud.nl/2021/08/the-battle-between-aadj-and-aadr/#part9

There are multiple options to remove all the users from the local admin group, one of them is just using a simple powershell script to do so

https://call4cloud.nl/2020/03/remove-all-local-admins/

Even when its not really part of the question but why do you prefer aadr above aadj?
testuser7 286 Reputation points

2023-11-28T13:46:19.7+00:00

Thanks @Rudy Ooms .... your blog was excellent !!!

Let's summarize a few points. So once device is AADR and MDM-enrolled, we can use power-shell to remove all the users from local "administrators" group.

Can not we use "LocalUsersAndGroups CSP" from Intune ?? OR Is this CSP applicable for AADJ and HAADJ devices only ??

Regardless of which way I use, let's say I remove all the users from LOCAL "administrators" group except built-in user called "administrator" as we have to keep this user in this group.

So if end-user knows the password of this built-in "administrator" then also the whole Intune policy enforcement can be jeopardized.

So we have to make sure that some LAPS solution is in place. And as we write, it is indeed possible to store and rotate the local-admin password in AAD

But the problem is, this LAPS is only for AADJ and HAADJ devices.

So again we are back to square one.

Am I thinking straight so far ?
Rudy Ooms 701 Reputation points MVP

2023-11-28T13:50:45.23+00:00

I assume you dont have an additional rmm tool? (we are using solarwinds.. which we use to retrieve the laps password (powershell driven solution)... something like this

https://call4cloud.nl/2021/05/the-laps-reloaded/
testuser7 286 Reputation points

2023-11-28T14:08:07.4133333+00:00

That's correct @Rudy Ooms ... we do not have solarwinds. We have to use built-in LAPS in win10/11 OS which will store the password in AAD in device object.

Also can I use "LocalUsersAndGroups CSP" on AAD-registered devices ?

You also ask me why we prefer AADR over AADJ

Actually we don't. But the situation is, we allow users' OWN devices to bring in the office. And if user is willing to surrender admin privileges, why not treat these devices as registered in our corporate AAD ?

Is there is major shortcoming that forces us to first AADJ such personal devices ?
Rudy Ooms 701 Reputation points MVP

2023-11-28T14:20:52.2+00:00

Mmm... in those kinds of situations i would rather offer those users a cloud PC that's adjoined... as touching the private devices... pfoeffff you don't know what you get yourself into if you wipe it by mistake :) (when they are aadj)...

We just don't allow byod, also for the above reason...we will give them a proper enrolled device which we can manage or a cloud PC (which is managed the same) but the user could login from his byod device...

I didn't looked at that LocalUsersAndGroups policy specifically when testing the settings catalog etc on a aadr device... but I would assume most of them should worrk
testuser7 286 Reputation points

2023-11-28T14:29:18.08+00:00

got it and all points noted :) yes, AVD or cloudPC are definitely good options.

We will think through it but at least technically we are are on the same page that if needed we can do AADR and Intune MDM

Thanks @Rudy Ooms for prompt discussion.

I will tag you on one totally different thread on Windows-hello where we are fighting with MS to add one important feature and let us allow create more than one user keypairs on enterprise side. Please have a look.
Rudy Ooms 701 Reputation points MVP

2023-11-28T14:32:58.3466667+00:00

No problem :)... tagging is always preferred... as there are a lot of forums i am active one

2 answers

Your answer

Rudy Ooms 701 Reputation points MVP

2023-11-28T09:54:36.5533333+00:00

As long as the AADR device gets intune enrolled, you can push a policy to it

https://call4cloud.nl/2021/08/the-battle-between-aadj-and-aadr/#part9

There are multiple options to remove all the users from the local admin group, one of them is just using a simple powershell script to do so

https://call4cloud.nl/2020/03/remove-all-local-admins/

Even when its not really part of the question but why do you prefer aadr above aadj?
testuser7 286 Reputation points

2023-11-28T13:46:19.7+00:00

Thanks @Rudy Ooms .... your blog was excellent !!!

Let's summarize a few points. So once device is AADR and MDM-enrolled, we can use power-shell to remove all the users from local "administrators" group.

Can not we use "LocalUsersAndGroups CSP" from Intune ?? OR Is this CSP applicable for AADJ and HAADJ devices only ??

Regardless of which way I use, let's say I remove all the users from LOCAL "administrators" group except built-in user called "administrator" as we have to keep this user in this group.

So if end-user knows the password of this built-in "administrator" then also the whole Intune policy enforcement can be jeopardized.

So we have to make sure that some LAPS solution is in place. And as we write, it is indeed possible to store and rotate the local-admin password in AAD

But the problem is, this LAPS is only for AADJ and HAADJ devices.

So again we are back to square one.

Am I thinking straight so far ?
Rudy Ooms 701 Reputation points MVP

2023-11-28T13:50:45.23+00:00

I assume you dont have an additional rmm tool? (we are using solarwinds.. which we use to retrieve the laps password (powershell driven solution)... something like this

https://call4cloud.nl/2021/05/the-laps-reloaded/
testuser7 286 Reputation points

2023-11-28T14:08:07.4133333+00:00

That's correct @Rudy Ooms ... we do not have solarwinds. We have to use built-in LAPS in win10/11 OS which will store the password in AAD in device object.

Also can I use "LocalUsersAndGroups CSP" on AAD-registered devices ?

You also ask me why we prefer AADR over AADJ

Actually we don't. But the situation is, we allow users' OWN devices to bring in the office. And if user is willing to surrender admin privileges, why not treat these devices as registered in our corporate AAD ?

Is there is major shortcoming that forces us to first AADJ such personal devices ?
Rudy Ooms 701 Reputation points MVP

2023-11-28T14:20:52.2+00:00

Mmm... in those kinds of situations i would rather offer those users a cloud PC that's adjoined... as touching the private devices... pfoeffff you don't know what you get yourself into if you wipe it by mistake :) (when they are aadj)...

We just don't allow byod, also for the above reason...we will give them a proper enrolled device which we can manage or a cloud PC (which is managed the same) but the user could login from his byod device...

I didn't looked at that LocalUsersAndGroups policy specifically when testing the settings catalog etc on a aadr device... but I would assume most of them should worrk
testuser7 286 Reputation points

2023-11-28T14:29:18.08+00:00

got it and all points noted :) yes, AVD or cloudPC are definitely good options.

We will think through it but at least technically we are are on the same page that if needed we can do AADR and Intune MDM

Thanks @Rudy Ooms for prompt discussion.

I will tag you on one totally different thread on Windows-hello where we are fighting with MS to add one important feature and let us allow create more than one user keypairs on enterprise side. Please have a look.
Rudy Ooms 701 Reputation points MVP

2023-11-28T14:32:58.3466667+00:00

No problem :)... tagging is always preferred... as there are a lot of forums i am active one

Answer 1

Directly demoting an existing local admin to a standard user through Intune is not straightforward because Intune primarily manages device settings rather than individual user account roles

You can manually Change User Role on the Device:

Log in as an Administrator: You need to be logged in as an administrator to change the roles of other users.
Open Settings: Go to Settings > Accounts > Family & other users.
Change Account Type: Find the user account you want to change. Select the account, click on Change account type. In the window that pops up, change the account type from Administrator to Standard User and then click OK.

Hope this helps,

If the information provided was helpful and answered your query, please feel free to accept the answer. If you have any more questions or need further clarification, don't hesitate to ask!

Answer 2

@testuser7,Thanks for posting in Q&A.

From your description, I know that you want to know whether it is possible to remove local administrator from AAD registered device to guarantee enforcement of the Intune policies.

Based on my researching, the local administrator is a Windows built-in account that cannot be removed from the administrator group. When you assign policies to Azure AD registered devices, you should assign them to device not the user, therefore the local-user's admin rights will have no effect on management of Intune.

However, if you still want to remove local-administrator on Azure AD registered devices, you can create a new admin account, then disable the local-administrator and login the device with the new admin account. After that, you can remove the user from the administrator group.

Hope this can be helpful.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2023-12-05T03:21:17.8666667+00:00

@testuser7,Hope things going well.

If there is any update, feel free to let me know.

Share via

MDM enrollment of AAD-registered device

2 answers

Your answer