MDM enrollment of AAD-registered device

testuser7 286 Reputation points
2023-11-27T18:30:35.98+00:00

Hello,

Is it possible to remove local administrator from an Azure AD-registered Windows 10 device?

I am planning to do Intune MDM enrollment of one AAD-registered device. However, as we know, as long as the local user remains an admin of the device, we cannot guarantee enforcement of the Intune policies. Hence I want to make that local user a STANDARD user.

Bear in mind, we are NOT talking about an AAD-joined or hybrid-joined Windows device.

Thanks.


2 answers

  1. Carlos Solís Salazar 18,201 Reputation points MVP Volunteer Moderator
    2023-11-27T23:51:19.9933333+00:00

    Directly demoting an existing local admin to a standard user through Intune is not straightforward, because Intune primarily manages device settings rather than individual user account roles.

    You can manually change the user's role on the device:

    1. Log in as an administrator: you need to be logged in as an administrator to change the roles of other users.
    2. Open Settings: go to Settings > Accounts > Family & other users.
    3. Change the account type: find the user account you want to change. Select the account and click Change account type. In the window that pops up, change the account type from Administrator to Standard User and then click OK.

    Hope this helps,

    If the information provided was helpful and answered your query, please feel free to accept the answer. If you have any more questions or need further clarification, don't hesitate to ask!


  2. ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff
    2023-11-28T02:19:14.84+00:00

    @testuser7, thanks for posting in Q&A.

    From your description, I understand that you want to know whether it is possible to remove the local administrator from an AAD-registered device to guarantee enforcement of the Intune policies.

    Based on my research, the local Administrator is a Windows built-in account that cannot be removed from the Administrators group. When you assign policies to Azure AD-registered devices, you should assign them to the device, not the user; therefore the local user's admin rights will have no effect on management by Intune.

    However, if you still want to remove the local administrator on Azure AD-registered devices, you can create a new admin account, then disable the local Administrator and log in to the device with the new admin account. After that, you can remove the user from the Administrators group.

    Hope this can be helpful.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

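The demotion that both answers describe (changing the account type in Settings in the first answer; creating a replacement admin, disabling the built-in Administrator and then removing the user from the Administrators group in the second) can be scripted from an elevated PowerShell session on the device itself, which is useful if you have more than one AAD-registered machine to clean up. This is an added example and not code from either answer; the account names `localuser` and `BreakGlassAdmin` are assumed placeholders, and it assumes the user being demoted is a local account rather than a Microsoft account. The script adds the check the second answer implies but does not spell out: it refuses to demote the user until at least one other enabled administrator exists, so you cannot lock yourself out of the device.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell
# session on the AAD-registered Windows 10 device. Account names are assumptions.
#Requires -RunAsAdministrator

param(
    [string]$UserToDemote = 'localuser',       # assumption: the local user to make Standard
    [string]$NewAdminName = 'BreakGlassAdmin'  # assumption: replacement admin account name
)

$adminsGroup = 'Administrators'

# 1. Create a replacement admin account first, so an enabled admin always remains.
if (-not (Get-LocalUser -Name $NewAdminName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Password for $NewAdminName"
    New-LocalUser -Name $NewAdminName -Password $password -AccountNeverExpires | Out-Null
}
# Adding a member that is already present raises an error; ignore that case.
Add-LocalGroupMember -Group $adminsGroup -Member $NewAdminName -ErrorAction SilentlyContinue

# 2. Disable the built-in Administrator. Its RID is always 500, so match on the SID
#    rather than the name, which may have been renamed or localized. It cannot be
#    removed from the Administrators group, but it can be disabled.
Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } | Disable-LocalUser

# 3. Safety check: refuse to demote unless another enabled local admin exists.
$otherEnabledAdmins = Get-LocalGroupMember -Group $adminsGroup |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
    Where-Object { $_.Enabled -and $_.Name -ne $UserToDemote }

if (-not $otherEnabledAdmins) {
    throw "No other enabled local administrator found; refusing to demote '$UserToDemote'."
}

# 4. Demote: remove the user from Administrators and make sure it is in Users,
#    which is what the Settings app calls a "Standard" account.
Remove-LocalGroupMember -Group $adminsGroup -Member $UserToDemote
Add-LocalGroupMember -Group 'Users' -Member $UserToDemote -ErrorAction SilentlyContinue

# 5. Verify: list who is still in Administrators and whether each account is enabled.
Get-LocalGroupMember -Group $adminsGroup |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object {
        $u = Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue
        [pscustomobject]@{ Name = $_.Name; Enabled = $u.Enabled; Source = $_.PrincipalSource }
    }
```

The removal takes effect for the demoted user only after they sign out and back in, because the group membership is baked into the logon token. Log in with the new admin account once before running step 4 on a machine you cannot reach physically, so you know the replacement credentials work.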

