Using Intune to enforce local administrator of workstations like Group Policy Preferences.

EnterpriseArchitect 5,136 Reputation points
2024-01-17T04:30:14.3966667+00:00

How can I achieve the same thing with the Intune policy to enforce the local administrator of the workstation?

  • Remove any local administrator users, other than 'ITSupport'

Group Policy Preferences: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/using-group-policy-preferences-to-manage-the-local-administrator/ba-p/259223


Accepted answer
  1. Crystal-MSFT 46,171 Reputation points Microsoft Vendor
    2024-01-17T05:17:16.2766667+00:00

    @EnterpriseArchitect, thanks for posting in Q&A. To remove users from local administrators, we can configure it via the Local user group membership (preview) profile. Add (Replace): Replace the members of the selected groups with the new members you specify for this action. Here is a link with more details:

    https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy#manage-local-groups-on-windows-devices

    However, removing the built-in Administrator account from the built-in Administrators group is blocked at the SAM/OS level for security reasons, so we can only remove users other than the built-in Administrator from the local administrators.

    https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups?WT.mc_id=Portal-fx#what-happens-if-i-accidentally-remove-the-built-in-administrator-sid-from-the-administrators-group

    Hope the above information can help.



    1 person found this answer helpful.
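
To confirm on a device that the Add (Replace) action described in the answer took effect, the following added example (not part of the original thread or of Microsoft's documentation) lists any member of the local Administrators group other than the built-in Administrator and the allowed account, and exits non-zero if it finds one. It assumes that 'ITSupport' from the question is a local account and uses the in-box `Microsoft.PowerShell.LocalAccounts` cmdlets.

```powershell
# Added example (not from the original thread): report members of the local
# Administrators group that the "Add (Replace)" policy should have removed.
# Assumption: 'ITSupport' from the question is a LOCAL account on the device.

$allowedLocalNames = @('ITSupport')   # assumption: local account name(s)
$adminGroupSid     = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# The built-in Administrator is the local account whose SID ends in RID 500.
# It cannot be removed from the group, so it is always expected to be present.
$builtinAdminSid = (Get-LocalUser |
    Where-Object { $_.SID.Value -match '-500$' } |
    Select-Object -First 1).SID.Value

# SIDs of the allowed local accounts; a missing account is reported, not ignored.
$allowedSids = @($builtinAdminSid)
foreach ($name in $allowedLocalNames) {
    $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if ($user) { $allowedSids += $user.SID.Value }
    else       { Write-Warning "Allowed account '$name' does not exist locally." }
}

try {
    # Query by SID so the check also works on localized Windows builds.
    $members = @(Get-LocalGroupMember -SID $adminGroupSid -ErrorAction Stop)
}
catch {
    # Enumeration can fail when the group holds entries that cannot be resolved;
    # treat that as "needs review" rather than as compliant.
    Write-Output "Could not enumerate Administrators: $($_.Exception.Message)"
    exit 1
}

$unexpected = @($members | Where-Object { $allowedSids -notcontains $_.SID.Value })

if ($unexpected.Count -gt 0) {
    $unexpected | ForEach-Object {
        Write-Output ("Unexpected admin: {0} [{1}] ({2})" -f $_.Name, $_.SID.Value, $_.ObjectClass)
    }
    exit 1
}

Write-Output 'Local Administrators contains only the expected members.'
exit 0
```

Comparing by SID rather than by display name avoids treating a domain or cloud principal that happens to be named ITSupport as the allowed local account.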
