Preventing user from having local admin access in Intune auto-enrollment

Nisk 30 Reputation points
2024-02-13T06:56:00.67+00:00

Is there a policy available in Intune that can prevent a user from receiving local admin access on their laptop during auto-enrollment? We have a client with auto-enrollment feature enabled for their tenant, but we'd like to set up their users with standard user access instead of local admin. Any suggestions or solutions would be appreciated. Thank you!

Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,327 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Crystal-MSFT 50,591 Reputation points Microsoft Vendor
    2024-02-13T08:20:19.5933333+00:00

    @Nisk, Thanks for posting in Q&A. To remove the local admin permission, you can create "Local user group membership" profile under Endpoint security > Account protection, choose Add (Replace) action to replace current membership of local administrators group or choose Remove (Update) action to remove users from local administrators group. Here is a link with more details:

    https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.