This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 35%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
In Deployment profile OOBE I have set user account type Administrator. But post Autopilot provision completion sucessful I don't see user is added to Administrator group. How to troubleshoot why user is not added to Administrator group. Please explain me which MDM Diagnostic logs I need refer. I looked all the logs but I didn't get any trace. I checked couple of event viewer entry I got some info but it does not helped me. please suggest. Attached reference screenshot.
Keeping your issue aside, may I suggest that giving your end users admin rights is a very idea and you are potentially opening the attack surface area? Instead, you should look at implementing cloud LAPS.
Thanks for comment.I agreed with you but client still stick and wants user account type should be Administrator. LAPS we already implemented from entra site only for win 11. Please suggest how we can track and troubleshoot the User account type Administrator missing to add into administrator group.
What is the value of “Registering user is added as local administrator on the device during Microsoft Entra join” under Entra>Devices?
We ha
| Header 1 | Header 2 |
|---|---|
| Cell 1 | Cell 2 |
| Cell 3 | Cell 4 |
Is it getting conflict with OOBE user account type Administrator?
Please check below event viewer screenshot.IMG_20240708_130008973.jpg
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Imran Katike, Thanks for posting in Q&A. Based on my researching, there's a compatibility problem between the Windows Autopilot device preparation policy User account type setting and the Microsoft Entra ID Local administrator settings. I notice we want the user to be a local administrator user on the device. If so, please set the Microsoft Entra ID Local administrator settings is set to All.
Meanwhile, if it occurs in Windows Autopilot user-driven hybrid Microsoft Entra deployments and there's another user on the device that already has Administrator rights, it will also cause the issue. Please don't create another account until after the Windows Autopilot process is complete.
Please try the above suggestion and if there's any update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
We have selected it to "All" for Registering users is added as local administrator on the device during Microsoft Entra join.Under Devices - Device settings
No other user account policy or script is enforced to add user into administrator account.
Is it getting conflict with any other Entra device settings Registering user set to All?
I got the below event viewer screenshot from Autopilot device. Please look out once and suggest. IMG_20240708_130008973.jpg
@Imran Katike, Thanks for the reply. After researching, I don't find other conflict setting. For the event, the disallow user to be admin is disabled. So it's OK. You can follow this link to see if you can find any more information on the issue.