Intune Setup

RIZKI RIVAI 20 Reputation points
2024-08-30T08:17:06.1166667+00:00

We are currently implementing Intune to manage our corporate devices. All our users are in Entra; we don't have on-prem AD.

In the default Intune configuration, when a user enrolls a device they automatically become local admin on that device. In the traditional domain-join world this is something risky, and normally we would remove the user as local admin. Now, how do we handle this in Intune? Remove the user as local admin, or keep them as local admin but enforce some policy restrictions, i.e. disallow unenrollment, disable installing apps, etc.?

Can anyone share their experience, pros, cons? Or what are the best practices from Microsoft?

Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.

Accepted answer
  1. Crystal-MSFT 48,001 Reputation points Microsoft Vendor
    2024-08-30T08:44:45.5333333+00:00

    @RIZKI RIVAI, thanks for posting in Q&A. For standard users, we suggest removing users from the local admin group. You can configure a Local user group membership profile and use the Add (Replace) action for the local Administrators group to include only the admins you want.

    https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207

    For any new devices enrolling into Intune, we can consider using the Autopilot enrollment method. In the Autopilot enrollment profile, we can configure User account type with the value Standard, which means the enrolled user is only a standard user on the enrolled devices.

    https://learn.microsoft.com/en-us/autopilot/tutorial/user-driven/azure-ad-join-workflow

    https://learn.microsoft.com/en-us/autopilot/tutorial/user-driven/azure-ad-join-autopilot-profile

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
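
One way to check on a device that the Add (Replace) policy described in the answer actually took effect, as an added example that is not part of the original answer or of Microsoft's documentation. The allowlist approach and the SID in `$AllowedSids` are assumptions of this example; the SID is a constructed placeholder to be replaced with the SIDs of the admins you configured.

```powershell
# Audit local Administrators membership against an allowlist of SIDs.
# Run as a script in Windows PowerShell 5.1 on the managed device.

# ASSUMPTION: constructed placeholder SID; replace with the SIDs of the Entra
# groups/roles you listed in the "Add (Replace)" policy.
$AllowedSids = @(
    'S-1-12-1-1111111111-2222222222-3333333333-4444444444'
)

# Resolve the group name from its well-known SID (works on localized Windows).
$adminSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group     = [ADSI]"WinNT://./$groupName,group"

# Read members through ADSI: Get-LocalGroupMember can error out when a member
# SID cannot be resolved to a name, which is common on Entra-joined devices.
$report = foreach ($member in $group.Invoke('Members')) {
    $type  = $member.GetType()
    $bytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
    $sid   = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0)
    $name  = $type.InvokeMember('Name', 'GetProperty', $null, $member, $null)

    # The built-in local Administrator account always has RID 500.
    $isBuiltIn = $sid.Value -match '^S-1-5-21-(\d+-){3}500$'

    [pscustomobject]@{
        Name     = $name
        Sid      = $sid.Value
        Origin   = if ($sid.Value -like 'S-1-12-1-*') { 'Entra' } else { 'Local/other' }
        Expected = $isBuiltIn -or ($AllowedSids -contains $sid.Value)
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code when anything outside the allowlist holds admin rights.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) unexpected member(s) in '$groupName'."
    exit 1
}
Write-Output "Local '$groupName' group matches the allowlist."
exit 0
```

Entra principals appear with `S-1-12-1-` SIDs and may show only the SID as their name when it cannot be resolved locally, so compare on the `Sid` column rather than on `Name`.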
