Intune - Local Admin Removal

karthik palani 1,016 Reputation points
2022-01-30T13:18:48.9+00:00

Dear All,

I have Azure AD joined devices in which all end-users are local admin now. I would like to remove the end-user from local admin role

Could you please suggest or share the steps to execute the same

Microsoft Intune Configuration
Microsoft Intune Configuration
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Configuration: The process of arranging or setting up computer systems, hardware, or software.
1,706 questions
Microsoft Intune Enrollment
Microsoft Intune Enrollment
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Enrollment: The process of requesting, receiving, and installing a certificate.
1,241 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,293 questions
{count} votes

4 answers

Sort by: Most helpful
  1. Reza-Ameri 16,826 Reputation points
    2022-01-31T16:37:32.653+00:00

    I have some good news, MEM team today announced they add a new feature call Account protection it is under Endpoint security which you could do exactly what you asked.
    Take a look at:
    https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207

    1 person found this answer helpful.
    0 comments No comments

  2. Reza-Ameri 16,826 Reputation points
    2022-01-30T16:09:04.4+00:00

    Currently , there is no out of the box policy to do it in Microsoft Intune, either you have to create a PowerShell script to do it or use custom setting , to create a custom setting , take a look at:
    https://learn.microsoft.com/en-us/mem/intune/configuration/custom-settings-windows-10
    In this case you may use RestrictedGroups policies , take a look at:
    https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-restrictedgroups#restrictedgroups-configuregroupmembership

    0 comments No comments

  3. karthik palani 1,016 Reputation points
    2022-02-08T13:40:02.013+00:00

    Thanks Reza, as of now the account protection is supported for Windows 10 20H2. But i will give a try

    0 comments No comments

  4. karthik palani 1,016 Reputation points
    2022-02-10T12:58:23.747+00:00

    Dear All,

    Account protection is not working for version 1809/1909 as stated it is supported from 20H2. I tried the below XML and deployed custom profile as stated in below blog

    https://www.jeffgilb.com/managing-local-administrators-with-azure-ad-and-intune/

    My XML is below

    <groupmembership>
    <accessgroup desc = "Administrators">
    <member name = "Administrator"/>
    <member name = "S-1-12-1-XXXX"/>
    <member name = "S-1-12-1-XXXX"/>
    <member name = "AzureAD\XXXX@X .com"/>
    </accessgroup>
    </groupmembership>

    I am getting the below error in end-user PC, any thoughts on how to fix it wud be appreciated

    173146-xml2.jpg

    173097-xml1.jpg

    0 comments No comments