New settings available to configure local user group membership in endpoint security

Hi,

I do not really know how to make use of this tool.

Initially after AutoPilot setup, the users are admins on their machines. We want to remove those admin rights. This already suggests that we have to use the Replace mode. Delete will not work, as all user accounts we will have to remove will be different.

At this point I'm wondering how we can grant individual users admin permissions on single devices without making them administrators in the entire company.

As soon we have Replace mode, I think there is no way to combine it with Add/Update - which, if it would work, could add certain groups or users to a smaller scope of devices.

But even then I guess there would still be a big problem left. It seems it's not possible to use any variables in the setup?

Right now with group policies we can add something like %computername%-Administrators to the local admins group, so there is only one rule. But without variables I would need to create an individual "Local user group membership" configuration for every single device and then set its target to that device to achieve the same?