By Laura Arrizza – Program Manager II | Microsoft Endpoint Manager – Intune
We are pleased to announce a new experience to configure local user group membership settings for Windows devices. Th...
Updated Nov 30, 2023
Version 11.0
Blog Post
4 MIN READ
New settings available to configure local user group membership in endpoint security
Hi,
I've tried the "Group and user action: Add (Replace)" and "Group and user action: Add (Update)" options, but finding that:
- I can assign a user to an Entra Group that the CSP gets applied to, and the user is added to the Local Admins group on the devices.
- But when I remove the same user from the the Entra Group, the user stays as a Local Admin on the devices.
Is this how it should work, or is there any additional setting that need to be done to allow the removal of the user from the Entra Group to filter through to the device and remove them from the Local Admin group?
So far, the only way I can get this to function as I want is to add the users in and out of the CSP Policy directly (not via a Group), but I need engineers in our team with lower permission levels to have a way to do this too. They do not have enough permission to add and remove direct assignment to the CSP Policies.
Thanks.