Michael Jensen
Brass Contributor
Nov 05, 2019

Azure AD joined device, without the user being local administrator?

Hi,

If I reset a Windows 10 device to factory settings, and then after the reset log in using my Office 365 account (with an Enterprise Mobility + Security license added), I then become local administrator.

Can we change this behavior somehow? I can't seem to find any valid solution.

Or should I enroll the devices using an existing user designed for "Local administrator", and then change user afterwards? Or should I go with an Enrollment manager?

  • Thijs Lecomte
    Bronze Contributor
    Hi

    The user who joins the device to AAD is an administrator by default. There is no setting to disable it.
    The only way around it is to use Autopilot. That way you can configure if the user who joins the device becomes local admin or not.

    Kind regards
    Thijs
    • Michael Jensen
      Brass Contributor
      Hi.
      Yes, I have been looking into the Autopilot option too. But as all devices are in use now, I don't have the Hardware IDs, and devices should not be formatted.
      Currently I am testing using an Enrollment manager - so far working fine, by enrolling using that, and then "Change user". Other users are not Local administrators.
      Is that an option in the long term?
      I can see company portal is added on both accounts, and I can deploy software, as long as it's on device level.
      • Thijs Lecomte
        Bronze Contributor
        That's one way to do it.
        But I would advise Autopilot; you can use it for existing devices too.
