Restrict user account

Question

Dear all,&nbsp;Can I check with you guys, when we use the user account to enrol a new laptop/desktop, the system will auto put the user account into the 'Administrator group' Thus, the user will get the admin privilege.&nbsp;In this case, is there have a way something like self creates a restricted configuration profile in Intune, to restrict the user self install software or run cmd as admin?&nbsp;Will be grateful for any help you can provide.Thank you.&nbsp; 😃

rudy_ooms_mvp · Answer

You will need applocker, but when using applocker you will need to make sure the user doesn't has admin permission... Also there is no security when being local admin 🙂

SO https://call4cloud.nl/2021/04/dude-wheres-my-admin/ --> admin

And Applocker
https://call4cloud.nl/2020/06/applocker-a-la-minute/

michael_moshkovich · Answer

Hi,I'll suggest to use Autopilot to enroll new devices, in which you can define a profile that will make the enrolling user a standard user and not an admin.for existing devices you can create a Policy CSP - LocalUsersAndGroups in Intune to modify the members on the local administrators group (Starting from Windows 10, version 20H2)https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroupshope this helps.

sk-73 · Answer

Hi&nbsp;Rudy_Ooms_MVP&nbsp;I hope you are doing fine. I will try. Thanks!

sk-73 · Answer

Hi&nbsp;michael_moshkovich,Thank you for your kind suggestion. I will try later. Thanks!

Forum Discussion

Restrict user account

Resources