Forum Discussion
troubleshooting for standard user in windows autopilot
Hi,
I would go for the additional local admin like I mention in this blog, because in my opinion using one Azure AD account to manage each workstation ... mmm, not my cup of tea. I would rather use a local admin and add LAPS to it.
(even though this blog is more about the remediation error it could give you 🙂)
https://call4cloud.nl/2021/12/i-kill-remediation-errors/
- gerardoamadeus, Dec 14, 2021, Brass Contributor
Hi,
Your best option is either to add admins to the Device Administrators group (which is added to Administrators on all devices) or, if you want to be more specific, e.g. if you have several countries or groups of administrators, you can use the following CSP to add Azure users or groups:
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups
You can add and remove users from the local Administrator group.
To add Azure groups you will need the Azure SID, which can be found using Graph Explorer.
Regards,
- Mr_Helaas, Dec 21, 2021, Steel Contributor
Hi gerardoamadeus,
From a security perspective, adding admins to a device administrator group is not safe. If one of your admins is hacked, they have local admin rights on all your Azure AD joined machines.
So, I agree with Rudy_Ooms_MVP. My advice is to always use a local admin account specific to the device with LAPS, so none of your devices will have the same admin password.
Kind regards,
Rene
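As an added illustration of the LocalUsersAndGroups CSP route gerardoamadeus describes above (this is example code, not from the thread or from Microsoft's documentation), the script below derives the SID Windows uses for an Azure AD group from its object ID and builds the GroupConfiguration payload the CSP expects. Windows maps an Azure AD group's GUID to `S-1-12-1-` followed by the GUID's four 32-bit little-endian integers in .NET `Guid.ToByteArray()` layout, which is what Graph Explorer would give you for a real group. The object ID and the `olduser@contoso.com` account are constructed placeholders; `S-1-5-32-544` is the well-known SID of the local Administrators group.

```python
import struct
import uuid
import xml.etree.ElementTree as ET


def azure_object_id_to_sid(object_id: str) -> str:
    """Derive the SID Windows assigns to an Azure AD group from its object ID (GUID).

    Windows maps the GUID to S-1-12-1-<a>-<b>-<c>-<d>, where a..d are the four
    32-bit little-endian integers of the GUID in .NET Guid.ToByteArray() layout;
    uuid.bytes_le yields the same 16 bytes, so no .NET interop is needed.
    """
    raw = uuid.UUID(object_id).bytes_le
    a, b, c, d = struct.unpack("<4I", raw)
    return f"S-1-12-1-{a}-{b}-{c}-{d}"


ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group


def build_local_groups_payload(add_members, remove_members=(), group=ADMINISTRATORS_SID):
    """Build the GroupConfiguration XML for the LocalUsersAndGroups CSP.

    action="U" updates the group (only the listed members are added/removed).
    action="R" would restrict the group to exactly the listed members, which also
    strips members you did not intend to remove, so update is the safer default
    when you only want to grant a scoped admin group.
    """
    root = ET.Element("GroupConfiguration")
    access = ET.SubElement(root, "accessgroup", desc=group)
    ET.SubElement(access, "group", action="U")
    for member in add_members:
        ET.SubElement(access, "add", member=member)
    for member in remove_members:
        ET.SubElement(access, "remove", member=member)
    return ET.tostring(root, encoding="unicode")


def members_in_payload(payload: str, tag: str = "add"):
    """Read back the members a payload adds (tag="add") or removes (tag="remove").

    Useful for reviewing what local-admin access a policy actually grants before
    it is assigned, which is the part that matters from a security standpoint.
    """
    root = ET.fromstring(payload)
    return [el.get("member") for el in root.iter(tag)]


def group_action(payload: str) -> str:
    """Return the group action ("U" or "R") declared in a payload."""
    return ET.fromstring(payload).find("accessgroup/group").get("action")


if __name__ == "__main__":
    # Constructed example object ID, not a real tenant's group.
    scoped_admins_sid = azure_object_id_to_sid("12345678-9abc-def0-1122-334455667788")
    payload = build_local_groups_payload(
        add_members=[scoped_admins_sid],
        # Constructed example account; AzureAD\<UPN> is the form the CSP accepts for Azure AD users.
        remove_members=["AzureAD\\olduser@contoso.com"],
    )
    print(scoped_admins_sid)
    print(payload)
```

The resulting XML goes into the CSP's `./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure` setting through Intune. Keeping the group scoped (one group per country or team, as gerardoamadeus suggests) limits how many devices a single compromised admin account can reach, which is the concern Rene raises.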