Forum Discussion
mmchx
Dec 14, 2021 (Copper Contributor)
Troubleshooting for standard user in Windows Autopilot
Hi experts, it's very straightforward. If we set the Windows Autopilot profile and set the account type to "Standard User", how can we assist them when we need to do something on their device? sin...
gerardoamadeus
Dec 14, 2021 (Brass Contributor)
Hi,
Your best option is either to add admins to the device administrators group (which is added to Administrators on all devices) or, if you want to be more specific, if you have several countries or groups of administrators, you can use the following CSP to add Azure users or groups:
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups
You can add and remove users from the local Administrator group.
To add Azure groups you will need the Azure SID, which can be found using Graph Explorer.
Regards,
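
The SID step from the reply above, as an added example that is not part of the original post: it derives the `S-1-12-1-...` SID from an Azure AD object ID locally and builds the XML payload for the LocalUsersAndGroups CSP. The function names and the sample object ID are hypothetical and constructed for illustration.

```powershell
# Added example, not from the thread. Function names are hypothetical.

function Convert-ObjectIdToSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    # An Azure AD SID is S-1-12-1 followed by the 16 GUID bytes read as four
    # unsigned 32-bit integers (little-endian, as on all Windows platforms).
    $bytes = $ObjectId.ToByteArray()
    $parts = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    'S-1-12-1-' + ($parts -join '-')
}

function New-LocalAdminPolicyXml {
    param(
        [Parameter(Mandatory)][string[]]$MemberSid,
        # U = update (keep existing members), R = restrict (replace membership)
        [ValidateSet('U', 'R')][string]$Action = 'U'
    )
    foreach ($sid in $MemberSid) {
        # Only accept Azure AD SIDs so a typo cannot add a well-known principal.
        if ($sid -notmatch '^S-1-12-1(-\d+){4}$') {
            throw "Not an Azure AD SID: $sid"
        }
    }
    $adds = $MemberSid | ForEach-Object { '        <add member="{0}"/>' -f $_ }
    @"
<GroupConfiguration>
    <accessgroup desc="Administrators">
        <group action="$Action"/>
$($adds -join "`n")
    </accessgroup>
</GroupConfiguration>
"@
}

# Constructed object ID of a per-region helpdesk group (placeholder value).
$groupId = '11111111-2222-3333-4444-555555555555'
$sid     = Convert-ObjectIdToSid -ObjectId $groupId

# Payload for the custom OMA-URI setting (data type: string):
# ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
New-LocalAdminPolicyXml -MemberSid $sid -Action 'U'
```

Assigning a different group SID per device group keeps each admin group's reach limited to the devices that policy targets.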
Mr_Helaas
Dec 21, 2021 (Iron Contributor)
Hi gerardoamadeus,
From a security perspective, adding an admin to a device administrator group is not safe. If one of your admins is hacked, they have local admin rights on all your Azure AD joined machines.
So, I agree with Rudy_Ooms_MVP. My advice is to always use a local admin account for the specific device with LAPS, and none of your devices will have the same admin password.
Kind regards,
Rene