Forum Discussion

VinodS2020
Brass Contributor
Oct 31, 2023

Why are our users getting local admin access on devices when the device runs through an Autopilot profile and is Azure AD joined, even after we have selected Standard user in the Autopilot profile?

Why are our users getting local admin access on devices when the device runs through an Autopilot profile and is Azure AD joined, even after we have selected Standard user in the Autopilot profile?

  • J-D
    Copper Contributor

    What enrollment method are you using? Even if you create an Autopilot profile, if you use auto-enrollment your users will always end up Local Admin. You can check the enrollment method by its profile assignment in the device once it is enrolled... (look at the Enrollment blade in the device details).

    Another solution would be to set up a "Local user group membership" profile in your Endpoint Security blade (Account Protection) to make sure that only the default groups have local administrative privileges.

  • 999 out of 1000 times it's just that those devices didn't get the Autopilot profile 🙂
    Can you confirm whether those newly wiped, enrolled devices have the device name template applied?

    Besides that Autopilot profile, it's always smart to have a backup solution in place for when the user would still be admin.
    https://call4cloud.nl/2021/04/dude-wheres-my-admin/ (which also has a link to this one)
    https://call4cloud.nl/2020/03/remove-all-local-admins/

    But again... first make sure they did receive the profile 🙂

    • VinodS2020
      Brass Contributor

      Rudy_Ooms_MVP 

      Where can I check whether it has the template assigned? I have seen devices being enrolled via the Autopilot profile and added in all the locations like Intune, Autopilot, Entra ID and Defender as well, but this is what is happening.

      • Rudy_Ooms_MVP
        MVP
        1. Check if the profile is assigned to the devices
        https://learn.microsoft.com/en-us/autopilot/profiles

        If the device is enrolled and the user isn't a regular user but admin... check if the device also has the same naming template you configured in the same Autopilot profile. If the device didn't get the Autopilot profile (due to a lot of possible reasons) the user isn't admin and the device still has the old name.
  • Are your users members of the local administrators group after deployment? Or did someone make them Device Administrator in Entra ID, perhaps?
    • VinodS2020
      Brass Contributor

      Harm_Veenstra 

      Thanks for your reply on this @Harm_Veenstra

      You mean these settings in Entra ID below

      It does show "All"

      This is what I am seeing, so it seems this is the one responsible for this, but I am not sure.

      • Harm_Veenstra
        MVP
        Yes, so this is not happening because someone added a group there. But Rudy is on the right path with this issue 🙂
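
To answer Harm_Veenstra's question above (are the users actually in the local Administrators group, or is it only the Entra ID directory roles?) and to verify a "Local user group membership" policy of the kind J-D suggests, the following script enumerates the group on an Entra-joined device and classifies each member. It is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on Windows 10/11 and that the group's members expose a `WinNT://` ADsPath as described in the comments.

```powershell
# Added example (not from the thread): list the local Administrators group on an
# Entra ID (Azure AD) joined device and classify each member, so an Entra user who
# was made admin during enrollment can be told apart from the expected role SIDs.
# ADSI is used instead of Get-LocalGroupMember because the latter can fail with
# "Failed to compare two elements in the array" when the group holds Entra SIDs
# the device cannot resolve (a known issue on Entra joined devices).

$group = [ADSI]'WinNT://./Administrators,group'

$report = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # ADsPath looks like WinNT://<authority>/<name>, e.g. WinNT://AzureAD/jane@contoso.com
    # (constructed sample), WinNT://PC01/Administrator, or WinNT://S-1-12-1-... for an
    # Entra SID the device cannot resolve to a name.
    $parts     = ($path -replace '^WinNT://', '') -split '/'
    $authority = if ($parts.Count -gt 1) { $parts[0] } else { '' }
    $name      = $parts[-1]

    $kind = if ($name -like 'S-1-12-1-*') {
        # Entra directory roles (Global Administrator, Azure AD Joined Device Local
        # Administrator) are placed in the group as SIDs; this is expected.
        'Entra directory role SID (expected)'
    } elseif ($authority -eq 'AzureAD') {
        # A named Entra user or group: with a "Standard user" Autopilot profile this
        # is the entry you would not expect to see.
        'Entra user or group (review)'
    } elseif ($authority -eq $env:COMPUTERNAME) {
        'Local account'
    } else {
        'Other (domain or unknown)'
    }

    [pscustomobject]@{ Name = $name; Authority = $authority; Kind = $kind }
}

$report | Format-Table -AutoSize

# Anything flagged for review is what the Autopilot profile or a Local user group
# membership policy should have prevented.
$review = $report | Where-Object { $_.Kind -like 'Entra user*' }
if ($review) {
    Write-Warning ('Entra principals explicitly in local Administrators: ' + ($review.Name -join ', '))
} else {
    Write-Host 'No named Entra users or groups in local Administrators.'
}
```

If the enrolling user shows up under "Entra user or group (review)" while the device also kept its old name, that matches Rudy's point that the Autopilot profile was never applied.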
