Forum Discussion
Why our users are getting local admin access on devices when the device runs through Autopilot profile and Azure AD joined devices even after we have selected Standard user in the Autopilot profile?
- J-D, Copper Contributor
What enrollment method are you using? Even if you create an Autopilot Profile, if you use autoenrollment your users will always end up Local Admin. You can check the enrollment method by its profile assignment in the device once it is enrolled... (look at the Enrollment blade in the device details).
Another solution would be to set up a "Local user group membership" profile in your Endpoint Security blade (Account Protection) to make sure that only the default groups have local administrative privileges. 999 of the 1000 times it's just that those devices didn't get the Autopilot profile 🙂
Can you confirm if those newly wiped enrolled devices do have the device name template applied?
Besides that Autopilot profile, it's always a smart thing to have a backup solution in place for when the user would still be admin.
https://call4cloud.nl/2021/04/dude-wheres-my-admin/ (which also has a link to this one)
https://call4cloud.nl/2020/03/remove-all-local-admins/
But again... first make sure they did receive the profile 🙂
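As an added example (not part of J-D's reply or the linked posts), here is a PowerShell audit that shows what the advice above boils down to on the device itself: confirm the join state and device name, list who is currently in BUILTIN\Administrators, and flag every member that is not the built-in RID-500 Administrator so the unexpected ones stand out. It assumes the built-in Microsoft.PowerShell.LocalAccounts module on Windows 10/11, an elevated session, and `$UserToCheck` is a placeholder sign-in name, not a real account.

```powershell
# Added example (not from the original thread): audit local Administrators on an
# Entra ID joined Windows device to see whether a user ended up as local admin.
# Assumes Windows 10/11 (Microsoft.PowerShell.LocalAccounts) and an elevated session.
# $UserToCheck is a constructed placeholder; replace it with the sign-in name to test.

param(
    [string]$UserToCheck = 'AzureAD\user@contoso.example'   # placeholder, constructed
)

# 1. Join state and current device name: useful for spotting devices that never
#    received the Autopilot profile (old name, possibly registered instead of joined).
$dsreg  = dsregcmd /status
$joined = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
Write-Host "Device name: $env:COMPUTERNAME   Entra ID joined: $joined"

# 2. Enumerate BUILTIN\Administrators as it is right now on this device.
$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    $sid = $m.SID.Value
    # The built-in Administrator account always carries RID 500 on the machine SID.
    # Anything else is either an Entra ID role SID (expected on a joined device) or
    # an extra principal that deserves a second look.
    [pscustomobject]@{
        Name            = $m.Name
        ObjectClass     = $m.ObjectClass
        PrincipalSource = $m.PrincipalSource
        SID             = $sid
        BuiltInAdmin    = ($sid -like 'S-1-5-21-*-500')
    }
}
$report | Sort-Object BuiltInAdmin -Descending | Format-Table -AutoSize

# 3. Answer the thread's actual question for one specific user.
$hit = $members | Where-Object { $_.Name -ieq $UserToCheck }
if ($hit) {
    Write-Warning "$UserToCheck is a member of local Administrators on $env:COMPUTERNAME"
} else {
    Write-Host "$UserToCheck is NOT a local administrator on $env:COMPUTERNAME"
}
```

On an Entra ID joined device you should expect two unresolved SIDs in the list besides the built-in Administrator: the Global Administrator and the (Azure AD Joined) Device Administrator roles that are added by default at join time. Those are the "default groups" J-D refers to; a named user sitting next to them is the symptom the thread is about. Note that on some builds `Get-LocalGroupMember` throws "principal could not be found" for those role SIDs; if you hit that, `net localgroup Administrators` still lists the raw SIDs.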
- VinodS2020, Brass Contributor
Where can I check whether it has the template assigned, as I have seen devices being enrolled via the Autopilot profile and added in all the locations like Intune, Autopilot, Entra ID and Defender as well, but this is what is happening.
- 1. Check if the profile is assigned to the devices
https://learn.microsoft.com/en-us/autopilot/profiles
If the device is enrolled and the user isn't a regular user but admin... check if the device also has the same naming template you configured in the same Autopilot profile. If the device didn't get the Autopilot profile (due to a lot of possible reasons) the user isn't admin and the device still has the old name.
- VinodS2020, Brass Contributor
- Are your users members of the local administrators group after deployment? Or did someone make them Device Administrator in Entra ID, perhaps?
- VinodS2020, Brass Contributor
Thanks for your reply on this @Harm_Veenstra
You mean these settings in Entra ID below?
It does show "All".
This is what I am seeing, so it seems this is the one responsible for this, but I am not sure.
- Yes, so this is not happening because someone added a group there. But Rudy is on the right path with this issue 🙂