Forum Discussion
Incorrect Identification of Local Admin in Defender for Endpoint
Hello everyone,
I am facing an issue with Microsoft Defender for Endpoint where a user is incorrectly identified as having local admin rights. In the Devices menu of the workstation in Defender, the user is tagged as a local admin. This is also confirmed when searching in Advanced Hunting with the following query:
DeviceLogonEvents | where LogonType == "Interactive" and IsLocalAdmin == true and AdditionalFields contains "\"IsLocalLogon\":true"
However, after checking the user's workstation, I found that the user is not part of the local or domain administrator group. The user cannot perform privilege escalation. It is worth noting that the user has another domain account with admin rights.
Additionally, the user's workstation has been AAD joined with his account, so he may have had admin rights on the computer at one time, but not anymore.
Has anyone encountered a similar issue or have any suggestions on how to resolve this?
Thank you!
7 Replies
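As an added example that is not from the original post, the query above can be widened to show when the admin-flagged logons happened and under which account SID, side by side with any local-group membership changes recorded for the same device. The device name is a placeholder, and the DeviceEvents action types and the GroupName key inside AdditionalFields are assumptions to verify in your tenant.

```kusto
// Added example, not code from the thread. Replace the placeholder device name.
let target = "WORKSTATION-PLACEHOLDER";
let window = 30d;
// 1) Admin-flagged interactive local logons, collapsed per account SID so that
//    old logons (e.g. from before rights were removed) stand out by their LastSeen.
let adminLogons = DeviceLogonEvents
| where Timestamp > ago(window) and DeviceName startswith target
| where LogonType == "Interactive" and IsLocalAdmin == true
| where AdditionalFields contains "\"IsLocalLogon\":true"
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Count = count()
    by DeviceName, AccountName, AccountDomain, AccountSid
| extend Kind = "AdminFlaggedLogon";
// 2) Local group add/remove events for the same device (action types and the
//    GroupName key are assumptions; check them in your own tenant).
let groupChanges = DeviceEvents
| where Timestamp > ago(window) and DeviceName startswith target
| where ActionType in ("UserAccountAddedToLocalGroup", "UserAccountRemovedFromLocalGroup")
| extend GroupName = tostring(parse_json(AdditionalFields).GroupName)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Count = count()
    by DeviceName, AccountName, AccountDomain, AccountSid,
       Kind = strcat(ActionType, ":", GroupName);
// Put both views together, grouped by SID, newest activity first.
union adminLogons, groupChanges
| order by AccountSid asc, LastSeen desc
```

If the flagged rows for the standard account all have a LastSeen older than the point at which rights were removed, the device-page tag is reflecting historical logons rather than current group membership.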
Hi italicize_valiant, can you confirm the group is "Administrator" or "Administratorer"? It looks like it is getting a different object class. What you can do is go to the Computer Management console and check the Administrators group as per this screenshot, and confirm or share the screenshot.
- italicize_valiant (Copper Contributor)
Hi,
Yes, I can confirm that “Administratorer” is the same as your image. Also, the same users and groups are present.
That's why I don't understand how and why MDE is getting this information.

It looks like your filtering options are different. As I told you, "Administratorer" has a spelling issue. Appreciate it if you could share a screenshot. :)
- italicize_valiant (Copper Contributor)
Hi,
Thanks for your comment.
Here are some screenshots:
In the Security device page, in red is the standard user account where local admin is seen.
In Advanced hunting:
And this is on the device:
Obviously, this is not a local user or in a domain group.
Hi italicize_valiant, can you share some screenshots on this message, graying out any sensitive information?
Thanks