Forum Discussion
rtccoupe
Aug 04, 2021 | Copper Contributor
Windows 365 Business Cloud PC Local Admin
Hello, I have deployed Windows 365 Business and thus far it is working great. However, I was wondering if each user is required to have local admin privileges? Thanks!
msmotto21
Aug 12, 2021 | Copper Contributor
I have also asked myself this question, from a security point of view, whether something can be changed. I simply created a new user in the computer administration and added this user to the administrators group. Then I took out my AD user. Afterwards you are always asked for increased rights in the UAC for installers and can enter the local admin. With this I think you have increased the security a bit.
If someone has a different opinion or would like to share some additional security advice with us, I would be very grateful.
Regards Sebastian
EricOrman
Microsoft
Aug 12, 2021
We are currently investigating the capability to provision Business Cloud PCs without requiring users to be local admins; they would be standard users. There are problems with this because without MEM there will not be a way to perform elevated administration on these devices. More details to come as we continue our development/progress.
- M_Titcombe | Aug 15, 2023 | Copper Contributor
EricOrman, is there an update to this? From a compliance point of view, a standard user cannot have local admin rights to the Win365 provisioned instance. We do not want users installing software. Or, is there a workaround to strip it later?
- ivaylo_ivanov | Aug 18, 2023 | Microsoft
M_Titcombe, we introduced functionality in late 2021 to give admins more granular control over account types.
Users who are assigned a Windows 365 Business Cloud PC have standard user permissions by default. This default can be changed in the Organization Settings available at windows365.microsoft.com. More information is available in our documentation: Change organizational default settings in Windows 365 Business | Microsoft Learn
In addition, you can also change the account type on an already-created Cloud PC: Remotely manage Windows 365 Business Cloud PCs | Microsoft Learn
- msmotto21 | Aug 12, 2021 | Copper Contributor
Hi Eric, okay, what exactly does this mean? Now I'm a standard user but I have no problem with Microsoft Endpoint Manager. For example, I could onboard MDE via Endpoint Manager (applying configs works). Does my described workaround currently have a technical limitation for me or have I restricted any service with it? Thanks. Regards Sebastian
- EricOrman | Aug 12, 2021 | Microsoft
msmotto21, if we provision a Business Cloud PC for a user that is a standard user, that user will not have administrator access and therefore will not have the ability to install and configure anything because they don't have permissions. If the device is MEM enrolled (the customer would need to have auto enrollment enabled when the device performs AADJ), then the MEM admin will be able to have full management capabilities.
- rtccoupe | Aug 12, 2021 | Copper Contributor
Thank you, Eric. I bring this up as many MSPs have been asking how to remove the local admin for the user for Windows 365 Business Cloud PC, and the current inability for them to do so is creating a barrier of entry for consuming the product. Thanks again!
Ryan