Event banner

Windows Office Hours: August 15, 2024

Event Ended
Thursday, Aug 15, 2024, 08:00 AM PDT
Hybrid

Event details

Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date ef...
Heather_Poulsen
Updated Nov 19, 2024
Office Hours
ToddMasegian's avatar
ToddMasegian
Copper Contributor
Aug 15, 2024
Hello, Intune related question. I recently moved our organization to a Windows Autopilot/Intune deployment infrastructure and overall it has been a positive direction. One item that has been lost as part of this new environment has been related to local permissions on user’s laptops that I have not found a good solution and so I am curious if anyone has suggestions. For context, before we started deploying Windows laptops via Autopilot/Intune we would bind a laptop to an on-premise AD domain and then have the domain account run on the laptop as a standard account with non-administrator level permissions. This allowed us to have users effectively not have administrator level permissions over their laptop for day-to-day operations. However, our user base often has need to perform some tasks that requires administrator level permissions (install applications, make change to network adapters, copy/delete files in restricted folders, etc.) and our solution in the past was to have a second, separate domain account configured in the Administrators group under Computer Management. That way, when a user needed to perform a task that required administrator level permissions while they were running in a standard account, they could simply enter the credentials for this “admin” account when prompted and perform the task. This entire process worked very well. When we moved to Autopilot/Intune I could not find any solution that would replicate this form of permissions structure. We have a separate Jamf deployment infrastructure for our Apples devices (why we aren’t using Intune for that is a whole separate can of worms) and the Jamf MDM has the ability to run our macOS laptops as standard accounts with a push button ability to temporarily “elevate” an account to administrator for a set period of time (say 10 minutes) so that users can perform admin level tasks. I have been unable to find any form of solution on Windows that would allow for me to have my users operate day-to-day with only a standard user account and in some way either have a second local account that could have administrator level permissions or have some form of temporary account “elevation” capability like Jamf has. I would love suggestions/options/feedback if anyone has found solutions to this kind of problem.
  • Joe_Lurie's avatar
    Joe_Lurie
    Icon for Microsoft rankMicrosoft
    Aug 15, 2024

    Hi ToddMasegian thanks for the message. We don't recommend users ever having full admin rights on a desktop. Our solution for this is two-fold:

    1. Use Autopilot when you send the user the laptop. In the Autopilot configure the user as a standard user.
    2. Use Endpoint Privilege Management. EPM is part of the Microsoft Intune Suite, and instead of giving the user full-on admin rights, it gives them admin rights to a specific process.

    As a sidenote, we also have a Cloud LAPS solution that allows you to rotate the local admin password, as well as additional policies.

     

    Re: using JAMF for your macOS devices, Intune has come a very long way in managing macOS - it may be worth checking out again. Or at the very least joining our aka.ms/MacAdmins community. Our Cloud LAPS solution and EPM are Windows only today, but we are working with our mac team to get them integrated on macOS.

     

    Keep an eye on aka.ms/M365Roadmap and aka.ms/IntuneInDev for more information on when these might be available in the future.

     

    --Joe.

    • ToddMasegian's avatar
      ToddMasegian
      Copper Contributor
      Aug 15, 2024
      Hi @joelurie thank you for the response. I had heard about EPM before but at the time I was advised that it was limited to only certain operations such as software installs and the other tasks such as modifying an Ethernet adapter properties weren't supported. I will have to take a deeper look at whether that is actually true or if EPM would actually cover my needs. On the LAPS front, I have been using LAPS on my on-prem AD for several years, I didn't realize there was a cloud version as well.
  • nlmitchell's avatar
    nlmitchell
    Iron Contributor
    Aug 15, 2024

    Hi Todd, our engineers have separate _onprem admin accounts, however our users have 'standard' accounts. One thing we have been using for some time is Admin By Request. Any user that has the client installed and is enabled to use it can elevate permissions. They would have to give a reason and this is logged into the audit logs. Just a suggestion, might be other stuff out there that others are using.

     

    As an aside, you can also control what groups go into the local admin group on end user devices using Intune Configuration Profiles. We also use these and they work very well

    • ToddMasegian's avatar
      ToddMasegian
      Copper Contributor
      Aug 15, 2024
      Hi Nick, thank you for the suggestion with Admin By Request. I hadn't seen this before and the possibility of having logging for requests would be awesome.
Date and Time
Aug 15, 20248:00 AM - 9:00 AM PDT