Remove admin rights from already joined intune devices

Copper Contributor


I am very new to intune and trying to fix a problem for my company, the person who created this is no longer working so i am very new to this and i am trying to help the team. 


We have 14 devices enrolled via intune and users were added as work or school and they have admin rights on the computer, we want to remove the admin rights of the user using the computer. How do achieve this ? Below screenshot is what i see under local user and groups.




Under Azure AD-->Devices-->Device settings-->Device administrator|Assignments we have security group created and 4 users are added to it we want only the users under this group to have admin rights for intune devices. 


Please help thank you.

4 Replies
Thanks Rudy for the resources, ill be honest i am a power platform developer so i have very little knowladge about intune, which will be the best option here, to remove admin rights from the devices and have only the users in security group to have admin rights



Thank you very much for the resources again i was able to figure it out and got it working. 

Here are the steps i followed if anyone in future wants help.

Endpoint security>account protection>create policy

1. Platform-> Windows 10 and later

2. Profile-> Local user group membership.

3. Gave Name and description as required

4. Administrators=>Add(Replace)=>Manual=>Add user(s)=>Enter th SID of the group or user you want to make admin.



To get the SID from Obect ID i followed this guide


5. Add scope tags if required

6. Assignments add the group which has the device in them. 

note: I created a security group added the test device to it and added it to assignments.


7. Review and create.

After all this i restarted the computer and it updated the administrator in users and groups. 










Great I used this to remove created administrators group membership in the past!


We use now
Manage Additional local administrators on all Microsoft Entra joined devices