Restrict user account


Dear all,


Can I check with you guys: when we use the user account to enrol a new laptop/desktop, the system will automatically put the user account into the 'Administrator group'. Thus, the user will get admin privileges.


In this case, is there a way, something like creating a restricted configuration profile in Intune ourselves, to restrict the user from installing software themselves or running cmd as admin?


Will be grateful for any help you can provide.

Thank you.  =)

4 Replies
You will need AppLocker, but when using AppLocker you will need to make sure the user doesn't have admin permission... Also, there is no security when being local admin :)

SO --> admin

And AppLocker

I'll suggest using Autopilot to enroll new devices, in which you can define a profile that will make the enrolling user a standard user and not an admin.

For existing devices, you can create a Policy CSP - LocalUsersAndGroups in Intune to modify the members of the local administrators group (starting from Windows 10, version 20H2).

Hope this helps.
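
To illustrate the LocalUsersAndGroups policy mentioned in the reply above (an added example, not part of the original thread): a custom Intune profile with OMA-URI `./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure` and data type String can carry XML like the following. The member values are constructed placeholders and must be replaced with your own accounts or SIDs.

```xml
<!-- Added example. Restricts the built-in Administrators group to an
     approved list, so the enrolling user no longer remains a local admin. -->
<GroupConfiguration>
    <!-- S-1-5-32-544 is the well-known SID of the local Administrators
         group; using the SID avoids problems with localized group names. -->
    <accessgroup desc = "S-1-5-32-544">
        <!-- action "R" (restrict/replace): membership becomes exactly the
             members listed below; anything not listed is removed.
             action "U" (update) would instead only apply the listed
             add/remove entries and leave other members untouched. -->
        <group action = "R" />
        <!-- Built-in local Administrator account, kept in the group. -->
        <add member = "Administrator"/>
        <!-- Placeholder: a dedicated support account (constructed value). -->
        <add member = "AzureAD\helpdesk-admin@example.com"/>
        <!-- Placeholder: SID of a directory role or group that should keep
             admin rights. Replace with a real SID from your tenant. -->
        <add member = "S-1-12-1-PLACEHOLDER"/>
    </accessgroup>
</GroupConfiguration>
```

Because the restrict action removes every member that is not listed, test the profile on a pilot device and confirm that at least one working admin account remains before assigning it broadly.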

Hi @Rudy_Ooms_MVP 

I hope you are doing fine. I will try. Thanks!

Hi @michael_moshkovich,

Thank you for your kind suggestion. I will try later. Thanks!