Dec 14 2021 12:15 AM
Dec 14 2021 12:15 AM
it's very straightforward. if we set the windows autopilot's profile and set the account type to "Standard User". How can we assist them when we need to do something on their device? since we cannot run as administrators.
Dec 14 2021 01:02 AM
Dec 14 2021 02:39 AM - edited Dec 14 2021 04:30 AM
I would go for the additional local admin like I am mentioning in this blog. because in my opinion using one azure ad account to manage each workstation ... mmm not my cup of tea. I would rather use a local admin and add LAPS to it..
(even while this blog is more about the remediation error it could give you :) )
Dec 14 2021 04:17 AM
Dec 14 2021 04:22 AM - edited Dec 14 2021 04:39 AM
Adding to @Adir_Moshe, for more granular configuration you can leverage the Policy CSP - LocalUsersAndGroups - Windows Client Management | Microsoft Docs, this will allow you to add specific user account to specific Local groups an specific managed devices.
Managing Local Admin account, although have it's benefits, has a lot of security and management disadvantages and I would not recommend that.
For remote control, the new tool from Microsoft does sound promising but still in preview and no cost estimation in sight, so you can fallback to a third party such as TeamViewer which in my opinion provides good integration, until Remote Help is GA.
Dec 21 2021 01:20 PM
From a security perspective add admin to a device administrator group is not save. If one of your admins are hacked they have local admin rights on al your Azure Ad Joined machines.
So, I agree with @Rudy_Ooms. My advice is to use always a Local admin account to the specific device with LAPS and none of your device will have the same admin password.
Dec 21 2021 01:29 PM
I think you have enabled the Microsoft Security Baseline or you have set it up in Endpoint Protection policy and now you are not able to Run as Administrator, right?
If so, you can change the following setting in the security baseline: "Standard user elevation prompt behavior" to Prompt for credentials on the secure desktop or change the setting "Elevation prompt for standard users" in your Endpoind Protection policy to Prompt for credentials on the secure desktop.
Dec 24 2021 08:12 AM
Did you already take a look at the following blog post: