Windows 365 Business Cloud PC Local Admin

%3CLINGO-SUB%20id%3D%22lingo-sub-2612235%22%20slang%3D%22en-US%22%3EWindows%20365%20Business%20Cloud%20PC%20Local%20Admin%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2612235%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20deployed%20Windows%20365%20Business%20and%20thus%20far%20it%20is%20working%20great.%26nbsp%3B%20However%2C%20I%20was%20wondering%20if%20each%20user%20is%20required%20to%20have%20local%20admin%20privilege's%3F%26nbsp%3B%20Thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2640267%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20365%20Business%20Cloud%20PC%20Local%20Admin%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2640267%22%20slang%3D%22en-US%22%3EI%20have%20also%20asked%20myself%20this%20question.%20from%20a%20security%20point%20of%20view%20whether%20something%20can%20be%20changed.%20I%20simply%20created%20a%20new%20user%20in%20the%20computer%20administration%20and%20added%20this%20user%20to%20the%20administrators%20group.%20Then%20I%20took%20out%20my%20AD%20user.%20Afterwards%20you%20are%20always%20asked%20for%20increased%20rights%20in%20the%20UAC%20for%20installers%20and%20can%20enter%20the%20local%20admin.%20With%20this%20I%20think%20you%20have%20increased%20the%20security%20a%20bit.%3CBR%20%2F%3EIf%20someone%20has%20a%20different%20opinion%20or%20would%20like%20to%20share%20some%20additional%20security%20advice%20with%20us%2C%20I%20would%20be%20very%20grateful.%3CBR%20%2F%3E%3CBR%20%2F%3ERegards%20Sebastian%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2641109%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20365%20Business%20Cloud%20PC%20Local%20Admin%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2641109%22%20slang%3D%22en-US%22%3EWe%20are%20currently%20investigating%20capability%20to%20provisioning%20Business%20Cloud%20PC's%20without%20requiring%20users%20to%20be%20local%20admins%2C%20they%20would%20be%20standard%20users.%20There%20is%20problems%20with%20this%20because%20without%20MEM%20there%20will%20not%20be%20a%20way%20to%20perform%20elevated%20administration%20on%20these%20devices.%20More%20details%20to%20come%20as%20we%20continue%20our%20development%2Fprogress.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2617905%22%20slang%3D%22en-US%22%3ERE%3A%20Windows%20365%20Business%20Cloud%20PC%20Local%20Admin%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2617905%22%20slang%3D%22en-US%22%3EYes%2C%20all%20users%20are%20local%20admins%20in%20the%20Business%20option%20currently%20of%20Windows%20365%2C%20see%20the%20second%20paragraph%20here%20%3D%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Fsetup%2Fget-started-windows-365-business%3Fview%3Do365-worldwide%23installing-apps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Fsetup%2Fget-started-windows-365-business%3Fview%3Do365-worldwide%23installing-apps%3C%2FA%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hello,

 

I have deployed Windows 365 Business and thus far it is working great.  However, I was wondering if each user is required to have local admin privilege's?  Thanks!

6 Replies
Yes, all users are local admins in the Business option currently of Windows 365, see the second paragraph here = https://docs.microsoft.com/en-us/microsoft-365/admin/setup/get-started-windows-365-business?view=o36...
I have also asked myself this question. from a security point of view whether something can be changed. I simply created a new user in the computer administration and added this user to the administrators group. Then I took out my AD user. Afterwards you are always asked for increased rights in the UAC for installers and can enter the local admin. With this I think you have increased the security a bit.
If someone has a different opinion or would like to share some additional security advice with us, I would be very grateful.

Regards Sebastian
We are currently investigating capability to provisioning Business Cloud PC's without requiring users to be local admins, they would be standard users. There is problems with this because without MEM there will not be a way to perform elevated administration on these devices. More details to come as we continue our development/progress.
Thank you Eric. I bring this up as many MSPs have been asking how to remove the local admin for the user for Windows 365 Business Cloud PC and the current inability for them to do so is creating a barrier of entry for consuming the product. Thanks again!

Ryan
Hi Eric, okay what does this exactly mean? Now im standard user but i have no problem with Microsoft Endpoint Manager. For example i could onboard MDE via Endpoint Manager (applying condigs works) .Does my described workarround currently have a technical limitation for me or have I restricted any service with it? Thanks. Regards Sebastian
@msmotto21, if we provision a Business Cloud PC for a user that is a standard user, that user will not have administrator access and therefore will not have ability to install and configure anything because they don't have permissions. If the device is MEM enrolled (customer would need to have auto enrollment enabled when the device performs AADJ) then MEM admin will be able to have full management capabilities.