When discussing the local administrator account on MEM/Intune managed Windows 10 endpoints, we need to consider the two join states that the device can be in: Azure AD joined and Hybrid Azure AD joined. Irrespective of the join state, the user account performing the join is added to the local Administrators group on the endpoint. The same is true for Hybrid Join via Windows Autopilot, unless you have configured the Autopilot profile to provision standard accounts.

From a security perspective, you might be frowning at the thought of providing local administrator rights to the end-users. How can you stop your end-users from gaining local admin rights on their workstations?

As an Intune admin, you can prevent end-users from getting local admin privileges by using Windows Autopilot device provisioning, which allows you to provision the end-user account on the endpoint as a standard account.

Note that controlling local admin rights via Autopilot works for new device provisioning only. What about existing, non-Autopilot provisioned Azure AD / Hybrid Azure AD joined devices? Those devices will have the user account which performed the join added to the local Administrators group on the endpoint. However, you can use a PowerShell script deployment from Intune to remove the end-user account from the local Administrators group on the endpoints.

Use `net localgroup administrators "AzureAD\UserUPN" /add` instead of `Add-LocalGroupMember -Group "Administrators" -Member "AzureAD\UserUPN"`, as the latter has issues when run on remote endpoints.

Is the job done with the removal of local admin rights from the end-users? You need to consider how an IT Helpdesk engineer is supposed to get elevated privilege on the endpoints if required for any service request, troubleshooting or break-fix scenario. So let's get to the main purpose of this blog post.

Method #1 – Allow local admin rights on Win 10 endpoints via Azure AD roles

For Azure AD joined devices, by design, the security principals of the Global administrator and Azure AD joined device local administrator (previously named Device administrator) roles get added to the local Administrators group on the endpoint. Thus, anyone holding either the Global admin role or the Azure AD joined device local admin role can sign in on the endpoint and get local admin rights.

[Screenshot: The security principals of the Global administrator and Azure AD joined device local administrator (previously named Device administrator) roles, along with the end-user account performing the Azure AD join, get added to the local Administrators group on the endpoint.]

But for the obvious fact that the Global admin role is the most privileged role available, it should not be used for this purpose. This leaves us with the Azure AD joined device local admin role, which we can use to give our IT helpdesk team local admin rights on the managed endpoints.

[Screenshot: Manage Windows 10 Local Admin account using Azure AD role.]

As you can see from the above snap, you can assign the role directly to individual members or to a group. The accounts assigned the Global administrator / Azure AD joined device administrator role will get local admin rights on all the managed Windows 10 endpoints in the environment.

Method #2 – Configure additional local admin via Device settings in Azure

What we just did above can also be configured in the below way.

[Screenshot: Configure additional local admin on Intune managed endpoints via Device settings in Azure.]

Click on the "Manage Additional local administrators on all Azure AD joined devices" link, then choose the required User(s) or Group(s) to add.
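The Intune script deployment described above, written out as an added example (this is not the blog's own script): it removes the Azure AD end-user who performed the join from the local Administrators group with `net.exe`, which the post prefers over the `*-LocalGroupMember` cmdlets, and records the membership before and after so the change is verifiable. It assumes the script runs as SYSTEM via Intune, that `$AadUserUpn` is supplied by you, and that `net localgroup` lists Azure AD members in the `AzureAD\<UPN>` form used in the post.

```powershell
# Added example, not the original post's script.
# Assumption: $AadUserUpn is the UPN of the end-user who performed the join (placeholder value).
param(
    [Parameter(Mandatory = $true)]
    [string]$AadUserUpn    # e.g. "user@contoso.com" (placeholder; replace with the real UPN)
)

$member = "AzureAD\$AadUserUpn"

function Get-LocalAdminMembers {
    # Parse 'net localgroup administrators': members sit between the dashed separator
    # and the trailing "The command completed successfully." line.
    $members = @()
    $inList  = $false
    foreach ($line in (& net.exe localgroup administrators)) {
        if ($line -match '^-{5,}$')               { $inList = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line.Trim())            { $members += $line.Trim() }
    }
    return $members
}

$before = Get-LocalAdminMembers
Write-Output "Administrators before: $($before -join ', ')"

# Assumption: net.exe shows Azure AD members as "AzureAD\<UPN>"; adjust the match if your
# tenant displays them differently. Comparison is case-insensitive.
if (-not ($before | Where-Object { $_ -ieq $member })) {
    Write-Output "$member is not a local administrator; nothing to do."
    exit 0
}

# Use net.exe rather than Remove-LocalGroupMember, for the same reason the post gives
# for preferring 'net localgroup ... /add' over Add-LocalGroupMember on remote endpoints.
& net.exe localgroup administrators "$member" /delete | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "net localgroup exited with code $LASTEXITCODE while removing $member"
    exit 1
}

# Verify the removal instead of trusting the exit code alone; Intune records this output
# in the script status, which gives you an audit trail per device.
$after = Get-LocalAdminMembers
if ($after | Where-Object { $_ -ieq $member }) {
    Write-Error "$member is still a member of Administrators"
    exit 1
}
Write-Output "Removed $member. Administrators after: $($after -join ', ')"
exit 0
```

Deploy it from Intune as a PowerShell script running in the system context; the exit code and the before/after lines it writes show up in the script's per-device status, so a device where the removal did not take effect is visible without an extra report.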