In one way or another, end-users sometimes find themselves as members of the built-in Administrators group on Windows. We can use Intune to clean that up, while retaining access for Global Administrator or Azure AD Joined Device Local Administrator roles so your IT admins can still do their jobs as expected.

The Goal

On a newly user-enrolled device, the local Administrator group looks like this:

We have the built-in Administrator account (disabled by default), and two Security Identifiers which correspond to Entra ID roles in your tenant:

  • Global Administrator
  • Azure AD Joined Device Local Administrator

In most scenarios, this is how we want the Administrators group to appear (without any additional user accounts).


Make a note of the two SIDs in the local Administrators group on a computer enrolled to your tenant OR use PowerShell to:

  • Connect-AzureAD
  • Get-AzureADDirectoryRole

Convert the ObjectIds to SIDs using –

Creating the Intune Policy

Go to Endpoint Security –> Account Protection –> Create

Create a Local user group membership policy and give it an appropriate name.

Change the fields to:

  • Local Group: Administrators
  • Group and user Action: Replace
  • User selection type: Manual

Click “Users selected” and populate the fields with the SIDs you saved earlier:

Now save the policy and apply to devices of your choice.

NOTE: It is your responsibility to have sought permission to make this change in your environment BEFORE deploying to all devices


Before/After (each time the device checks in, the group membership will correct itself as configured):

The task of clearing unwanted local admins is a continuous discussion between IT admins and security practitioners, save yourself the hassle by automating it when you’ve won the battle of taking local admin rights away in the first place!