In one way or another, end-users sometimes find themselves as members of the built-in Administrators group on Windows. We can use Intune to clean that up, while retaining access for Global Administrator or Azure AD Joined Device Local Administrator roles so your IT admins can still do their jobs as expected.

The Goal

On a newly user-enrolled device, the local Administrator group looks like this:

We have the built-in Administrator account (disabled by default), and two Security Identifiers which correspond to Entra ID roles in your tenant:

  • Global Administrator
  • Azure AD Joined Device Local Administrator

In most scenarios, this is how we want the Administrators group to appear (without any additional user accounts).

Prerequisites

Make a note of the two SIDs in the local Administrators group on a computer enrolled to your tenant OR use PowerShell to:

  • Connect-AzureAD
  • Get-AzureADDirectoryRole

Convert the ObjectIds to SIDs using: https://erikengberg.com/azure-ad-object-id-to-sid/
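If you would rather do the conversion offline, the following is an added example (not from the original post): it converts an Entra ID ObjectId into the S-1-12-1-... SID that Intune expects, and then audits a device's local Administrators group against the SIDs you intend to keep, which is a handy check once the policy has applied. The ObjectId shown is a constructed sample, not a real tenant value.

```powershell
# Added example: ObjectId -> SID conversion plus a local Administrators audit.

function Convert-ObjectIdToSid {
    param([Parameter(Mandatory)][string]$ObjectId)
    # Entra ID principals get identifier authority 12 and a first sub-authority of 1,
    # followed by the GUID's 16 bytes read as four little-endian UInt32 values.
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $subAuthorities = [UInt32[]]::new(4)
    [Buffer]::BlockCopy($bytes, 0, $subAuthorities, 0, 16)
    return "S-1-12-1-$($subAuthorities -join '-')"
}

function Test-LocalAdministrators {
    param([Parameter(Mandatory)][string[]]$ExpectedSid)
    # Lists every member of the local Administrators group and flags anything that is
    # neither the built-in Administrator (RID 500) nor one of the expected role SIDs.
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $sid = $member.SID.Value
        [PSCustomObject]@{
            Name    = $member.Name
            SID     = $sid
            Allowed = ($sid -like 'S-1-5-21-*-500') -or ($ExpectedSid -contains $sid)
        }
    }
}

# Constructed sample ObjectId (replace with the ObjectIds returned by
# Get-AzureADDirectoryRole for the two roles named above).
$sampleObjectId = '12345678-9abc-def0-1234-56789abcdef0'
$sampleSid = Convert-ObjectIdToSid -ObjectId $sampleObjectId
# $sampleSid = S-1-12-1-305419896-3740310204-2018915346-4041129114

# Report any member that should not be there after the policy has applied.
Test-LocalAdministrators -ExpectedSid @($sampleSid) | Where-Object { -not $_.Allowed }
```

Run the audit in an elevated session on the device; an empty result means the group matches the policy, and any rows returned are the accounts the next Intune check-in should remove.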

Creating the Intune Policy

Go to Endpoint Security -> Account Protection -> Create

Create a Local user group membership policy and give it an appropriate name.

Change the fields to:

  • Local Group: Administrators
  • Group and user Action: Replace
  • User selection type: Manual

Click “Users selected” and populate the fields with the SIDs you saved earlier:

Now save the policy and apply to devices of your choice.

NOTE: It is your responsibility to have sought permission to make this change in your environment BEFORE deploying to all devices

Result

Before/After (each time the device checks in, the group membership will correct itself as configured):

Clearing out unwanted local admins is a continuous discussion between IT admins and security practitioners; once you have won the battle of taking local admin rights away in the first place, save yourself the hassle by automating it so they stay gone!