Forum Discussion
Azure AD Joined device, without user is local administrator?
Hi,
If I reset af Windows 10 device to factory settings, and then after reset logs in using my Office 365 account (With an Enterprise Mobility + Security Licecense added), I then become local administrator.
Can we change this behavior somehow? I cant seem to find any valid solution.
Or should I enroll the devices using an existing user designed for "Local administrator", and then change user afterwards? Or should I go with a Enrollment manager?
6 Replies
I know one method that is to use Intune device configuration profiles or Endpoint Security policies to explicitly remove users from the local Administrators group or define who should be allowed.
Really really old topic, but may help someone that for some reason stumble upon this thread.
This is know possible to achieve by entering Entra ID > All Devices > Devices Settings and changing the option in "Local Administrator Settings".- Hi
The user who joins the device to AAD is an administrator by default. There is no setting to disable it.
The only way around it is to use Autopilot. That way you can configure if the user who joins the device becomes local admin or not.
Kind regards
Thijs- Hi.
Yes, I have been looking into the Autopilot option too. But as all devices are in use now, I dont have the Hardware ID's, and devices should not be formatted.
Currently I am testing using a Enrollment manager - so far working fine, by enrolling using that, and then "Change user". Other users are not Local administrators.
Is that an option on the long term?
I can see company portal is added on both accounts, and I can deploy software, as long as its on device level.- That's one way to do it.
But I would advise Autopilot, you can use it for existing devices too
