
90% of the vulnerabilities exploited on Windows 10 could have been mitigated if end users were working with standard accounts instead of accounts holding local administrator rights.
Anyone who works in the digital workplace or modern management space will agree on how important it is to deny end users local administrator rights.

The statistic above is taken from the Microsoft Vulnerabilities Report 2021.
Revoking end users' local administrator rights is easier said than done. Or is it?
Let's take a quick look at the different ways we can manage local administrator accounts on modern Windows 10 endpoints with Intune.
Different options for managing local administrator accounts on Windows 10 endpoints with Intune
When discussing local administrator accounts on Windows 10 endpoints managed by MEM/Intune, we must consider the two join states a device can be in:
- Azure AD joined, and
- Hybrid Azure AD joined
Regardless of the join state, the user account that performs the join is added to the local Administrators group on the endpoint. This is by design.
The above also applies to hybrid join through Windows Autopilot, unless the Autopilot deployment profile has been configured to provision the user as a standard account.
For security reasons, you may well be uncomfortable with the idea of granting end users local administrator rights.
So how do you prevent end users from getting local administrator rights on their workstations?
As an Intune admin, you can prevent end users from becoming local administrators by provisioning devices with Windows Autopilot, which lets you define the end user account on the endpoint as a standard account (the "User account type" setting of the deployment profile).
Note that controlling local administrator rights through Autopilot only works when provisioning new devices.
What about Azure AD joined / Hybrid Azure AD joined devices that were not provisioned through Autopilot?
On these devices the joining user account has already been added to the local Administrators group. You can, however, deploy a PowerShell script through Intune to remove the end user account from the local Administrators group on the endpoint.
Use net localgroup Administrators "AzureAD\UserUPN" /delete rather than Remove-LocalGroupMember -Group "Administrators" -Member "AzureAD\UserUPN", as the cmdlet has problems resolving AzureAD\ principals when run on these endpoints.
Does the work end with removing end users' local administrator rights?
Not really.
You also have to consider how an IT service desk engineer will obtain elevated privileges on the endpoint when needed, for service requests, troubleshooting or break-fix scenarios.
Which brings us to the main purpose of this blog post.
Method #1 - Using the Azure AD Joined Device Local Administrator role
For Azure AD joined devices, by design, the security principals of the Global Administrator and Azure AD Joined Device Local Administrator (formerly Device Administrator) roles are added as members of the local Administrators group on the endpoint.

Therefore, anyone holding the Global Administrator or Azure AD Joined Device Local Administrator role can sign in to the endpoint and receive local administrator rights.
But since Global Administrator is the most privileged role available, it should not be used for this purpose.
That leaves us with the Azure AD Joined Device Local Administrator role, which we can use to grant the IT helpdesk team local administrator rights on endpoints.

As you can see in the screenshot above, you can assign the role directly to individual members or to a group.
The accounts assigned the Global Administrator / Azure AD Joined Device Local Administrator role receive local administrator rights on all Azure AD joined Windows 10 endpoints in the tenant. The roles sit in the local group as SIDs (S-1-12-1-...), so a user added to or removed from the role sees the change on a device only at the next sign-in with a refreshed token; removal is not instant.
Method #2 - Configure additional local administrators via Device settings in Azure AD
What we just did can also be configured as follows.
Sign in to the Azure portal
- Navigate to Devices
- Select Device settings
- Click the Manage Additional local administrators on all Azure AD joined devices link

- Click Add assignments
- Select the required user(s) or group(s) and click Add

This is a premium feature, only available in Azure AD tenants with at least one Azure AD Premium P1 or P2 license.
Both methods above are tenant-wide configurations and apply to all Azure AD joined devices; they cannot be scoped to the device level.
What if you have a requirement to manage local administrator accounts at the device level?
That leads us to the next method, which lets us define specific accounts or groups as members of the local Administrators group on the endpoint.
You can configure this through Intune as a custom OMA-URI configuration profile and thereby control the deployment. This allows configuring different administrators for different devices.
Method #3 - Configuring local administrators via Intune with custom OMA-URI profiles
Depending on the Windows 10 version, there are two different Configuration Service Providers you can use for this purpose.
Using the RestrictedGroups CSP - Windows 10 1803 to Windows 10 2004
Create a custom OMA-URI profile in Intune with the details below.
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
Data type: String
Value: <XML content>, for example:
    <groupmembership>
        <accessgroup desc="Administrators">
            <member name="Administrator"/>
            <member name="AzureAD\UserUPN"/>
        </accessgroup>
    </groupmembership>
From the MS documentation: when a Restricted Groups policy is enforced, any current member of the restricted group that is not on the Members list is removed, and any principal on the list that is not yet a member is added. An empty Members list means the restricted group has no members. The membership configuration is based on SIDs, so renaming these built-in groups does not affect retention of this special membership. In practice the list must therefore be the complete desired membership: leave out the built-in Administrator account or the Azure AD role SIDs from Method #1 and they get removed.
Note that the RestrictedGroups/ConfigureGroupMembership policy does not have a "member of" capability.
Using the LocalUsersAndGroups CSP - starting with Windows 10 20H2
Create a custom OMA-URI profile in Intune with the details below.
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
Data type: String
Value: <XML content>, for example:
    <GroupConfiguration>
        <accessgroup desc="Administrators">
            <group action="U"/>
            <add member="AzureAD\UserUPN"/>
            <add member="<SID of the Azure AD group to add>"/>
        </accessgroup>
    </GroupConfiguration>
To add user accounts, use the format "AzureAD\UserUPN". To add Azure AD groups, you must specify the group's SID (MS documentation). Action "U" updates the group by adding the listed members, "R" restricts the group to exactly the listed members, and the CSP also accepts <remove member="..."/> entries.
Wondering how to obtain the SID value for an Azure AD user or group? Check out the blog post by MVP Oliver Kieselbach.
If you configure local administrator accounts with either CSP policy (RestrictedGroups or LocalUsersAndGroups), make sure you know the operating system language of the endpoint.
The name defined in the <accessgroup> tag must be the exact name of the local group on the endpoint, because in some languages the name of the Administrators group is localized (Administratoren, Administradores, and so on). With LocalUsersAndGroups you can sidestep this by referring to the group through its well-known SID, S-1-5-32-544, in the desc attribute instead of the name.
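Here is an added example, not code from the original post or from Microsoft, that automates the two fiddly parts above: converting an Azure AD object ID into the S-1-12-1-... SID the CSP expects, and emitting the LocalUsersAndGroups XML with the Administrators group addressed by its well-known SID so the profile is language-independent. The function names, the object ID and the UPN are placeholders I made up; the SID mapping it implements (the four 32-bit little-endian words of the object's GUID, in [Guid]::ToByteArray() order, after the S-1-12-1 prefix) is the one Azure AD principals carry on Windows.

```powershell
# Added example, not from the original post. Object ID and UPN below are constructed.

function Convert-AzureAdObjectIdToSid {
    # Azure AD principals appear on a Windows endpoint as S-1-12-1-<a>-<b>-<c>-<d>,
    # where a..d are the four 32-bit little-endian words of the object's GUID,
    # taken in the byte order that [Guid]::ToByteArray() produces.
    param([Parameter(Mandatory)][string]$ObjectId)
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $words = for ($i = 0; $i -lt 16; $i += 4) { [BitConverter]::ToUInt32($bytes, $i) }
    return 'S-1-12-1-' + ($words -join '-')
}

function New-LocalAdminGroupXml {
    # Builds the value for ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure.
    # Groups must be given as SIDs, users as AzureAD\<UPN>; 'U' adds the listed members,
    # 'R' restricts the group to exactly the listed members.
    param(
        [string[]]$GroupObjectIds = @(),
        [string[]]$UserUpns = @(),
        [ValidateSet('U', 'R')][string]$Action = 'U'
    )
    $members = [System.Collections.Generic.List[string]]::new()
    foreach ($id in $GroupObjectIds) {
        $members.Add('    <add member="{0}"/>' -f (Convert-AzureAdObjectIdToSid -ObjectId $id))
    }
    foreach ($upn in $UserUpns) {
        $escaped = [System.Security.SecurityElement]::Escape("AzureAD\$upn")
        $members.Add('    <add member="{0}"/>' -f $escaped)
    }
    # desc="S-1-5-32-544" is the well-known SID of the built-in Administrators group,
    # so the same profile works on English and on localized Windows installs.
    return @"
<GroupConfiguration>
  <accessgroup desc="S-1-5-32-544">
    <group action="$Action"/>
$($members -join "`n")
  </accessgroup>
</GroupConfiguration>
"@
}

# Constructed sample input: a fictitious helpdesk group object ID and one UPN.
$xml = New-LocalAdminGroupXml -GroupObjectIds 'a1b2c3d4-1111-2222-3333-444455556666' `
                              -UserUpns 'helpdesk.admin@contoso.com'
[xml]$check = $xml            # throws if the generated XML is malformed
Write-Output $xml
Write-Output ("Members declared: {0}" -f @($check.GroupConfiguration.accessgroup.add).Count)
```

Paste the printed XML into the Value field of the custom profile. Because the group is referenced by SID, the same profile can be assigned to devices running any OS language, and the parse step at the end catches a broken payload before it reaches Intune.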
Want to add a non-domain (local) user as a local administrator on a specific group of devices?
We can do that with the Accounts CSP. Create a local Windows account:
OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/<LocalAccountName>/Password
Data type: String
Value: <the password for the account>
Then promote the account to local administrator on the endpoint with another OMA-URI, as shown below.
OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/<LocalAccountName>/LocalUserGroup
Data type: Integer
Value: 2   (1 = Users, 2 = Administrators)
Keep in mind that the password sits as a plain value in the configuration profile, readable by anyone who can view the profile, and that every device in the assignment ends up with the same credential; the consequences are discussed further down.
We can achieve the same through a PowerShell script deployment in Intune; I won't go into those details here.
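For completeness, here is an added example (not code from the original post) of the PowerShell script deployment mentioned here and earlier: an Intune device script that removes every AzureAD\<UPN> member of the local Administrators group that is not on an allowlist, using net.exe as recommended above, and that creates or re-passwords a named break-glass local administrator, the scripted counterpart of the Accounts CSP step. The allowlist entry helpdesk.emea@contoso.com, the account name bg-admin and the function names are placeholders of mine; the script assumes it runs as SYSTEM in 64-bit PowerShell, which is how Intune executes device scripts.

```powershell
<#
  Added example, not code from the original post. Allowlist, account name and
  password alphabet are placeholders. Intune runs device scripts as SYSTEM.
#>

# Resolve the group by its well-known SID so the script also works where it is
# named "Administratoren", "Administradores", and so on.
$AdminGroup = (Get-LocalGroup -SID 'S-1-5-32-544').Name

$AllowedUpns    = @('helpdesk.emea@contoso.com')   # placeholder: Azure AD users allowed to keep admin
$BreakGlassName = 'bg-admin'                        # placeholder: local break-glass admin account

function Get-LocalAdminMembers {
    # 'net localgroup' prints the members after a dashed separator and ends the list
    # at the first blank line, whatever language the surrounding text is in.
    $lines = & net.exe localgroup $AdminGroup 2>&1 | ForEach-Object { "$_" }
    $inList = $false
    foreach ($line in $lines) {
        if (-not $inList) { if ($line -match '^-{5,}') { $inList = $true }; continue }
        if ([string]::IsNullOrWhiteSpace($line)) { break }
        $line.Trim()
    }
}

function Remove-UnapprovedAzureAdAdmins {
    param([string[]]$Allowed)
    $removed = @()
    foreach ($member in Get-LocalAdminMembers) {
        # Only AzureAD\<UPN> entries are candidates. The built-in Administrator, domain
        # principals and the role/group SIDs (S-1-12-1-...) are left untouched.
        if ($member -match '^AzureAD\\(.+)$' -and ($Allowed -notcontains $Matches[1])) {
            # net.exe, not Remove-LocalGroupMember: the cmdlet fails to resolve these principals.
            & net.exe localgroup $AdminGroup $member /delete | Out-Null
            if ($LASTEXITCODE -eq 0) { $removed += $member } else { Write-Warning "Could not remove $member" }
        }
    }
    return $removed
}

function New-RandomPassword([int]$Length = 24) {
    # CSPRNG with rejection sampling, so there is no modulo bias toward the first characters.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!$%&*?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = $chars.Length * [math]::Floor(256 / $chars.Length)
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    return $sb.ToString()
}

function Set-BreakGlassAdmin {
    param([string]$Name, [securestring]$Password)
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Set-LocalUser -Name $Name -Password $Password      # rotate on every run
        Enable-LocalUser -Name $Name
    } else {
        New-LocalUser -Name $Name -Password $Password -PasswordNeverExpires -AccountNeverExpires `
            -Description 'Break-glass local administrator (Intune script)' | Out-Null
    }
    if ((Get-LocalAdminMembers) -notcontains $Name) {
        & net.exe localgroup $AdminGroup $Name /add | Out-Null
    }
}

try {
    $removed = Remove-UnapprovedAzureAdAdmins -Allowed $AllowedUpns
    # The new password is deliberately not written anywhere by this script. Without a
    # LAPS-style escrow a rotated secret is useless to the helpdesk, and a fixed one
    # embedded here would be readable by anyone who can open the script in Intune,
    # the same exposure as the Accounts CSP value.
    $secret = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-BreakGlassAdmin -Name $BreakGlassName -Password $secret
    Write-Output ("Removed: [{0}] Current members: [{1}]" -f ($removed -join ', '), ((Get-LocalAdminMembers) -join ', '))
    exit 0
} catch {
    Write-Error $_
    exit 1    # a non-zero exit marks the script as failed in the Intune report
}
```

The removal half is safe to run on its own; the break-glass half only becomes useful once the generated password is escrowed somewhere the helpdesk can reach it, which is exactly the gap the next section turns to.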
If you have followed along, you have now successfully configured specific user accounts or groups to be added to the local Administrators group on the endpoints.
But that brings me to the next question...
Is it good practice to maintain local administrator accounts on modern, managed Windows 10 endpoints?
Since the same account is configured as the local administrator account on multiple devices, a compromise of that account invites lateral movement across all of them.
To mitigate this, a strict and aggressive password rotation policy must be adopted for these accounts.
In a hybrid scenario, where on-premises domain accounts synced to the cloud are configured as local administrator accounts on the endpoints, this is easily done by implementing LAPS.
However, for a cloud-only environment Microsoft has no solution at the time of writing.
You could argue that Azure AD already has Privileged Identity Management (PIM), but activating a role through PIM takes too long to be usable for helpdesk work.
Most of the time, end users approach the helpdesk with the obvious expectation of getting immediate support!
There is a UserVoice item for MEM Intune on this, and as I write this post it already has 3246 votes. If you think it is worth pursuing, go and vote.

Don't get too excited when you see the LAPS administrative templates (ADMX) added to Intune.

As I understand from various sources and my own tests, this is meant for hybrid scenarios in which you have already deployed LAPS and can now use these ADMX templates from Intune instead of GPO.
Hence, the wait for a native LAPS continues...
If you want a solution that offers LAPS-like functionality in a cloud-only environment, take a look at
- Serverless LAPS implementation by MVP Hermie-Team.
- LAPS implementation with Proactive Remediations by MVP Rudy Ooms.
- Lightweight LAPS solution for Intune by It's Lisbon
And recently MVP Nickolaj Andersen announced that he is working on something exciting in this area. Keep an eye on http://msendpointmgr.com for the launch of the solution to learn more about it.

Additional considerations (and there are many...)
There are a few more things that need your consideration!
Say your organization spans multiple regions and you must plan a solution so that the local IT support of each region has local administrator rights only on the workstations belonging to that region. That is, local support staff in region A must not have local administrator rights on workstations in region B, and vice versa.
How would you meet that requirement?
Thinking of an Intune PowerShell script deployment again, containing commands such as
- net localgroup Administrators "AzureAD\<user UPN>" /add for a cloud-only account, or
- net localgroup Administrators "<domain>\<username>" /add for a synced account.
But this requires you to have separate device groups created in Azure AD for the different regions.
For Azure AD joined devices, you cannot simply create a dynamic group containing the devices of a region, because the Azure AD device object does not have a location property like the Azure AD user object has. (For Autopilot-provisioned devices, a group tag or the enrollment profile name can stand in for the missing attribute in a dynamic membership rule.)
You can still create assigned device groups in Azure AD, but that requires a lot of manual effort, since you (or your team) have to check the location of each device by hand and then add it to the required group.
What about running the commands manually on an endpoint?
That isn't a practical option either: since we have already revoked local administrator rights from end users, the endpoints have no local administrator account with which an elevated PowerShell session could be opened to run the commands above.
How about signing in with a Global Administrator account and then running the PowerShell commands?
That would work, but it is not recommended for the reason given earlier, and I haven't seen it done in practice.
Beyond that, there may be scenarios in which local administrator permissions are required for an application or process to work properly, and some power users may need elevation to perform certain tasks.
How would such end users get elevated privileges only when they need them?
This requires a self-service model with which end users can request and obtain just-in-time elevated privileges without compromising security, with limits on the elevated session and audit capabilities for such elevations.
This is not possible with Intune alone, but it can be achieved with an investment in a third-party Privileged Access Management solution such as Admin By Request.
Have a look at my blog posts on how easily you can go admin-less with Admin By Request without affecting the user experience:
1. Tackling local admin with Admin By Request
2. Admin By Request version 7 - what's new?
3. Knowing the support capabilities of Admin By Request
Alternatively, you can look at the open source solution MakeMeAdmin, which lets standard user accounts temporarily elevate to administrator level. Rolling it out to users as-is, without controls, is definitely not a good idea!
Wrap up
So we end this with the same question we started this blog post with...
Revoking end users' local administrator rights is easier said than done. But is it really?
I would like to hear your input. Leave a comment.
That's all for today.
Joymalya Basu Roy (Senior Consultant - Architect)
Joymalya Basu Roy is an Indian IT professional with around 6.5 years of experience in IT support and software services. He completed his B.Tech in Computer Science and Engineering in 2015, is 30 years old as of 2022, is ethnolinguistically Bengali and hails from Kolkata, West Bengal. Currently associated with Atos as Senior Consultant - Architect, he works on T&T projects in the digital workplace area, leading the design and implementation, rollout and support of Microsoft Intune in greenfield/brownfield environments for Android/iOS/Windows. He has had the honour of being recognized by Microsoft as an MVP for Enterprise Mobility in 2021 and 2022-23.