A best practice to reduce your attack surface on Windows 10/11 devices is to not have any local device administrators. You can achieve this using things like Autopilot. However, if devices are added manually to Azure AD by a user, then that user becomes a local device administrator by default. You can manually go in and remove them from the local Administrators group on the device, but Endpoint Manager allows you to do this with a policy.
Navigate to https://endpoint.microsoft.com and log in as a tenant administrator. Select Endpoint security from the left menu, then Account protection. Select Create Policy. Select the option for Windows 10 and later as the platform and then Local user group membership for the profile as shown above. Then select Create at the bottom to create the policy.
After you have given the policy a name you should see the options displayed above, allowing you to select which local group you want to work with.
At the moment, these are the groups you can work with. Here we’ll select Administrators.
And these are the actions. Here we’ll select Remove (Update).
All you then need to do is select the users or groups from your Azure AD you wish this actioned on. Beware here: if you want select users removed then you will need to add those users individually, not via a group like All users for example. The policy, at least in my experience, doesn’t enumerate a group to include all the users inside that group. Thus, if you select the group All users say, only that exact group will be actioned, not all the users who may be part of that group. In short, the actions only apply to the unique object ID of the items you select here, not items that may be contained within them.
You then continue with the policy creation process and assign the policy. With this, you’ll generally want to apply it to devices but you can do users or specific groups if desired as with any Endpoint policy.
Of course, you should test the impact of removing things like local device administration before you implement it widely across your whole environment. You may also want to consider some form of ‘break glass’ account if need be. That too can be done via a policy if you need to.
Once you have completed and saved the policy it will be applied to your environment.
To verify the policy has been applied to a device, run the Computer Management utility as shown above. Expand Local Users and Groups on the left and select Groups below this. Then on the right select Administrators and ensure the desired users don’t appear here.
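The same check can be scripted. The following PowerShell is an added example, not part of the original post: it lists the members of the local Administrators group, flags any that are not on a hypothetical allow-list (`$AllowedAdmins`, with constructed sample names), and checks whether the current sign-in session still carries the Administrators SID, since a session that was already signed in keeps its existing token until sign-out.

```powershell
# Added example (not from the original post). $AllowedAdmins is a hypothetical
# allow-list with constructed sample values; adjust it for your environment.
$AllowedAdmins = @('Administrator', 'BreakGlassAdmin')

# Resolve the built-in Administrators group by its well-known SID so the
# check also works on non-English Windows installations.
$adminSid  = 'S-1-5-32-544'
$sidObject = New-Object System.Security.Principal.SecurityIdentifier($adminSid)
$groupName = $sidObject.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# Enumerate members through ADSI. Members that Windows cannot resolve to a
# name (for example directory role entries) may appear as a raw SID string.
$group   = [ADSI]"WinNT://./$groupName,group"
$members = foreach ($m in $group.psbase.Invoke('Members')) {
    [pscustomobject]@{
        Name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        Path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

# Anything not on the allow-list is reported for review.
$unexpected = @($members | Where-Object { $AllowedAdmins -notcontains $_.Name })

# Group changes only reach a user's access token at the next sign-in, so also
# inspect the current session. whoami lists deny-only (non-elevated) entries
# as well; /nh drops the localized header so fixed column names can be used.
$token = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes
$tokenHasAdmin = [bool]($token | Where-Object { $_.SID -eq $adminSid })

$members | Format-Table -AutoSize

if ($unexpected.Count -gt 0) {
    Write-Warning ('Unexpected local administrators: ' + ($unexpected.Name -join ', '))
}
if ($tokenHasAdmin) {
    Write-Warning ('This session token carries the Administrators SID. ' +
        'If this user was just removed, sign out and back in, then re-check.')
}
```

Run it in the signed-in user's own session; the token check describes the session the script runs in, not other users of the device.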
Endpoint security policies in Endpoint Manager make it easy to configure the main local groups on your Windows 10 devices to help you be more secure.
9 thoughts on “Removing local device administrators using Endpoint Manager”
It’s a very helpful article.
I’ve set my policy to Remove the user who joined the device in Azure AD from the admin group so that they don’t have local admin permissions and in Intune I see the policy status as OK, even when I go to view the admin group in my devices, I no longer see the user I deleted with my policy, i.e. the user who enrolled the device should no longer have local admin permissions, is that correct? However, it still has the permissions and they are only changed when I log out or restart the device. Is this normal behavior? Will it only work after reboot or logout?
Once the policy is applied to the device it takes a reboot or logout event typically. It all depends as to how you have assigned that policy – by device or by user.
Hello, thank you very much for your answer. My policy is assigned to a user group, not devices, however it doesn’t take effect until I reboot or log out.
Once it is applied I assume it stays applied. Remember, policies are not applied immediately and can take quite a while to apply. Rebooting and logging out tend to make this happen quicker. Try forcing a refresh of the policy manually using the Settings | User Accounts | Access work or school | Info | Sync.
I can’t get this to work. I assigned my policy from Intune and in a few minutes it already appeared as applied correctly, even when I checked the local administrators group on my device, I noticed that the policy applied correctly but when testing the user’s permissions, he is still an administrator on the device. I assigned the directive and tested it after two days and the user’s permissions do not change.
In the end you’ll need to troubleshoot back through the policy to ensure it is applied to the device and is set correctly. It should work as I had no issues. Call MS if you need to but my guess is that it is a config issue you’ve overlooked.
Thank you very much for the help. One last question, do you recommend applying this policy to a group of users or devices?
Generally devices, as users don’t share machines. If they do, users.