A best practice to reduce your attack surface on Windows 10/11 devices is to not have any local device administrators. You can achieve this using things like Autopilot, however if devices are added manually to Azure AD by a user then that user becomes a local device administrator by default. You can manually go in and remove them from the local administrators group on the device but Endpoint Manager allows you to do this with a policy.
Navigate to https://endpoint.microsoft.com and log in as a tenant administrator. Select Endpoint security from the left menu, then Account protection. Select Create Policy. Select Windows 10 and later as the platform and Local user group membership as the profile, as shown above. Then select Create at the bottom to create the policy.
After you have given the policy a name you should see the options displayed above, allowing you to select which local group you want to work with.
At the moment, these are the groups you can work with. Here we’ll select Administrators.
These are the available actions. Here we’ll select Remove (Update).
All you then need to do is select the users or groups from your Azure AD you wish this actioned on. Beware here: if you want specific users removed, you will need to add those users individually, not via a group such as All users. The policy, at least in my experience, doesn’t enumerate a group to include all the users inside that group. Thus, if you select the group All users, say, only that exact group object will be actioned, not all the users who may be members of that group. In short, the actions apply only to the unique object ID of the items you select here, not to items that may be contained within them.
You then continue with the policy creation process and assign the policy. With this, you’ll generally want to apply it to devices but you can do users or specific groups if desired as with any Endpoint policy.
Of course, you should test the impact of removing things like local device administration before you implement it widely across your whole environment. You may also want to consider some form of ‘break glass’ account if need be. That too can be done via a policy if you need to.
Once you have completed and saved the policy it will be applied to your environment.
To verify the policy has been applied to a device, run the Computer Management utility as shown above. Expand Local Users and Groups on the left and select Groups below this. Then on the right select Administrators and ensure the removed users no longer appear here.
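The same check can be scripted for a fleet of devices. The following is an added example, not code from the original post or from Microsoft: it lists the local Administrators group on the device and flags any member not on an allow-list. The allow-list entries are placeholders you adapt to your tenant (for instance a break-glass account), and it assumes an elevated PowerShell session on a Windows 10/11 device.

```powershell
# Added example (not from the original post): audit the local Administrators group
# after the Intune "Local user group membership" policy has applied.
# Assumes an elevated session on the device. The allow-list is a placeholder.

$Expected = @(
    'Administrator'    # built-in account (RID 500), usually left in place
    'BreakGlassAdmin'  # placeholder: your break-glass local account, if you keep one
)

function Get-LocalAdminMembers {
    # Use the WinNT ADSI provider instead of Get-LocalGroupMember, which can
    # fail on Azure AD joined devices when a member SID cannot be resolved.
    # Azure AD accounts that cannot be resolved show up as a SID string (S-1-12-1-...).
    $group = [ADSI]"WinNT://./Administrators,group"
    foreach ($m in $group.Invoke('Members')) {
        $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{ Name = $name; AdsPath = $path }
    }
}

$members    = Get-LocalAdminMembers
$unexpected = $members | Where-Object { $Expected -notcontains $_.Name }

Write-Host "Local Administrators on ${env:COMPUTERNAME}:"
$members | Format-Table -AutoSize

if ($unexpected) {
    # A non-zero exit code lets a remediation or monitoring script pick this up.
    Write-Warning "Members not on the allow-list (policy may not have applied yet):"
    $unexpected | Format-Table -AutoSize
    exit 1
} else {
    Write-Host "Only expected members remain in Administrators." -ForegroundColor Green
}
```

Run it after a policy sync; a user added at Azure AD join time should no longer be listed once the Remove (Update) action has taken effect.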
Endpoint security policies in Endpoint Manager make it easy to configure the main local groups on your Windows 10 devices to help you be more secure.