Enroll device in intune in corporate status

Ismaele Giallombardo 0 Reputation points
2024-11-18T11:58:09.7166667+00:00

Hi experts,

(Sorry for my English)

I want to enroll Windows 11 Pro devices without wiping data.

These PCs have a local admin user, and I want to downgrade this user to a standard user (I did it with a PowerShell script), but there are some problems.

I want to enroll them as "corporate" devices, and the problem is that when I try to enroll them, it works, but I cannot log on with the local user (and this is OK, no problem). I want my users in my AD organization to be standard users and not admins. I want only tenant admins to be able to make modifications to the system. What can I do?

PS. With Autopilot, the tenant admins are admins of the system in the same configuration.


1 answer

  1. ZhoumingDuan-MSFT 14,870 Reputation points Microsoft Vendor
    2024-11-19T01:51:56.3166667+00:00

    @Ismaele Giallombardo, Thanks for posting in Q&A.

    Based on my research, I find that Autopilot is the only enrollment option that restricts the user from becoming a local admin, by choosing "Standard user" when assigning the profile. To make devices "Corporate", you can try to enroll the device using Windows automatic enrollment, but it will still add the user to the local Administrators group automatically.

    If you would like to restrict the user from being a local admin, as a workaround there is a feature under Endpoint security > Account protection > Local user group membership to manage local user group membership. We can choose Remove (Update) if we want to remove a specific user from the local Administrators group. Here is a link with more details for your reference.

    https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207

    As a note, removing the built-in Administrator account from the built-in Administrators group is blocked at the SAM/OS level for security reasons. Attempting to do so will result in failure.

    https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups#what-happens-if-i-accidentally-remove-the-built-in-administrator-sid-from-the-administrators-group

    Hope the above information can help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
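The following is an added example for the answer above; it is not code from the original thread or from Microsoft. It audits the local Administrators group on a Windows 10/11 device and builds the `<GroupConfiguration>` XML that the LocalUsersAndGroups policy CSP (the same policy behind the "Local user group membership" setting under Endpoint security > Account protection) consumes. It uses the Update action to remove the leftover local admin accounts while leaving the built-in Administrator (RID 500, which SAM will not let you remove anyway) and the Entra ID principals added at join time in place. It assumes an elevated session with the Microsoft.PowerShell.LocalAccounts module that ships with Windows; the `$sample` list at the bottom is a constructed stand-in for real `Get-LocalGroupMember` output, and the function names are my own.

```powershell
# Added example (not from the original thread): audit the local Administrators
# group and generate LocalUsersAndGroups CSP XML that removes extra local admins.
# Assumptions: run elevated on Windows 10/11; Microsoft.PowerShell.LocalAccounts
# module available; $sample below is constructed data, not a real device.

function Get-AdminCleanupPlan {
    param(
        # Objects with Name, SID and PrincipalSource, as Get-LocalGroupMember returns them.
        [object[]]$Members = (Get-LocalGroupMember -SID 'S-1-5-32-544')
    )
    $keep   = [System.Collections.Generic.List[object]]::new()
    $remove = [System.Collections.Generic.List[object]]::new()
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        if ($sid -like 'S-1-5-21-*-500') {
            # Built-in Administrator: protected at the SAM level, removal would fail anyway.
            $keep.Add($m); continue
        }
        if ($sid -like 'S-1-12-1-*') {
            # Entra ID principal (the tenant admin role SIDs live here). Kept, but review
            # the list manually: an ordinary Entra user added to the group also matches.
            $keep.Add($m); continue
        }
        if ($m.PrincipalSource -eq 'Local') {
            # Any other local account: the leftover local admins the question describes.
            $remove.Add($m); continue
        }
        $keep.Add($m)   # well-known or domain SIDs are left untouched by this plan
    }
    [pscustomobject]@{ Keep = $keep.ToArray(); Remove = $remove.ToArray() }
}

function New-LocalUsersAndGroupsXml {
    param([object[]]$RemoveMembers)
    # action="U" (Update) applies only the listed add/remove entries; "R" (Restrict)
    # would replace the whole membership, which is riskier on an already-joined device.
    # The group is referenced by SID so the policy also works on localized builds.
    $lines = @(
        '<GroupConfiguration>',
        '    <accessgroup desc="S-1-5-32-544">',
        '        <group action="U" />'
    )
    foreach ($m in $RemoveMembers) {
        $lines += ('        <remove member="{0}" />' -f [string]$m.SID)
    }
    $lines += '    </accessgroup>'
    $lines += '</GroupConfiguration>'
    $lines -join "`n"
}

# Constructed sample membership (names and SIDs are made up) so the logic can be
# tried without touching the real group; omit -Members to audit the live device.
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator'; SID = 'S-1-5-21-1111-2222-3333-500';  PrincipalSource = 'Local' },
    [pscustomobject]@{ Name = 'PC01\oldadmin';      SID = 'S-1-5-21-1111-2222-3333-1001'; PrincipalSource = 'Local' },
    [pscustomobject]@{ Name = 'S-1-12-1-4-5-6-7';   SID = 'S-1-12-1-4-5-6-7';             PrincipalSource = 'AzureAD' }
)
$plan = Get-AdminCleanupPlan -Members $sample
"Keep:   " + (($plan.Keep   | ForEach-Object Name) -join ', ')
"Remove: " + (($plan.Remove | ForEach-Object Name) -join ', ')
New-LocalUsersAndGroupsXml -RemoveMembers $plan.Remove
```

Run it once with the sample to see the plan, then without `-Members` on a pilot device to get the real list; paste the generated XML into the policy, and after it applies re-run `Get-LocalGroupMember -SID 'S-1-5-32-544'` to confirm that only the built-in Administrator and the tenant admin role SIDs remain.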
