Intune Autopilot making local admin on device in error

Jack Fields 125 Reputation points
2025-01-28T10:37:47.0133333+00:00

Hi,

I've tried searching the forums for this specific issue but can't seem to find anything.

Our Intune Autopilot is automatically adding users to the local admin group on new devices we enrol through Intune. We are manually removing them from the local admin group, but this is an issue we need to resolve.

We used to sign into the new devices under our own profiles, meaning that if we were made local admin we just assumed it was because we were set as Global admin in Azure.

The process has changed to where we no longer sign in using our own profiles, but as the new starter.

As part of the Intune process we have to use our admin accounts to sync to the tenant, but that is the only time we use them.


Our current setup is showing as Standard user, not Admin, so we are not sure why this issue has occurred.

I attempted to look into the 'Endpoint security Account protection policy' to see if this could resolve the issue, but I don't believe it's something that will impact Autopilot going forward, e.g. a blocker on all current and future devices having local admin.

Please could someone review and give us an idea of what could be going wrong?
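The question is about finding out who actually sits in the local Administrators group on the affected devices. The script below is an added example, not part of the original post: run elevated on one of the enrolled devices, it lists the group members and separates the two kinds of Entra-derived entries that appear on every Entra-joined device (unresolvable role SIDs for the Global Administrator and Entra Joined Device Local Administrator roles, which start with S-1-12-1) from named Entra users (shown as `AzureAD\<name>`), which are the case the question describes. It assumes the local `Administrator` account is the only expected local member (edit `$expectedLocal`), and it exits with 1 when a named Entra user is found, the convention Intune Remediations use for a non-compliant detection script.

```powershell
# Added example (not from the original post): audit the local Administrators group on an
# Entra-joined device. Assumptions: run elevated; Entra ID user/group/role SIDs carry the
# S-1-12-1 prefix; resolvable Entra users are displayed as "AzureAD\<name>".

$expectedLocal = @('Administrator')   # local accounts you expect to see (assumption, edit)

function Get-AdminMembers {
    try {
        # Preferred path: structured objects with SIDs. On some Entra-joined devices this
        # cmdlet throws ("Principal not found") when an orphaned SID is in the group.
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; SID = $_.SID.Value; Source = "$($_.PrincipalSource)" }
        }
    } catch {
        # Fallback: parse 'net localgroup Administrators', which prints names (or raw SIDs)
        # after a line of dashes and ends with "The command completed successfully."
        $inList = $false
        foreach ($line in (net localgroup Administrators)) {
            if ($line -like '----*') { $inList = $true; continue }
            if ($inList -and $line -and $line -notlike 'The command completed*') {
                [pscustomobject]@{ Name = $line.Trim(); SID = $null; Source = 'net.exe' }
            }
        }
    }
}

$findings = foreach ($m in Get-AdminMembers) {
    $shortName = ($m.Name -split '\\')[-1]
    $isEntraSid = ($m.SID -like 'S-1-12-1-*') -or ($shortName -like 'S-1-12-1-*')
    $kind = if ($m.Name -like 'AzureAD\*') {
        'EntraUser'                 # a named Entra user: this is what the question reports
    } elseif ($isEntraSid) {
        'EntraRoleSid'              # role SID added at join time; present on every Entra-joined device
    } elseif ($shortName -in $expectedLocal) {
        'ExpectedLocal'
    } else {
        'Unexpected'                # anything else (extra local accounts, domain groups, ...)
    }
    [pscustomobject]@{ Kind = $kind; Name = $m.Name; SID = $m.SID; Source = $m.Source }
}

$findings | Sort-Object Kind | Format-Table -AutoSize

# Remediations convention: exit 1 = non-compliant, exit 0 = compliant.
$bad = @($findings | Where-Object { $_.Kind -in 'EntraUser', 'Unexpected' })
if ($bad.Count -gt 0) {
    Write-Output "NON-COMPLIANT: $($bad.Count) unexpected member(s): $(($bad.Name) -join ', ')"
    exit 1
}
Write-Output 'COMPLIANT: only expected local accounts and Entra role SIDs are present'
exit 0
```

Comparing the `EntraUser` rows against the user who completed Autopilot on that device tells you whether it is the enrolling user, the new starter's account, or the admin account used for tenant sync that is being granted membership, which narrows the cause before any profile is recreated.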


2 answers

  1. Pavel yannara Mirochnitchenko 12,706 Reputation points MVP
    2025-01-28T22:08:44.22+00:00

    It seems that you are using cloud-only devices, so only Intune is affecting the configuration. I also would first point you to investigate the account protection objects, but you have already done that. Another idea is to re-create the Autopilot profile again if you don't find any other root causes.


  2. Crystal-MSFT 51,701 Reputation points Microsoft Vendor
    2025-01-29T02:18:42.1733333+00:00

    @Jack Fields, thanks for posting in Q&A. From your description, it seems users in the organization are being added to the local administrators group even though "User account type" is configured as Standard.

    To fix the issue, here are some suggestions you can try:

    1. If the affected device is a new device to enroll, check whether the signed-in user has been granted the Microsoft Entra Joined Device Local Administrator role. If yes, the user will be added to the local administrators group by default.

    https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin

    2. Check the Assigned devices under the Autopilot profile to see if multiple Autopilot profiles are assigned to this device. Keep only one and remove the others.

    3. Remove this Autopilot profile and create a new one to see if the result is different.

    4. If this is an already enrolled device, please ensure the enrolled user has been changed to the user we use to sign in.

    Please try the above suggestions and if there's any update, feel free to let us know.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
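Suggestion 1 above asks whether the signing-in user holds the Microsoft Entra Joined Device Local Administrator role; the Global Administrator role has the same effect, since both roles are placed in the local Administrators group of every Entra-joined device. The following added example (not code from the answer above or from Microsoft) uses the Microsoft Graph PowerShell SDK to list the direct members of both roles and to check one UPN against them. It assumes the `Microsoft.Graph.Authentication` and `Microsoft.Graph.Identity.DirectoryManagement` modules are installed, that the caller can consent to the `RoleManagement.Read.Directory` scope, and that `$CheckUpn` is replaced with the new starter's real UPN (the value shown is a placeholder).

```powershell
# Added example (not from the answer or from Microsoft): list who holds the two Entra roles
# that become local administrators on Entra-joined devices, then check one UPN against them.
# Assumptions: Microsoft.Graph SDK installed; reader has RoleManagement.Read.Directory;
# $CheckUpn is a placeholder for the user who signs in during Autopilot.
param([string]$CheckUpn = 'new.starter@contoso.example')   # placeholder UPN

Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' -NoWelcome

# Get-MgDirectoryRole returns only roles that have been activated in the tenant;
# a role missing from this list has never had a member assigned.
$roles = Get-MgDirectoryRole -All | Where-Object {
    $_.DisplayName -like '*Joined Device Local Administrator*' -or   # old and new display names
    $_.DisplayName -eq 'Global Administrator'
}

$report = foreach ($role in $roles) {
    foreach ($m in (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)) {
        # Members come back as generic directory objects; user details live in AdditionalProperties.
        [pscustomobject]@{
            Role = $role.DisplayName
            Type = ($m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
            Name = $m.AdditionalProperties['displayName']
            UPN  = $m.AdditionalProperties['userPrincipalName']
            Id   = $m.Id
        }
    }
}

$report | Sort-Object Role, Type, Name | Format-Table -AutoSize

$hits = @($report | Where-Object { $_.UPN -eq $CheckUpn })
if ($hits.Count -gt 0) {
    Write-Output "$CheckUpn holds: $(($hits.Role | Sort-Object -Unique) -join ', ') -> will be a local admin on any device they join"
} else {
    Write-Output "$CheckUpn holds neither role directly (membership via a role-assignable group or a PIM-eligible assignment is not expanded here)"
}
```

Rows of type `group` mean the role is granted through a role-assignable group; check that group's membership separately, as the script only reports direct role members. If the new starter appears in either list, the local admin membership is coming from the Entra role rather than from the Autopilot profile, and removing or recreating the profile will not change it.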

