Managing the Administrators Group with Intune

Published by david on

Prerequisites

  • A security group with your device administrators in Entra ID

Step 1: Access Microsoft Entra ID

Step 2: Create a Policy to Manage Local Administrators

  • Navigate to Devices / All devices.
  • Select Device Settings
  • Change Local Administrator setting

This option blocks the users’ enrollment from being added to the local administrators group.

Step 3: Access Microsoft Intune

    Step 3: Configure the Local User Group Membership

    • Select Endpoint Security
    • Select Account protection

    • Create Policy: Click on Create policy.
      • Platform: Select Windows 10 and later.
      • Profile type: Select Local user group membership
      • Click Create

    Tab Basics:

    • Enter a Name for the profile, e.g., “Manage Local Admin Group”.
    • Optionally, add a Description.

    Tab Configuration settings:

    • Select the group to modify: Choose Administrators.
    • Members: Add the users or Azure AD groups you want to be members of the local Administrators group. You can use the user principal names (UPNs) or Azure AD object IDs.

    Example:

    • Enter user1@yourdomain.com for individual users.
    • Enter group1@yourdomain.com for groups.

    Assignments:

    • Assign the profile to specific groups of devices or users that need this configuration. Click on Add groups and select the appropriate Azure AD groups.

    Review + Create:

    • Review the settings and click on Create to create the profile.

    Step 4: Monitor the Policy

    • Navigate to Devices: Go back to the Devices section.
    • Monitor: Under Monitor, select Per settings or Per device to see the status of the policy deployment.
    • Ensure the policy is applied successfully to the target devices.

    Troubleshooting Tips

    • Policy Conflicts: Ensure there are no conflicting policies that modify the local Administrators group.
    • Permissions: Verify that the users or groups specified in the policy have the correct permissions.
    • Device Sync: Ensure that devices are syncing with Intune. Users can manually sync their devices by going to Settings > Accounts > Access work or school, selecting the account, and clicking Info > Sync.
    Categories: Intune
    Tags:

    0 Comments

    Leave a Reply

    Avatar placeholder

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    Related Posts

    Intune

    How to Pin Applications to the Start Menu with Microsoft Intune

    Learn how to pin applications to the Windows 10 Start Menu using Microsoft Intune and the Export-StartLayout cmdlet. This guide provides step-by-step instructions to create and deploy a custom Start Menu layout, enhancing user productivity and maintaining consistency across managed devices.

    Intune

    Configure a Desktop Wallpaper Using Intune

    Learn how to use Microsoft Intune to configure and deploy a custom desktop wallpaper across Windows 11 Enterprise devices. This guide provides step-by-step instructions for creating a device configuration profile in Microsoft Endpoint Manager, ensuring brand consistency and a professional look for your organization.

    Intune

    Event Viewer “DeviceManagement-Enterprise-Diagnostics-Provider”

    Learn how to use Event Viewer to monitor and analyze events generated by the "DeviceManagement-Enterprise-Diagnostics-Provider" in Windows. This guide helps system administrators diagnose and resolve enterprise device management issues using detailed event logs.