Restricting the Local Admins group – Intune

Sometimes, a device that should be onboarded with Autopilot, doesn’t get onboarded with Autopilot – for example, I recently uploaded the hardware hashes for several hundred devices provided by a hardware vendor.  The majority of these devices kicked into Windows Autopilot and onboarded with the appropriate Deployment Profile assigned.

But I noticed that a very small number of devices did not onboard correctly, and while this isn’t a huge issue for the user, there were a few things that could cause an issue – two immediately spring to mind

  1. The computer name is randomly generated instead of having the computer name that should be configured via the Autopilot Deployment Profile
  2. The user is made a Local Administrator on the device by default….  GREAT DANGER!!!

Now you could go into troubleshooting mode, deleting hardware hashes, and trying to upload new ones (keep in mind that the Intune device needs deleting too if deleting the autopilot object), basically, huge disruption to the user.

But as the device is mostly in a configuration that is acceptable, I thought that surely there is a less disruptive way to remedy these issues.

In this blog, I will detail how using Intune CSP Configuration Profiles to manage the Built In Local Administrator group can resolve this issue of a faulty Autopilot Onboarding (as well as a good way to prevent “accidental modifications” of the local admin group on a device).

Windows 10 pre version 20H2

For pre Windows 10 20H2 devices, I use the RestrictedGroups CSP

This CSP will essentially replace every object in the Built In Local Administrator group.  By default, the Built-in local admin account will need to be part of this as will the SIDs for the two Azure AD roles (Global Admin and Azure AD joined device local administrator).

This is example of the XML text (I have kept it basic here, but it is common to add an IT Support group) :

<groupmembership>
	 <accessgroup desc = "Administrators">
		<member name = "Administrator" />
		<member name = "Global Administrator Role SID" />
		<member name = "Azure AD joined device local administrator Role SID" />
	</accessgroup>
</groupmembership>

I created the following Custom Configuration Profile in Intune

Profile nameWin 10 – Custom – Policy CSP – RestrictedGroups
Profile DescriptionConfigures the Local Admin Group (Windows 10 devices v2004 and earlier)

OMA-URI Settings

NameConfigure Restricted Groups
DescriptionConfigure Restricted Groups
OMA-URI./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
 Data TypeString
ValueXML Text

Windows 10 20H2 and later and Windows 11

For Windows 10 20H2 (and later) and Windows 11 devices, I use the LocalUsersAndGroups CSP

There are a number of options with this CSP, but I will focus on the “R” replace option to secure the Built In Local Administrator group. When using the replace option, it is required to always specify the administrator as a member as well as any other custom members.

An example of this XML (Like the previous CSP, I’ve kept it basic, but the option to add an IT Support group also exists here):

<GroupConfiguration>
	<accessgroup desc = "Administrators">
		<group action = "R" />
                        <add member = "Global Administrator Role SID"/>
                        <add member = "Azure AD joined device local administrator Role SID"/>
			<add member = "Administrator"/>
	</accessgroup>
</GroupConfiguration>

NOTE: I found that if I did not place the the Built In Local Administrator account at the end of the access group block, the profile would fail to apply.

I created the following Custom Configuration Profile in Intune

Profile nameWin 10 – Custom – Policy CSP – LocalUsersAndGroups – Restrict Local Admins Group
Profile DescriptionConfigures the Local Admin Group

OMA-URI Settings

NameLocalUsersAndGroups
DescriptionLocalUsersAndGroups
OMA-URI./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
 Data TypeString
ValueXML Text

Mixed Windows 10 version Environment

If you’re in an environment where you have a mix of Windows 10 versions, Microsoft recommend that you do not mix these two CSPs on a single device.

The option to use two separate Azure AD Dynamic Device groups is one way to deploy these Configuration Profiles, but I have recently been exploring the Intune Filters features, and I think this is a more efficient way to deploy these two Configuration Profiles

I created a Filter called Windows 10 Device v2004 and earlier with the rule syntax:

(device.manufacturer -eq “Microsoft Corporation”) and (device.osVersion -contains “10.0.18362”) or (device.osVersion -contains “10.0.18363”) or (device.osVersion -contains “10.0.19041”)

Assigning Profiles

I have assigned the profile Win 10 – Custom – Policy CSP – LocalUsersAndGroups – Restrict Local Admins Group to my Azure AD group Device – Win – All Managed Windows and selected Excluded filtered devices in assignment with the Windows 10 v2004 and earlier filter

I have assigned the profile Win 10 – Custom – Policy CSP – RestrictedGroups to the same Device – Win – All Managed Windows Azure AD group and selected Include filtered devices in assignment with the Windows 10 v2004 and earlier filter

MVP-LAB-001 (Windows 10 v20H2)

Filter Evaluation

Results

Built in Administrator group before profile assigned – User Demo01 is in the group

Built in Administrator group after profile assigned – User Demo01 as been removed from the group and only the objects specified in the CSP remain.

MVP-LAB-002 (Windows 11)

Filter Evaluation

Results

Built in Administrator group before profile assigned – User Demo01 is in the group

Built in Administrator group after profile assigned – User Demo01 as been removed from the group and only the objects specified in the CSP remain.

MVP-LAB-003 (Windows 10 v1909)

Filter Evaluation

Results

Built in Administrator group before profile assigned – User PaulWarren is in the group

Built in Administrator group after profile assigned – User PaulWarren as been removed from the group and only the objects specified in the CSP remain.

P.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s