Intune Device Management – Removing Local Admins in Windows 10 Devices

Following up on the post about renaming Windows 10 devices managed by Intune, another frequent requirement is removing local user accounts from the built-in Administrators group. In this setup the Azure AD user account is provisioned as a standard user, so any leftover local account that is still a member of Administrators is an easy path to unauthorized privileged access; removing those accounts is critical to securing the device. This can be accomplished with the PowerShell script below, deployed through Intune. It uses the WinNT ADSI provider, which works in both the 32-bit and 64-bit PowerShell hosts and handles Azure AD members without error.

# Remove every local user account except the built-in Administrator from the local Administrators group.
# Azure AD and domain principals have a different AdsPath prefix and are left untouched.
$computerName   = hostname
$LocalGroupName = "Administrators"
$LogFile        = "C:\Windows\Temp\RemoveUsersFromAdminGroup.log"

$Group = [ADSI]("WinNT://$computerName/$LocalGroupName,group")

$Group.Members() | foreach {
    # Each member is a COM object; read its AdsPath, e.g. WinNT://PC01/jdoe or WinNT://AzureAD/user@tenant
    $AdsPath = $_.GetType().InvokeMember('Adspath', 'GetProperty', $null, $_, $null)
    $a = $AdsPath.split('/', [StringSplitOptions]::RemoveEmptyEntries)
    $Names  = $a[-1]   # account name
    $Domain = $a[-2]   # this computer's name for local accounts; AzureAD or the AD domain otherwise

    # Only local accounts (domain part equals this computer) other than the built-in Administrator are removed
    If ($Domain -eq $computerName -and $Names -ne "Administrator") {
        Add-Content $LogFile "User $Names found on computer $computerName ... "
        $Group.Remove("$AdsPath")
        Add-Content $LogFile "Removed"
    }
}

Below are the high-level steps to be performed.

  1. Create an Azure AD device security group with static or dynamic membership rules (for example, include all Azure AD joined devices).
  2. Create a PowerShell script with the commands to remove local users from the Administrators group.
  3. Create a PowerShell script profile in Intune and upload the script.
  4. Assign the profile to the device security group created in step 1.
  5. Review the deployment status per user or per device.

Follow the steps from that post and replace the PowerShell script with the one above. Leave the profile's "Run this script using the logged on credentials" setting at No so the script runs in the system context; a standard user cannot change the membership of the Administrators group. Once the script profile is deployed and the device has synced, the local accounts that are members of the Administrators group are removed. The log is written to C:\Windows\Temp\RemoveUsersFromAdminGroup.log

Hurray! The local user account(s) have been automatically removed from the Administrators group.
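The version below is an added example for the procedure above; it is not the script from the original post. It keeps the same WinNT ADSI approach but adds what a deployment at scale needs: an allow-list of local accounts that must keep admin rights (the name BreakGlass is a placeholder for something like a LAPS-managed account), a dry-run switch for the first rollout ring, timestamped logging, a post-removal verification pass that covers step 5, and a non-zero exit code so Intune reports the device as failed instead of succeeded when a removal does not take effect. The log path is the same placeholder location the post uses.

```powershell
# Added example (not the original post's script): remove local accounts from the
# built-in Administrators group with an allow-list, dry-run mode, logging and
# an Intune-visible exit code. Intended to run in the system context via Intune.
$ErrorActionPreference = 'Stop'
$LogPath   = 'C:\Windows\Temp\RemoveUsersFromAdminGroup.log'
$AllowList = @('Administrator', 'BreakGlass')   # local accounts that keep admin rights; 'BreakGlass' is a placeholder
$DryRun    = $false                              # $true = log what would be removed, change nothing

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

function Get-LocalAdminMembers {
    # Enumerate the Administrators group through the WinNT provider and classify
    # each member by its AdsPath: WinNT://<computer>/<name> is a local account,
    # WinNT://AzureAD/<upn> or WinNT://<domain>/<name> is not and is never touched.
    $computerName = $env:COMPUTERNAME
    $group = [ADSI]"WinNT://$computerName/Administrators,group"
    foreach ($member in $group.Members()) {
        $adsPath = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
        $parts   = $adsPath.Split('/', [StringSplitOptions]::RemoveEmptyEntries)
        [pscustomobject]@{
            Name    = $parts[-1]
            Domain  = $parts[-2]
            AdsPath = $adsPath
            IsLocal = ($parts[-2] -eq $computerName)
        }
    }
}

$removed = @()
try {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

    # foreach evaluates the member list fully before iterating, so removing
    # entries while looping is safe here.
    foreach ($m in Get-LocalAdminMembers) {
        if (-not $m.IsLocal) {
            Write-Log "Skipping non-local member $($m.Domain)\$($m.Name)"
            continue
        }
        if ($AllowList -contains $m.Name) {
            Write-Log "Keeping allow-listed local admin $($m.Name)"
            continue
        }
        if ($DryRun) {
            Write-Log "DRY RUN: would remove $($m.Name) ($($m.AdsPath))"
        } else {
            $group.Remove($m.AdsPath)
            Write-Log "Removed $($m.Name) from Administrators"
        }
        $removed += $m.Name
    }

    # Verification pass: anything local and not allow-listed that is still a
    # member means the removal failed, so report it and fail the script.
    if (-not $DryRun) {
        $remaining = Get-LocalAdminMembers |
            Where-Object { $_.IsLocal -and ($AllowList -notcontains $_.Name) }
        if ($remaining) {
            Write-Log "ERROR: still members after removal: $($remaining.Name -join ', ')"
            exit 1
        }
    }

    Write-Log ("Completed: {0} local account(s) processed" -f $removed.Count)
    exit 0
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1   # non-zero exit makes Intune show the script as failed on this device
}
```

Roll it out with $DryRun set to $true to a pilot group first and read the log to confirm only the accounts you expect are listed, then flip it to $false for the production assignment. The exit code matters: with exit 0 on every path Intune would report success even when a removal silently failed, which is exactly the case you want to see in the per-device status from step 5.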
