Call4Cloud

Remove all Local Admins!!

In this blog, I will show you how to make sure that, when you perform an Azure AD Join or use Autopilot, there are no additional or unwanted local administrators on the device, by using PowerShell.

I will divide this blog into multiple parts:

  1. Introduction
  2. The PowerShell script

1. Introduction

A while ago, I posted a linked message asking about the differences between a normal Azure AD join and the famous Autopilot function.

Of course, I know the differences… but I wanted to start a conversation. There are a lot of benefits when you make sure you only use Autopilot and block personal devices from being enrolled.

To start with one of the benefits: the possibility to make sure the user who enrolled the device doesn’t become a local admin. This is so important because when the user is a local admin, there is no security!

With Autopilot, you can make sure the user is not a local admin when enrolling their device by configuring the “User Account Type” to “Standard”.

This is a fantastic option, provided they don’t know about the Shift + F10 trick to just create an additional local admin. Luckily, I also wrote a blog about how you can fix that one!

But what if I told you that you can do the same with a regular Azure AD joined device?

2. The PowerShell Option

I am going to show you two options for removing local admin permissions by using PowerShell. The first option writes the PowerShell script to a file and creates a scheduled task to execute it. The second one uses the same PowerShell script, but as an encoded command.

  1. PowerShell Script converted to a Win32App
  2. PowerShell Base64 Encoded Script

1. PowerShell script converted to an IntuneWin app

Let’s start with a nicely written PowerShell script and convert it to a Win32 app, so we can be sure we can deploy this app during the device setup in the Autopilot White Glove flow!

Step 1:

First, you need to know how to create an IntuneWin installer. I am not going to show you how to do it :). Just take a look at the MS Docs:

Prepare a Win32 app to be uploaded to Microsoft Intune | Microsoft Docs

Step 2:

Make sure you set up your own local admin user with the Intune CSP, like I am showing in this blog.

Step 3:

You will need to write a PowerShell script that removes the existing admins from the Administrators group, but you also need to make sure those 2 weird SIDs are removed from the local Administrators group, as shown below.

Those 2 SIDs represent the “Global Administrator” role and the “Device Administrator” role. Everyone who is assigned one of those roles becomes a local administrator on the device, and that’s something I don’t want!

Some notes about the PowerShell Scripts:

* Make sure you remove the “azuread/*” users.

* Beware of the @' at the beginning and the '@ at the end of the script: the script is stored as a here-string.

* Make sure your own created “local admin” is always added to the Administrators group by configuring “$username”.

$content = @'
# Enumerate the members of the local Administrators group through ADSI; each member comes back as "WinNT://<Authority>/<Name>"
$administrators = @( ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') | % { $_.GetType().InvokeMember('AdsPath','GetProperty',$null,$($_),$null) } ) -match '^WinNT'
$administrators = $administrators -replace "WinNT://",""
foreach ($administrator in $administrators)
{
    # Keep the built-in Administrator, the Azure AD accounts and the author's own admin (deltacom); remove everything else
    if ($administrator -like "$env:COMPUTERNAME/administrator" -or $administrator -like "AzureAd/*" -or $administrator -like "$env:COMPUTERNAME/deltacom") { continue }
    Remove-LocalGroupMember -Group "administrators" -Member $administrator
}
# Second pass with net localgroup, whose output also lists the unresolved Azure AD role SIDs.
# The first regex alternative is the localized (Dutch) "command completed successfully" line; the English text is matched as well.
$remove = net localgroup administrators | select -skip 6 | ? {$_ -and $_ -notmatch 'De opdracht is voltooid.|The command completed successfully.|^deltacom$|^administrator$|^admin$'}
foreach ($user in $remove)
{
    net localgroup administrators "$user" /delete
}
# Make sure the admin created through the Intune CSP is always a member of the Administrators group
$username = "cspadmin"
if ($(Get-LocalGroupMember -Group "Administrators").Name -notcontains "$env:ComputerName\$username") {
    Add-LocalGroupMember -Group "Administrators" -Member $username
}
# Set PasswordNeverExpires on every local user account
get-localuser | Set-localUser -PasswordNeverExpires:$True
'@
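A detection counterpart to the script above, as an added example that is not part of the original post: it reports, rather than removes, any member of the local Administrators group that is not on an allow-list, so it can run as the detection half of an Intune remediation pair or as a plain compliance check. The allow-list entries, the event source name and the event ID are assumptions.

```powershell
# Added example (not from the original post): detection script for the local Administrators group.
# It uses the same ADSI enumeration as the remediation script, compares every member against an
# allow-list and exits with 1 when an unexpected member is present, which is the convention Intune
# remediation scripts use to signal "issue detected" (exit 0 means compliant).

# Assumed allow-list: the built-in Administrator and the admin created through the Intune CSP.
$AllowedMembers = @(
    "$env:COMPUTERNAME/Administrator",
    "$env:COMPUTERNAME/cspadmin"
)

function Get-LocalAdministrators {
    # Returns the members of the local Administrators group as "<Authority>/<Name>".
    # Members that cannot be resolved to a name (such as the Azure AD role SIDs) are returned
    # as their SID string, so they end up in the report as well.
    $members = ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members')
    foreach ($member in $members) {
        $adsPath = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
        $adsPath -replace '^WinNT://', ''
    }
}

function Test-LocalAdministrators {
    # Returns every current member that is not on the allow-list (case-insensitive comparison).
    param([string[]]$Allowed = $AllowedMembers)
    return @(Get-LocalAdministrators | Where-Object { $Allowed -notcontains $_ })
}

$unexpected = @(Test-LocalAdministrators)
if ($unexpected.Count -gt 0) {
    # Record the finding in the Application log for log collection, then signal "issue found".
    $source = 'RemoveAdmin'   # assumed event source name; registered on first use
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    $message = "Unexpected local administrators: " + ($unexpected -join ', ')
    Write-EventLog -LogName Application -Source $source -EntryType Warning -EventId 1000 -Message $message
    Write-Output $message
    exit 1
}
Write-Output "Only allowed local administrators are present."
exit 0
```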

Step 4: Take the here-string content, create a folder, and write it to a file on the device. In this example the file will be saved in the ProgramData\CustomScripts folder.

# create custom folder and write PS script
$path = $(Join-Path $env:ProgramData CustomScripts)
if (!(Test-Path $path))
{
    New-Item -Path $path -ItemType Directory -Force -Confirm:$false
}
# write the here-string from step 3 to ProgramData\CustomScripts\myScript.ps1
Out-File -FilePath $(Join-Path $path myScript.ps1) -Encoding unicode -Force -InputObject $content -Confirm:$false

Step 5: Okay? We now have a PowerShell script on the local device… so why don’t we just create a scheduled task that launches this script every time a user logs in? Of course, the task will run with SYSTEM privileges.

# register script as scheduled task, triggered at every logon and running as SYSTEM
$Time = New-ScheduledTaskTrigger -AtLogOn
$User = "SYSTEM"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"C:\ProgramData\CustomScripts\myScript.ps1`""
Register-ScheduledTask -TaskName "RemoveAdmin" -Trigger $Time -User $User -Action $Action -Force
# run it once right away so the group is cleaned before the first logon
Start-ScheduledTask -TaskName "RemoveAdmin"

Step 6: Put these pieces together, create an IntuneWin app, and make sure you put this app in the list of apps that are required before the user logs in for the first time. You can do this on the ESP page in Intune, as I am showing below!

2. A PowerShell Base64 Encoded Script

This option is really easy. It uses the third part of the first option, but now Base64 encoded, so you can deploy it with a PowerShell script that schedules it to run every minute or at user logon.

If you don’t know how and why you need to convert these scripts to a Base64 value, please read part 2 of this blog first.

And here is the encoded PowerShell script itself. Of course, before you convert it, make sure you have changed the required settings I showed you earlier!

# run the encoded script every minute and at every logon, as SYSTEM
$triggers = @()
$triggers += New-ScheduledTaskTrigger -At (get-date) -Once -RepetitionInterval (New-TimeSpan -Minutes 1)
$triggers += New-ScheduledTaskTrigger -AtLogOn
$User = "SYSTEM"
# <BASE64_ENCODED_SCRIPT> is a placeholder for the Base64 encoded version of the script from part 1
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -EncodedCommand <BASE64_ENCODED_SCRIPT>"
$Null = Register-ScheduledTask -TaskName "Remove Admin" -Trigger $triggers -User $User -Action $Action -Force
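How the encoded value for the -EncodedCommand argument above is produced, as an added example that is not part of the original post: powershell.exe expects the Base64 of the UTF-16LE bytes of the script, and the round-trip and length checks catch the two common mistakes. The script path is an assumption (the file written in step 4 of the first option).

```powershell
# Added example (not from the original post): build and verify the -EncodedCommand value.
# powershell.exe decodes -EncodedCommand as UTF-16LE ("Unicode"), not UTF-8; encoding the
# text with the wrong code page produces a value that decodes to garbage and never runs.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$ScriptText)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ScriptText)
    return [Convert]::ToBase64String($bytes)
}

function ConvertFrom-EncodedCommand {
    # Decodes an encoded command back to text, so you can review exactly what the
    # scheduled task will run before deploying it.
    param([Parameter(Mandatory)][string]$Encoded)
    return [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

# Assumed source: the script file written in step 4 of the first option.
$scriptPath = Join-Path $env:ProgramData 'CustomScripts\myScript.ps1'
$scriptText = Get-Content -Path $scriptPath -Raw
$encoded    = ConvertTo-EncodedCommand -ScriptText $scriptText

# Round-trip check: the decoded text must be identical to the source.
if ((ConvertFrom-EncodedCommand -Encoded $encoded) -ne $scriptText) {
    throw "Encoded command does not round-trip; check the script encoding."
}

# A Windows process command line is limited to 32767 characters, so a long script
# will not fit in an encoded command and is better deployed as a file (option 1).
$arguments = "-ex bypass -EncodedCommand $encoded"
if (("powershell.exe " + $arguments).Length -gt 32767) {
    throw "Command line is too long for a scheduled task action; deploy the script as a file instead."
}

$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $arguments
```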

Conclusion:

Of course, it’s not the nicest method… but hey, it works! The user is not an admin, so he can’t see this scheduled task.


Neither can he change or remove the custom script files/folder… Job done… So your AppLocker config also works the moment a user joins his device to Azure.

If you want to read about all the other options you have to make sure your users are not local admins, please read this blog.
