Local Administrator, and Autopilot Settings, and Entra Settings! Oh, my!

Last Updated on July 6, 2024 by rudyooms

In this blog, I am going to take a closer look at a new setting in Entra that prevents users from becoming a local administrator on their devices during the Entra join.

I will zoom in on how the settings in Entra could interfere with the user account type setting you configured in your Autopilot profile.

I will divide this blog into multiple parts

  1. Introduction
  2. DeviceRegistrationPolicy vs Autopilot Profile
  3. Autopilot Device Preparation /APv2
  4. Conclusion

1. Introduction

Quite unexpectedly, 2 new settings appeared in Entra. You can use these 2 new settings to configure the local administrator behaviour during the Entra join in Entra under: Devices –> All Devices –> Device Settings

Until now, if we wanted to prevent the user who joins the device from becoming a local administrator, we configured a similar setting in the Autopilot profile. In the Autopilot profile, we have the option (the user account type) to define whether the user account that enrolls the device becomes a standard user or an administrator during the out-of-box experience.


With this second setting now showing up in Entra, do we still need Autopilot for this? (Don't take this literally… just use Autopilot!) Note that this new local administrator setting is configured to ALL by default.

My advice? Configure it to “None”. Having the registering user become a local admin on your device is a bad idea.


All cool, right? But what happens if we configure the user to be a standard user in the Autopilot profile while the Entra setting that adds the registering user to the local Administrators group is still at its default: ALL?

Before you go any further, it could come in handy to first read my blog about how the device registration policy works during Autopilot and how Autopilot prevents the user from becoming a local administrator.
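The two Entra settings above are exposed through the Microsoft Graph device registration policy. The following is an added example (not code from the original post): a small audit function that reports what a policy object says about the registering user and the Global Administrator role, run first against a constructed sample that mirrors the tenant default (All + Yes) and then against a hardened sample (None + No). It assumes the beta endpoint `GET /beta/policies/deviceRegistrationPolicy` returns an `azureADJoin.localAdmins` object with `enableGlobalAdmins` and a `registeringUsers` membership (`@odata.type` of `all…`, `no…` or `enumerated…DeviceRegistrationMembership`), and that `Policy.Read.All` is enough to read it; both are assumptions to verify against the Graph reference for your tenant.

```powershell
# Added example (not from the original post). Assumes the Graph PowerShell SDK and the
# beta deviceRegistrationPolicy shape described in the lead-in.

function Test-EntraLocalAdminPolicy {
    param(
        [Parameter(Mandatory)] $Policy   # object as returned by Invoke-MgGraphRequest -OutputType PSObject
    )
    $localAdmins = $Policy.azureADJoin.localAdmins
    $membership  = $localAdmins.registeringUsers.'@odata.type'

    # Map the Graph membership type onto the three values shown in the Entra portal.
    $registeringUsers = switch ($membership) {
        '#microsoft.graph.allDeviceRegistrationMembership'        { 'All' }
        '#microsoft.graph.noDeviceRegistrationMembership'         { 'None' }
        '#microsoft.graph.enumeratedDeviceRegistrationMembership' { 'Selected' }
        default                                                   { "Unknown ($membership)" }
    }

    [pscustomobject]@{
        RegisteringUserBecomesLocalAdmin = $registeringUsers
        GlobalAdminBecomesLocalAdmin     = [bool]$localAdmins.enableGlobalAdmins
        # The recommendation from this post: None for the registering user, No for Global Admins.
        MatchesRecommendation            = ($registeringUsers -eq 'None') -and (-not $localAdmins.enableGlobalAdmins)
    }
}

function New-SamplePolicy {
    # Constructed sample object (not captured from a tenant) with only the fields the check reads.
    param([string]$MembershipType, [bool]$GlobalAdmins)
    [pscustomobject]@{
        azureADJoin = [pscustomobject]@{
            localAdmins = [pscustomobject]@{
                enableGlobalAdmins = $GlobalAdmins
                registeringUsers   = [pscustomobject]@{ '@odata.type' = $MembershipType }
            }
        }
    }
}

# Tenant default as described in the post: registering user = All, Global Admin = Yes.
$defaultPolicy  = New-SamplePolicy -MembershipType '#microsoft.graph.allDeviceRegistrationMembership' -GlobalAdmins $true
# Hardened values: registering user = None, Global Admin = No.
$hardenedPolicy = New-SamplePolicy -MembershipType '#microsoft.graph.noDeviceRegistrationMembership'  -GlobalAdmins $false

Test-EntraLocalAdminPolicy -Policy $defaultPolicy    # MatchesRecommendation: False
Test-EntraLocalAdminPolicy -Policy $hardenedPolicy   # MatchesRecommendation: True

# Live check against your own tenant (assumed permission; adjust to the Graph reference):
# Connect-MgGraph -Scopes 'Policy.Read.All'
# $live = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -OutputType PSObject
# Test-EntraLocalAdminPolicy -Policy $live
```

Keep in mind that this only tells you what Entra will do during the join itself; as the next section shows, the Autopilot profile's user account type decides the final outcome for Autopilot (v1) enrollments.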

2. DeviceRegistrationPolicy vs Autopilot Profile

Well, the picture below shows 2 scenarios.

In the first scenario, I configured the Entra local administrator setting to NONE, but I configured the account type in the Autopilot profile to: Administrator.

In the second scenario, I am doing exactly the opposite: I configured the Entra setting to add some selected users to the local Administrators group (configuring it to All leads to the same outcome), while the account type in the Autopilot profile is set to Standard.
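To check on the enrolled device which of the two settings actually won, list the local Administrators group after the OOBE finishes. This is an added example, not code from the original post; it assumes that Entra-sourced accounts report `PrincipalSource` `AzureAD` and that Entra role or group members Windows cannot resolve to a name show up as `S-1-12-1-…` SIDs (assumptions; both are how I have seen Entra-joined devices report them, not something the post states). Run it in an elevated PowerShell on the device.

```powershell
# Added example (not from the original post): device-side verification of the scenarios.
# Assumes PrincipalSource 'AzureAD' for Entra accounts and unresolved Entra role/group
# members appearing as 'S-1-12-1-...' SIDs (see lead-in).

function Get-LocalAdminReport {
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    } catch {
        # Known failure mode: an orphaned SID in the group can make the cmdlet throw on
        # Windows PowerShell 5.1. Fall back to the classic command for a raw listing.
        Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); run 'net localgroup Administrators' instead"
        return
    }

    foreach ($m in $members) {
        [pscustomobject]@{
            Name            = $m.Name
            SID             = $m.SID.Value
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            # A named Entra user account in the group means the registering (or a selected) user
            # ended up as local admin, whatever the Autopilot profile said.
            IsEntraUser     = ($m.PrincipalSource -eq 'AzureAD') -and ($m.ObjectClass -eq 'User')
            # Entra role/group memberships (e.g. the Global Administrator role) are added as SIDs.
            IsEntraSid      = $m.SID.Value -like 'S-1-12-1-*'
        }
    }
}

$report = Get-LocalAdminReport
$report | Format-Table Name, SID, PrincipalSource, IsEntraUser, IsEntraSid -AutoSize

if ($report | Where-Object IsEntraUser) {
    Write-Warning 'An Entra user account is a member of the local Administrators group.'
} else {
    Write-Host 'No Entra user accounts in the local Administrators group: the registering user is a standard user.'
}
```

Run it once per scenario on a freshly enrolled device; comparing the two reports shows you directly whether the Entra setting or the Autopilot profile decided the outcome.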

3. Autopilot Device Preparation / APv2

Beware: the stuff I mentioned above impacts the existing version of Autopilot (v1). If you are running Autopilot Device Preparation / APv2, things are a bit different. That same setting that defines who becomes a local administrator on the device is now breaking Autopilot Device Preparation!

The bottom line of that blog is that you must set that same setting to “All” if you don’t want to break your Autopilot Device Preparation experience!

4. Conclusion

The conclusion? If you are using Autopilot (v1) and configuring the user account type to Standard, you are good to go even when the Entra setting is still configured to ALL (or Selected).

When you are using Autopilot Device Preparation (v2), you need to set that setting to: “All”.

In addition to this policy, please make sure you are preventing the Global Administrator role from being added to the local Administrators group by changing the corresponding setting to NO.

6 thoughts on “Local Administrator, and Autopilot Settings, and Entra Settings! Oh, my!”

  1. Why do you recommend this ?

    “Besides this policy, please make sure you are preventing the global admin role from being added to the administrator’s group by changing the corresponding setting to NO.”

    1. Having a user who is a member of the global admin role in your tenant also become local admin on all of your devices isn't best practice
      (tier domain for example)

      https://ramesh-seshadri.medium.com/why-important-to-use-microsoft-tier-administrative-3536bee4ef94

    2. In most cases the local technicians are different from the tenant admins. So giving permission to the global admins to enter as administrator of the machines is not a good idea.

      1. Yep… that's why I am mentioning the fact that enabling this option isn't the best idea out there 😉

  2. Just a thought – if you are doing a manual Entra join (i.e. not with Autopilot), then with the given settings the user is made a local admin, if allowed to enroll the device?

    1. Manually joining Entra would always add the user that performed the join to the local admins… with this setting we can now prevent that from happening… which is cool and great
