Local Admin: Where should it be managed?

Introduction

For a while now, there have been several ways to manage local administrators on a device. You might have seen it in Entra ID, but also in Microsoft Intune. The big question is, what do the different settings do, and how should we handle them?

In this blog, we will take a look at the different ways of managing local administrators and see what happens when Windows Autopilot and Entra ID aren't aligned.


Where can we manage the local admins?

From a quick look in Entra ID, under device settings, we currently have three options. We have the option to change whether the GA role is added as a local administrator and whether the registering user is added as a local administrator.

Lastly, we have the RBAC role, Entra Joined Device Local Admin, that we have to take care of.

If we jump into Intune, we also have a few options available. If you are using Windows Autopilot or the new Device Preparation policies, you also have the opportunity to manage the user account type. From the Device Preparation tab:

Lastly, the picture below is from Windows Autopilot.

You would probably think, "Wow! That was a lot, are we done?" No, we are not done yet! We also have the possibility of managing local administrators from the account protection tab with the help of local user group membership.


Scenario 1: Entra Settings Configured

Let's take a look at which setting wins. To start off, I have enabled "Global administrator role is added as local administrator on the device during Microsoft Entra join (Preview)" and "Registering user is added as local administrator on the device during Microsoft Entra join (Preview)" in Entra ID. I also have a Windows Autopilot profile that sets the user account type to standard.

The device is finished enrolling in Autopilot, and when it boots up for the first time, we will see the following content of the administrators group.

The default administrator is a part of the group, together with 2 SIDs. If we translate those, we can see that they are the "Entra Global Administrator" and "Entra Joined Device Local Admin" groups.

Interesting! So when the user account type is configured to standard, it will overrule the settings from Entra ID in this case.


Scenario 2: Autopilot Deployment Profile

I have grabbed a cup of coffee and changed the user account type to administrator for Windows Autopilot and configured "Registering user is added as local administrator on the device during Microsoft Entra join (Preview)" to none.

The device has been enrolled through Windows Autopilot, and I have now taken a look in the local administrator group on the device.

Surprise! I am not a local administrator, even though I changed the user account type to administrator in the deployment profile. That's very interesting!

What we can see again is that the RBAC roles "Entra Global Administrator" and "Entra Joined Device Local Admin group" are part of the local Administrators group.
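To check which principals actually ended up in the group in Scenario 1 and 2 without translating SIDs by hand, here is an added PowerShell audit script (my example, not from the original post). It reads the local Administrators group and maps Entra-derived S-1-12-1 SIDs back to directory object IDs; the function names are mine, and the two role template GUIDs are the documented Entra values for the roles discussed above.

```powershell
# Added example: audit the local Administrators group on an Entra-joined device
# and translate Entra-derived SIDs (S-1-12-1-...) back to directory object IDs.
# Function names are this example's own; the two role template IDs are the
# documented Entra values for the roles discussed in the post.

# Entra encodes a directory object's GUID as four little-endian DWORDs
# after the S-1-12-1 prefix. This reverses that mapping.
function Convert-EntraSidToObjectId {
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -notmatch '^S-1-12-1-\d+-\d+-\d+-\d+$') { return $null }
    $dwords = [uint32[]]($Sid.Substring(9).Split('-'))
    $bytes  = New-Object 'byte[]' 16
    [Buffer]::BlockCopy($dwords, 0, $bytes, 0, 16)
    return [guid]::new($bytes)
}

# Forward direction, so the expected SIDs can be precomputed for comparison.
function Convert-EntraObjectIdToSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    $dwords = New-Object 'uint32[]' 4
    [Buffer]::BlockCopy($ObjectId.ToByteArray(), 0, $dwords, 0, 16)
    return 'S-1-12-1-' + ($dwords -join '-')
}

# Entra role template IDs that Windows adds to the local Administrators group.
$KnownRoles = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator'
    '9f06204d-73c1-4d4c-880a-6edb90606fd8' = 'Microsoft Entra Joined Device Local Administrator'
}

function Get-LocalAdminAudit {
    param([string]$GroupName = 'Administrators')
    # ADSI is used instead of Get-LocalGroupMember because the latter can fail
    # on Entra SIDs that the device cannot resolve to a display name.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name     = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        $objectId = Convert-EntraSidToObjectId -Sid $sid
        $kind = 'Local or AD principal'
        if ($objectId) {
            $key  = $objectId.ToString()
            $kind = if ($KnownRoles.ContainsKey($key)) { "Entra role: $($KnownRoles[$key])" } else { "Entra user/group object $key" }
        }
        [pscustomobject]@{ Name = $name; SID = $sid; ResolvedAs = $kind }
    }
}

Get-LocalAdminAudit | Format-Table -AutoSize
```

Run it after each enrollment test to see whether the registering user, the two role groups, or only the built-in Administrator remain; any "Entra user/group object" line is a member the policy did not expect and should be reconciled with the Intune local user group membership policy.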


How should we handle admins on our devices?

How should we handle local administrators on our devices? I would say it depends on the case. First of all, you would have to decide whether you would like to use LAPS/Endpoint Privilege Management or a third-party admin-by-request tool on your devices. EPM requires an additional license, whereas LAPS is included in the Intune licenses.

From there on, you have to take care of the users in the local admin group. I would recommend you manage your local administrator group with Intune by using the "Local user group membership" in account protection using the Add (Replace) action, which will clear the local group and add the specified users in the policy.

Now that I have decided to use the "local user group membership" policy, I would go back to Entra and make the following changes:

Lastly, I will make sure to check the assignments to the "Microsoft Entra Joined Device Local Administrator" RBAC role and make sure it's empty.

If you have decided to use LAPS, remember to enable it in Entra ID; otherwise it won't work.


Conclusion

One of the first things to do in a new tenant should be handling the local administrator settings on the devices. You have to decide whether to use LAPS/EPM or another admin by request tool and where to manage your local administrators on your devices.

My recommendation is: Manage them where you manage your devices in Microsoft Intune.

Thanks for reading this blog, I hope it gave some insights on what happens when you have a mix of settings.