Modifying Local Administrators: Autopilot Edition

So let’s get this straight, this was not my first time. (Insert James Franco meme.)
Let’s just get right into it.

The Problem

You have a group of users who do not need to be a local administrator on their Azure AD joined devices (Autopilot devices).

The Solution (#1)

This is assuming you read my explanation of this problem. If not, that’s okay. I’ll link it somewhere. So let’s just go with the first solution, which is… drum roll..

Policy CSP - RestrictedGroups - Windows Client Management | Microsoft Docs

Yeah, the RestrictedGroups URI is your good neighbor next door. He takes care of you whether you’re too old (available in Windows 10, version 1607) or old enough (available in Windows 10, version 2004).

Create your Custom Device Configuration Profile (Here’s how to create one)

Name: (Your Desired Name)
Description: (Optional)
OMA-URI: ./Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
Data Type: String (XML File)

<groupmembership>
    <accessgroup desc="Administrators">
        <member name="Administrator" />
        <member name="YOUR_LOCAL_ADMIN" />
        <member name="S-1-12-1-YOUR OTHER AZURE ADMIN SIDS" />
        <member name="S-1-12-1-YOUR AZURE ADMIN SIDS" />
    </accessgroup>
</groupmembership>

But wait, it’s an Azure AD joined device, you can’t remove an Azure AD user this way!

That’s true. Since we can’t remove an Azure AD user this way, you’ll see a bunch of errors about merging this policy.
If you look at Event Viewer:

Application and Services Logs > Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin

So here’s what I had to do. You need to remove the Azure AD user from the Local Users and Groups > Administrators group yourself.

Shortcut to this is (Winkey + R) to open up the Run window, and type:

LUSRMGR.MSC


For Autopilot, you’ll normally see the Azure AD primary user at the bottom. Here’s how to remove it.

# Logged-on user as DOMAIN\name, e.g. AzureAD\JohnDoe (Win32_ComputerSystem.UserName)
$cuser = (Get-WMIObject -Class Win32_ComputerSystem).UserName
# Keep only the account part after the backslash
$u = $cuser.Split("\")[1]
# Build the Azure AD account name as the local group knows it (replace upn.domain with your tenant's UPN suffix)
$azureuser = "azuread\$u@upn.domain"
# Remove that account from local Administrators; the doubled quotes pass one quoted argument through cmd
cmd /c "net localgroup administrators /delete ""$azureuser"""

Since you most likely need to run this as SYSTEM, you might need to package this script as a Win32 app, and then assign it to the target user groups that should not be admins.

https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool

After the script/app runs on the device, the RestrictedGroups URI should function properly. But again, I’m really hoping they’ll fix this in the future.
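Here’s an added example (my own illustration, not the post’s script) that generalizes the cleanup above: instead of removing only the logged-on user, it walks every Azure AD principal in local Administrators and removes those not on an allow-list, and it emits the RestrictedGroups XML from that same allow-list so the two stay in sync. The SIDs and the local admin name are constructed placeholders; it uses the built-in LocalAccounts cmdlets and is meant to run as SYSTEM, e.g. as the Win32 app.

```powershell
# Added example, not the post's script. Assumes the SIDs below are the same Azure AD
# group/user SIDs you put in the RestrictedGroups XML. Run as SYSTEM on the device.

# Constructed placeholder values: replace with your tenant's real SIDs / account name.
$AllowedAdminSids = @(
    'S-1-12-1-1111111111-2222222222-3333333333-4444444444',  # Azure AD admin group SID (placeholder)
    'S-1-12-1-5555555555-6666666666-7777777777-8888888888'   # Azure AD admin user SID (placeholder)
)
$LocalAdminName = 'YOUR_LOCAL_ADMIN'

function New-RestrictedGroupsXml {
    # Builds the ConfigureGroupMembership payload for the RestrictedGroups OMA-URI
    # from the allow-list, so the policy and the cleanup script agree on who stays.
    param([string[]]$Sids, [string]$LocalAdmin)
    $members = @("        <member name=""Administrator"" />", "        <member name=""$LocalAdmin"" />")
    $members += $Sids | ForEach-Object { "        <member name=""$_"" />" }
    $lines = @('<groupmembership>', '    <accessgroup desc="Administrators">') +
             $members + @('    </accessgroup>', '</groupmembership>')
    return ($lines -join "`n")
}

function Remove-UnexpectedAzureAdAdmins {
    # The manual lusrmgr.msc step from the post, done for every stray Azure AD account:
    # Azure AD principals not on the allow-list are removed from local Administrators.
    # Local and built-in accounts are left alone; RestrictedGroups handles those.
    param([string[]]$Sids, [switch]$WhatIf)
    $removed = @()
    # Note: Get-LocalGroupMember can throw when an orphaned Azure AD SID sits in the group.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        if ($m.PrincipalSource -ne 'AzureAD') { continue }   # not an Azure AD principal
        if ($Sids -contains $m.SID.Value) { continue }       # allowed Azure AD admin, keep
        Write-Host "Removing $($m.Name) ($($m.SID.Value)) from Administrators"
        if (-not $WhatIf) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
        }
        $removed += $m.Name
    }
    return $removed
}

# Print the XML to paste into the custom profile, then report (dry run) who would be removed.
New-RestrictedGroupsXml -Sids $AllowedAdminSids -LocalAdmin $LocalAdminName
Remove-UnexpectedAzureAdAdmins -Sids $AllowedAdminSids -WhatIf
```

Drop `-WhatIf` on the last line once the reported names look right; the function then returns the list of accounts it actually removed, which is handy to log from the Win32 app.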

(The future solution for 20H2)

If you haven’t noticed already, your good neighbor next door only supports up to Windows 10, version 2004. That’s too bad, so what happens if you need 20H2? You’re in luck, but it’s only in Preview. If you want to know more, here’s an article:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups


This is the XML, but remember, this is still in preview:

<GroupConfiguration>
    <accessgroup desc="">
        <group action=""/>
        <add member=""/>
        <remove member=""/>
    </accessgroup>
</GroupConfiguration>

Welp, I hope this helped. If there are any questions or feedback, feel free to reach out to me.
