Account Protection Policy

Restrict Local Admin Access on Windows Devices with Intune

Introduction

Controlling local administrator rights is one of the fundamental security measures for protecting Windows endpoints in any organisation. Local admin access allows users to install software, change critical settings, and override enterprise policies. While this level of access might seem necessary for power users, it creates significant risks, including malware propagation, privilege escalation, and configuration drift.

Microsoft Intune provides powerful tools to remove or restrict local admin rights on Windows devices, ensuring that users operate under the principle of least privilege. This blog post explores:

  • Why removing local admin access is important
  • Methods to restrict admin rights
  • Proactive remediation using PowerShell
  • Monitoring compliance and reporting

Why Local Admin Access is a Security Risk

Allowing standard users to retain local administrator privileges can lead to:

  • Malware installation without detection
  • Unauthorised software and driver installs
  • Registry modifications that bypass policies
  • Security tool tampering (e.g., disabling antivirus)

Reducing administrative rights across endpoints enhances your overall security posture and aids in compliance with ISO 27001, CIS Benchmarks and GDPR.


Prerequisites

Ensure the following before proceeding:

  • Devices are Entra joined or Entra hybrid joined
  • Devices are enrolled in Microsoft Intune
  • You have Intune RBAC permissions to deploy scripts and endpoint policies
  • Azure AD P1 or higher is available for proactive remediation

Review Default Local Admin Group Membership

On a typical Windows 10/11 device:

  • Azure AD Join places the user who enrols the device into the Administrators group
  • Hybrid AAD Join allows GPO or Intune to manage admin roles

You can view current admin users by running:

Get-LocalGroupMember -Group "Administrators" -ErrorAction Ignore

Option 1: Configure Account Protection in Endpoint Security

To restrict local admin access, configure Endpoint Security policies to manage local user rights:

Manage Local Admin in Entra joined Devices

  • Go to Intune Admin Center > Endpoint Security > Account Protection
  • Click Create Policy > Platform: Windows 10 and later, Profile: Local user group membership

The table below compares the Group Action options:

Setting Name | Description | Action Code | Key Behavior | Important Note
Update Group Membership | Updates a local group by adding and/or removing members. Existing members not specified in the policy remain in the group. | U | Only specified changes are applied; existing unspecified members are retained. | Existing members not listed in the policy are not removed.
Replace Group Membership | Replaces the local group membership with a specified list of users. Functions like the Restricted Groups policy. Members not in the policy are removed. | R | Entire membership is replaced with the specified list. | Members not listed in the policy are removed from the group.
Conflict Resolution | If the same group is configured with both Update and Replace, the Replace action takes precedence. | N/A | Replace overrides Update. | Carefully review configurations to avoid unintended removal of group members.

Manage Local Admin in Entra Hybrid joined Devices

If you’re managing Microsoft Entra ID users, you can follow the same steps outlined for Entra-joined devices above.

However, if you want to manage on-premises Active Directory (AD) users by adding them to a local group on a Microsoft Entra hybrid-joined device, use the same steps but choose the Manual option instead.

In this example, I will demonstrate how to remove the built-in Guest account from the Guests group.


Removing the built-in Administrator account from the built-in Administrators group is blocked at SAM/OS level for security reasons. Attempting to do so will result in failure with the following error:

Error Code | Symbolic Name | Error Description | Header
0x55b (Hex) / 1371 (Dec) | ERROR_SPECIAL_ACCOUNT | Cannot perform this operation on built-in accounts. | winerror.h

When configuring the built-in Administrators group with the R (Replace) action, include the built-in Administrator account's SID or name in <add member> to avoid this error.


Option 2: Use Custom Configuration Profiles to manage Local Admin (Advanced)

You can deploy a custom CSP or OMA-URI to manage group membership manually. This is less common but can be useful in specific scenarios. See the Microsoft article Local Users And Groups Policy CSP | Microsoft Learn for more information.

Sample OMA-URI:

./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
<GroupConfiguration>
    <accessgroup desc = "">
        <group action = ""/>
        <add member = ""/>
        <remove member = ""/>
    </accessgroup>
</GroupConfiguration>

Example below shows different ways to modify the

<GroupConfiguration>
    <accessgroup desc = "Administrators">
        <group action = "U" />
        <add member = "AzureAD\bob@contoso.com"/>
        <add member = "Contoso\ITAdmins"/>
        <add member = "S-1-12-1-111111111-22222222222-3333333333-4444444444"/>
        <remove member = "Test"/>
    </accessgroup>
</GroupConfiguration>
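To build the Option 2 payload without hand-editing XML, here is an added PowerShell helper (example code, not from the original post) that emits the GroupConfiguration for the Administrators group and, for the R (Replace) action, refuses to proceed unless the built-in Administrator account is in the add list, since the OS rejects its removal with ERROR_SPECIAL_ACCOUNT (0x55b). The account name 'Administrator' and the group SID in the sample call are assumed placeholder values.

```powershell
# Added example, not from the original post: build a LocalUsersAndGroups
# GroupConfiguration payload for the Administrators group and guard against the
# ERROR_SPECIAL_ACCOUNT (0x55b) failure described above.
function New-LocalAdminGroupConfiguration {
    param(
        [Parameter(Mandatory)][ValidateSet('U', 'R')][string]$Action,
        [Parameter(Mandatory)][string[]]$AddMember,
        [string[]]$RemoveMember = @()
    )

    # The built-in Administrator SID is machine-specific (S-1-5-21-<machine>-500),
    # so a tenant-wide payload must reference it by name. 'Administrator' is an
    # assumption; change it if the account has been renamed in your estate.
    $builtInAdmin = 'Administrator'
    if ($Action -eq 'R' -and $AddMember -notcontains $builtInAdmin) {
        throw "Replace (R) on Administrators must list '$builtInAdmin'; the OS refuses to remove it (ERROR_SPECIAL_ACCOUNT)."
    }
    if ($Action -eq 'R' -and $RemoveMember.Count -gt 0) {
        Write-Warning 'Replace (R) already drops every unlisted member; <remove> entries are redundant.'
    }

    # Use the XML DOM so member names are escaped correctly (a UPN or group name
    # containing '&' or '<' would otherwise corrupt the payload).
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('GroupConfiguration'))
    $grp  = $root.AppendChild($doc.CreateElement('accessgroup'))
    $grp.SetAttribute('desc', 'Administrators')
    $grp.AppendChild($doc.CreateElement('group')).SetAttribute('action', $Action)
    foreach ($m in $AddMember) {
        $grp.AppendChild($doc.CreateElement('add')).SetAttribute('member', $m)
    }
    foreach ($m in $RemoveMember) {
        $grp.AppendChild($doc.CreateElement('remove')).SetAttribute('member', $m)
    }
    return $doc.OuterXml
}

# Constructed sample: replace the entire Administrators membership with the
# built-in account plus an Entra group referenced by a placeholder SID.
New-LocalAdminGroupConfiguration -Action 'R' -AddMember @(
    'Administrator',
    'S-1-12-1-111111111-22222222222-3333333333-4444444444'
)
```

Paste the returned XML as the value of the ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure OMA-URI shown above.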

Option 3: Deploy Proactive Remediation Scripts

Microsoft Endpoint Manager allows deploying Proactive Remediation scripts via the Endpoint Analytics feature.

The detection and remediation scripts below automatically scan for and remove unauthorised users from the local Administrators group.

Detection Script:

$localAdmins = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop
# Anchored allowlist: match the whole account name (after any DOMAIN\ prefix),
# so a name that merely contains "Administrator" is not treated as authorised
$unauthorizedUsers = $localAdmins | Where-Object { $_.Name -notmatch '^(.*\\)?(IT-Admins|Administrator|Domain Admins)$' }

if ($unauthorizedUsers) {
    Write-Output "Non-compliant: $($unauthorizedUsers.Name -join ', ')"
    exit 1
} else {
    Write-Output "Compliant"
    exit 0
}

Remediation Script:

$localAdmins = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop
# Anchored allowlist: whole account names only, not substring matches
$unauthorizedUsers = $localAdmins | Where-Object { $_.Name -notmatch '^(.*\\)?(IT-Admins|Administrator|Domain Admins)$' }

foreach ($user in $unauthorizedUsers) {
    # Remove by SID string so Entra-backed or renamed principals resolve unambiguously
    Remove-LocalGroupMember -Group "Administrators" -Member $user.SID.Value -ErrorAction Stop
    Write-Output "Removed $($user.Name) from Administrators"
}

Deploy Scripts

See How to Deploy PowerShell Script via Intune: A Complete Guide for IT Admins for a step-by-step guide.

  1. Go to Devices > Windows > Scripts and remediations
  2. Click Create
  3. Upload detection and remediation scripts
  4. Assign to device groups

Monitor Compliance and Results

After a policy is applied on the client device, you can investigate the event log to review the result:

  1. Open Event Viewer (eventvwr.exe).
  2. Navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
  3. Search for the LocalUsersAndGroups string to review the relevant details.

You can run Get-LocalGroupMember -Group <group name> to check whether the settings were applied correctly to the group.
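As an added check (example code, not from the original post), the following PowerShell pulls the LocalUsersAndGroups entries from the DeviceManagement-Enterprise-Diagnostics-Provider Admin log and compares the live Administrators membership with the list the policy should have produced; the expected member names in the sample call are assumed values.

```powershell
# Added example, not from the original post: review the CSP result events and
# verify the Administrators group against the membership the policy defines.
function Get-LocalUsersAndGroupsEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue suppresses the "No events were found" error on a quiet device
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'LocalUsersAndGroups' } |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Test-AdministratorsMembership {
    param([Parameter(Mandatory)][string[]]$Expected)
    # Compare on the leaf name so 'DESKTOP01\Administrator' matches 'Administrator';
    # Entra groups appear as bare SIDs, which have no prefix and pass through unchanged
    $actual     = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                    ForEach-Object { ($_.Name -split '\\')[-1] })
    $unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })
    $missing    = @($Expected | Where-Object { $actual   -notcontains $_ })
    [pscustomobject]@{
        Actual     = $actual
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# Constructed sample: membership expected after an R (Replace) policy that lists
# the built-in Administrator and an IT admins group (assumed names).
Get-LocalUsersAndGroupsEvents -Hours 48 | Format-Table -AutoSize
Test-AdministratorsMembership -Expected @('Administrator', 'IT-Admins')
```

Run it in an elevated 64-bit PowerShell session on the managed device; a non-empty Unexpected list points at another policy or local change re-adding members, the troubleshooting case noted below.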


Troubleshooting Tips

Problem | Solution
Policy not applying | Ensure the device is Azure AD joined and the policy is assigned
Users still have admin rights | Check for other policies re-adding users to the admin group
Scripts not running | Verify script permissions and use 64-bit PowerShell
Devices show Non-Compliant status | Reboot the device and rerun the detection script

Summary

Removing local administrator rights is a critical step for securing Windows devices and enforcing enterprise policy. Organisations can automate the removal of unnecessary administrative privileges using Intune’s Endpoint Security, Account Protection, and Proactive Remediations. This approach offers several key benefits, including a minimised attack surface, improved compliance, and standardised configurations, along with enhanced visibility into privilege usage. When implementing this, start by targeting test groups and gradually expand the policy rollout. Combine this strategy with Microsoft Defender for Endpoint and privileged identity management for maximum effect.
