Issue with Removing Local Admin Rights via Intune for Group Members

Ahmed Mahfuz 20 Reputation points
2024-06-17T17:52:57.78+00:00

Hello,

I'm experiencing a challenge with Intune's "Local user group membership" policy on Windows 11. I've been attempting to remove local admin rights from devices, and the policy works as expected when I add individual users. However, when I try to apply the policy to a group, it doesn't seem to be effective.
I have followed this: Endpoint security > Account protection > Local user group membership to manage local user group membership. I chose Remove (Update) to remove a specific user from the local administrators group.

Here's what I've done so far:

Navigated to "Local user group membership" under policies.

Successfully removed local admin rights for individual accounts.

The issue arises when I attempt to remove admin rights for a group of users. Despite adding the group in the policy, the rights remain unchanged on the devices.

Is there a specific procedure or consideration for applying this policy to groups that I might be missing? Any insights or guidance on how to properly remove local admin rights from devices using Intune for groups would be greatly appreciated.

Thank you for your assistance!


1 answer

  1. Crystal-MSFT 45,486 Reputation points Microsoft Vendor
    2024-06-18T01:20:29.35+00:00

    @Ahmed Mahfuz, thanks for posting in Q&A. As far as I know, when we add a group under Remove (Update), it will only remove that same group from the local administrators group. The users in the group will still be kept. Could you confirm whether the group you added is in the local administrators group on the affected device, and whether our issue is that the group still exists in the local administrators group after we apply the policy?

    If you want to remove the users in this group, instead of the group itself, from the local administrators group, you can consider the Add (Replace) action to only add the users you want. Here is a link with more details:

    https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207

    Hope the above information can help.


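A check for the question the answer raises (whether the group itself, rather than its users, is a direct member of the local Administrators group on the device), as an added example that is not part of the original thread. It assumes the group is a Microsoft Entra ID group, which shows up in local groups as an `S-1-12-1-...` SID derived from its object ID; the object ID below is a constructed placeholder and the function names are hypothetical.

```powershell
# Added example: run in PowerShell on the affected Windows device.
# $GroupObjectId is a constructed placeholder; replace it with the object ID
# of the Entra ID group named in the Intune policy.
$GroupObjectId = '00000000-0000-0000-0000-000000000000'

function Convert-EntraObjectIdToSid {
    # Entra ID principals appear in local groups as S-1-12-1-<a>-<b>-<c>-<d>,
    # where a..d are the object ID's 16 bytes read as four unsigned 32-bit integers.
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $parts = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    'S-1-12-1-' + ($parts -join '-')
}

function Get-LocalAdministratorSid {
    # Resolve the built-in Administrators group by its well-known SID so the
    # check also works on localized Windows builds.
    $adminSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')
    $name = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    # Read members through ADSI, which exposes each member's raw SID even when
    # the entry cannot be resolved to a display name.
    $group = [ADSI]"WinNT://./$name,group"
    foreach ($member in $group.Invoke('Members')) {
        $sidBytes = [byte[]]$member.GetType().InvokeMember(
            'objectSid', 'GetProperty', $null, $member, $null)
        [System.Security.Principal.SecurityIdentifier]::new($sidBytes, 0).Value
    }
}

$groupSid = Convert-EntraObjectIdToSid -ObjectId $GroupObjectId
$members  = @(Get-LocalAdministratorSid)

'Direct members of the local Administrators group (by SID):'
$members | ForEach-Object { "  $_" }

if ($members -contains $groupSid) {
    "Group SID $groupSid is a direct member of local Administrators."
} else {
    "Group SID $groupSid is not a direct member; any user SIDs above are separate entries."
}
```

Running it before and after the policy syncs shows whether the group entry itself changed, which is the distinction the answer draws between removing a group and removing the users inside it.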