Windows Office Hours: August 15, 2024
Thursday, Aug 15, 2024, 08:00 AM PDT
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date ef...
Heather_Poulsen
Updated Nov 19, 2024
ToddMasegian, Aug 15, 2024 (Copper Contributor)
Hello, Intune-related question. I recently moved our organization to a Windows Autopilot/Intune deployment infrastructure and overall it has been a positive direction. One item that has been lost as part of this new environment relates to local permissions on users' laptops, for which I have not found a good solution, so I am curious if anyone has suggestions. For context, before we started deploying Windows laptops via Autopilot/Intune we would bind a laptop to an on-premise AD domain and then have the domain account run on the laptop as a standard account with non-administrator level permissions. This allowed us to have users effectively not have administrator level permissions over their laptop for day-to-day operations. However, our user base often has a need to perform some tasks that require administrator level permissions (install applications, make changes to network adapters, copy/delete files in restricted folders, etc.) and our solution in the past was to have a second, separate domain account configured in the Administrators group under Computer Management. That way, when a user needed to perform a task that required administrator level permissions while they were running in a standard account, they could simply enter the credentials for this "admin" account when prompted and perform the task. This entire process worked very well. When we moved to Autopilot/Intune I could not find any solution that would replicate this form of permissions structure. We have a separate Jamf deployment infrastructure for our Apple devices (why we aren't using Intune for that is a whole separate can of worms) and the Jamf MDM has the ability to run our macOS laptops as standard accounts with a push-button ability to temporarily "elevate" an account to administrator for a set period of time (say 10 minutes) so that users can perform admin level tasks.
I have been unable to find any form of solution on Windows that would allow me to have my users operate day-to-day with only a standard user account and in some way either have a second local account that could have administrator level permissions or have some form of temporary account "elevation" capability like Jamf has. I would love suggestions/options/feedback if anyone has found solutions to this kind of problem.
- Joe_Lurie, Aug 15, 2024 (Microsoft)
Hi ToddMasegian, thanks for the message. We don't recommend users ever having full admin rights on a desktop. Our solution for this is two-fold:
- Use Autopilot when you send the user the laptop. In the Autopilot profile, configure the user as a standard user.
- Use Endpoint Privilege Management. EPM is part of the Microsoft Intune Suite, and instead of giving the user full-on admin rights, it gives them admin rights to a specific process.
As a sidenote, we also have a Cloud LAPS solution that allows you to rotate the local admin password, as well as additional policies.
Re: using Jamf for your macOS devices, Intune has come a very long way in managing macOS; it may be worth checking out again, or at the very least joining our aka.ms/MacAdmins community. Our Cloud LAPS solution and EPM are Windows only today, but we are working with our Mac team to get them integrated on macOS.
Keep an eye on aka.ms/M365Roadmap and aka.ms/IntuneInDev for more information on when these might be available in the future.
--Joe.
- ToddMasegian, Aug 15, 2024 (Copper Contributor)
Hi @joelurie, thank you for the response. I had heard about EPM before, but at the time I was advised that it was limited to only certain operations such as software installs, and that other tasks such as modifying Ethernet adapter properties weren't supported. I will have to take a deeper look at whether that is actually true or if EPM would actually cover my needs. On the LAPS front, I have been using LAPS on my on-prem AD for several years; I didn't realize there was a cloud version as well.
- nlmitchell, Aug 15, 2024 (Brass Contributor)
Hi Todd, our engineers have separate _onprem admin accounts; however, our users have 'standard' accounts. One thing we have been using for some time is Admin By Request. Any user that has the client installed and is enabled to use it can elevate permissions. They would have to give a reason, and this is logged into the audit logs. Just a suggestion; there might be other stuff out there that others are using.
As an aside, you can also control what groups go into the local admin group on end user devices using Intune Configuration Profiles. We also use these and they work very well.
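As an added illustration (not from any poster in this thread) of the local-admin-group control nlmitchell describes, this is the shape of the XML payload for the Policy CSP `./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure` setting, delivered through a custom Intune configuration profile. The group name, account UPN and SID are constructed placeholders; `action="R"` replaces the full membership so that anything not listed (including leftover local admin accounts) is removed on every policy refresh, while `action="U"` would only add or remove the listed members.

```xml
<!-- Constructed example: replace the Administrators membership with
     exactly one cloud group plus the built-in local Administrator.
     "S-1-5-32-544" is the well-known SID of BUILTIN\Administrators. -->
<GroupConfiguration>
    <accessgroup desc="S-1-5-32-544">
        <!-- R = replace membership entirely; U = update (add/remove only) -->
        <group action="R" />
        <!-- Entra ID (Azure AD) security group by SID (placeholder value) -->
        <add member="S-1-12-1-000000000-000000000-000000000-000000000" />
        <!-- A single break-glass cloud account by UPN (placeholder value) -->
        <add member="AzureAD\admin-breakglass@example.com" />
        <!-- Built-in local Administrator; keep it if Cloud LAPS rotates it -->
        <add member="Administrator" />
    </accessgroup>
</GroupConfiguration>
```

After assignment, check the result on a device with `Get-LocalGroupMember -Group Administrators` so that unexpected members surface before the policy is rolled out broadly.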
- ToddMasegian, Aug 15, 2024 (Copper Contributor)
Hi Nick, thank you for the suggestion of Admin By Request. I hadn't seen this before, and the possibility of having logging for requests would be awesome.