Windows Office Hours: August 15, 2024
Event Ended
Thursday, Aug 15, 2024, 08:00 AM PDT
Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date ef...
Heather_Poulsen
Updated Nov 19, 2024
ToddMasegian
Aug 15, 2024
Copper Contributor
Hello, Intune related question. I recently moved our organization to a Windows Autopilot/Intune deployment infrastructure and overall it has been a positive direction. One item that has been lost as part of this new environment has been related to local permissions on users' laptops, for which I have not found a good solution, and so I am curious if anyone has suggestions. For context, before we started deploying Windows laptops via Autopilot/Intune we would bind a laptop to an on-premise AD domain and then have the domain account run on the laptop as a standard account with non-administrator level permissions. This allowed us to have users effectively not have administrator level permissions over their laptop for day-to-day operations. However, our user base often has need to perform some tasks that require administrator level permissions (install applications, make changes to network adapters, copy/delete files in restricted folders, etc.) and our solution in the past was to have a second, separate domain account configured in the Administrators group under Computer Management. That way, when a user needed to perform a task that required administrator level permissions while they were running in a standard account, they could simply enter the credentials for this "admin" account when prompted and perform the task. This entire process worked very well. When we moved to Autopilot/Intune I could not find any solution that would replicate this form of permissions structure. We have a separate Jamf deployment infrastructure for our Apple devices (why we aren't using Intune for that is a whole separate can of worms) and the Jamf MDM has the ability to run our macOS laptops as standard accounts with a push button ability to temporarily "elevate" an account to administrator for a set period of time (say 10 minutes) so that users can perform admin level tasks.
I have been unable to find any form of solution on Windows that would allow for me to have my users operate day-to-day with only a standard user account and in some way either have a second local account that could have administrator level permissions or have some form of temporary account “elevation” capability like Jamf has. I would love suggestions/options/feedback if anyone has found solutions to this kind of problem.
nlmitchell
Aug 15, 2024
Brass Contributor
Hi Todd, our engineers have separate _onprem admin accounts, however our users have 'standard' accounts. One thing we have been using for some time is Admin By Request. Any user that has the client installed and is enabled to use it can elevate permissions. They would have to give a reason and this is logged in the audit logs. Just a suggestion, might be other stuff out there that others are using.
As an aside, you can also control what groups go into the local admin group on end user devices using Intune Configuration Profiles. We also use these and they work very well.
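A check to go with the Configuration Profile approach, as an added example that is not from the thread or from any product: a PowerShell detection script for Intune remediations that audits the local Administrators group against an allowlist and reports drift. The SID values in $Approved are placeholders to replace with your tenant's.

```powershell
# Added example (not code from the thread or any product). Intune remediation
# "detection" script: it enumerates the local Administrators group by its
# well-known SID (S-1-5-32-544, so it also works on localized Windows) and
# compares the members with an allowlist. Exit code 1 marks the device as
# non-compliant in the Intune report. Intended to run as SYSTEM, the default.

# Placeholder allowlist: replace with the SIDs your Configuration Profile keeps in
# the group, typically the built-in Administrator (RID 500) and the Entra role SIDs
# (S-1-12-1-...) that Intune adds at join time.
$Approved = @(
    'S-1-5-21-PLACEHOLDER-500',    # built-in local Administrator account
    'S-1-12-1-PLACEHOLDER-ROLE-A', # Entra "Global Administrator" role SID
    'S-1-12-1-PLACEHOLDER-ROLE-B'  # Entra "Azure AD Joined Device Local Administrator" role SID
)

function Get-LocalAdminMembers {
    # Resolve the group name from its SID, then read members through the WinNT
    # provider. Get-LocalGroupMember is simpler but can fail on Entra-joined devices
    # when a member SID cannot be resolved to a name.
    $sid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')
    $groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://./$groupName,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
            Sid  = [System.Security.Principal.SecurityIdentifier]::new($sidBytes, 0).Value
        }
    }
}

$unexpected = @(Get-LocalAdminMembers | Where-Object { $Approved -notcontains $_.Sid })

if ($unexpected.Count -gt 0) {
    # The first output line is what Intune shows in the remediation report.
    'Unapproved local admins: ' + (($unexpected | ForEach-Object { "$($_.Path) ($($_.Sid))" }) -join '; ')
    exit 1
}
'Local Administrators group matches the allowlist.'
exit 0
```

Pair it with a remediation script only if you want Intune to remove the extra members automatically; on its own it just surfaces the drift.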
- ToddMasegian
Aug 15, 2024
Copper Contributor
Hi Nick, thank you for the suggestion with Admin By Request. I hadn't seen this before and the possibility of having logging for requests would be awesome.