Overview

This guide outlines how to limit local administrators on Intune managed devices. This is a great way to improve security and reduce the risk of privilege escalation attacks. This guide will remove all local administrators except for Global Administrators and Azure AD Joined Device Local Administrators.

Limiting Local Administrators

Prerequisites

Step 1: Connect to MS Graph and get the Object IDs for the Directory Roles

First, we need to connect to MS Graph and get the Object IDs for the Directory Roles we want to keep as local administrators. In this example, we’ll keep Global Administrators and Azure AD Joined Device Local Administrators. Take note of the Object IDs as we’ll need them later.

Connect-MgGraph -Scopes "Directory.Read.All"
Get-MgDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Select-Object -ExpandProperty Id
Get-MgDirectoryRole -Filter "DisplayName eq 'Azure AD Joined Device Local Administrator'" | Select-Object -ExpandProperty Id

Get Directory Role IDs

Step 2: Convert the Object IDs to SIDs

Next, we need to convert the Object IDs to SIDs. Take note of the SIDs as we’ll need them later. Run the following script and replace <Object ID> with the Object ID from the previous step, one for each role.

Function Convert-AzureAdObjectIdToSid {
    param([String] $ObjectId)
    # Read the GUID's 16 bytes as four 32-bit unsigned integers
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $array = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $array, 0, 16)
    # "S-1-12-1" is the prefix Windows uses for Azure AD identities; the four integers become the sub-authorities
    # (PowerShell joins the array with spaces when it is interpolated, so the spaces are swapped for hyphens)
    $sid = "S-1-12-1-$array".Replace(' ', '-')
    return $sid
}

Convert-AzureAdObjectIdToSid -ObjectId "<Object ID>" # Replace <Object ID> with the Object ID from the previous step, one for each role.

Convert Object IDs to SIDs
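The following script is an added example covering Steps 1 and 2 together; it is not part of the original guide. It resolves the two directory roles from the tenant, converts their Object IDs to SIDs, and adds the reverse conversion (SID back to Object ID), which is useful when you later find an S-1-12-1 SID in a local group and want to know which directory object it belongs to. The round-trip check at the end uses a constructed GUID, not a real tenant value. Note that Get-MgDirectoryRole only returns roles that have been activated in the tenant; a role that has never been assigned to anyone returns nothing, which is why the script warns instead of silently producing an empty list.

```powershell
# Added example (not from the original guide): resolve role Object IDs, convert to SIDs, and convert back.
# Requires the Microsoft.Graph PowerShell module and Directory.Read.All for the tenant lookup.

function Convert-AzureAdObjectIdToSid {
    param([Parameter(Mandatory)][string] $ObjectId)
    # The 16 GUID bytes are read as four little-endian UInt32 values, which become the four
    # sub-authorities after the fixed "S-1-12-1" prefix that Windows uses for Azure AD identities.
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $array = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $array, 0, 16)
    return "S-1-12-1-$array".Replace(' ', '-')
}

function Convert-AzureAdSidToObjectId {
    param([Parameter(Mandatory)][string] $Sid)
    # Reverse of the above: each sub-authority is written back as four little-endian bytes.
    if ($Sid -match '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') {
        $array = [UInt32[]]@($Matches[1], $Matches[2], $Matches[3], $Matches[4])
        $bytes = New-Object 'Byte[]' 16
        [Buffer]::BlockCopy($array, 0, $bytes, 0, 16)
        return ([Guid]::new($bytes)).ToString()
    }
    throw "Not an Azure AD SID (expected S-1-12-1-a-b-c-d): $Sid"
}

function Get-RoleSids {
    # Looks up each role by display name and returns its Object ID and derived SID.
    param([string[]] $RoleNames)
    $allRoles = Get-MgDirectoryRole -All   # only roles activated in this tenant are returned
    foreach ($name in $RoleNames) {
        $role = $allRoles | Where-Object { $_.DisplayName -eq $name }
        if (-not $role) {
            Write-Warning "Role '$name' not found; it may not be activated in this tenant yet."
            continue
        }
        [pscustomobject]@{
            Role     = $name
            ObjectId = $role.Id
            Sid      = Convert-AzureAdObjectIdToSid -ObjectId $role.Id
        }
    }
}

# Round-trip self-check on a constructed GUID (not a real directory object).
$sampleObjectId = '0f9b2c3d-4e5a-4b6c-8d7e-123456789abc'
$sampleSid = Convert-AzureAdObjectIdToSid -ObjectId $sampleObjectId
$roundTrip = Convert-AzureAdSidToObjectId -Sid $sampleSid
"$sampleObjectId -> $sampleSid -> $roundTrip"
if ($roundTrip -ne $sampleObjectId) { throw 'SID round-trip failed' }

# Tenant lookup (comment out if you only want the offline self-check).
Connect-MgGraph -Scopes 'Directory.Read.All'
Get-RoleSids -RoleNames @('Global Administrator', 'Azure AD Joined Device Local Administrator') |
    Format-Table -AutoSize
```

The SIDs in the output are the values to paste into the policy in Step 3. Because the directory role Object ID (and therefore the SID) is specific to your tenant, the SIDs cannot be copied from another tenant or from documentation.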

Step 3: Create a Device Manager Policy

Now that we have the SIDs, we can create a Device Manager policy to limit local administrators.

  1. In the Intune portal, navigate to Endpoint Security > Account Protection.
  2. Create a new policy for Local user group membership.

Create a new policy

  3. Select the group Administrators, set the Action to Add (Replace), User selection type to Manual, and add the SIDs from the previous step.

Configure the policy

  4. Set assignment to the desired groups or all devices, and save the policy.
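Once the policy has applied, it is worth confirming on a device that the Administrators group really contains only the intended members. The script below is an added example, not part of the original guide; it is written in the shape of an Intune detection script (exit 0 when compliant, exit 1 otherwise) so it can be run as a script file, and the SIDs in $ExpectedSids are constructed placeholders to be replaced with the values from Step 2. Any member whose SID is not on the list is reported as unexpected; the built-in Administrator account (RID 500) is excluded from that comparison because it is not one of the SIDs the policy manages.

```powershell
# Added example (not from the original guide): detect unexpected local Administrators members.
# Run as a script file on the device (for example as an Intune detection script).

# Constructed placeholder SIDs; replace with the SIDs produced in Step 2.
$ExpectedSids = @(
    'S-1-12-1-1111111111-2222222222-3333333333-4444444444',  # Global Administrator role
    'S-1-12-1-5555555555-6666666666-7777777777-8888888888'   # Azure AD Joined Device Local Administrator role
)

function Get-AdministratorsGroupSids {
    # Get-LocalGroupMember fails when a member's SID cannot be resolved, so fall back to ADSI,
    # which returns the raw objectSid bytes without trying to resolve names.
    try {
        return @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                 ForEach-Object { $_.SID.Value })
    } catch {
        $group = [ADSI]'WinNT://./Administrators,group'
        return @($group.psbase.Invoke('Members') | ForEach-Object {
            $raw = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
            (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
        })
    }
}

function Test-AdministratorsMembership {
    param([string[]] $Expected)
    $actual = Get-AdministratorsGroupSids
    # Anything present that is neither expected nor the built-in Administrator (RID 500)
    $unexpected = @($actual | Where-Object { $_ -notin $Expected -and $_ -notmatch '-500$' })
    # Expected SIDs that the policy should have added but which are not present
    $missing = @($Expected | Where-Object { $_ -notin $actual })
    [pscustomobject]@{
        Actual     = $actual
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

$result = Test-AdministratorsMembership -Expected $ExpectedSids
if ($result.Compliant) {
    Write-Output 'Compliant: Administrators group matches the expected SIDs'
    exit 0
}
Write-Output ("Not compliant. Unexpected: {0}; Missing: {1}" -f ($result.Unexpected -join ', '), ($result.Missing -join ', '))
exit 1
```

Running this before the policy is assigned shows the pre-existing local administrators that the Replace action will remove, which is a useful way to spot accounts (a break-glass local admin, a management agent) that need to be added to the policy's SID list rather than dropped.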

Conclusion

This is a great way to improve security and reduce the risk of privilege escalation attacks. Some estimates say that having users run with Standard Privileges can help mitigate 94% or more of Microsoft vulnerabilities.