How to Restrict Local Administrator Rights on Windows Endpoints with Intune and Autopilot

Managing local administrator access is one of the most critical steps in securing corporate Windows devices. By default, the first user who sets up a Windows endpoint becomes a local administrator, giving them elevated privileges to install software, change security settings, or even bypass IT policies.

In this article, I’ll show you practical methods to control and restrict local admin rights on Windows devices, step by step.

1. Restricting Local Admin Rights with Windows Autopilot

An Autopilot deployment profile lets you define whether the user who completes provisioning of the device becomes a Standard user or a local Administrator on it.

Steps:

  1. Go to Intune admin center → Devices → Windows → Windows enrollment → Deployment Profiles

  2. Edit or create a Deployment Profile.

  3. Under User account type, select:

    • Standard user (recommended for corporate security). 

    • Administrator (only in exceptional scenarios).   

👉 Tip: Even with Standard user selected, the Autopilot setting only governs the enrolling user. On Microsoft Entra joined devices, members of the Global Administrator and Microsoft Entra Joined Device Local Administrator roles are still added to the local Administrators group by default, and nothing stops accounts from being added to the group later. Treat the Autopilot profile as the starting point and pair it with the Account Protection policy in the next section to keep the group under continuous control.

2. Managing Local Administrators with Intune Account Protection Policy

2.1. Account Protection Policy (best option)

The Account Protection policy in Intune drives the LocalUsersAndGroups CSP through a straightforward interface. It lets you Add, Remove, or Replace members of the local Administrators group: Add and Remove adjust the existing membership, while Replace resets the group to exactly the members you specify (the built-in Administrator account always remains, as noted in section 3).

  1. Navigate to Endpoint security → Account protection → Create policy

  2. Select Platform: Windows 10 and later

  3. Choose profile: Local user group membership

  4. Configure:

    • Group: Administrators 

    • Action: Add / Remove / Replace 

    • Members: the Microsoft Entra users or groups (or local accounts) whose membership you want to manage. Prefer Entra security groups, so that who is an admin is changed in Entra rather than by redeploying the policy.   

2.2. A Note on Restricted Groups (legacy method)

In traditional Active Directory environments, Restricted Groups via GPO was the standard way to manage local administrator accounts.

It is still possible to configure this approach in Intune through a Custom profile that sets the RestrictedGroups CSP via an OMA-URI with an XML definition of the group membership. However, this method is legacy: it can only replace the entire membership (there is no Add or Remove), it is harder to maintain than the Account Protection policy, and since Windows 10 20H2 Microsoft recommends the LocalUsersAndGroups policy instead. Do not target the same group with both policies on one device; the two are not supported together.

👉 For most scenarios, Account Protection policies should be used instead, as they provide a simpler interface, more granular control (Add / Remove / Replace), and better long-term support.
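Both the Account Protection profile (section 2.1) and a Custom profile end up delivering the same thing to the device: an XML payload for the LocalUsersAndGroups/Configure CSP. The PowerShell below is an added example, not code from the original article or from Microsoft; it builds that payload for a Custom OMA-URI profile, which is the route you need when the Account Protection UI cannot express what you want. The function names are mine, the group object ID is a constructed placeholder rather than a real tenant object, and the element names and OMA-URI follow the LocalUsersAndGroups CSP documentation. Entra groups must be referenced by SID, so the example also shows how a group's object ID maps to the SID the device sees.

```powershell
# Added example (not from the original article): build the XML payload for the
# LocalUsersAndGroups/Configure CSP, the same CSP the Account Protection profile drives.
# Deploy it in a Custom profile at OMA-URI (data type String):
#   ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure

function ConvertTo-EntraSid {
    # An Entra object ID appears on the device as S-1-12-1-<d1>-<d2>-<d3>-<d4>,
    # where d1..d4 are the GUID's 16 bytes read as four little-endian UInt32 values.
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes  = $ObjectId.ToByteArray()
    $dwords = foreach ($offset in 0, 4, 8, 12) {
        [System.BitConverter]::ToUInt32($bytes, $offset)
    }
    'S-1-12-1-' + ($dwords -join '-')
}

function New-LocalAdminsConfigXml {
    param(
        [guid[]]$EntraGroupObjectId = @(),   # Entra security groups, referenced by SID
        [string[]]$EntraUserUpn     = @(),   # individual Entra users, referenced as AzureAD\<UPN>
        [string[]]$RemoveMember     = @(),   # local account names to remove (only meaningful with 'U')
        # 'U' updates the group (add/remove); 'R' replaces the whole membership with the listed members
        [ValidateSet('U', 'R')][string]$Action = 'R'
    )
    $lines = [System.Collections.Generic.List[string]]::new()
    $lines.Add('<GroupConfiguration>')
    $lines.Add('  <accessgroup desc="Administrators">')
    $lines.Add("    <group action=`"$Action`" />")
    foreach ($id in $EntraGroupObjectId) {
        $lines.Add("    <add member=`"$(ConvertTo-EntraSid -ObjectId $id)`" />")
    }
    foreach ($upn in $EntraUserUpn) {
        $safe = [System.Security.SecurityElement]::Escape($upn)
        $lines.Add("    <add member=`"AzureAD\$safe`" />")
    }
    foreach ($name in $RemoveMember) {
        $safe = [System.Security.SecurityElement]::Escape($name)
        $lines.Add("    <remove member=`"$safe`" />")
    }
    $lines.Add('  </accessgroup>')
    $lines.Add('</GroupConfiguration>')
    $xml = $lines -join "`r`n"
    [void][xml]$xml      # throws if the payload is not well-formed XML
    return $xml
}

# Constructed placeholder object ID (not a real tenant object). Substitute the object ID
# of your own "Workstation Admins" Entra group from the Entra admin center.
$workstationAdmins = [guid]'47d9b8e1-5b0f-4d3e-9c12-3f2a1b4c5d6e'

# Replace the Administrators membership with just that group (plus the built-in Administrator,
# which the CSP never removes). Paste the output into the Custom profile's Value field.
New-LocalAdminsConfigXml -EntraGroupObjectId $workstationAdmins -Action 'R'
```

Use action U with explicit add and remove entries when you need to keep existing members you do not manage; use R when the policy should be the single source of truth for the group. Either way, test the rendered XML on a pilot device before assigning it broadly, because a Replace that omits your support group locks you out of the endpoint.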


3. Best Practices and Considerations

  • Policy delay: Intune settings are not applied in real time. Once enrollment has settled, devices check in roughly every 8 hours, so a change can take a sync cycle or more to land. On a test device, trigger a sync from Settings → Accounts → Access work or school → (your account) → Info → Sync, or from the Company Portal app, to verify the result sooner. 

  • Built-in Administrator account: this account cannot be removed from the Administrators group, so secure it instead. Use Windows LAPS (the successor to the legacy Microsoft LAPS), configured in Intune under Endpoint security → Account protection, to rotate its password on a schedule and back it up to Entra. Renaming the account is a modest extra step; the well-known RID 500 still identifies it. 

  • Pilot deployments: Always test with a subset of devices before deploying broadly. 

  • Audit regularly: Use lusrmgr.msc or PowerShell to review group membership. 
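A periodic audit is only useful if it tells you what should not be there. The script below is an added example, not code from the original article; it lists the local Administrators group and flags any member that is neither the built-in Administrator (RID 500) nor on an allowlist of SIDs you deliberately manage. The function names and the allowlist SID are mine; the SID is a constructed placeholder, not a real group. It also handles a failure mode practitioners hit on Entra joined devices: Get-LocalGroupMember can fail with "Failed to compare two elements in the array" when a member SID cannot be resolved, so the script falls back to the WinNT ADSI provider, which enumerates those members as raw SIDs.

```powershell
# Added example (not from the original article): audit the local Administrators group
# against an allowlist of managed SIDs and report drift. Run locally or via an Intune
# remediation script; the report is returned as objects so it can be logged or asserted on.

function Get-LocalAdminMembers {
    param([string]$GroupName = 'Administrators')
    try {
        # Preferred path: the LocalAccounts module resolves names and SIDs for us
        Get-LocalGroupMember -Group $GroupName -ErrorAction Stop |
            ForEach-Object { [pscustomobject]@{ Name = $_.Name; Sid = $_.SID.Value } }
    }
    catch {
        # Fallback for Entra joined devices where Get-LocalGroupMember throws on
        # unresolvable SIDs: enumerate through the WinNT provider and read each SID directly
        $group = [ADSI]"WinNT://./$GroupName,group"
        foreach ($m in @($group.Invoke('Members'))) {
            $name  = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
            $raw   = [byte[]]$m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            $sid   = [System.Security.Principal.SecurityIdentifier]::new($raw, 0).Value
            [pscustomobject]@{ Name = $name; Sid = $sid }
        }
    }
}

function Test-LocalAdminDrift {
    param(
        # SIDs you intentionally keep in the group (your managed Entra admin group, LAPS-covered
        # break-glass accounts, etc.). The built-in Administrator (RID 500) is always expected.
        [Parameter(Mandatory)][string[]]$AllowedSid,
        [string]$GroupName = 'Administrators'
    )
    foreach ($m in Get-LocalAdminMembers -GroupName $GroupName) {
        $isBuiltIn = $m.Sid -match '-500$'
        [pscustomobject]@{
            Name     = $m.Name
            Sid      = $m.Sid
            Expected = $isBuiltIn -or ($AllowedSid -contains $m.Sid)
        }
    }
}

# Constructed placeholder SID for the managed "Workstation Admins" Entra group; replace it
# with the SID derived from your group's object ID (S-1-12-1-...).
$allowed = @('S-1-12-1-1111111111-2222222222-3333333333-4444444444')

$report = Test-LocalAdminDrift -AllowedSid $allowed
$report | Format-Table -AutoSize

$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected local admins: $($unexpected.Name -join ', ')"
    exit 1   # non-zero exit lets an Intune detection script trigger remediation
}
```

Members that show up only as a bare S-1-12-1-... SID with no friendly name are usually Entra principals the device cannot resolve offline; compare them against the SIDs of your Entra admin groups and roles rather than dismissing them, because an orphaned SID is exactly what a stale or smuggled admin entry looks like.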

Conclusion

Restricting local administrator rights is a fundamental endpoint security best practice. By combining Windows Autopilot (to block admin rights at provisioning) with Microsoft Intune policies (to continuously enforce group membership), organizations can minimize risk, improve compliance, and reduce the attack surface of their Windows endpoints.

Implementing these controls should be part of your modern endpoint management strategy, especially if your organization is adopting a Zero Trust security model.

💡 Looking to strengthen your Intune and Autopilot deployment? I help organizations implement least privilege strategies and improve their endpoint security posture.

👉 Get in touch to discuss how we can secure your Windows environment.