Minimize Local Administrators [CHK-1165]
This check verifies whether the user who joins (registers) a device to Entra ID is automatically added to the local Administrators group of that device.
Rationale
Local administrative rights let a user change every setting on the computer and install any software, including malware. This is a significant risk because a single user can easily be deceived into running malicious code or granting remote access, handing an external attacker full control of the endpoint rather than just the user's own session.
Fix
An automated fix is available through Attic.
Manual steps:
- Navigate to the Entra admin center at https://entra.microsoft.com
- Go to Devices > All devices > Device settings
- Under "Local administrator settings", make sure "Registering user is added as local administrator on the device during Microsoft Entra join (preview)" is set to None (that is, disabled). This only affects devices joined after the change; on already joined devices the registering user stays in the local Administrators group and has to be removed separately, for example with an Intune script or policy
- Set "Enable Microsoft Entra Local Administrator Password Solution (LAPS)" to "Yes" if you use LAPS, so the built-in local administrator account gets a unique, rotated password on every device
- Use "Additional local administrators on all Microsoft Entra joined devices" to assign local admin rights only to the specific users or groups that genuinely need them on every joined device
- Do not add regular users to this list
- Click "Save"
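The portal setting only stops future joins from granting local admin rights; devices that were joined before the change keep the registering user in their local Administrators group. The following PowerShell script is an added example for remediating those devices; it is not part of Attic or of Microsoft's tooling. It is meant to run as SYSTEM on the endpoint (for example as an Intune platform or remediation script), lists the members of the local Administrators group, and removes every Microsoft Entra user account that is not on an allowlist. The allowlist entry is a hypothetical placeholder. It assumes that Windows lists Entra accounts as "AzureAD\<UPN>" and it deliberately leaves raw SIDs (S-1-12-1-...) alone, since those represent Entra role assignments rather than individual users. Without -Enforce it only audits and exits non-zero when it finds a non-allowlisted Entra admin.

```powershell
# Added example, not part of the Attic check or Microsoft's own tooling.
# Removes Microsoft Entra user accounts from the local Administrators group on an
# already joined device, except those on an allowlist. Audit-only unless -Enforce is given.
# Assumptions: the allowlist entry is hypothetical; Entra users are listed as "AzureAD\<upn>";
# raw SIDs (S-1-12-1-...) are Entra role placeholders and are left untouched.
[CmdletBinding()]
param(
    [switch]$Enforce,
    [string[]]$AllowedMembers = @('AzureAD\it-admin@contoso.com')   # hypothetical allowlist
)

$GroupName = 'Administrators'

function Get-AdminMemberNames {
    # Get-LocalGroupMember is known to throw on Entra joined devices when the group holds
    # SIDs it cannot resolve; fall back to parsing 'net localgroup' output in that case.
    try {
        return @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop | ForEach-Object Name)
    }
    catch {
        Write-Warning "Get-LocalGroupMember failed: $($_.Exception.Message). Using 'net localgroup'."
        $lines  = @(net localgroup $GroupName)
        $header = $lines | Where-Object { $_ -match '^-{5,}' } | Select-Object -First 1
        $start  = [array]::IndexOf($lines, $header) + 1
        return @($lines[$start..($lines.Count - 1)] |
            Where-Object { $_ -and $_ -notmatch 'completed successfully' })
    }
}

function Get-UnwantedEntraAdmins([string[]]$Members) {
    # Only Entra user principals (prefix AzureAD\) are candidates. Local accounts,
    # allowlisted users and unresolved SIDs (Entra roles) are kept.
    $Members | Where-Object {
        $_ -like 'AzureAD\*' -and ($AllowedMembers -notcontains $_)
    }
}

$members  = Get-AdminMemberNames
$unwanted = @(Get-UnwantedEntraAdmins $members)

if (-not $unwanted) {
    Write-Output "No non-allowlisted Entra users in local $GroupName."
    exit 0
}

foreach ($m in $unwanted) {
    if ($Enforce) {
        try {
            Remove-LocalGroupMember -Group $GroupName -Member $m -ErrorAction Stop
            Write-Output "Removed $m from $GroupName."
        }
        catch {
            # The same SID-resolution problem can affect removal; net.exe works on the name.
            net localgroup $GroupName "$m" /delete | Out-Null
            Write-Output "Removed $m from $GroupName via net localgroup."
        }
    }
    else {
        Write-Output "AUDIT: $m is a local administrator (run with -Enforce to remove)."
    }
}

# In audit mode a non-zero exit code marks the device as non-compliant for a detection script.
if (-not $Enforce) { exit 1 }
```

Run it once without -Enforce across a pilot group and review the AUDIT lines before enforcing; accounts that legitimately need local admin on specific devices belong on the allowlist or in the Entra local administrator role, not in an exception in the script.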
Impact
Users can no longer install software at their own discretion and may find this obstructive. Communicate the reasons for the change in advance and provide a supported route for requesting software, so that the restriction does not push users towards workarounds.