You have an Azure AD tenant named contoso.com.
You need to ensure that users are not added automatically to the local Administrators group when they join their Windows 11 device to contoso.com.
What should you configure?
To ensure that users are not added automatically to the local Administrators group when they join their Windows 11 device to contoso.com, you should configure the Device settings in Azure AD. Device settings in Azure AD allow you to control policies related to device enrollment and management, including settings that restrict local administrator access during the enrollment process.
In Autopilot, you choose the type of user: Administrator or Standard.
If you want to prevent regular users from becoming local administrators, you have the following options: Windows Autopilot & bulk enrollment https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin#manage-regular-users
D. entra.microsoft.com -> device setting -> Select No under "Registering user is added as local administrator on the device during Microsoft Entra join". The question doesn't mention Autopilot.
https://learn.microsoft.com/en-us/entra/identity/devices/howto-manage-local-admin-passwords Enabling Windows LAPS with Microsoft Entra ID
Checked in tenant and ability to restrict local admin privs to some, all or none is present in device settings as preview. Was added ~March '24, the longer you are reading this from now the more likely it is to be right. I still favour D as the question doesn't mention Autopilot, and if you go the autopilot route everyone's device is getting reset.
D. Device settings in Azure AD. Device settings in Azure AD allow you to configure policies that control device behavior, including settings related to device enrollment and management. You can use these settings to configure restrictions on local administrator access to devices enrolled in Azure AD.
Option A, Windows Autopilot, primarily focuses on simplifying the deployment and management of Windows devices, including Windows 11 devices, through cloud-based services. While Windows Autopilot offers various configuration options for device provisioning and enrollment, it does not directly control the membership of local groups on devices. Configuring Windows Autopilot might not directly address the requirement to prevent users from being added automatically to the local Administrators group on Windows 11 devices joined to the contoso.com Azure AD tenant. Therefore, while Windows Autopilot can play a role in device provisioning and enrollment, it may not be the most appropriate choice for addressing the specific requirement stated in the scenario.
Doesn't say anything about Autopilot, just that a user joins their device. So D, Device Settings.
Doesn't say anything about Autopilot. It says "when user joins". Wouldn't that be D? If they never go through Autopilot, then Autopilot profile won't do anything.
Right Answer = A Manage regular users: By default, Microsoft Entra ID adds the user performing the Microsoft Entra join to the administrator group on the device. If you want to prevent regular users from becoming local administrators, you have the following options: Windows Autopilot - Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator by creating an Autopilot profile. Bulk enrollment - a Microsoft Entra join that is performed in the context of a bulk enrollment happens in the context of an autocreated user. Users signing in after a device has been joined aren't added to the administrators group. Source: https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin#manage-regular-users
A is correct.
ChatGPT answer is B. Provisioning packages for Windows.
ChatGPT is useful but it gives wrong answers when it is used in a wrong way. Here's "A"
There is a setting in Autopilot deployment profile to set either a Standard or Administrator user... but the question doesn't mention adding devices to Intune... so why Autopilot?
Correct
Correct
Correct
The correct answer is D. Device settings in Azure AD. To prevent users from being added automatically to the local Administrators group when they join their Windows 11 device to contoso.com, you need to configure the Device settings in Azure AD.
"When they join their device" Does this mean Autopilot is not being used, since they are manually adding their device? Or am I reading too much into it? It's A or D depending on what Microsoft is looking for.