General
This check verifies that users are not automatically added to the local administrators group on their device when they register it in Entra ID.
Rationale
Someone with administrative rights can change all settings of the computer and install software including malware. Even though users often highly value this freedom, from an organizational perspective, it poses significant risks. An individual user can be easily deceived into allowing their endpoint to be controlled by an external attacker, who can then use it as an entry point into your organization.
Attic Fix
A fix is available for this check! It will be offered via a ticket in Attic, which you can then accept.
Manual Instructions
Follow these steps to adjust the setting:
- Open the Entra portal https://entra.microsoft.com
- Go to Devices > All Devices > Device Settings
- Check if the setting "Registering user is added as local administrator on the device during Microsoft Entra join (preview)" is disabled
- Click on Save
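The same setting can also be audited from Microsoft Graph rather than the portal. The Python below is an added example, not Attic's own code: it assumes the policy JSON was fetched from the Graph beta endpoint policies/deviceRegistrationPolicy, that the portal options All / Selected / None correspond to the three registeringUsers membership types, and that only None counts as disabled. The sample JSON is constructed.

```python
import json

# Constructed sample of a Graph beta deviceRegistrationPolicy response (not real tenant data).
SAMPLE_POLICY = json.loads("""
{
  "id": "deviceRegistrationPolicy",
  "azureADJoin": {
    "isAdminConfigurable": true,
    "allowedToJoin": {"@odata.type": "#microsoft.graph.allDeviceRegistrationMembership"},
    "localAdmins": {
      "enableGlobalAdmins": true,
      "registeringUsers": {
        "@odata.type": "#microsoft.graph.enumeratedDeviceRegistrationMembership",
        "users": ["00000000-0000-0000-0000-000000000001"],
        "groups": []
      }
    }
  }
}
""")

PREFIX = "#microsoft.graph."


def registering_user_local_admin(policy: dict) -> tuple[bool, str]:
    """Return (compliant, detail) for the 'registering user is local admin' setting."""
    join = policy.get("azureADJoin") or {}
    members = (join.get("localAdmins") or {}).get("registeringUsers")
    if not isinstance(members, dict):
        # Fail closed: without the object we cannot confirm the setting is off.
        return False, "registeringUsers missing: cannot confirm the setting is disabled"
    kind = members.get("@odata.type", "").removeprefix(PREFIX)
    if kind == "noDeviceRegistrationMembership":
        return True, "None: registering users are not added as local administrators"
    if kind == "allDeviceRegistrationMembership":
        return False, "All: every registering user becomes local administrator"
    if kind == "enumeratedDeviceRegistrationMembership":
        # Assumption: 'Selected' is treated as non-compliant, since the check asks for disabled.
        n = len(members.get("users") or []) + len(members.get("groups") or [])
        return False, f"Selected: {n} user/group object(s) still become local administrator"
    return False, f"unrecognised membership type {kind!r}"


if __name__ == "__main__":
    ok, detail = registering_user_local_admin(SAMPLE_POLICY)
    print("PASS" if ok else "FAIL", "-", detail)
```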
Impact
Users can no longer install software at their discretion and may find this obstructive. Therefore, good communication about the reasons for this change is advisable.