Joe misran

Autopilot - Users are local administrator on connected device instead of to be standard user


Hi,

I've got a problem with my users when I deploy Win10 1709 with Autopilot. I want to prevent my user account from being local administrator on his device (I made an enrollment profile assigned to his device and I have all the prerequisites). I don't understand why he is still local administrator.

Did anyone ever have this problem?

I'm using a test user account on a test tenant (E5). My account has the User role on my Azure AD.

For my user:

- Azure AD Premium P2 & Office 365 licences.

- Allowed to join devices into Azure AD

- MDM user scope: All

Here's my process:

- I create a VM (UEFI, no vTPM) in vSphere with Win10 Professional build 1709.

- I capture my VM's hardware ID for Autopilot deployment. I realized that I don't get the same hardware hash when I use windowsautopilotinfo.ps1 and this script:

# Serial number as reported by the BIOS
wmic bios get serialnumber
# Windows product ID from the registry
Get-ItemPropertyValue "hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey\" "ProductId"
# Hardware hash from the MDM bridge WMI provider (needs an elevated session)
$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
# Write the hash to <computername>.txt; the $( ) subexpression is required to expand the variable inside the string
$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt"

The first part is the same; the second part changes every time I run the script (in bold in the example): xxxxxxxxx/YYYYYYYYY

- I reset my VM back to OOBE.

- I register my VM to my organisation at https://businessstore.microsoft.com/

- I assign a profile: disable local admin account: On, Skip privacy settings: Off, Skip EULA: Off

Regards,

Joe
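An added check for readers following this thread (example code, not the original poster's script and not anything posted by the repliers): once the Autopilot deployment has finished, run this on the device to see the Azure AD join and MDM enrollment state that dsregcmd reports, who actually sits in the local Administrators group (located by its well-known SID so it also works on localized Windows builds), and whether the signed-in user is among them. It assumes Windows 10 1709 or later with the built-in LocalAccounts module and an elevated PowerShell session; the function name is my own.

```powershell
# Added example (not from the original post): verify the post-Autopilot state.
# Assumes Windows 10 1709+ (LocalAccounts module is built in) and an elevated session.

function Get-AutopilotLocalAdminReport {
    # 1. Join/enrollment state from dsregcmd (plain-text output, parsed with regexes)
    $dsreg = dsregcmd /status
    $azureAdJoined = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
    $mdmMatch = $dsreg | Select-String -Pattern 'MdmUrl\s*:\s*(\S+)' | Select-Object -First 1
    $mdmUrl = if ($mdmMatch) { $mdmMatch.Matches[0].Groups[1].Value } else { '' }

    # 2. Local Administrators group, found by well-known SID rather than display name
    $adminGroup = Get-LocalGroup | Where-Object { $_.SID.Value -eq 'S-1-5-32-544' }
    try {
        $members = Get-LocalGroupMember -Group $adminGroup -ErrorAction Stop
        $memberList = $members | ForEach-Object { "$($_.Name) <$($_.SID.Value)> [$($_.PrincipalSource)]" }
        $memberSids = $members | ForEach-Object { $_.SID.Value }
    }
    catch {
        # Get-LocalGroupMember can fail on Azure AD joined devices when a member SID
        # cannot be resolved to a name; fall back to the raw "net localgroup" listing.
        $raw = net localgroup $adminGroup.Name
        $memberList = $raw | Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command completed)' }
        $memberSids = @()
    }

    # 3. Is the signed-in user (the one who went through OOBE) an administrator?
    $current = [Security.Principal.WindowsIdentity]::GetCurrent()
    $currentIsAdmin = ([Security.Principal.WindowsPrincipal]$current).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        AzureAdJoined  = $azureAdJoined
        MdmUrl         = $mdmUrl
        AdminMembers   = $memberList
        CurrentUser    = $current.Name
        CurrentUserSid = $current.User.Value
        CurrentIsAdmin = $currentIsAdmin
        CurrentInGroup = ($memberSids -contains $current.User.Value)
    }
}

Get-AutopilotLocalAdminReport | Format-List
```

Read the two admin fields together: CurrentIsAdmin reflects the token of the running session and is false in a non-elevated prompt even for a group member, while CurrentInGroup reflects actual membership of the Administrators group, which is what the Autopilot profile setting is meant to control. An AzureAdJoined value of False, or an empty MdmUrl, means the device never enrolled the way the profile expects, which matches the branding-during-OOBE check suggested later in this thread.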


Are you testing this using a user that is a global admin in Azure? If so, then they will still be an admin (local) after Autopilot is done.

Hi,

First of all I want to thank you for your Intune tutorial. It was a very good help.

The directory role on my Azure AD is User.

Edited by Joe misran

Thanks for the thanks.

OK, so after assigning the profile, you go through OOBE; when it prompts for credentials, are you seeing the company name + logo you defined in AAD?

Sounds like your system isn't registered for Autopilot then. You're supposed to see your company branding after you connect to the internet during OOBE.

I'm happy to TeamViewer in to take a look if you want, let me know.

Hi Anyweb,

I'm sorry for my late response; I had to set this project aside and could not answer you before. I'm sorry, I can't let you TeamViewer into my computer. But I thought about it and I would like to ask you something. I use Autopilot with a test domain of the form x@x.onmicrosoft.com. Do you think it could be the cause of the problem?

Regards,

Joe

The test domain in Azure doesn't matter. Does your Autopilot company branding appear during OOBE? If not, something is not right...
