  • 0
Joe misran

Autopilot - Users are local administrators on connected device instead of being standard users

Question

Hi,

I've got a problem with my users when I deploy Win10 1709 with Autopilot. I prevent my user account from being local administrator on his device (I made an enrollment profile assigned to his device and I've got all prerequisites). I don't understand why he is still local administrator.

Did anyone ever have this problem?

I'm using a test user account on a test tenant (E5). My account has the user rights on my Azure AD.

For my user

- Azure AD Premium P2 & Office 365 licences.

- Allowed to join devices into Azure AD

- MDM user scope : All

Here's my process:

- I create a VM (UEFI, no vTPM) in vSphere with Win10 Professional build 1709.

- I capture my VM's hardware ID for Autopilot deployment. I realized that I don't have the same hardware hash when I used windowsautopilotinfo.ps1 and this script:

# BIOS serial number of the device
wmic bios get serialnumber
# Windows product ID
Get-ItemPropertyValue "hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey\" "ProductId"
# Hardware hash exposed by the MDM bridge WMI provider
$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt"

The first part is the same, the second part changes every time I run the script (in bold in the example): xxxxxxxxx/YYYYYYYYY

- I reset my VM back to OOBE

- I register my VM to my organisation https://businessstore.microsoft.com/

- I assign a profile: disable local admin account: On, Skip privacy settings: Off, Skip EULA: Off

Regards,

Joe

9 answers to this question

  • 0

Are you testing this using a user that is a global admin in Azure? If so, then they will still be an admin (local) after Autopilot is done.
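
One way to check on the provisioned device who actually holds local administrator rights, and whether the signed-in user gets them directly or through another principal such as an Azure AD role. This is an added example, not part of the original thread; it assumes Windows PowerShell run on the Azure AD joined device, and the output property names are illustrative.

```powershell
# Added example (not from the thread): audit who holds local admin on the device.
# Resolve BUILTIN\Administrators by well-known SID so the lookup also works on
# localized Windows, where the group has a different display name.
$adminSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# Enumerate through ADSI; Get-LocalGroupMember can fail on Azure AD joined
# devices when a member SID cannot be resolved to a name.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$members = foreach ($m in $group.Invoke('Members')) {
    $type  = $m.GetType()
    $bytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    $kind  = switch -Regex ($sid) {
        '^S-1-12-1-'        { 'Azure AD object (user or directory role)'; break }
        '^S-1-5-21-.*-500$' { 'Built-in Administrator account'; break }
        '^S-1-5-21-'        { 'Local or domain account/group'; break }
        default             { 'Other / well-known' }
    }
    [pscustomobject]@{
        Name = $type.InvokeMember('Name', 'GetProperty', $null, $m, $null)
        SID  = $sid
        Kind = $kind
    }
}
$members | Format-Table -AutoSize

# whoami /groups also lists deny-only groups, so this is true for an admin
# even in a non-elevated (UAC-filtered) session.
$me       = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inToken  = [bool]((whoami /groups /fo csv /nh) -match '"S-1-5-32-544"')
$isDirect = $members.SID -contains $me.User.Value

# ViaGroupOrRole = admin without being listed directly, e.g. through an
# Azure AD directory role SID that is a member of the group.
[pscustomobject]@{
    User           = $me.Name
    UserSid        = $me.User.Value
    AdminInToken   = $inToken
    DirectMember   = $isDirect
    ViaGroupOrRole = ($inToken -and -not $isDirect)
}
```

If `AdminInToken` is true while `DirectMember` is false, the Autopilot profile did keep the user out of the group and the rights come from one of the other listed members, which is the situation the reply above describes for a global admin test account.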


  • 0

Thanks for the thanks,

OK, so after assigning the profile, you go through OOBE. When it prompts for credentials, are you seeing the company name + logo you defined in AAD?


  • 0

Hi Anyweb,

I'm sorry for my late response, I had to set this project aside and I could not answer you before. I'm sorry I can't let you use TeamViewer with my computer. But I thought about it and I would like to ask you something. I use Autopilot with a test domain of the form x@x.onmicrosoft.com. Do you think it could be the cause of the problem?

Regards,

Joe


  • 0

The test domain in Azure doesn't matter. Does your Autopilot company branding appear during OOBE? If not, something is not right...
