IBM Support

Removal of local administrator privileges on enrolled Windows 10 devices

Release Notes


Abstract

Removal of local administrator privileges on enrolled Windows 10 devices

Content

Microsoft requires that the user account enrolling a Windows machine in MDM has local administrator rights on that machine. MaaS360 adds a workaround to this limitation for organizations, allowing users to enroll Windows 10 devices into MaaS360 without local admin privileges. Note: Some apps that require administrator privileges may not install or function.

Heads up! When the local administrator privilege is removed,

  • Some apps that require administrator privileges may not install or function.
  • Admin access is removed only if the user is a direct member of the Administrators group, not a member of another group that is itself nested in Administrators.
  • The device is scheduled for a restart 5 minutes after the removal of admin privileges so that the changes take effect.
  • Disabling the policy does not re-enable administrator privileges for the enrolled user.
  • Ensure that there is at least one administrator other than the enrolled user for troubleshooting any unforeseen issues.
  • The enrolled user cannot remove MDM control. If removal is required, it must be initiated by the portal administrator.
  • Admin access is not removed for Active Directory users or for users who are not direct members of the Administrators group.

To remove the local administrator privileges on the enrolled user account,

  1. In the Windows MDM policy, navigate to Device Settings > User Accounts and then select Enforce removal of local administrator privileges on enrolled user account.

Removal of administrator privileges after the BitLocker encryption

To enable BitLocker Device Encryption on the device, the device user must have local admin privileges on the machine. If BitLocker encryption policies are enforced on the devices, administrators can delay the removal of local administrator privileges on end-user devices until BitLocker encryption is complete.

To keep the removal of administrator privileges on hold until BitLocker encryption is complete,

  1. In the Windows MDM policy, navigate to Device Settings > User Accounts and then select Enforce removal of local administrator privileges on enrolled user account.
    Result: The User Accounts section is displayed.
  2. Select the Remove local administrator privileges only once BitLocker Encryption is complete policy.
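As an added example, not part of this release note or of MaaS360 itself, the following PowerShell readiness check can be run in an elevated session on a Windows 10 device before enabling either policy. It reports the conditions listed above without changing anything: whether the enrolling account is a direct local member of the Administrators group (nested-group and Active Directory memberships are reported as not affected by the policy), whether at least one other enabled local administrator remains for troubleshooting, and whether BitLocker on the system drive has finished encrypting. The -EnrolledUser parameter name is an assumption of this example; the cmdlets come from the built-in Microsoft.PowerShell.LocalAccounts and BitLocker modules.

```powershell
# Added pre-enrollment readiness check; this is not MaaS360 code and makes no
# changes to the device. Run in an elevated PowerShell session on the Windows 10
# device before enabling the policy. -EnrolledUser is a hypothetical parameter
# naming the account that will enroll (defaults to the current user).
param(
    [string]$EnrolledUser = $env:USERNAME
)

Import-Module Microsoft.PowerShell.LocalAccounts

# Get-LocalGroupMember lists DIRECT members only. A nested group appears as a
# single entry with ObjectClass 'Group' and is not expanded, which matches the
# policy's behaviour of acting only on direct membership.
$members = @(Get-LocalGroupMember -Group 'Administrators')

# Compare on the account name without the COMPUTERNAME\ or DOMAIN\ prefix.
$target = $members | Where-Object {
    $_.ObjectClass -eq 'User' -and ($_.Name -split '\\')[-1] -ieq $EnrolledUser
}

if (-not $target) {
    Write-Output "SKIP: '$EnrolledUser' is not a direct member of Administrators (membership via a nested group is not removed by the policy)."
} elseif ($target.PrincipalSource -ne 'Local') {
    Write-Output "SKIP: '$EnrolledUser' is a $($target.PrincipalSource) account; the policy does not remove admin access for non-local users."
} else {
    Write-Output "OK: '$EnrolledUser' is a direct local member of Administrators and will lose that membership."
}

foreach ($g in ($members | Where-Object ObjectClass -eq 'Group')) {
    Write-Output "NOTE: nested group '$($g.Name)' is a member of Administrators; its members are unaffected."
}

# Confirm that at least one other ENABLED local administrator remains for troubleshooting.
$otherAdmins = foreach ($m in $members) {
    if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local' -and $m.SID -ne $target.SID) {
        $u = Get-LocalUser -SID $m.SID
        if ($u.Enabled) { $u.Name }
    }
}
if ($otherAdmins) {
    Write-Output "OK: other enabled local administrators remain: $($otherAdmins -join ', ')"
} else {
    Write-Output "WARN: no other enabled local administrator exists; create one before enabling the policy."
}

# BitLocker: if the encryption policy is enforced, hold the removal until the
# system drive reports FullyEncrypted.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Write-Output "BitLocker on $($vol.MountPoint): VolumeStatus=$($vol.VolumeStatus), ProtectionStatus=$($vol.ProtectionStatus)"
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        Write-Output "HOLD: encryption is not complete; select 'Remove local administrator privileges only once BitLocker Encryption is complete'."
    }
} catch {
    Write-Output "BitLocker status unavailable: $($_.Exception.Message)"
}
```

Run it as `.\Check-AdminRemovalReadiness.ps1 -EnrolledUser jdoe` (file name is illustrative). A SKIP or WARN line means the policy would either do nothing for that account or leave the device without a fallback administrator, so those cases are worth resolving before enrollment.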

Business Unit: IBM Software w/o TPS (BU059)
Product: IBM MaaS360 (SSYSXX)
Platform: Platform Independent (PF025)
Version: 10.70
Line of Business: Security Software (LOB24)

Document Information

Modified date:
30 November 2018

UID

ibm10743461