MT.1090 - Global administrator role should not be added as local administrator on the device during Microsoft Entra join
Overviewβ
The 'Global administrator role is added as local administrator on the device during Microsoft Entra join' setting determines if Microsoft Entra Global Administrator role is added to the local administrators group. This setting applies only once during the actual registration of the device as Microsoft Entra join.
Remediation actionβ
Within the Entra Portal - Device Settings set 'Global administrator role is added as local administrator on the device during Microsoft Entra join' to No. To remediate existing devices, you need to create an Intune account policy, overriding the built-in Windows Administrators group.
Related linksβ
Test Metadataβ
| Field | Value |
|---|---|
| Test ID | MT.1090 |
| Severity | Medium |
| Suite | Maester |
| Category | Entra |
| PowerShell test | Test-MtDeviceRegistrationLocalAdminsGlobalAdmin |
| Tags | Device, Entra, MT.1090 |
Sourceβ
- Pester test:
tests/Maester/Entra/Test-MtEntraDeviceRegistrationPolicy.Tests.ps1 - PowerShell source:
powershell/public/maester/entra/Test-MtDeviceRegistrationLocalAdminsGlobalAdmin.ps1