MT.1091 - Registering user should not be added as local administrator on the device during Microsoft Entra join
Overview
The 'Registering user is added as local administrator on the device during Microsoft Entra join' setting determines whether the registering user is added to the local Administrators group. It is applied only once, at the moment the device is registered through Microsoft Entra join.
Remediation action
In the Entra portal, under Device settings, set 'Registering user is added as local administrator on the device during Microsoft Entra join' to None. Because the setting is only applied at join time, changing it does not alter devices that are already joined. To remediate existing devices, create an Intune account policy that overrides the built-in Windows Administrators group.
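One way to confirm the setting after changing it is to evaluate the `deviceRegistrationPolicy` object returned by Microsoft Graph. This is an added example, not Maester's own test code: the helper name and the sample JSON are constructed, and the property path and `@odata.type` values assume the Graph beta schema for this resource.

```powershell
# Constructed, trimmed sample of a deviceRegistrationPolicy response (not real tenant data).
# Against a live tenant the object could instead be read with the Microsoft Graph PowerShell SDK:
#   $policy = Invoke-MgGraphRequest -Method GET `
#       -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'
$sampleJson = @'
{
  "azureADJoin": {
    "localAdmins": {
      "enableGlobalAdmins": true,
      "registeringUsers": {
        "@odata.type": "#microsoft.graph.enumeratedDeviceRegistrationMembership",
        "users": ["00000000-0000-0000-0000-000000000001"],
        "groups": []
      }
    }
  }
}
'@

function Get-RegisteringUserLocalAdminState {
    # Hypothetical helper: maps the Graph membership type to the portal value (None / All / Selected).
    param([Parameter(Mandatory)] $Policy)

    $setting = 'Unknown'
    $detail  = 'registeringUsers was not present in the policy object'
    $membership = $Policy.azureADJoin.localAdmins.registeringUsers
    $type = if ($null -ne $membership) { $membership.'@odata.type' } else { $null }

    switch ($type) {
        '#microsoft.graph.noDeviceRegistrationMembership' {
            $setting = 'None'; $detail = 'No registering user becomes local administrator at join'
        }
        '#microsoft.graph.allDeviceRegistrationMembership' {
            $setting = 'All'; $detail = 'Every registering user becomes local administrator at join'
        }
        '#microsoft.graph.enumeratedDeviceRegistrationMembership' {
            $setting = 'Selected'
            $detail  = '{0} user(s) and {1} group(s) become local administrator at join' -f `
                @($membership.users).Count, @($membership.groups).Count
        }
    }
    # Only 'None' satisfies MT.1091; an unreadable policy is reported as non-compliant, not passed.
    [pscustomobject]@{ Compliant = ($setting -eq 'None'); Setting = $setting; Detail = $detail }
}

Get-RegisteringUserLocalAdminState -Policy ($sampleJson | ConvertFrom-Json)
```

A compliant result only describes future joins; devices joined while the setting was All or Selected keep their existing local Administrators membership until the Intune policy is applied.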
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1091 |
| Severity | Medium |
| Suite | Maester |
| Category | Entra |
| PowerShell test | Test-MtDeviceRegistrationLocalAdminsRegisteringUser |
| Tags | Device, Entra, MT.1091 |
Source
- Pester test: tests/Maester/Entra/Test-MtEntraDeviceRegistrationPolicy.Tests.ps1
- PowerShell source: powershell/public/maester/entra/Test-MtDeviceRegistrationLocalAdminsRegisteringUser.ps1