To ensure that users are not added automatically to the local Administrators group when they join their Windows 11 device to Azure AD, you should configure Device settings in Azure AD. Specifically, you need to disable the setting that automatically adds users to the local Administrators group on Azure AD-joined devices.
This can be done by setting Local Administrator Group Membership to None in Azure AD's device settings.
Entra ID > Devices > Devices Settings > Under Local Administration Settings, Change the state to NONE for "Registering user is added as local administrator on the device during Microsoft Entra join (Preview)"
If you want to prevent regular users from becoming local administrators, you have the following options:
Windows Autopilot & bulk enrollment
https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin#manage-regular-users
You are right but the question is asking about Azure AD join and not Intune enrollment. Thus the correct answer is D.
Entra ID > Devices > Devices Settings > Under Local Administration Settings, Change the state to NONE for "Registering user is added as local administrator on the device during Microsoft Entra join (Preview)"
Only Autopilot prevents the auto join. The people saying D are referencing how to update the local admin after the fact. Using the method referenced in the link has no effect on the automatic addition of the user joining the device, that has to be done in Autopilot.
I changed my mind, I think it's A now. Windows Autopilot - Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator by creating an Autopilot profile. I hate how this is worded.
Confirmed. It is D - https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin#manage-the-microsoft-entra-joined-device-local-administrator-role
Entra Device Settings > Registering user is added as local administrator on the device during Microsoft Entra join (Preview)
Technically, A can achieve this too. The question didn't specify if it's during OOBE or for Autopilot. So the vagueness makes me inclined towards D.
Checked in tenant and ability to restrict local admin privs to some, all or none is present in device settings as preview. Was added ~March '24, the longer you are reading this from now the more likely it is to be right. I still favour D as the question doesn't mention Autopilot, and if you go the autopilot route everyone's device is getting reset.
D. Device settings in Azure AD.
Device settings in Azure AD allow you to configure policies that control device behavior, including settings related to device enrollment and management. You can use these settings to configure restrictions on local administrator access to devices enrolled in Azure AD.
Option A, Windows Autopilot, primarily focuses on simplifying the deployment and management of Windows devices, including Windows 11 devices, through cloud-based services. While Windows Autopilot offers various configuration options for device provisioning and enrollment, it does not directly control the membership of local groups on devices.
Configuring Windows Autopilot might not directly address the requirement to prevent users from being added automatically to the local Administrators group on Windows 11 devices joined to the contoso.com Azure AD tenant.
Therefore, while Windows Autopilot can play a role in device provisioning and enrollment, it may not be the most appropriate choice for addressing the specific requirement stated in the scenario.
Doesn't say anything about Autopilot. It says "when user joins". Wouldn't that be D?
If they never go through autopilot, then Autopilot profile won't do anything.
Right Answer = A
Manage regular users:
By default, Microsoft Entra ID adds the user performing the Microsoft Entra join to the administrator group on the device. If you want to prevent regular users from becoming local administrators, you have the following options:
Windows Autopilot - Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator by creating an Autopilot profile.
Bulk enrollment - a Microsoft Entra join that is performed in the context of a bulk enrollment happens in the context of an autocreated user. Users signing in after a device has been joined aren't added to the administrators group.
Source:
https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin#manage-regular-users