Autopilot - Users are local administrator on connected device instead of to be standard user

[Joe misran]

Hi,

I've got a problem with my users when I deploy win10 1709 with autopilot. I prevent my user account to be local administrator on his device (I make an profile enrollment assign to his device and i've got all prerequisites). I don't uderstand why he is still local administrator.

Did anyone ever have this problème ?

I'm using a test user account on a test tenant (E5). My account have the user rights on my Azure AD.

For my user

- Azure AD Premium P2  & Office 365 licences.

- Allowed to join devices into Azure AD

- MDM user scope : All

Here's my process 

- I create a VM (UEFI, no vTPM) in Vsphere with Win10 professional build 1709.

-  I capture my VM's hardware ID autopilot deployment. I realized that I don't have the same Hardware Hash when i used windowsautopilotinfo.ps1 and this scrypt 

wmic bios get serialnumber
Get-ItemPropertyValue "hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey\" "ProductId"
$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$wmi.DeviceHardwareData | Out-File "($env:COMPUTERNAME).txt"

The first part is the same, the second part change everytime I run the script (in bold in the example) : xxxxxxxxx/YYYYYYYYY

- I reset my VM back to OOBE

- I register my VM to my organisation https://businessstore.microsoft.com/

- I assign a profile ; disable local admin account : On, Skip privacy settings : Off, Skip EULA: Off

Regards,

Joe

[anyweb]

are you testing this using a user that is a global admin in Azure, if so, then they will still be an admin (local) after autopilot is done

[Joe misran]

Hi,

First of all I want to thank you for your Intune's tutorial. It was a very good help.

The directory role on my azure is user.

 

Edited April 25, 2018 by Joe misran

[anyweb]

thanks for the thanks,

ok, so after assigning the profile, you go through OOBE, when it prompts for credentials are you seeing the company name+logo you defined in AAD ?

[Joe misran]

No I don't see the compagny name +logo. I only see my logo after I log with my user's UPN, to enter the password.

[pej1025]

sounds like your system isn't registered for autopilot then.  you're supposed to see your company branding after you connect to the internet during oobe.

[Joe misran]

Hi Pej,

That's what I thought. I will try my process with  another environment (I'll will create a VM on azure).

[anyweb]

i'm happy to teamviewer in to take a look if you want, let me know

[Joe misran]

Hi Anyweb,

I'm sorry for my late response, I had to let this project aside and I could not answer you before. I'm sorry I can't let you do teamviewer with my computer. But I think about it and I would like to ask you something. I use autopilot with a test domain of the form of x@x.onmicrosoft.com. Do you think it could be the cause of the problem ?

Regards,

Joe

[anyweb]

the test domain in Azure doesn't matter, does your autopilot company branding appear during OOBE, if not, something is not right...