Local admin report with Defender for Endpoint

Securing Windows PCs starts with managing local administrator access. Microsoft Defender for Endpoint logs every logon and records whether the account was a local admin. Use this KQL query in the Advanced Hunting portal to create a report.
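As an added example (not the original post's query), here is one way to build such a report from the `DeviceLogonEvents` table using its `IsLocalAdmin` column. The 30-day window and the restriction to interactive logon types are assumptions; adjust both to your environment.

```kql
// Added example: accounts that logged on with local administrator rights,
// grouped per device, with first/last time seen.
// Assumptions: 30-day lookback; only interactive-style logons are of interest.
DeviceLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonSuccess"          // ignore failed attempts
| where IsLocalAdmin == true                  // logon was by a local admin
| where LogonType in ("Interactive", "RemoteInteractive", "CachedInteractive")
| summarize
    Logons     = count(),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp),
    LogonTypes = make_set(LogonType)
    by DeviceName, AccountDomain, AccountName
| order by DeviceName asc, LastSeen desc
```

Accounts that appear in the result without a matching GPO entry or per-machine admin group are the ones to review.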

Use Active Directory Group Policy to manage the local admins that need to be there for support or management tools. Take care with this policy: one setting removes all admins EXCEPT the ones in the GPO, while the other leaves existing local admins and ADDs additional ones (for your management systems). For Azure AD joined machines, note that members of the AAD Intune Administrators role become local admins.

There are always a few exceptions where some account must be a local admin. A low-cost method to manage machine-specific local admin access is to create a global group for each machine that needs a custom local admin configuration. Use a naming convention that includes the hostname, e.g. domain\LocalAdmins_hostname. This keeps management centralised in AD for easier maintenance and governance. If the machine is rebuilt, the custom local administrator group membership will come back.

Then use a Group Policy startup and shutdown script that does the following:

  • Remove all user accounts from the local Administrators group
  • Add the domain global group (domain\LocalAdmins_hostname) if it exists

Otherwise, there are commercial tools on the market for endpoint privileged access management.

Also see this post to track how they became local admin: https://www.verboon.info/2020/09/hunting-for-local-group-membership-changes


Find more IT Infrastructure tips at blog.alexmags.com