Windows Local Admin Control: Privilege Escalation and Credential Reuse Risk

Why this risk matters

Local administrator rights on a Windows device give the account holder (or any process running in their context) the ability to install software, modify system settings, disable security tools, dump credentials from memory, and make changes that persist across reboots. In most environments, standard users do not need local admin rights for day-to-day work — but once granted, these rights are rarely removed.

Excessive local admin privileges are one of the most consistent findings in post-incident reviews. They significantly amplify the impact of a phishing or malware compromise: an attacker who gains code execution on a device where the user is a local admin can immediately disable antivirus, install persistence mechanisms, and dump credential material from LSASS, none of which is available to a standard user. They also weaken the security policies Defender and Intune apply, because a local admin can modify or disable those settings on the device unless a tamper-protection control (Defender Tamper Protection, for example) specifically blocks it.

The principle of least privilege for endpoint access is to give users standard account rights by default and use a just-in-time or request-based mechanism for temporary elevation when needed.

What happens if this is abused

  • An attacker who achieves code execution in a local admin's session can turn off Microsoft Defender real-time protection and exclusions policy; Defender Tamper Protection blocks this for local admins, so verify it is enforced rather than assuming it
  • LSASS credential dumping (Mimikatz-style) requires SeDebugPrivilege, which local admins hold, enabling extraction of cached domain or cloud credentials; LSA protection (RunAsPPL) and Credential Guard raise the bar but do not replace removing admin rights, because an admin can still load a driver or disable those features
  • Malware can install persistent services, scheduled tasks, drivers, or boot-level components that survive reboots and antivirus scans
  • The user can install unapproved or malicious software without any Intune or policy block being triggered
  • An attacker can change the device state that Intune compliance evaluates (for example re-enabling a setting just before the check, or tampering with the management agent), so the device may report as compliant to Conditional Access while actually being compromised
  • UAC (User Account Control) is not a security boundary for a local admin: elevation is only a consent click, and well-known auto-elevation bypasses let code in the user's context run elevated without any prompt at all

When this is expected or acceptable

Some roles genuinely require local admin rights as part of their job:

  • IT administrators and engineers who manage endpoints may need local admin for diagnostics and support tasks
  • Developers who need to install development tools, configure local services, or test software with elevated privileges
  • Specialist users running applications that require local admin for legitimate technical reasons (some legacy software, lab environments)

For these cases, the preferred approach is just-in-time local admin elevation (using Microsoft Intune Endpoint Privilege Management or a third-party PAM solution) rather than permanent local admin rights. This provides temporary, per-application or per-request elevation with an audit trail, rather than standing privilege that persists long after the task that justified it.

Checks to perform before taking action

  • In Intune, review how devices are provisioned: check the Autopilot deployment profile's "User account type" is set to Standard (a manual Entra join otherwise adds the joining user to the local Administrators group), and review any device configuration profile that sets local group membership
  • For existing devices, audit the local Administrators group membership; this can be done with a PowerShell script run locally, or at scale as an Intune platform script or Remediation detection script whose output you collect centrally
  • Identify which users or groups currently have local admin rights and assess whether each has a documented business need
  • Check whether Microsoft Endpoint Privilege Management (EPM) is available in your Intune licence as an alternative to full local admin rights
  • Review whether any Conditional Access or compliance policies check for local admin status as part of device compliance

Safe remediation steps

  1. Create or update a device configuration profile in Intune that configures the local Administrators group (Devices > Configuration > Create > Windows > Settings Catalog > Local Users and Groups, or Endpoint security > Account protection > Local user group membership)
  2. Remove standard users from the local Administrators group, retaining only the named IT group(s) and the built-in Administrator account (managed by LAPS). On Entra-joined devices, note that the Global Administrator and Entra Joined Device Local Administrator role SIDs are added at join time; decide explicitly whether the policy keeps or removes them
  3. Deploy to a pilot group first and monitor for application compatibility issues that require elevation
  4. For applications that require elevation, evaluate Microsoft Endpoint Privilege Management (EPM) for policy-controlled temporary elevation
  5. Communicate to affected users that local admin rights are being removed and explain the process for requesting temporary elevation when needed
  6. Enforce the policy across all managed devices and monitor for Intune compliance status changes
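The audit in "Checks to perform" and step 2 of the remediation above share the same core task: enumerate the local Administrators group, compare it against an allow list, and remove anything else. The script below is an added example written for this page; it is not Microsoft's code and not an Intune built-in. It is shaped so that it can be deployed as an Intune Remediation pair (detection without -Remediate, remediation with it), run as SYSTEM, or run from an elevated prompt on a single pilot device. The default allow-list entry 'CONTOSO\Workstation-Admins' is a placeholder you must replace; the Entra role SIDs that join places in the group are tenant-independent but are not hardcoded here, so copy them from a known-good device into -AllowedPrincipals if the policy is meant to keep them.

```powershell
<#
  Audit the local Administrators group and optionally remove members not on an allow list.
  Added example for this page (not Microsoft code, not an Intune built-in).
  Detection use:   .\Invoke-LocalAdminAudit.ps1              -> exit 1 if unexpected members
  Remediation use: .\Invoke-LocalAdminAudit.ps1 -Remediate   -> removes them, exit 1 if any remain
#>
[CmdletBinding()]
param(
    [switch]$Remediate,
    # Placeholder group name (assumption); replace with your named IT group and/or Entra role SIDs.
    [string[]]$AllowedPrincipals = @('CONTOSO\Workstation-Admins')
)

# Resolve the group by its well-known SID so the script works on localized Windows builds,
# where the group is not literally named "Administrators".
$adminGroupSid  = 'S-1-5-32-544'
$adminGroupName = ([System.Security.Principal.SecurityIdentifier]$adminGroupSid).
                    Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# Enumerate via the WinNT ADSI provider rather than Get-LocalGroupMember: the cmdlet throws
# "Failed to compare two elements in the array" on Entra-joined devices holding unresolved SIDs.
function Get-LocalAdminMember {
    $group = [ADSI]"WinNT://./$adminGroupName,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $t       = $m.GetType()
        $adsPath = $t.InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $class   = $t.InvokeMember('Class',     'GetProperty', $null, $m, $null)
        $sidRaw  = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid     = (New-Object System.Security.Principal.SecurityIdentifier($sidRaw, 0)).Value
        [pscustomobject]@{
            Name  = ($adsPath -replace '^WinNT://', '') -replace '/', '\'  # unresolved members show as SID
            Class = $class
            SID   = $sid
        }
    }
}

function Test-AllowedMember {
    param([pscustomobject]$Member, [string[]]$Allowed)
    # RID 500 is the built-in Administrator; keep it, its password is rotated by LAPS.
    if ($Member.SID -match '-500$') { return $true }
    foreach ($a in $Allowed) {
        # -eq on strings is case-insensitive; allow entries may be DOMAIN\name or a SID string.
        if ($Member.Name -eq $a -or $Member.SID -eq $a) { return $true }
    }
    return $false
}

function Get-UnexpectedLocalAdmin {
    param([string[]]$Allowed)
    Get-LocalAdminMember | Where-Object { -not (Test-AllowedMember -Member $_ -Allowed $Allowed) }
}

$unexpected = @(Get-UnexpectedLocalAdmin -Allowed $AllowedPrincipals)

if ($unexpected.Count -eq 0) {
    Write-Output "Compliant: no unexpected members of $adminGroupName."
    exit 0
}

foreach ($u in $unexpected) {
    Write-Output ("Unexpected {0}: {1} ({2})" -f $u.Class, $u.Name, $u.SID)
}

# Detection mode: a non-zero exit tells Intune Remediations to run the remediation script.
if (-not $Remediate) { exit 1 }

foreach ($u in $unexpected) {
    try {
        # Remove by SID so the call succeeds even when the account name no longer resolves.
        Remove-LocalGroupMember -SID $adminGroupSid -Member $u.SID -ErrorAction Stop
        Write-Output "Removed $($u.Name)"
    } catch {
        Write-Output "Failed to remove $($u.Name): $($_.Exception.Message)"
    }
}

# Re-check so the exit code reflects the final state, not just what we attempted.
if (@(Get-UnexpectedLocalAdmin -Allowed $AllowedPrincipals).Count -gt 0) { exit 1 } else { exit 0 }
```

Run it in detection mode against the pilot group first and review the "Unexpected" lines it reports before enabling -Remediate; that output is the inventory step 3 asks for, and any Entra role SID or service account that shows up there should be added to -AllowedPrincipals deliberately rather than discovered after removal breaks something. The script is complementary to the Intune policy in step 1, not a replacement: the policy keeps the group in the desired state between script runs, while the script gives you the audit trail of what was actually found on each device.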

Related risks and follow-on checks

After enforcing this control, review these related areas:

  • Windows LAPS Configuration — removing standard users from the local Administrators group should be paired with LAPS to ensure IT can still access local admin credentials when needed
  • Windows Attack Surface Reduction — ASR rules that block credential theft from LSASS are significantly more effective when combined with removing local admin rights
  • Windows Defender Protection — users without local admin rights cannot disable Defender, making the Defender configuration more resilient
  • Intune Policy Coverage Gaps — ensure all managed devices are enrolled, in scope, and actually receiving this policy; devices that are unenrolled, excluded from the assignment, or not yet synced may still have standing local admin rights