New-GraphPOSTRequest-scope 'aeb86249-8ea3-49e2-900b-54cc8e308f85/.default'-uri "https://licensing.m365.microsoft.com/v1.0/policies/AllowSelfServicePurchase/products/$($Item.productId)"-tenantid $Tenant-body $body-type PUT
82
-
Write-LogMessage-API 'Standards'-tenant $tenant-message "Changed Self Service status for product '$($Item.productName) - $($Item.productId)' to '$($Item.policyValue)'"
94
+
95
+
Write-LogMessage-API 'Standards'-tenant $tenant-message "Changed Self Service status for product '$($Item.productName) - $($Item.productId)' from '$currentValue' to '$($Item.policyValue)'"-sev Info
83
96
} catch {
84
97
Write-LogMessage-API 'Standards'-tenant $tenant-message "Failed to set product status for '$($Item.productName) - $($Item.productId)' with body $($body) for reason: $($_.Exception.Message)"-sev Error
85
98
}
@@ -100,12 +113,13 @@ function Invoke-CIPPStandardDisableSelfServiceLicenses {
(Label) Configure local administrator rights for users joining devices
9
+
.DESCRIPTION
10
+
(Helptext) Controls whether users who register Microsoft Entra joined devices are granted local administrator rights on those devices and if Global Administrators are added as local admins.
11
+
(DocsDescription) Configures the Device Registration Policy local administrator behavior for registering users. When enabled, users who register devices are not granted local administrator rights, you can also configure if Global Administrators are added as local admins.
12
+
.NOTES
13
+
CAT
14
+
Entra (AAD) Standards
15
+
TAG
16
+
EXECUTIVETEXT
17
+
Controls whether employees who enroll devices automatically receive local administrator access. Disabling registering-user admin rights follows least-privilege principles and reduces security risk from over-privileged endpoints.
18
+
ADDEDCOMPONENT
19
+
{"type":"switch","name":"standards.intuneDeviceRegLocalAdmins.disableRegisteringUsers","label":"Disable registering users as local administrators","defaultValue":true}
20
+
{"type":"switch","name":"standards.intuneDeviceRegLocalAdmins.enableGlobalAdmins","label":"Allow Global Administrators to be local administrators","defaultValue":true}
21
+
IMPACT
22
+
Medium Impact
23
+
ADDEDDATE
24
+
2026-02-23
25
+
POWERSHELLEQUIVALENT
26
+
Update-MgBetaPolicyDeviceRegistrationPolicy
27
+
RECOMMENDEDBY
28
+
UPDATECOMMENTBLOCK
29
+
Run the Tools\Update-StandardsComments.ps1 script to update this comment block
Write-LogMessage-API 'Standards'-Tenant $Tenant-Message "Could not get the intuneDeviceRegLocalAdmins state for $Tenant. Error: $($ErrorMessage.NormalizedError)"-Sev Error -LogData $ErrorMessage
New-GraphPostRequest-tenantid $Tenant-Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'-Type PUT -Body $NewBody-ContentType 'application/json'
66
+
$CurrentOdataType=$DesiredOdataType
67
+
$CurrentEnableGlobalAdmins=$EnableGlobalAdmins
68
+
Write-LogMessage-API 'Standards'-tenant $Tenant-message "Set local administrator settings (registering users: $DesiredStateText, global admins: $DesiredGlobalAdminsText)."-sev Info
69
+
} catch {
70
+
$ErrorMessage=Get-CippException-Exception $_
71
+
Write-LogMessage-API 'Standards'-tenant $Tenant-message "Failed to set local administrator settings (registering users: $DesiredStateText, global admins: $DesiredGlobalAdminsText). Error: $($ErrorMessage.NormalizedError)"-sev Error -LogData $ErrorMessage
72
+
}
73
+
}
74
+
}
75
+
76
+
if ($Settings.alert-eq$true) {
77
+
if ($StateIsCorrect-eq$true) {
78
+
Write-LogMessage-API 'Standards'-tenant $Tenant-message "Local administrator settings are configured as expected (registering users: $DesiredStateText, global admins: $DesiredGlobalAdminsText)."-sev Info
79
+
} else {
80
+
Write-StandardsAlert-message "Local administrator settings are not configured as expected (registering users: $DesiredStateText, global admins: $DesiredGlobalAdminsText)"-object @{ current=@{ registeringUsers=$CurrentOdataType; enableGlobalAdmins=$CurrentEnableGlobalAdmins }; desired=@{ registeringUsers=$DesiredOdataType; enableGlobalAdmins=$EnableGlobalAdmins } } -tenant $Tenant-standardName 'intuneDeviceRegLocalAdmins'-standardId $Settings.standardId
81
+
Write-LogMessage-API 'Standards'-tenant $Tenant-message "Local administrator settings are not configured as expected (registering users: $DesiredStateText, global admins: $DesiredGlobalAdminsText)."-sev Info
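Review bot: In the remediation success path (new lines 66–67) `$CurrentOdataType` and `$CurrentEnableGlobalAdmins` are refreshed after the PUT, but nothing visible refreshes `$StateIsCorrect`, so a run with both remediate and alert enabled can still take the `else` at line 79 and raise a "not configured as expected" alert whose `current` and `desired` values are identical. If the flag is not recomputed in the lines missing from this view, add `$StateIsCorrect = $true` next to those two assignments. Separately, the call to `policies/deviceRegistrationPolicy` is a PUT, which replaces the whole policy object, and `$NewBody` is built outside the visible lines. It is worth confirming that the body is derived from the policy that was just read, so the other device-registration settings (who may join, the MFA requirement on join, local admin password management) are carried forward unchanged. The function starts above and continues below the lines shown here.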