From 083a29ba529006246a6a4a86c7c395bc51245bcb Mon Sep 17 00:00:00 2001 From: aachiu <61710375+aachiu@users.noreply.github.com> Date: Mon, 2 Mar 2020 11:36:27 -0800 Subject: [PATCH 1/2] Document DeviceEnroller.exe behavior when local admin already exists --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 475db540e0..5e9ed757bd 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -76,6 +76,8 @@ manager: dansimp This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. +Please note that DeviceEnroller.exe will not elevate the user if there is already a local admin group pre-configured on the device. This is a security measure in the executable where it checks for other non-disabled Administrators membership and if there are already at least one then the tool exits without elevating. + Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. From 3b4d3da67d998ad49e87fd089cadd1c516a3319b Mon Sep 17 00:00:00 2001 
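Review bot: the added `+Please note that DeviceEnroller.exe ...` line states an ambiguous condition and has a grammar slip: the local Administrators group is always present on a Windows device, so "if there is already a local admin group pre-configured" reads as though the mere existence of the group blocks elevation, while the second sentence says the check is for existing non-disabled Administrators members; and "if there are already at least one" should be "if there is already at least one". Suggest wording the actual condition directly, e.g. "DeviceEnroller.exe does not elevate the enrolling user if the local Administrators group already has at least one enabled member; the tool checks for such members and exits without elevating when one is found." Since this is a security behavior that administrators will rely on, consider placing it in a `> [!NOTE]` callout rather than a bare "Please note" paragraph so it stands out from the surrounding description of the policy.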
From: aachiu <61710375+aachiu@users.noreply.github.com> Date: Thu, 5 Mar 2020 11:15:43 -0800 Subject: [PATCH 2/2] Update windows/client-management/mdm/policy-csp-restrictedgroups.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 5e9ed757bd..8138c1bd37 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -76,7 +76,8 @@ manager: dansimp This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. -Please note that DeviceEnroller.exe will not elevate the user if there is already a local admin group pre-configured on the device. This is a security measure in the executable where it checks for other non-disabled Administrators membership and if there are already at least one then the tool exits without elevating. +> [!NOTE] +> DeviceEnroller.exe will not elevate the user if a pre-configured local admin group already exists on the device. This is a security measure in the executable where it checks for other non-disabled Administrators' membership(s). If at least one already exists, the tool will exit without elevating. Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
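Review bot: the `> [!NOTE]` callout is the right form, but the first callout line still describes the wrong trigger: "if a pre-configured local admin group already exists on the device" implies the group's existence is the condition, whereas the following sentence says the executable checks for other non-disabled Administrators members, and "Administrators' membership(s)" is awkward. Suggest:
"> DeviceEnroller.exe will not elevate the enrolling user if the local Administrators group already has at least one enabled member other than that user. As a security measure, the executable checks for such members and exits without elevating when one is found."
It would also help readers to say which enrollment scenario this applies to (for example, whether it covers both the manual enrollment tool and MDM-driven enrollment) or to link to the DeviceEnroller.exe documentation if one exists, since the tool is otherwise unexplained on this page.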