
Autopilot Device Preparation: The Standard User Fix

Mar 12, 2025 | Blog

This blog covers how Microsoft fixed the standard user bug in Autopilot Device Preparation (AP-DP) through an update to the Intune Management Extension (IME). The bug caused enrolling users to remain in the local Administrators group when the device preparation policy required them to be demoted to standard users.

Introduction

In Autopilot Device Preparation, IT admins configure the device preparation policies to define whether the enrolling user should be a local administrator or a standard user.

This setting is enforced by StandardUserProvider, a component within the Intune Management Extension (IME) that ensures users are removed from the local Administrators group when required.

However, as highlighted in this previous blog, StandardUserProvider frequently failed to execute, leaving users as local administrators when they should have been *demoted.

*: The user becomes an administrator during Entra join (depending on the Entra settings) and is supposed to be demoted to a standard user once the IME is installed.

The Root Cause: Why Did Standard User Provider Fail?

  1. Language-Specific Group Names Caused Lookup Failures
    • StandardUserProvider originally attempted to find the Administrators group using a hardcoded English name:
      using (GroupPrincipal byIdentity = GroupPrincipal.FindByIdentity(context, "Administrators"))
    • On non-English systems, the Administrators group might be named “Administratoren” (German), “Administrateurs” (French), etc.
    • Since a group called “Administrators” didn’t exist in those languages, the lookup failed, preventing the user from being removed.
  2. No Fallback or Error Logging
    • If the lookup failed, StandardUserProvider didn’t attempt a secondary method.
    • There were no logs explaining why the removal process was skipped.
    • As a result, users retained administrator privileges, even when the provisioning profile required standard user status.

The Fix: Switching to a SID-Based Approach

With the latest IME update, Microsoft replaced name-based lookups with a SID-based method, ensuring Standard User Provider functions reliably across all languages.

How IME Fixed Standard User Provider

1. Using a SID-Based Lookup (Language-Independent)

Instead of searching by name, IME now finds the Administrators group using its well-known SID (which makes 100% sense!):

  • S-1-5-32-544 is the universal SID for the Administrators group, consistent across all languages.
  • This ensures that Standard User Provider always finds the correct group, regardless of the system’s language settings.
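To see the difference on a real device, the following PowerShell snippet contrasts the two lookups. It is an added example, not IME code or Patch My PC code: the name-based function reproduces the old assumption (an English display name), the SID-based function does what the fix does and reads back whatever the localized name happens to be. Run it in an elevated session; the function names are mine.

```powershell
# Added example (not IME code): contrast the old name-based lookup with the
# SID-based lookup that the fix uses. Run in an elevated PowerShell session.

# Well-known SID of the built-in Administrators group; identical on every
# Windows installation regardless of display language.
$AdminGroupSid = 'S-1-5-32-544'

function Get-AdminGroupByName {
    # The broken approach: assumes the English display name exists.
    param([string]$Name = 'Administrators')
    Get-LocalGroup -Name $Name -ErrorAction SilentlyContinue
}

function Get-AdminGroupBySid {
    # The fixed approach: resolve by SID, then read the localized name from the result.
    Get-LocalGroup -SID $AdminGroupSid -ErrorAction Stop
}

$byName = Get-AdminGroupByName
if ($null -eq $byName) {
    # This is the branch the old StandardUserProvider hit on non-English systems.
    Write-Warning "Name-based lookup found no group called 'Administrators' (non-English OS?)"
} else {
    Write-Host "Name-based lookup succeeded: $($byName.Name)"
}

$bySid = Get-AdminGroupBySid
Write-Host "SID-based lookup resolved $AdminGroupSid to local group '$($bySid.Name)'"

# Second, module-independent route via .NET: translate the SID to an NTAccount.
# Yields e.g. BUILTIN\Administrators on English and BUILTIN\Administratoren on German systems.
$nt = ([System.Security.Principal.SecurityIdentifier]$AdminGroupSid).Translate([System.Security.Principal.NTAccount])
Write-Host "NTAccount for ${AdminGroupSid}: $($nt.Value)"
```

On an English system both lookups succeed; on a German or French system only the SID-based one does, which is exactly the failure mode the old code ran into.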

2. Extracting the User SID from ExecutionContext JSON

Previously, StandardUserProvider assumed the correct user SID was passed in but never verified it. The fix now retrieves the user SID dynamically from the ExecutionContext JSON:

When we open the execution context ourselves, we can spot the same value.

  • If the user SID is missing, the process now logs an explicit reason instead of failing silently.

3. Enhanced Logging and Telemetry

IME now logs every action in the bootstrapper event log, providing better visibility into execution flow and failures:

If the group lookup fails, logs now capture the exact reason instead of skipping execution.

New Execution Flow in Standard User Provider

With the updated IME logic, StandardUserProvider now follows this structured execution flow, in which the newly added RemoveUserFromAdminGroup method plays the central role:

Remove User From Admin Group Method

As we noticed in the flow above, the real power to remove the user from the admin group lies in this newly added method!

1. The Fix in RemoveUserFromAdminGroup

The core logic for removing the user from the Administrators group now follows a SID-based method, ensuring language independence and consistent execution. With this new approach, the user is removed from the local administrators group!

2. IME Version with the Fix

This fix is included in IME version:

  • Fixed: 1.87.101.0
  • Old (Broken): 1.86.101.0
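For admins who want to confirm on an enrolled device that the new flow actually ran, here is an added PowerShell audit that mirrors the fixed logic described above. It is my example, not IME or Patch My PC code: it resolves the Administrators group by SID, enumerates members through ADSI (Get-LocalGroupMember can error on Entra ID accounts), reports whether a given user SID is still a member, compares the installed IME build against the fixed version quoted in this post, and logs an explicit reason at every exit instead of skipping silently. The IME binary path is an assumption about the default install location, and the function names are mine.

```powershell
# Added example (not IME or Patch My PC code): post-enrollment audit that mirrors
# the fixed StandardUserProvider flow. Run in an elevated PowerShell session.

$AdminGroupSid   = 'S-1-5-32-544'          # well-known SID, language independent
$FixedImeVersion = [version]'1.87.101.0'   # first IME version carrying the fix (from the post)

# Assumption: default IME install location; adjust if your deployment differs.
$ImeExePath = 'C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe'

function Get-ImeVersion {
    param([string]$Path = $ImeExePath)
    if (-not (Test-Path $Path)) {
        Write-Warning "IME binary not found at $Path; cannot determine version."
        return $null
    }
    [version](Get-Item $Path).VersionInfo.FileVersion
}

function Get-AdminGroupMemberSids {
    # Resolve the localized group name from the SID, then read members via ADSI
    # and return each member's SID string so comparison is name independent.
    $groupName = (Get-LocalGroup -SID $AdminGroupSid).Name
    $group = [ADSI]"WinNT://./$groupName,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
    }
}

function Test-UserDemoted {
    # Returns $true when the user SID is absent from the Administrators group.
    param([string]$UserSid)
    if ([string]::IsNullOrWhiteSpace($UserSid)) {
        # Explicit reason instead of the old silent skip.
        Write-Warning 'No user SID supplied; membership cannot be evaluated.'
        return $false
    }
    $members = @(Get-AdminGroupMemberSids)
    if ($members -contains $UserSid) {
        Write-Warning "User $UserSid is still a member of $AdminGroupSid; demotion did not happen."
        return $false
    }
    Write-Host "User $UserSid is not in the Administrators group; demotion confirmed."
    return $true
}

# Usage: flag a pre-fix IME build, then check the enrolling user's SID
# (placeholder below; supply the SID of the user who went through AP-DP).
$ime = Get-ImeVersion
if ($ime -and $ime -lt $FixedImeVersion) {
    Write-Warning "IME $ime predates the fix ($FixedImeVersion); StandardUserProvider may have skipped demotion."
}
Test-UserDemoted -UserSid '<SID-of-enrolling-user>'
```

Because membership is compared on SID strings rather than account names, the same script gives a correct answer on English, German or French installs, which is the property the fix relies on.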

Conclusion

With this IME update, Autopilot Device Preparation now properly enforces Standard User configurations, ensuring users are reliably removed from the local Administrators group, regardless of system language.

By shifting from a name-based lookup to a SID-based approach, Microsoft has fixed the local administrator bug, ensuring StandardUserProvider functions reliably across different languages and locales.