I noticed something strange a few days ago when doing a series of tests on MDT LiteTouch deployments with various settings and customizations. What I found out, purely by accident, is that if I used the default MDT setting, and the built-in (domain/Azure) admin account as the only user account on the target device, that account will be demoted to a normal, local admin account during the install process. This leaves the device without a built-in administrator account when it’s finished.
Before telling me I am wrong, please see this short video about a sample MDT LTI (Lite Touch Installation) deployment :
What happens in this video may be summarized as follows:
– The MDT LTI deployment finishes, using the default Task Sequence settings and answer file, then boots to the built-in admin’s desktop
– Opening an elevated Command Prompt, no UAC prompt shown as is normal when signed in as built-in admin, and opens in correct C:\Users\Administrator folder
– I create another user account, and make it the local admin
– I sign out from the built-in admin account, and sign into the new local admin account
– Signing out from the local admin account, I sign back into the built-in admin account
– Opening an elevated Command Prompt does now show a UAC prompt, and opens in the C:\WIndows\System32 folder. Both of these phenomena indicate that the account is now a normal local admin account, and is no longer a built-in admin account
If I am right, this is not good. I can’t imagine running a Windows device without a built-in admin account. I still have some testing to do, but I wanted to share this find with you geeks. If you have some ideas about how to prevent this, please let me know.
Author: Kari Finn
A former Windows Insider MVP, Kari started in computing in the mid 80’s writing code for VAX / VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at number #1 Windows site TenForums.com.