
June 2, 2020

MDT LTI Deployment demoting Built-in Admin account

I noticed something strange a few days ago when doing a series of tests on MDT LiteTouch deployments with various settings and customizations. What I found out, purely by accident, is that if I used the default MDT setting, and the built-in (domain/Azure) admin account as the only user account on the target device, that account will be demoted to a normal, local admin account during the install process. This leaves the device without a built-in administrator account when it’s finished.

Before telling me I am wrong, please see this short video about a sample MDT LTI (Lite Touch Installation) deployment:

What happens in this video may be summarized as follows:

– The MDT LTI deployment finishes, using the default Task Sequence settings and answer file, then boots to the built-in admin’s desktop
– Opening an elevated Command Prompt shows no UAC prompt, as is normal when signed in as the built-in admin, and it opens in the correct C:\Users\Administrator folder
– I create another user account, and make it a local admin
– I sign out from the built-in admin account, and sign into the new local admin account
– Signing out from the local admin account, I sign back into the built-in admin account
– Opening an elevated Command Prompt now shows a UAC prompt, and it opens in the C:\Windows\System32 folder. Both of these phenomena indicate that the account is now a normal local admin account, and is no longer a built-in admin account

If I am right, this is not good. I can’t imagine running a Windows device without a built-in admin account. I still have some testing to do, but I wanted to share this find with you geeks. If you have some ideas about how to prevent this, please let me know.


Author: Kari Finn

A former Windows Insider MVP, Kari started in computing in the mid-80s writing code for VAX / VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at the #1 Windows site, TenForums.com.

3 Responses to “MDT LTI Deployment demoting Built-in Admin account”

  1. SpottedTreeFrog
    July 30, 2019 at 22:30

    I see this as well. Still trying to figure out why this happens.
    LTI finishes. Logged in as Administrator. Launching anything requiring elevated privileges does not prompt with UAC.

    Reboot and come back in as Administrator. Now anything launched that requires elevated privilege results in a UAC prompt.


  2. spottedtreefrog
    July 31, 2019 at 21:59

    Am surprised that this is not documented more… This issue stems from the FilterAdministratorToken setting.
    My “Install Operating System” task will also apply the unattend.xml. This xml will set FilterAdministratorToken to 0.
    At the end of the TaskSequence, another script (LTICleanup.wsf) runs which will change FilterAdministratorToken to 1. Altering the cleanup script so that the setting is not altered fixed this issue for me.

    • August 1, 2019 at 02:00

      That’s an excellent solution for this issue! Thanks for sharing.
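The comments above attribute the behaviour to the FilterAdministratorToken policy value (Admin Approval Mode for the built-in Administrator account): 0 leaves the built-in admin with a full token and no UAC prompts, 1 filters it like any other local admin. The following PowerShell is an added diagnostic, not code from the post, from MDT or from LTICleanup.wsf. It reads the value from its documented location under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, reports whether the current session is the built-in (-500) account and whether the running process actually holds a full administrator token, and, only when explicitly asked with the hypothetical -Restore switch, sets the value back to 0 so a freshly deployed device can be checked and corrected before it is handed over.

```powershell
# Added example: post-deployment check for the FilterAdministratorToken state
# described in the comments. Not part of MDT; run it on the target device after
# the LTI task sequence has finished.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-FilterAdministratorToken {
    # Returns 0 (built-in admin keeps a full token, no UAC prompts) or 1
    # (built-in admin is filtered). A missing value behaves as 0 on a default install.
    $item = Get-ItemProperty -Path $PolicyKey -Name FilterAdministratorToken -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.FilterAdministratorToken
}

function Test-CurrentUserIsBuiltInAdmin {
    # The built-in Administrator account always has a SID ending in -500,
    # even if the account has been renamed.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    return $identity.User.Value -like 'S-1-5-21-*-500'
}

function Test-ProcessHasFullAdminToken {
    # With FilterAdministratorToken = 1, a non-elevated process started by the
    # built-in admin carries a filtered token, so this role check returns $false.
    $principal = New-Object Security.Principal.WindowsPrincipal(
        [Security.Principal.WindowsIdentity]::GetCurrent())
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-BuiltInAdminCheck {
    param(
        # Hypothetical switch for this example: reverts FilterAdministratorToken to 0,
        # i.e. undoes what the comments say LTICleanup.wsf changes at the end of the TS.
        [switch]$Restore
    )

    $value = Get-FilterAdministratorToken

    [pscustomobject]@{
        FilterAdministratorToken = $value
        SignedInAsBuiltInAdmin   = Test-CurrentUserIsBuiltInAdmin
        ProcessHasFullToken      = Test-ProcessHasFullAdminToken
    } | Format-List

    if ($value -eq 1 -and $Restore) {
        # Writing under Policies\System requires an elevated process.
        Set-ItemProperty -Path $PolicyKey -Name FilterAdministratorToken -Value 0 -Type DWord
        Write-Host 'FilterAdministratorToken reset to 0; sign out and back in for the full token to take effect.'
    }
}

# Report only; add -Restore to revert the value on a device that shows the symptom.
Invoke-BuiltInAdminCheck
```

Run it from a normal (non-elevated) PowerShell window while signed in as the built-in admin: on a device showing the symptom from the video, FilterAdministratorToken reads 1, SignedInAsBuiltInAdmin is True, and ProcessHasFullToken is False, which is the same state the UAC prompt and the System32 start folder revealed in the Command Prompt. Checking the token from the process, rather than trusting the registry alone, matters because the policy only takes effect at the next sign-in, exactly the sequence of sign-outs the post describes.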
