
Force use of dedicated secondary admin accounts in Intune/AAD environment


Short situation sketch:

I inherited a customer environment where all devices are Azure AD joined and managed via Intune. The Azure AD account with which the user logs on is a local administrator.

I need to set up that all users are forced to use a dedicated secondary admin account for all elevated activities, and their day-to-day account should no longer be local admin (meaning: they have to enter a different password when getting a UAC prompt, instead of just clicking Yes). These users are developers and they DO need the ability to run things as admin, so they're supposed to know the admin password.

Any advice on how to go about this?

FYI: the reasoning behind this is compliance with CIS Controls, in this case 4.3.

Things I've considered

I know I can push an extra local admin to all computers via Intune, and then remove other accounts from the Administrators group. However, this means that I would be setting the admin password for all computers to the same thing, which is a security concern. If I would do it this way, is there a way to force them to change the password of their admin account?

I've read about DIY LAPS solutions via Intune, which would set the passwords randomly. However, the users must know that password and be able to remember it.
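The first half of the problem (getting the day-to-day account out of the local Administrators group and keeping it out, which is the part CIS Control 4.3 is about) is something Intune can enforce with a detection/remediation script pair. The script below is an added example, not code from the original question or from any answer; it assumes a naming convention for the dedicated admin accounts (local accounts whose name ends in `-adm`) and an optional extra approved account (`IntuneAdmin`), both hypothetical and to be replaced with whatever the tenant actually uses. It follows Intune's detection-script convention of exit code 0 for compliant and 1 for non-compliant.

```powershell
<#
  Added example (not part of the original post). Checks that the local
  Administrators group contains only approved principals and, when run as the
  remediation script, removes everything else.

  ASSUMPTIONS (hypothetical, adjust to your environment):
    - dedicated secondary admin accounts are LOCAL accounts named like "<name>-adm"
    - one extra approved local account, "IntuneAdmin", may also be a member
  Exit codes: 0 = compliant, 1 = not compliant / could not evaluate.
#>
[CmdletBinding()]
param(
    # Only the remediation script should pass -Remediate; detection must not change anything.
    [switch]$Remediate
)

$AllowedNamePattern = '-adm$'            # ASSUMPTION: naming convention for dedicated admin accounts
$AllowedExactNames  = @('IntuneAdmin')   # ASSUMPTION: additional approved local admin accounts

try {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
} catch {
    # On Azure AD joined devices this cmdlet can throw when a member SID can no
    # longer be resolved; report that as non-compliant so it shows up in Intune.
    Write-Output "Could not enumerate Administrators: $($_.Exception.Message)"
    exit 1
}

# Decide, member by member, whether it is allowed to hold local admin rights.
$unexpected = foreach ($m in $members) {
    $shortName      = ($m.Name -split '\\')[-1]
    $isBuiltinAdmin = $m.SID.Value -like 'S-1-5-21-*-500'   # RID 500 = built-in Administrator
    $isApprovedLocal = ($m.PrincipalSource -eq 'Local') -and
                       (($shortName -match $AllowedNamePattern) -or ($shortName -in $AllowedExactNames))
    if (-not ($isBuiltinAdmin -or $isApprovedLocal)) { $m }
}

if (-not $unexpected) {
    Write-Output 'Compliant: only approved accounts are members of Administrators.'
    exit 0
}

foreach ($m in $unexpected) {
    # Azure AD users show up as "AzureAD\user@tenant" with PrincipalSource AzureAD.
    Write-Output "Not compliant: $($m.Name) [$($m.PrincipalSource), $($m.ObjectClass)] is in Administrators."
    if ($Remediate) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m -ErrorAction Continue
    }
}
exit 1
```

Deploy it twice: once without `-Remediate` as the detection script and once with it as the remediation script. Two caveats worth checking before rolling it out: Azure AD joined devices also carry unresolved SIDs for Azure AD roles (the device-administrator role, for instance) in the Administrators group, and the script above treats those as unexpected, so decide explicitly whether they should stay; and the script only removes admin rights, it does not create the dedicated accounts or manage their passwords, so it is a complement to, not a replacement for, the LAPS-style account provisioning the question is asking about.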
