From b6ada01aef62c780e510b81548b550376c9e7383 Mon Sep 17 00:00:00 2001 From: Jahziel Villasana-Espinoza Date: Mon, 20 May 2024 11:45:11 -0400 Subject: [PATCH 1/2] feat: enabled locking for windows admins --- ee/server/service/embedded_scripts/windows_lock.ps1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ee/server/service/embedded_scripts/windows_lock.ps1 b/ee/server/service/embedded_scripts/windows_lock.ps1 index e4d9809fee..792cf71f19 100644 --- a/ee/server/service/embedded_scripts/windows_lock.ps1 +++ b/ee/server/service/embedded_scripts/windows_lock.ps1 @@ -1,10 +1,10 @@ # PowerShell script to log off all non-administrative users and disable their accounts -# Log off all non-administrative users +# Log off all users $loggedOffUsers = @{} Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.Special -eq $false } | ForEach-Object { $username = $_.LocalPath.Split('\')[-1] - if ($username -ne "Administrator" -and $username -ne $env:USERNAME -and -not $loggedOffUsers.ContainsKey($username)) { + if ($username -ne $env:USERNAME -and -not $loggedOffUsers.ContainsKey($username)) { try { $userSessions = query user | Where-Object { $_ -match "\b$username\b" } foreach ($session in $userSessions) { @@ -25,8 +25,8 @@ Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.Special -eq $false } } } -# Disable all non-administrative local user accounts -Get-LocalUser | Where-Object { $_.Enabled -eq $true -and $_.Name -ne "Administrator" } | ForEach-Object { +# Disable all local user accounts +Get-LocalUser | Where-Object { $_.Enabled -eq $true } | ForEach-Object { $username = $_.Name Disable-LocalUser -Name $username Write-Host "Disabled account for $username" From 2d93448b6fa859b66aaef11c67a04efc7403a20f Mon Sep 17 00:00:00 2001 
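Review bot: With the `"Administrator"` exclusion removed, whether an administrator session is actually ended now depends on the unchanged match `$_ -match "\b$username\b"`, which interpolates the name into a regex without escaping. A name containing `.` or another metacharacter can match the wrong `query user` row or none, and a missed match leaves that session open after the lock; `Where-Object { $_ -match "\b$([regex]::Escape($username))\b" }` keeps the match literal. The name is taken from `LocalPath.Split('\')[-1]`, so it is presumably the profile folder rather than the account name, and the two can differ. The file's first line still reads "log off all non-administrative users" and should be updated along with the two comments this commit changes. The `ForEach-Object` body and the `try` continue past the end of the hunk.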
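Review bot: `Write-Host "Disabled account for $username"` runs whether or not `Disable-LocalUser` succeeded, because the cmdlet's failures are non-terminating unless the error action is changed, and no such setting is visible in these lines. Now that the filter covers every enabled account, including `Administrator`, the lock can report success while an administrative account stays enabled; `Disable-LocalUser -Name $username -ErrorAction Stop` inside a `try`/`catch` that writes the error (the log-off loop already uses a `try`) would make the output trustworthy. The loop also keeps no record of which accounts it disabled, so an unlock step cannot tell them apart from accounts that were already disabled before the lock; that step is not visible here, so confirm how it chooses what to re-enable. The `ForEach-Object` body closes outside the hunk.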
From: Jahziel Villasana-Espinoza
Date: Mon, 20 May 2024 12:09:52 -0400
Subject: [PATCH 2/2] chore: changes file
---
changes/18461-windows-lock | 1 +
1 file changed, 1 insertion(+)
create mode 100644 changes/18461-windows-lock
diff --git a/changes/18461-windows-lock b/changes/18461-windows-lock
new file mode 100644
index 0000000000..68dd284c2e
--- /dev/null
+++ b/changes/18461-windows-lock
@@ -0,0 +1 @@
+- Adds the ability to automatically log off and lock out `Administrator` users on Windows hosts.
\ No newline at end of file