Add a User to Local Admin group using Intune

In this blog post, we will learn how to add an Entra ID user or group to the local Administrators group on Windows 10/11 devices using the Intune admin center.

As an example, I will add an Entra ID user account called jatin.makhija@cloudinfra.net to the local Administrators group on an Intune-managed Windows 11 device called CLOUDINFRA-W-25. The same policy can target multiple devices by assigning it to a larger device group.

The screenshot below shows the local Administrators group after the policy has been applied.

Adding Entra ID user to local admin group

Identify a User account

The first step is to identify the user account that you want to add to the local Administrators group on the target devices. Because this grants standing administrator rights on every device the policy reaches, use a dedicated administrative account rather than the person's everyday account, and plan to assign the policy only to the devices that actually need it. Once you have a user account ready, proceed to the next step.

Create an Account Protection Policy

The next step is to create an Account protection policy. The steps are:

  • Sign in to the Intune admin center > Endpoint Security > Account protection.
  • Click on Create Policy.
Create Account Protection policy
  • Platform: Windows
  • Profile: Local user group membership. Click on Create.
Select Local user group membership
  • Basics Tab: Provide a Name and Description of the Policy and click Next.
Provide policy info in Basics tab
  • Configuration settings:
    • Local group: Administrators
  • Group and user action: Add (Update)
    • User selection type: Users/Groups
    • Selected users/groups: Click Select users/groups and pick the user (or group) you want to add to the local Administrators group on the target devices.

Add (Update): adds the selected members to the group. Existing members that the policy does not list are left untouched.

Add (Replace): replaces the group's current membership with the list of members specified in the policy. Any existing member that is not in the list is removed, so only use Replace with a complete list of everyone who should remain in the group.

Remove (Update): removes the listed members from the local Administrators group and leaves all other members untouched.
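To make the difference between Update and Replace concrete, here is an added PowerShell example (my own, not code from the original post) that models both actions against a constructed membership list and prints the GroupConfiguration payload each action corresponds to in the LocalUsersAndGroups CSP, which is the CSP behind the Local user group membership profile. All SIDs below are constructed placeholders, not real accounts.

```powershell
# Added example (not from the original post): model what Add (Update) and
# Add (Replace) do to the local Administrators group, and show the
# LocalUsersAndGroups CSP payload each action corresponds to.

# Constructed current membership of Administrators on an Entra joined device:
# two Entra role SIDs that were added at join time and one local account that
# someone added by hand. All values are placeholders.
$currentMembers = @(
    'S-1-12-1-1000000000-1000000001-1000000002-1000000003',  # placeholder: Entra role SID
    'S-1-12-1-2000000000-2000000001-2000000002-2000000003',  # placeholder: Entra role SID
    'S-1-5-21-1111111111-2222222222-3333333333-1005'         # placeholder: local account
)
# Placeholder SID for the user the policy adds (on a real device this is the
# S-1-12-1-... SID derived from the user's Entra object ID).
$policyMembers = @('S-1-12-1-3000000000-3000000001-3000000002-3000000003')

function Get-ResultingMembership {
    param(
        [ValidateSet('U','R')][string] $Action,   # U = Add (Update), R = Add (Replace)
        [string[]] $Current,
        [string[]] $Policy
    )
    switch ($Action) {
        'U' { @($Current + $Policy | Select-Object -Unique) }  # add, keep everyone else
        'R' { @($Policy) }                                     # only listed members survive
    }
}

function New-GroupConfigurationXml {
    # Builds the GroupConfiguration document in the shape documented for
    # ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure.
    param([ValidateSet('U','R')][string] $Action, [string[]] $Members)
    $adds = ($Members | ForEach-Object { "        <add member = `"$_`"/>" }) -join "`n"
@"
<GroupConfiguration>
    <accessgroup desc = "Administrators">
        <group action = "$Action" />
$adds
    </accessgroup>
</GroupConfiguration>
"@
}

foreach ($action in 'U', 'R') {
    $result  = Get-ResultingMembership -Action $action -Current $currentMembers -Policy $policyMembers
    $removed = $currentMembers | Where-Object { $_ -notin $result }
    "`n== Action $action =="
    New-GroupConfigurationXml -Action $action -Members $policyMembers
    "Resulting member count: $($result.Count)"
    if ($removed) {
        'WARNING: these existing members would be removed by this action:'
        $removed | ForEach-Object { "  $_" }
    }
}
```

Run it in any PowerShell session; it touches nothing on the machine. For action U the warning never fires, while for action R it lists every current member that is missing from the policy, which is exactly the check you want to do before choosing Add (Replace) on real devices.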

Select Entra account to add to local admin
Review the configured settings and click Next
  • Scope tags: Click on Next.
  • Assignments: Click Add groups and select the Entra security group that contains the target Windows devices.
Assign the policy to windows devices
  • Review + create: Review the deployment summary and click on Create.

Sync Intune Policies

The device check-in might not happen immediately. If you are testing this policy on a single device, you can trigger an Intune sync manually from the device itself (Settings > Accounts > Access work or school > select the account > Info > Sync) or remotely from the Intune admin center (Devices > select the device > Sync).

Alternatively, you can use PowerShell on the device to force the Intune sync. Restarting the device is another way to trigger a device check-in.

Monitoring Deployment Progress

  • Sign in to the Intune admin center > Endpoint Security > Account Protection.
  • Find the Account protection policy you created and click on it to open.
  • Check Device and user check-in status to see the deployment status. For more detail, click Device assignment status and Per setting status; the latter tells you whether the group membership setting itself succeeded or returned an error on each device.

End User Experience

  • Click Start, search for Computer Management and open it.
Verify if user has been added to local admin
  • Expand Local Users and Groups > Groups and double-click the Administrators group.
  • The user account now appears as a member of this group, as configured by the policy we created.
Check from compmgmt.msc
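Forcing the sync from PowerShell and verifying the result from PowerShell are both easier to script than clicking through Settings and Computer Management. The following added example (my own, not code from the original post) does both on the target device: it starts the MDM client's PushLaunch scheduled task, then polls the local Administrators group until the expected SID shows up. It matches on SID rather than display name because cloud-only Entra ID users appear in local groups under an S-1-12-1-... SID derived from their object ID. The $ObjectId default is a placeholder; paste the object ID from the user's page in the Entra admin center. Run it in an elevated PowerShell session on the device.

```powershell
<#
  Added example (not from the original post): force an Intune sync, then
  confirm the Entra ID user is in the local Administrators group by SID.
  Requires an elevated session on the MDM-enrolled device.
#>
param(
    [string] $ObjectId = '00000000-0000-0000-0000-000000000000',  # placeholder, not a real user
    [int]    $TimeoutSeconds = 300
)

function Convert-EntraObjectIdToSid {
    # Cloud-only Entra ID users are represented locally as S-1-12-1-a-b-c-d,
    # where a..d are the object ID's 16 GUID bytes read as four little-endian UInt32s.
    param([Parameter(Mandatory)][string] $ObjectId)
    $bytes = [guid]::Parse($ObjectId).ToByteArray()
    $parts = New-Object 'uint32[]' 4
    [System.Buffer]::BlockCopy($bytes, 0, $parts, 0, 16)
    return 'S-1-12-1-' + ($parts -join '-')
}

function Start-IntuneSync {
    # The enrollment client registers a PushLaunch task under
    # \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\; starting it has the
    # same effect as pressing Sync under Settings > Accounts > Access work or school.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' `
                              -TaskName 'PushLaunch' -ErrorAction SilentlyContinue
    if (-not $task) { throw 'PushLaunch task not found: is this device MDM-enrolled?' }
    $task | Start-ScheduledTask
}

function Get-LocalAdministratorsMembers {
    # Enumerate through ADSI/WinNT. Unlike Get-LocalGroupMember, this does not
    # abort when a member SID (for example an Entra role SID added at join time)
    # cannot be resolved to a name, which is common on Entra joined devices.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        try   { $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null) }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{ Name = $name; Sid = $sid }
    }
}

$expectedSid = Convert-EntraObjectIdToSid -ObjectId $ObjectId
Start-IntuneSync

# Poll until the policy lands or we give up; Intune applies settings asynchronously.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    $members = @(Get-LocalAdministratorsMembers)
    if ($members.Sid -contains $expectedSid) { break }
    Start-Sleep -Seconds 15
} while ((Get-Date) -lt $deadline)

$members | Format-Table Name, Sid -AutoSize
if ($members.Sid -contains $expectedSid) {
    "OK: $expectedSid is a member of Administrators."
} else {
    "NOT FOUND after $TimeoutSeconds s: $expectedSid is not in Administrators. " +
    "Check the policy's Per setting status in the Intune admin center."
}
```

The membership listing it prints is also the input you need before ever choosing Add (Replace): every SID shown there that is not in the policy would be removed by a Replace action.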
