In this blog post, we’ll explore using Intune to add an Entra ID user or group to the local administrator group on Windows 10 and Windows 11 devices.
Elevating the permissions of a specific Entra ID user to a local administrator on one or multiple Intune-managed devices is straightforward. You can easily grant the necessary permissions by adding their account to the Local Administrator group.
For example, I will add an Entra ID user account called jatin.makhija@cloudinfra.net to the local administrator group on an Intune-managed Windows 11 device called CLOUDINFRA-W-25. You can also target adding a user account to the local admin group on multiple devices.
There are different ways to achieve this. However, we will use the Account protection option available under Intune admin center > Endpoint Security. Let’s check the steps.
Step 1 – Identify a User account
The first step is to identify the user account you want to add to the local Administrators group on the target device. Once you have a user account ready, proceed to the next step.
Step 2 – Create an Account Protection Policy
The next step is to create an Account Protection Policy that adds the user account to the local Administrators group. Let’s check the steps.
- Sign in to the Intune admin center.
- Go to Endpoint Security > Account protection.
- Click on Create Policy.
- Platform: Windows 10 and later
- Profile: Local user group membership. Click on Create.
Basics Tab
Provide a Name and Description of the Policy and click Next.
Configuration settings
- Local group – Administrators
- Group or user action – Add (Update)
- User selection type – Users/Groups
- Selected users/groups – Click on Select users/group and select the user you want to add to the Local admin group on the target device.
Scope tags
Click on Next.
Assignments
You can create an Entra security group and add your device to it. After that, click on Add groups and select the Entra security group. Click Next.
Review + create
Review the Deployment Summary and click on Create.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
Step 3 – Monitoring Deployment Progress
To monitor the deployment progress of the policy, follow the steps below:
- Sign in to the Intune admin center
- Click on Endpoint Security and then select Account protection.
- Locate the Account protection policy you created and click on it to Open.
- Check under Device and user check-in status to find the Deployment status. For more information, click on Device Assignment status and Per Setting status.
End-user Experience
After the deployment has completed successfully, you can follow the steps below to confirm that the user account has been added to the local Administrators group on the target device.
- Click on Start and search for Computer Management.
- Click on Local Users and Groups > Groups. Double-click on the Administrators group.
- You will find that the User account has been added to this group per the Policy we created.
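To check the same thing without the GUI, and to see which members are Entra ID principals (their SIDs start with S-1-12-1), here is an added PowerShell audit script; it is not part of the original post and not Microsoft's or Intune's own code. It assumes the ADSI WinNT provider lists Entra ID members with an ADsPath of the form `WinNT://AzureAD/<UPN>` and that the expected-member baseline (the built-in Administrator plus the user added by the policy) is one you adjust to your own environment.

```powershell
# Added example (not from the original post): audit the local Administrators group on an
# Intune-managed device after the Account protection policy has applied. ADSI is used
# instead of Get-LocalGroupMember because the latter can throw when a member SID cannot
# be resolved on the device. Run in an elevated PowerShell session on the target device.
function Get-LocalAdminAudit {
    [CmdletBinding()]
    param(
        # Constructed baseline of members you expect; anything else is flagged as unexpected.
        [string[]]$ExpectedMembers = @("$env:COMPUTERNAME\Administrator",
                                       'AzureAD\jatin.makhija@cloudinfra.net')
    )
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # Assumed path formats: WinNT://AzureAD/user@tenant for Entra ID members,
        # WinNT://<COMPUTER>/<user> for local accounts, WinNT://S-1-... when unresolved.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $name = ($path -replace '^WinNT://', '') -replace '/', '\'
        try {
            $raw = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            $sid = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
        } catch {
            $sid = $name   # unresolved members are already shown as a bare SID string
        }
        # Classify by well-known SID prefix so unresolved Entra ID members are still identifiable.
        $source = switch -Regex ($sid) {
            '^S-1-12-1-'        { 'EntraID'; break }
            '^S-1-5-21-.*-500$' { 'BuiltinAdministrator'; break }
            '^S-1-5-21-'        { 'LocalOrDomain'; break }
            default             { 'Other' }
        }
        [pscustomobject]@{
            Member   = $name
            SID      = $sid
            Source   = $source
            Expected = ($ExpectedMembers -contains $name) -or ($ExpectedMembers -contains $sid)
        }
    }
}

# Print the report and return a non-zero exit code when an unexpected member is present,
# so the same script can serve as a detection rule in an Intune remediation or compliance check.
$audit = Get-LocalAdminAudit
$audit | Format-Table -AutoSize
if ($audit | Where-Object { -not $_.Expected }) { exit 1 } else { exit 0 }
```

The Source column also answers the common question of what the bare SIDs in the Administrators group are: an S-1-12-1 SID is an Entra ID user or group, and the ADsPath usually carries the matching UPN when the device can resolve it.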
Please assist: how to get the users' SID details (the members of Administrators are shown as SIDs; how to know the user details)?
Thank you for this.
This method is applicable only for Azure AD devices, not hybrid.