In this blog post, we’ll explore the process of adding an Azure AD/Entra ID user or group to the local administrator group on Windows 10 and Windows 11 devices using the Intune admin center.
Making a specific Entra ID user a local administrator on one or more Intune-managed devices is straightforward: adding the account to the local Administrators group grants the required permissions.
For example, I will add an Azure AD/Entra ID user account called email@example.com to the local Administrators group on an Intune-managed Windows 11 device called CLOUDINFRA-W-25. The same policy can also target the addition of a user account to the local admin group on multiple devices.
There are several ways to achieve this; here we will use the Account protection option available under Intune admin center > Endpoint Security. Let’s check the steps.
Step 1 – Identify a User account
The first step is to identify the user account that you want to add to the local Administrators group on the target device. Once you have a user account ready, proceed to the next step.
Step 2 – Create an Account Protection Policy
The next step is to create an Account Protection Policy that adds the user account to the local Administrators group. Let’s check the steps.
- Sign in to the Intune admin center.
- Go to Endpoint Security > Account protection.
- Click on Create Policy.
- Platform: Windows 10 and later
- Profile: Local user group membership, then click on Create.
Provide a Name and Description for the Policy and click Next.
- Local group – Administrators
- Group or user action – Add (Update)
- User selection type – Users/Groups
- Selected users/groups – Click on Select users/group and select the user you want to add to the Local admin group on the target device.
Click on Next.
For the assignment, you can create an Entra security group and add your target device to it. Then click on Add groups, select that Entra security group, and click Next.
Review + create
Review the Deployment Summary and click on Create.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync either from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
Step 3 – Monitoring Deployment Progress
To monitor the deployment progress of the Account protection policy, follow the below steps:
- Sign in to the Intune admin center
- Click on Endpoint Security and then select Account protection.
- Locate the Account protection policy you created and click on it to Open.
- Check under Device and user check-in status to find the Deployment status. You can also click on Device assignment status and per setting status to get more information.
After the deployment is completed successfully, you can follow the below steps to check and confirm if the user account has been added to the Local administrator group on the target device.
- Click on Start and search for Computer Management.
- Click on Local Users and Groups > Groups. Double-click on the Administrators group.
- You will find that the user account has been added to this group by the policy we created.
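The same check can be scripted on the device instead of walking through Computer Management, and it also covers the PowerShell-triggered sync mentioned in the Sync Intune Policies section. The script below is an added example, not code from the original post; it assumes an elevated PowerShell session on the Entra-joined target device, and the `$Expected` allowlist is a constructed sample that you replace with the principals your own tenant is supposed to have.

```powershell
# Added example, not part of the original post: force an Intune check-in, then
# verify that the local Administrators group holds only the principals you expect.
# Assumptions: run elevated on the target device (here CLOUDINFRA-W-25); the
# $Expected allowlist is a constructed sample and must match your own tenant.

$Expected = @(
    'AzureAD\email@example.com',       # user added by the Account protection policy
    "$env:COMPUTERNAME\Administrator"  # built-in local Administrator
)

function Start-IntuneSync {
    # MDM enrollment registers a 'PushLaunch' scheduled task under EnterpriseMgmt;
    # starting it triggers the same check-in as "Sync" in the Intune admin center.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
        Start-ScheduledTask
}

function Get-AdminMembers {
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Select-Object Name, PrincipalSource, SID
    } catch {
        # Get-LocalGroupMember throws when a member SID cannot be resolved
        # (common with Entra groups); fall back to parsing net.exe output.
        $raw = & net.exe localgroup Administrators
        $sep = $raw | Where-Object { $_ -match '^-{5,}$' } | Select-Object -First 1
        $idx = [array]::IndexOf($raw, $sep) + 1
        $raw[$idx..($raw.Count - 1)] |
            Where-Object { $_ -and $_ -notmatch 'completed successfully' } |
            ForEach-Object { [pscustomobject]@{ Name = $_.Trim(); PrincipalSource = 'Unknown'; SID = $null } }
    }
}

function Test-AdminDrift {
    param([string[]]$Allowlist = $Expected)
    foreach ($m in Get-AdminMembers) {
        # -contains compares case-insensitively, so AzureAD\User@Example.com still matches
        $status = if ($Allowlist -contains $m.Name) { 'Expected' }
                  elseif ($m.Name -match '^S-1-12-1-') { 'Review' }   # unresolved Entra SID (role or group)
                  else { 'UNEXPECTED' }
        [pscustomobject]@{ Member = $m.Name; Source = $m.PrincipalSource; Status = $status }
    }
}

Start-IntuneSync
Start-Sleep -Seconds 60   # give the check-in a moment to apply the policy
Test-AdminDrift | Format-Table -AutoSize
```

Any row marked UNEXPECTED is a local admin that no policy of yours accounts for and is worth investigating; rows marked Review are Entra role or group SIDs that the device could not resolve to a name.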