Add a User to Local Admin group using Intune

In this blog post, we’ll explore using Intune to add an Entra ID user or group to the local administrator group on Windows 10 and Windows 11 devices.

Elevating the permissions of a specific Entra ID user to a local administrator on one or multiple Intune-managed devices is straightforward. You can easily grant the necessary permissions by adding their account to the Local Administrator group.

For example, I will add an Entra ID user account called jatin.makhija@cloudinfra.net to the local administrator group on an Intune-managed Windows 11 device called CLOUDINFRA-W-25. You can also target adding a user account to the local admin group on multiple devices.

There are different ways to achieve this. However, we will use the Account protection option available under Intune admin center > Endpoint Security. Let’s check the steps.

Added AzureAD\JatinMakhija into the Local administrator’s group

How to create a local admin account using Intune

Create a Local Admin using Intune and Powershell

Create a local admin account on macOS using Intune

Step-by-step guides

Step 1 – Identify a User account

The first step is to Identify a user account you want to add to the local Administrator group on the target device. Once you have a user account ready, proceed to the next step.

Step 2 – Create an Account Protection Policy

The next step is to create an Account Protection Policy to add a user account to the Local admin group, Let’s check the steps.

  • Sign in to the Intune admin center.
  • Go to Endpoint Security > Account protection.
  • Click on Create Policy.
Create an Account Protection Policy
  • Platform: Windows 10 and later
  • Profile: Local user group membership. Click on Create.
Create an Account Protection Policy
Create an Account Protection Policy

Basics Tab

Provide a Name and Description of the Policy and click Next.

Create an Account Protection Policy
Create an Account Protection Policy

Configuration settings

  • Local group – Administrators
  • Group or user action – Add (Update)
  • User selection type – Users/Groups
  • Selected users/groups – Click on Select users/group and select the user you want to add to the Local admin group on the target device.
Create an Account Protection Policy
Create an Account Protection Policy
Create an Account Protection Policy
Create an Account Protection Policy

Scope tags

Click on Next.

Assignments

You can create an Entra security group and Add your device. After that, Click on Add groups and Select the Entra security group. Click Next.

Create an Account Protection Policy
Create an Account Protection Policy

Review + create

Review the Deployment Summary and click on Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

Step 3 – Monitoring Deployment Progress

To monitor the deployment progress of a Device configuration profile, follow the below steps:

  • Sign in to the Intune admin center
  • Click on “Endpoint Security” and then select “Account Protection“.
  • Locate the Account protection policy you created and click on it to Open.
Monitoring Deployment Progress
Monitoring Deployment Progress
  • Check under Device and user check-in status to find the Deployment status. For more information, click on Device Assignment status and Per Setting status.
Monitoring Deployment Progress
Monitoring Deployment Progress

End-user Experience

After the deployment is completed successfully, you can follow the steps below to confirm if the user account has been added to the Local administrator group on the target device.

  • Click on Start and search for Computer Management.
End-user Experience
End-user Experience
  • Click on Local Users and Groups > Groups—Double-click on the Administrators group.
  • You will find that the User account has been added to this group per the Policy we created.
End-user Experience
End-user Experience

3 thoughts on “Add a User to Local Admin group using Intune”

Leave a Comment