In my previous blog post, which showed how to create a local admin account using Intune, I created a local user account and added it to the local Administrators group using a custom device configuration profile with OMA-URI settings.
In this blog post, we will see a different approach to creating a local admin account using Intune. This time I will not be using OMA-URI settings. Instead, I will use Reports > Endpoint analytics > Proactive remediations to create the local user account first, and then add that account to the Administrators group using the Local user group membership profile under Endpoint security > Account protection.
As we are using PowerShell scripts to create the local user account, we can specify that it should be created without a password. You can modify the script if you want to set a password on the account as well, or you can use the OMA-URI approach instead.
I have created two scripts for Proactive Remediation. The first one detects whether the local user account already exists. If it does not, the remediation script creates it. You can change the name of the local user account in the scripts.
| Delete a local user account using Intune |
|---|
| If you are looking for deleting a local user account using Intune, you can refer to my other blog post How To Delete A Local User Account Using Intune. |
Create a local user account using Intune Proactive remediations
Let’s now create a local user account using Intune Proactive remediations. Proactive remediations allow IT administrators to automatically detect and remediate issues on managed devices before they cause harm or disruption. The feature runs a pair of scripts, either predefined or written by the IT admin, to perform specific tasks on managed devices.
- Login on Microsoft Intune admin center.
- Go to Reports > Endpoint analytics > Proactive remediations.
- Click on + Create script package.
Basics Tab
In the Basics tab, we provide information about the script package: Name, Description and Publisher.
- Name – Create cloudinfra101 local user account
- Description – This script package will create a local user account called cloudinfra101 on the targeted devices.
- Publisher – Jatin Makhija
Settings Tab
In the Settings tab, we need to browse to the Detection script and Remediation script files and set a few other script configuration settings. Let’s provide the details:
Create a Detection Script file using the PowerShell script below. Save it as a .ps1 file.
DetectLocaluser.ps1
```powershell
# Detection script: exit 0 when the account exists (compliant),
# exit 1 to tell Proactive remediations to run the remediation script.
$userName = "cloudinfra101"
# Get-LocalUser comes from the Microsoft.PowerShell.LocalAccounts module (64-bit Windows PowerShell)
$userExist = (Get-LocalUser).Name -contains $userName
if ($userExist) {
    Write-Host "$userName exists"
    Exit 0
}
else {
    Write-Host "$userName does not exist"
    Exit 1
}
```
Create a Remediation Script file using the PowerShell script below. Save it as a .ps1 file.
RemediateLocalUser.ps1
```powershell
# Remediation script: runs only on devices where the detection script exited 1.
$userName = "cloudinfra101"
$userExist = (Get-LocalUser).Name -contains $userName
if ($userExist -eq $false) {
    try {
        # -NoPassword creates the account with a blank password; pass a SecureString
        # via -Password instead if your requirements call for one.
        # -ErrorAction Stop makes a failed creation land in the catch block.
        New-LocalUser -Name $userName -Description "Cloudinfra101 local user account" -NoPassword -ErrorAction Stop
        Exit 0
    }
    catch {
        Write-Error $_
        Exit 1
    }
}
```
- Detection script file – Browse to the detection script DetectLocaluser.ps1
- Remediation script file – Browse to the remediation script RemediateLocalUser.ps1
- Run this script using the logged-on credentials – No
- Enforce script signature check – No
- Run script in 64-bit PowerShell – Yes

Assignments tab
Create an Azure AD security group containing the users or devices where this script package needs to be deployed. Note that if you add users to the group, the local user account will be created on all of those users' devices that are joined to Azure AD and enrolled in Intune. If you want to deploy it to specific devices, add devices to the Azure AD security group rather than users.
To deploy it on all end user devices, you can click on + Add all devices to target every device enrolled in Intune.
Review + Create
On the Review + Create tab, review the script package settings and click on Create. As soon as you click the Create button, deployment of the custom script package starts and the process to create the local user account begins.
Add Local user account to Administrators group
Now that we have created a script package to deploy our new local user account, cloudinfra101, we also want this account to be a member of the local Administrators group. There are many ways to accomplish this.
You can use an OMA-URI setting to add this user to the local Administrators group, or you can use the Local user group membership profile under Endpoint security > Account protection.
We are going to use the Local user group membership profile to add the local user account to the local Administrators group. Please follow the steps below:
- Login on Microsoft Intune admin center.
- Go to Endpoint Security > Account Protection
- Click on + Create Policy.
- Select Platform as Windows 10 and Later.
- Select Profile as Local user group membership.
- Click on Create.

Basics Tab
In the Basics tab, we provide information about the profile: Name and Description. Click Next after entering this information.
- Name: Add cloudinfra101 to local admin group
- Description: This policy will add cloudinfra101 local user account to local admin group on targeted devices
Configuration settings
In the Configuration settings tab, we configure the local Administrators group to add the local user account cloudinfra101. Make sure you choose the settings below when updating the local Administrators group.
- Local group: Administrators
- Group and user action: Add (Update)
- User selection type: Manual
- Selected Users/groups: Click on Add user(s) link and then provide cloudinfra101 local user account name.

We have specified that cloudinfra101 should be added to the local Administrators group. You can add multiple local users to the local Administrators group as well. Make sure that each local user account exists on the device and that its name is valid. If a local user account name is invalid, it will simply be ignored.

Assignments tab
You can add an Azure AD group containing users or devices to apply this policy. I normally prefer to target policies to devices, because that makes the set of affected devices predictable. If you target the policy to users, it applies to every device those users sign in to or use.
To deploy it on all end user devices, you can click on + Add all devices to target every device enrolled in Intune.
Review + Create
You can review the policy once and then click on Create. Once your policy is created, you can view your policy under Endpoint security > Account protection. Please also make sure that there is no other policy created which targets the same settings. This can result in Conflict Policy error.

Intune Policy Refresh Cycle
The device will sync (check in) to start the deployment process, which may take some time. If you are testing on a test device, you can force an Intune refresh cycle on the device, which speeds up the download and deployment. You can also use PowerShell to force the Intune refresh cycle.
Restarting the device also starts the device check-in process. A manual sync is not mandatory on users' devices, as device check-in happens automatically, but on a test device it can speed up your testing and save some time.
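The PowerShell route mentioned above, as an added example that is not part of the original post: it triggers the device check-in by starting the enrollment client's scheduled task. The task name `PushLaunch` under `\Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\` is an assumption based on how Intune-enrolled devices are commonly observed to register it; run this from an elevated prompt on a test device and adjust the name if your device differs.

```powershell
# Added example (not from the original post): force an Intune check-in on a test device.
# Assumes the enrollment client registered a scheduled task named "PushLaunch"
# under \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\ (commonly observed, not guaranteed).
function Start-IntuneSync {
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object {
            $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and $_.TaskName -eq 'PushLaunch'
        }

    if (-not $task) {
        Write-Warning "No Intune enrollment sync task found. Is this device enrolled in Intune?"
        return $false
    }

    # Start the task (requires an elevated session) and report what the scheduler recorded.
    $task | Start-ScheduledTask
    Start-Sleep -Seconds 5
    $info = $task | Get-ScheduledTaskInfo
    Write-Host ("Sync task started. LastRunTime={0} LastTaskResult={1}" -f $info.LastRunTime, $info.LastTaskResult)
    return $true
}

Start-IntuneSync
```

After the task runs, the script package and the account protection policy are picked up on the next check-in, so allow a few minutes before verifying the result on the device.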
End user Experience
Now, let’s check what happens on the end user device after the policy has been deployed successfully. You can open Computer Management to confirm that the local user account has been created and that it has been added to the local Administrators group.
- Click on Start > search for Computer Management.
- Then go to Local Users and Groups > Users.
- Check if cloudinfra101 local user account has been created.

- Go to Groups folder and then double-click on Administrators group to check if cloudinfra101 local user account has been added.
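The same two checks (the account exists and it is a member of the local Administrators group) done from PowerShell, as an added example that is not part of the original post. It assumes the account name `cloudinfra101` and the built-in `Administrators` group used throughout this post; both are parameters so you can point it at another account. The exit codes follow the detection-script convention, so it can also be used as a Proactive remediations detection script to report devices where the membership policy has not yet applied.

```powershell
# Added verification script (not part of the original post).
# Assumes the account name "cloudinfra101" and the built-in "Administrators" group.
param(
    [string]$UserName  = "cloudinfra101",
    [string]$GroupName = "Administrators"
)

function Test-LocalAdminAccount {
    param([string]$UserName, [string]$GroupName)

    $result = [ordered]@{
        UserName         = $UserName
        Exists           = $false
        Enabled          = $false
        PasswordRequired = $null
        InGroup          = $false
    }

    # Requires the Microsoft.PowerShell.LocalAccounts module (64-bit Windows PowerShell).
    $user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    if ($null -ne $user) {
        $result.Exists           = $true
        $result.Enabled          = $user.Enabled
        # Reported as-is by Get-LocalUser; useful to see what -NoPassword produced.
        $result.PasswordRequired = $user.PasswordRequired
    }

    # Get-LocalGroupMember returns names as "COMPUTERNAME\user" (or "AzureAD\user"),
    # so compare on the leaf name only and ignore group-type members.
    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue
    $result.InGroup = [bool]($members | Where-Object {
        $_.ObjectClass -eq 'User' -and (($_.Name -split '\\')[-1]) -ieq $UserName
    })

    return [pscustomobject]$result
}

$state = Test-LocalAdminAccount -UserName $UserName -GroupName $GroupName
$state | Format-List

# Exit 0 = account present and in the group (compliant); Exit 1 = something is missing.
if ($state.Exists -and $state.InGroup) { Exit 0 } else { Exit 1 }
```

Run it in an elevated 64-bit PowerShell session on the device, or deploy it as a detection script with no remediation script to get a per-device report in the Proactive remediations blade.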

Conclusion
In this blog post, we have learnt a different way to create a local user account using Intune and a different way to add it to the local Administrators group. In my previous blog post, I used OMA-URI settings to accomplish this task of creating a local user and adding it to the Administrators group.
The approach in this blog post uses a PowerShell script instead. I have not defined a password for the local user, as I used the -NoPassword parameter with the New-LocalUser cmdlet. You can modify the script to set a password for the local user account if you want.
READ NEXT
- How To Create A Local Admin Account Using Intune.
- Implement Windows LAPS On Azure AD Devices Using Intune.
- Block/whitelist Edge Extensions Using Intune.
- How To Configure Default Apps On Windows Using Intune.
- How To Force Intune Sync Using Powershell.