This blog post will explore how to elevate a standard user’s permissions to local administrator rights on a Windows 365 Cloud PC. This is a common request from business users and is sometimes necessary for troubleshooting.
By default, when you provision a Cloud PC for a user, the user will not get administrator rights on the PC. However, Windows 365 services provide a User Settings page on the Intune admin center under the Windows 365 node. Using User Settings, an IT administrator can create a policy to elevate a user’s rights to a local administrator.
Using the User Settings page is one option for granting local admin rights. However, there are also various other solutions available through Intune. If you have a Windows 365 Enterprise license, you can use an Account Protection policy from the Intune admin center to add a user to the Local Admin group on the Cloud PC using Intune.
In this blog post, we will focus on the Windows 365 service’s native option, User settings, to elevate the user’s permission to local admin. The “User settings” option is the easiest way to elevate user rights to local admin.
To elevate a user to local administrator rights, take note of the following first:
- “Enable local admin” permission in Windows 365 applies at the User level.
- User settings can be applied before or after a Cloud PC is assigned.
- The policy to elevate the user to local admin takes effect at user login. Therefore, if a user is already logged in, they must sign out and sign in again to get the admin rights.
- After assigning User Settings to a user via an Entra security group, the user will get local admin privileges on all Cloud PCs assigned to them.
Local Administrators group in Windows 365 Cloud PC
To check and confirm if you have local administrator rights on your Windows 365 Cloud PC, you can examine the Local Administrators group using Computer Management. If your account is not listed in this group, you do not have local administrator privileges on this PC.
- Press Windows + R to open the Run dialog box.
- Type compmgmt.msc and press Enter to open Computer Management.
- Navigate to Local Users and Groups > Groups > Double-click Administrators group.
We will use the User Settings option in Windows 365 to add a user to this Local administrators group. Let’s check the steps in the next section.
Another option: As I discussed earlier, if you have Windows 365 Enterprise, you could use Account Protection policies to add a user to the Local Admin group using Intune.
Steps to Elevate User to Local Admin on Windows 365 Cloud PC
To elevate a user account to local admin on their Windows 365 Cloud PC, follow the steps below:
- Sign in to the Intune admin center.
- Navigate to Devices > Windows 365 > User settings.
- Click on Add.
- Name: Provide a name for the User settings policy. For example, Elevate the User to local Administrator.
- Enable Local admin: Check the box to Enable it.
- Enable users to reset their Cloud PCs: Keep it unchecked (Default setting).
- Allow user to initiate restore service: Keep it unchecked (Default setting).
- Frequency of restore-point service: Keep default.
Click ‘Add groups’ to choose an Entra security group that includes end-user accounts. Each user within the assigned groups will be granted Local Administrator privileges on their own Cloud PCs.
I have selected an Entra security group called W365-test-group which contains my user account. Therefore, I will become local administrator of my Cloud PC.
Review + Create
Review the policy and click on the Create button to proceed.
The User settings policy has been created and assigned successfully.
When the user signs out and signs back into their Cloud PC, the policy will take effect, and the user will be added to the Local Administrators group. It took me only a few minutes to confirm that this change has been applied.
The screenshot below demonstrates that the user account ‘AzureAD/JatinMakhija,’ a member of the ‘W365-test-group,’ has been successfully added to the local Administrators group on the Cloud PC.
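The same check can be scripted on the Cloud PC. The PowerShell below is an added example, not part of the original post: it compares the stored membership of the local Administrators group with the groups in the current sign-in token, which shows whether the sign-out and sign-in step is still pending. The function names are hypothetical, and it assumes the user is added to the group directly, as in the screenshot described above.

```powershell
# Added example: compare local Administrators membership with the current
# sign-in token on a Windows 365 Cloud PC. Function names are hypothetical.
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators (locale independent)

function Get-AdminGroupMemberSid {
    # Returns the SIDs of the direct members of the local Administrators group.
    try {
        (Get-LocalGroupMember -SID $adminSid -ErrorAction Stop).SID.Value
    }
    catch {
        # Get-LocalGroupMember can fail when the group holds an entry it cannot
        # resolve, so read the members through ADSI instead.
        $name  = (Get-LocalGroup -SID $adminSid).Name
        $group = [ADSI]"WinNT://./$name,group"
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        }
    }
}

function Test-TokenHasAdminSid {
    # whoami lists every group in the logon token, including the deny-only
    # entry that UAC leaves in a non-elevated token.
    $rows = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $rows.SID -contains $adminSid
}

$me         = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$memberSids = @(Get-AdminGroupMemberSid)
$inGroup    = $memberSids -contains $me.User.Value
$inToken    = Test-TokenHasAdminSid

if ($inGroup -and -not $inToken) {
    $action = 'Sign out and sign in again to pick up the new rights'
} elseif ($inGroup) {
    $action = 'Local admin rights are present in this session'
} else {
    $action = 'Not a direct member; check the User settings assignment'
}

[pscustomobject]@{
    User                   = $me.Name
    MemberOfAdministrators = $inGroup
    AdminSidInCurrentToken = $inToken
    GroupMemberSids        = $memberSids -join ', '
    Action                 = $action
}
```

The `GroupMemberSids` column lists every direct member of the group, so the same output can be reviewed for accounts that should not hold local admin rights.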
In conclusion, granting local administrator rights on a Windows 365 Cloud PC is essential for effective troubleshooting in business environments. While default provisioning doesn’t provide these privileges, the User Settings page in the Intune admin center offers a straightforward solution for IT administrators.
Additionally, users with a Windows 365 Enterprise license can explore the Account Protection policy in the Intune admin center as an alternative.