This blog post will explore how to elevate a standard user’s permissions to local administrator rights on a Windows 365 Cloud PC. This is a common request from business users and is sometimes necessary for troubleshooting.
By default, when you provision a Cloud PC for a user, the user will not get administrator rights on the PC. However, Windows 365 services provide a User Settings page on the Intune admin center under the Windows 365 node. Using User Settings, an IT administrator can create a policy to elevate a user’s rights to a local administrator.
Using the User Settings page is one option for granting local admin rights. However, there are also various other solutions available through Intune. If you have a Windows 365 Enterprise license, you can utilize an Account Protection policy from the Intune admin center to Add a User to the Local Admin group using Intune on the Cloud PC.
This blog post will focus on the Windows 365 service’s native option, User settings to Elevate the user’s permission to local admin. The user settings option is the easiest way to elevate user rights to local admin.
How to create a local admin account using Intune
Step-by-Step guides
Prerequisites
To Elevate a user to Local administrator rights, take note of the following first:
- “Enable local admin” permission in Windows 365 applies at the User level.
- User settings can be applied before or after a Cloud PC is assigned.
- The policy to elevate the user to local admin will affect the user login. Therefore, If a user is already logged in, they must sign out and sign in again to get the admin rights.
- After a user is assigned User Settings via an Entra security group, the user will have local admin privileges on all Cloud PCs assigned to them.
Local Administrators group in Windows 365 Cloud PC
To check and confirm if you have local administrator rights on your Windows 365 Cloud PC, you can examine the Local Administrators group using Computer Management. If your account is not listed in this group, you do not have local administrator privileges on this PC.
- Press Windows + R to open the Run dialog box.
- Type compmgmt.msc and press Enter to open Computer Management.
- Navigate to Local Users and Groups > Groups > Double-click Administrators group.
We will use the User Settings option in Windows 365 to add a user to this Local administrators group. Let’s check the steps in the next section.
As I discussed earlier, if you have Windows 365 Enterprise, you could use Account Protection policies to Add a User to the Local Admin group using Intune.
Another option
Steps to Elevate User to Local Admin on Windows 365 Cloud PC
To Elevate a User account to Local admin on their Windows 365 Cloud PC, follow the below steps:
- Sign in to the Intune admin center.
- Navigate to Devices > Windows 365 > User settings.
- Click on Add.
Settings Tab
- Name: Provide a Name of the User settings policy. For Example, Elevate the User to local Administrator.
- Enable Local admin: Check the box to Enable it.
- Enable users to reset their Cloud PCs: Keep it unchecked (Default setting).
- Allow user to initiate restore service: Keep it unchecked (Default setting).
- Frequency of restore-point service: Keep default.
Assignments Tab
Click Add groups to choose an Entra security group that includes end-user accounts. Users within the assigned groups will be granted Local Administrator privileges on their Cloud PCs.
I have selected an Entra security group called W365-test-group, which contains my user account. Therefore, I will become the local administrator of my Cloud PC.
Review + Create
Review the policy and click on the Create button to proceed.
Users settings policy has been assigned and created successfully.
End-user Experience
When the user signs out and signs back into their Cloud PC, the policy will take effect, and the user will be added to the Local Administrators group. It took me only a few minutes to confirm that this change has been applied.
The screenshot below demonstrates that the user account ‘AzureAD/JatinMakhija,’ a member of the ‘W365-test-group,’ has been successfully added to the local administrator’s group on the Cloud PC.
Conclusion
In conclusion, granting local administrator rights on a Windows 365 Cloud PC is essential for effective troubleshooting in business environments. While default provisioning doesn’t provide these privileges, the User Settings page in the Intune admin center offers a straightforward solution for IT administrators.
Also by using the Account Protection policy, you can add an Entra ID user to the local administrator group using Intune.
