Enable/Disable built-in Administrator account using Intune

Every Windows computer has a built-in Administrator account (SID S-1-5-domain-500, i.e. the account with relative ID 500, display name Administrator). It is the first account created during the Windows installation.

The Administrator account has full control of the files, directories, services, and other resources on the local device. The default Administrator account can't be deleted or locked out, but it can be renamed or disabled, and it can't be removed from the Administrators group.

The best practice is to sign in to the PC with a standard (non-administrator) account and elevate to an administrator account only when required, for example to install an application or perform a configuration task on the device. Avoid signing in to the device with the local administrator account for day-to-day use.

However, if you are using Windows LAPS to manage the built-in Administrator account, the account must be enabled before you deploy the LAPS policy to the device; LAPS manages the account's password but does not enable the account for you.

In this blog post, we’ll explore two methods for enabling the built-in local administrator account. The first approach involves using a Device Configuration Profile, and the alternative method is through Intune device Remediations.

Local admin account status on Windows 10/11 device

Enable built-in Administrator account using Intune

Let's enable the built-in Administrator account on Windows 10/11 devices using Intune by creating a device configuration profile.

  • Sign in to the Microsoft Intune admin center
  • Go to Devices > Configuration profiles
  • Click on + Create Profile
  • Select Platform as Windows 10 and later
  • Profile type: Settings Catalog

Basics Tab

Provide a Name and Description for the Profile. Click on Next.

Configuration settings

Click on the Add settings link, search for Local Policies Security Options, and tick the setting "Accounts Enable Administrator Account Status". Use the toggle switch to set it to Enable (set it to Disable instead if you want to disable the account).

The OMA-URI setting which is used in the background for managing built-in local Administrator account is: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus

Policy CSP – LocalPoliciesSecurityOptions
Configuration settings

Assignments

Click on Add group to add an Azure AD group containing the target users or devices, or click Add all users or Add all devices.

Review + Create

Review the deployment summary and click on Create to start the deployment.

End-user Experience

Let’s check the result of this policy from one of the target devices:

  • Go to Start > search for Computer Management.
  • Then go to Local Users and Groups > Users.
  • Check the status of the Administrator Account, it should now be Enabled.
End-user Experience

Troubleshooting

Even after this policy has been applied, the built-in Administrator account may still not be enabled. In the Intune admin center the deployment status shows Error code 65000, and the Event Viewer logs on the device also show that the setting failed to apply.

  • Go to the Device and then Click on Start > Search for Event Viewer.
  • Go to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

MDM ConfigurationManager: Command failure status. Configuration Source ID: (7CCD9C30-BFE5-4CE3-97C8-FC5E16474D01), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus), Result: (Unknown Win32 Error code: 0xc000006c).

Error Event ID 404

The error message itself doesn't make the cause obvious. On the device we see Error Event ID 404 with result code 0xC000006C, and in the Intune admin center the error code is 65000. 0xC000006C is the NTSTATUS value STATUS_PASSWORD_RESTRICTION, which Windows returns when a password operation violates the password policy.
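The following PowerShell script collects the same information from the device in one go: the state of the built-in Administrator account (the check described under End-user Experience above), the local password policy the account's current password has to satisfy, and the most recent Event ID 404 failures for this CSP URI. It is an added example, not part of the original post. It assumes the built-in account is located by its well-known relative ID (500) rather than by name, because the account may have been renamed by policy, and that it is run in an elevated session on the target device.

```powershell
# Added diagnostic script; not from the original post. Run in an elevated PowerShell
# session on the target device.
# Assumption: the built-in account is located by its well-known relative ID (500),
# because its display name may have been changed by a rename policy.

$cspUri = './Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus'

# 1. Current state of the built-in Administrator account (RID 500)
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) { throw 'No local account with RID 500 found.' }
$builtinAdmin |
    Select-Object Name, Enabled, PasswordLastSet, @{ n = 'SID'; e = { $_.SID.Value } } |
    Format-List

# 2. Local password policy the account's existing password must satisfy before it can be enabled.
#    secedit exports the effective [System Access] settings, including complexity, which
#    "net accounts" does not show.
$cfg = Join-Path $env:TEMP 'secpol-export.cfg'
secedit /export /cfg $cfg /quiet | Out-Null
Select-String -Path $cfg -Pattern '^(MinimumPasswordLength|PasswordComplexity)' |
    ForEach-Object { $_.Line }
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Most recent MDM command failures (Event ID 404) that mention this CSP URI
$filter = @{
    LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Id      = 404
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$cspUri*" } |
    Select-Object -First 5 TimeCreated, Message |
    Format-List

# A result of 0xC000006C in those events is NTSTATUS STATUS_PASSWORD_RESTRICTION: the
# account's existing password violates the local password policy, so the enable request
# is refused even though the MDM command itself reached the device.
```

If step 2 prints PasswordComplexity = 1 and the account's PasswordLastSet is empty or very old, the 0xC000006C failure in step 3 is the password-policy case described below.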

Re-checking Microsoft's documentation for this setting shows the cause: if the built-in Administrator account's current password doesn't meet the password policy requirements, the account can't be re-enabled.

To fix this issue, you can refer to the blog post Enable/Disable Local Admin Account Using Intune Remediations, which shows a different way of enabling the built-in Administrator account: set a password that meets the complexity requirements first, then enable the account.
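The script below is an added example of that approach, written here for this post; it is not the original post's code and not the script from the linked Remediations post. It sets a random, policy-compliant password on the RID-500 account and only then enables it, which avoids the 0xC000006C failure. It assumes it runs elevated (as SYSTEM when deployed through Intune Remediations) and that a throwaway password is acceptable because Windows LAPS will rotate it once the LAPS policy applies; without LAPS you must record the password you set, because this script deliberately discards it.

```powershell
# Added remediation script; not the original post's code and not the linked post's script.
# Run elevated (SYSTEM context when deployed through Intune Remediations).
# Assumptions: the account is found by RID 500, and a random throwaway password is
# acceptable because Windows LAPS will rotate it once the policy applies. Without LAPS,
# record the password you set, because this script does not keep or log it.

function New-RandomPassword {
    param([int]$Length = 24)
    # Four character classes; one character from each guarantees the "3 of 4" complexity rule.
    # Ambiguous characters (I, l, O, 0, 1) are left out in case the value ever has to be typed.
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'abcdefghijkmnopqrstuvwxyz',
        [char[]]'23456789',
        [char[]]'!@#$%^&*()-_=+[]{}'
    )
    $pool = $classes | ForEach-Object { $_ }
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # Uniform index from a CSPRNG byte; bytes above the largest multiple of $Max are
    # rejected so the result has no modulo bias.
    $index = {
        param([int]$Max)
        $b = [byte[]]::new(1)
        $limit = 256 - (256 % $Max)
        do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
        $b[0] % $Max
    }
    $chars  = @(foreach ($c in $classes) { $c[(& $index $c.Length)] })
    $chars += @(1..($Length - $classes.Count) | ForEach-Object { $pool[(& $index $pool.Count)] })
    # Fisher-Yates shuffle so the guaranteed class characters are not always at the front
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $index ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    -join $chars
}

$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) { Write-Output 'No local account with RID 500 found.'; exit 1 }

if ($builtinAdmin.Enabled) {
    Write-Output "$($builtinAdmin.Name) is already enabled."
    exit 0
}

# Set a policy-compliant password first; Enable-LocalUser fails with 0xC000006C
# (STATUS_PASSWORD_RESTRICTION) while the existing password violates the policy.
$secure = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
$builtinAdmin | Set-LocalUser -Password $secure
$builtinAdmin | Enable-LocalUser

if ((Get-LocalUser -SID $builtinAdmin.SID).Enabled) {
    Write-Output "$($builtinAdmin.Name) enabled."
    exit 0
}
Write-Output "Failed to enable $($builtinAdmin.Name)."
exit 1
```

When deployed as an Intune remediation, pair it with a detection script that locates the same RID-500 account and exits 1 when Enabled is false, so the remediation only runs on devices where the account is still disabled. Re-enabling this account creates a standing high-privilege local credential, so only do it where LAPS (or another rotation mechanism) is in place to manage the password afterwards.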

Conclusion

In this blog post, we have seen how to enable or disable the built-in local Administrator account with an Intune device configuration profile. If you are enabling the account, make sure its current password meets the password complexity requirements; otherwise the deployment fails with Error 65000 in the Intune admin center (Event ID 404 with result 0xC000006C on the device).

3 thoughts on “Enable/Disable built-in Administrator account using Intune”

  1. Hello,
    How did you set the password of local administrator account to meet the complexity requirement? Manually resetting it or by Intune? Is the complexity requirement of Local Security Policy or Intune?
    Regards

    • I changed the password manually on the device, but if you have to perform this on devices in bulk then you could create a PowerShell script and use that to change the password of the Administrator account to meet the complexity requirements. I believe it's a local security policy which does not allow a simple password for the Administrator account.

      [Update]: I have created a blog post on how to Enable/Disable the built-in Administrator account using Intune Proactive Remediations, which uses PowerShell scripts. Hope this will help you to fix this issue: https://cloudinfra.net/enable-disable-local-admin-account-using-intune-remediations/

