Its a good security practice to keep built-in local Administrator account disabled and do not use for any activities on a windows device. By default its disabled already for you on a windows 10 device. Please note that when you boot your Windows device into Safe mode, Administrator account will get enabled automatically. But it will remain disabled in normal boot mode.
However, if you are using Windows LAPS and managing the local administrator account using LAPS, then you would need to enable built-in local administrator account.
Recently Microsoft released the capability to manage local administrator account using Windows LAPS on Azure AD devices using Intune. You can manage a custom local admin account or existing built-in Administrator account which is availalbe on all Windows devices.
| Related Articles |
|---|
| How To Create A Local Admin Account Using Intune. Create A Local Admin Using Intune And Powershell. Implement Windows LAPS On Azure AD Devices Using Intune. |
Enable built-in Administrator account using Intune
Let’s enable built-in Administrator account on a Windows 10 or Windows 11 device using Intune. We will be creating a Device configuration profile and using the settings available from Settings Catalog.
- Login on Microsoft Intune admin center.
- Go to Devices > Configuration profiles.
- Click on + Create Profile
- Select Platform as Windows 10 and later.
- Profile type: Settings Catalog
Basics Tab
In basics tab, we will provide information about the device configuration profile like Name and Description.
- Name – Enable built-in Local administrator account
- Description – This device configuration profile will enable built-in Local administrator account on Windows devices.
Configuration settings
In Configuration settings tab, you need to click on + Add settings link to browse or search the catalog for the settings you want to configure. A Settings picker pane will open on the right hand side. Search for Local Policies Security Options and Check the policy setting “Accounts Enable Administrator Account status“. Toggle it to Enable built-in Administrator Account.
The OMA-URI setting which is used in the background for managing built-in local Administrator account is :
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
Policy CSP – LocalPoliciesSecurityOptions
| Disable built-in Administrator Account |
|---|
| By default built-in local administrator account is disabled on Windows 10 or Windows 11 devices. However, if you find that it was enabled previously by someone, then you can use this policy setting toggle to disable built-in local administrator account as well if you want. You can also rename built-in local Administrator account using “Accounts rename Administrator Account” policy. Windows LAPS can still manage the local administrators account even though you have renamed it because Windows LAPS will looks for well known SID of the local administrator account not the name of the account. |
Assignments
As this is a device based policy, Scope of this policy must be targeted to devices. You can assign this policy to only a few devices by creating an Azure AD security group and assign this device configuration profile to that group only.
To deploy it on all end user devices, You can click on + Add all devices to target all devices which are enrolled into Intune.
Review + Create
On Review + Create tab, review the profile and click on Create. This will create the deployment profile for enabling built-in local administrator on targeted devices.
Intune Policy Refresh Cycle
The Device will Sync / Check in to start deployment of this profile. It may take some time for the process to start. Therefore, if you are testing it on a test device, you can force initiate Intune refresh cycle on the device which will speed up the download and installation process. You can also use Powershell to force initiate Intune refresh cycle.
Also, you can restart the device first which also starts the device check-in process. Manual sync is not mandatory on user’s devices as the device check-in process happens automatically. But if you are testing the deployment on a test device then this can speed up your testing and can save some time.
End User Experience
After the policy has been deployed successfully on target devices. You can login on one of the device to check if Administrator account has been enabled now.
- Go to Start > search for Computer Management.
- Then go to Local Users and Groups > Users.
- Check the status of Administrator Account, it should now be Enabled.
Troubleshooting
After you assign the device configuration profile to target devices and have also waited for device check-in process, restarted your device as well but you noticed that built-in Administrator account is not getting enabled.
When you will check the status of device configuration profile, you may receive an Error Code 65000 shown for this setting. Also, when you will check it in Event Viewer of one of the device where the device configuration profile deployment failed, you will see below issue:
- Go to the Device and then Click on Start > search for Event Viewer.
- Go to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
| Error Event ID 404 |
|---|
| MDM ConfigurationManager: Command failure status. Configuration Source ID: (7CCD9C30-BFE5-4CE3-97C8-FC5E16474D01), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus), Result: (Unknown Win32 Error code: 0xc000006c). |
I have then set the password of local administrator account to meet the complexity requirement and re-created the same device configuration profile to Enable the local administrator account. This time it was successful and local admin account was enabled.
Conclusion
In this blog post, we have seen how to Enable or Disable a built-in local administrator account. If you are enabling a local administrator account, make sure that built-in local administrator meets password complexity requirements otherwise you may get Error 65000 shown on the Intune admin center after you deploy the device configuration profile.
READ NEXT
- Create A Local Admin Using Intune And Powershell.
- Implement Windows LAPS On Azure AD Devices Using Intune.
- How To Create A Local Admin Account Using Intune.
- Move Windows Known Folders To Onedrive Using Intune.
- How To Configure Default Apps On Windows Using Intune.
Hello,
How did you set the password of local administrator account to meet the complexity requirement? Manually resetting it or by Intune? Is the complexity requirement of Local Security Policy or Intune?
Regards
I did changed the password manually on the device but if you have a perform this on devices in bulk then you could create a powershell script and using that change password of the Administrator account to meet complexity requirements. I believe its a local security policy which does not allow a simple password for Administrator account.