Enable/Disable local admin account using Intune remediations

Every Windows computer has an Administrator account (SID S-1-5-domain-500, display name Administrator). The Administrator account is the first account created during the Windows installation.

The Administrator account has full control of the files, directories, services, and other resources on the local device. The default Administrator account can’t be deleted or locked out, but it can be renamed or disabled. An Administrator account can’t be removed from the Administrators group.

The best practice is to use a non-administrator account to log on to the PC and elevate to an administrator account only when required, for example to install an application or perform a configuration task on the device. Avoid using a local administrator account to sign in to the device.

You can enable or disable a built-in Administrator account simply by creating a Device configuration profile in Intune and using a setting called “Accounts Enable Administrator Account status” from the settings catalog.

However, if you try to re-enable the Administrator account after it has been disabled, and the account's current password does not meet the password requirements, you cannot re-enable the account using this Settings catalog setting.

An alternative approach is to use PowerShell scripts that first set a password on the local user account that meets the complexity requirements and then enable the account.

We will use Device Remediation as the solution to this issue. An Intune device remediation requires two PowerShell scripts: one to detect the problem and another to remediate it.

Important Points

  • The local admin account used in the script is named: cloudinfra-net [This is the built-in Administrator account renamed to cloudinfra-net]
  • You can change the value of the variable $user to target a different local admin account. For instance, if you have kept the default name for the built-in Administrator account, set $user = "Administrator".
  • In the remediation script, you’ll observe that it uses a plaintext password provided within the script. It’s important to note that this password is not intended to be a permanent one for the local administrator account.
  • Instead, the account will be managed by Windows LAPS (Local Administrator Password Solution). LAPS will automatically rotate the password according to the LAPS configuration policy, and the password will be securely stored with the device object in Azure.

Create a Script Package

Using the following steps, we will set a complex password on the given local admin user account and also enable it.

Basics Tab

In the basics tab, we will provide information about the script package like Name, Description, and Publisher.

  • Name – Provide a Name of the script package.
  • Description – Provide a useful description.
  • Publisher – Provide a publisher name.

Settings Tab

  • Create a Detection script using the PowerShell code below. Save it as Detect_Local_Admin.ps1
<#
.DESCRIPTION
    This script checks whether the local user account is enabled or not.
    Exit code 0 means no issue (account enabled); exit code 1 tells Intune
    to run the remediation script.
    Author: Jatin Makhija
    Site: cloudinfra.net
    Version: 1.0.0
#>
$user = "cloudinfra-net"
if ((Get-LocalUser -Name $user).Enabled) {
    Write-Host "$user is already enabled"
    Exit 0
}
else {
    Write-Host "$user is not enabled"
    Exit 1
}
  • Create a Remediation script using the PowerShell code below. Save it as Remediate_Local_Admin.ps1.
<#
.DESCRIPTION
    This script checks whether the local user account is enabled or not.
    If it is not enabled, it resets the password (so that it meets the
    complexity requirements) and then enables the local user account.
    Author: Jatin Makhija
    Site: cloudinfra.net
    Version: 1.0.0
#>
$user = "cloudinfra-net"
if (((Get-LocalUser -Name $user).Enabled) -eq $false) {
    try {
        Write-Host "Resetting password and enabling user"
        # Temporary password only; LAPS rotates it once the account is enabled.
        $password = ConvertTo-SecureString "HnjIUNkje&*930" -AsPlainText -Force
        $userAccount = Get-LocalUser -Name $user
        $userAccount | Set-LocalUser -Password $password
        Enable-LocalUser -Name $user
        Exit 0
    }
    catch {
        Write-Host "Failed to reset the password or enable $user"
        Write-Error $_
        Exit 1
    }
}
else {
    Write-Host "$user is already enabled"
    Exit 1
}
  • Detection script file – Browse to the Detection script Detect_Local_Admin.ps1
  • Remediation script file – Browse to Remediation script file Remediate_Local_Admin.ps1
  • Run this script using the logged-on credentials – No
  • Enforce script signature check – No
  • Run script in 64-bit PowerShell – Yes
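A hardened variant of the remediation step, added here as an example and not taken from the original post: it locates the built-in Administrator by its well-known RID 500 (so it keeps working after the account is renamed, as cloudinfra-net is) and sets a random temporary password generated on the device instead of a plaintext one embedded in the script. It assumes, as the post does, that Windows LAPS rotates the password afterwards; the function name New-RandomPassword is my own.

```powershell
function New-RandomPassword {
    param([int]$Length = 24)
    # One character from each class guarantees the default complexity rules are met.
    $upper   = 'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower   = 'abcdefghijkmnopqrstuvwxyz'
    $digit   = '23456789'
    $special = '!@#$%^&*-_=+'
    $all     = $upper + $lower + $digit + $special
    # Cryptographically secure bytes; the small modulo bias is acceptable for a
    # throwaway password that LAPS replaces (assumed, as in the post).
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $chars = @(
        $upper[$bytes[0] % $upper.Length],
        $lower[$bytes[1] % $lower.Length],
        $digit[$bytes[2] % $digit.Length],
        $special[$bytes[3] % $special.Length]
    )
    for ($i = 4; $i -lt $Length; $i++) { $chars += $all[$bytes[$i] % $all.Length] }
    # Shuffle so the guaranteed characters do not always sit at the front.
    -join ($chars | Sort-Object { Get-Random })
}

# The built-in Administrator always has RID 500, whatever its current display name.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) {
    Write-Host "Built-in Administrator account not found"
    Exit 1
}
if ($admin.Enabled) {
    Write-Host "$($admin.Name) is already enabled"
    Exit 0
}
try {
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    # Set the password first: enabling fails if the current one does not meet policy.
    $admin | Set-LocalUser -Password $secure
    Enable-LocalUser -SID $admin.SID
    Write-Host "$($admin.Name) enabled with a temporary random password"
    Exit 0
}
catch {
    Write-Error $_
    Exit 1
}
```

The matching detection script can use the same RID-500 lookup and exit 1 when $admin.Enabled is $false, which removes the dependency on the account's display name entirely.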
Detection and remediation scripts for enabling a local user account

Assignments tab

Click on Add group to add an Azure AD group containing users or devices. You can also click on Add all users or Add all devices. Then select the Schedule for running this PowerShell script; there are three options: Once, Hourly, or Daily.

Intune remediations package execution schedule

Review + Create

Review the deployment and click on Create to start the deployment process.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync either from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.

End-user Experience

After the deployment has completed successfully, the specified local user account will be enabled.

  • Click on Start > search for Computer Management.
  • Then go to Local Users and Groups > Users.
  • Check if cloudinfra-net local admin account has been enabled.
Local user account has been enabled using Intune remediations

Monitor the script package

To monitor the progress of a script package deployed via Intune, follow the steps below:

  • Sign in to the Microsoft Intune admin center
  • Go to Devices > Remediations
  • Click on the Remediation script package you want to monitor. For example: Enable Local User cloudinfra-net
Monitor Intune remediation package for enabling local user account
  • Go to the Overview page and check the Detection Script and Remediation Script status.
  • In the screenshot below, you can see that the Detection script identified an issue, namely that the local admin account was in a disabled state. The “Remediation Status” shows “Issue Fixed”, which means the remediation PowerShell script successfully reset the password and enabled the local admin account.
Detection status and Remediation status for Intune remediation package

How to locate Intune Remediation Logs?

To access Intune device remediation logs and locate the log file related to this script package deployment, follow these steps:

  • Browse to “C:\ProgramData\Microsoft\IntuneManagementExtension\Logs”
  • Look for the most recent version of the “IntuneManagementExtension.log” file in this directory.
  • For a more user-friendly log viewing experience, consider using a tool like CMTrace.
How to locate Intune Remediation Logs

Conclusion

In this blog post, we explored how to enable the built-in local administrator account using Intune Device Remediations, an alternative to the Settings Catalog approach. Both approaches work. The Intune remediations method uses PowerShell scripts that first reset the local administrator account's password so that it meets the password complexity requirements, and then enable the account.
