Enable/Disable local admin account using Intune remediations

Every Windows computer has a built-in Administrator account (SID S-1-5-domain-500, display name Administrator). The Administrator account is the first account created during Windows installation.

The Administrator account has full control of the files, directories, services, and other resources on the local device. The default Administrator account can’t be deleted or locked out, but it can be renamed or disabled. The Administrator account also can’t be removed from the Administrators group.

Best practice is to log in to the PC with a non-administrator account and elevate to an administrator account only when required, e.g. to install applications or perform configuration tasks on the device. It is best to avoid signing in to the device with a local administrator account.

You can enable or disable the built-in Administrator account simply by creating a Device configuration profile in Intune and using the setting called “Accounts Enable Administrator Account status” from the settings catalog.

To use this setting and make sure the built-in administrator account is Enabled, you must meet the requirements below; otherwise the account will not be enabled.

Accounts Enable Administrator Account status
If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account.

That means if the local administrator account’s password does not meet the password complexity requirements, this policy will not be able to enable the account. The alternative approach is to use PowerShell scripts that first set a password on the local user account which meets the complexity requirements and then Enable the account.

We will be using Remediations (previously called Proactive remediations) as the solution to fix this issue. Intune device Remediations require two PowerShell scripts, one for detection of the problem and another for remediation.

In the scripts below, you will find that the local admin user I am trying to Enable is called “cloudinfra-net”. This is because I have already renamed the built-in local administrator account. If you still have the default name of the local administrator account, “Administrator”, you can change the variable to $user = "Administrator".

You will also notice that the Remediation script uses a password given in the script in plaintext. This will not be the permanent password of this local administrator account, as the account will be managed by Windows LAPS. Therefore, its password will be rotated automatically as per the LAPS configuration policy, and the password will be stored with the device object in Azure.

Detection Script (Detect_Local_Admin.ps1)

<#
.DESCRIPTION
    This script will check if the local user account is enabled or not.
    Author: Jatin Makhija
    Site: cloudinfra.net
    Version: 1.0.0
#>
$user = "cloudinfra-net"

# Look the account up once; report a missing account explicitly instead of
# silently treating a $null result as "not enabled".
$account = Get-LocalUser -Name $user -ErrorAction SilentlyContinue
if (-not $account) {
    Write-Host "$user was not found"
    Exit 1
}

# Exit 0 = compliant (no remediation needed), Exit 1 = run the remediation script.
if ($account.Enabled) {
    Write-Host "$user is already Enabled"
    Exit 0
}
else {
    Write-Host "$user is not Enabled"
    Exit 1
}

Remediation Script (Remediate_Local_Admin.ps1)

<#
.DESCRIPTION
    This script will check if the local user account is enabled or not.
    If its not Enabled, then it will reset its password and then Enable
    the local user account.
    Author: Jatin Makhija
    Site: cloudinfra.net
    Version: 1.0.0
#>
$user = "cloudinfra-net"

$UserAccount = Get-LocalUser -Name $user -ErrorAction SilentlyContinue
if (-not $UserAccount) {
    Write-Host "$user was not found"
    Exit 1
}

if ($UserAccount.Enabled -eq $false) {
    try {
        Write-Host "Resetting password and Enabling User"
        # Temporary password that satisfies the complexity policy; Windows LAPS
        # rotates it once the account is enabled (see the note above).
        $password = ConvertTo-SecureString "HnjIUNkje&*930" -AsPlainText -Force
        # -ErrorAction Stop turns cmdlet errors (for example a password policy
        # rejection) into exceptions so the catch block below actually runs.
        $UserAccount | Set-LocalUser -Password $password -ErrorAction Stop
        Enable-LocalUser -Name $user -ErrorAction Stop
    }
    catch {
        Write-Host "Failed to reset the password or enable $user"
        Write-Error $_
        Exit 1
    }
    Exit 0
}
else {
    Write-Host "$user is already Enabled"
    Exit 1
}
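As an added example (not one of the post’s own scripts), the following variant of the remediation logic does two things differently from the scripts above: it locates the built-in Administrator by its well-known relative identifier 500 in the machine SID, so it keeps working however the account has been renamed, and it generates a random temporary password that satisfies the default complexity rules instead of carrying a fixed plaintext value. The function names Get-BuiltInAdministrator and New-ComplexPassword are my own, the 20-character length is an assumed safe margin over common minimum-length policies, and, as in the post, Windows LAPS is assumed to rotate the password afterwards.

```powershell
# Added example: enable the built-in Administrator found by RID 500 after setting a
# generated password. Not from the original post; function names are assumptions.

function Get-BuiltInAdministrator {
    # The built-in Administrator always carries RID 500 in the machine SID
    # (S-1-5-21-<three sub-authorities>-500), regardless of its display name.
    Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-\d+-\d+-\d+-500$' }
}

function New-ComplexPassword {
    param([int]$Length = 20)   # assumed margin above typical minimum-length policies
    $lower   = 'abcdefghijkmnopqrstuvwxyz'.ToCharArray()
    $upper   = 'ABCDEFGHJKLMNPQRSTUVWXYZ'.ToCharArray()
    $digits  = '23456789'.ToCharArray()
    $symbols = '!@#$%^&*()-_=+'.ToCharArray()
    $all     = $lower + $upper + $digits + $symbols

    # Cryptographic RNG rather than Get-Random, since this is a credential.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $pick = {
        param([char[]]$set)
        $buf = [byte[]]::new(4)
        $rng.GetBytes($buf)
        $set[[int]([System.BitConverter]::ToUInt32($buf, 0) % $set.Length)]
    }

    # Guarantee one character from every class (covers "3 of 4" complexity),
    # then fill the remaining positions from the full set.
    $chars = @((& $pick $lower), (& $pick $upper), (& $pick $digits), (& $pick $symbols))
    while ($chars.Count -lt $Length) { $chars += (& $pick $all) }

    # Shuffle so the guaranteed characters are not always in the first positions.
    $shuffled = $chars | Sort-Object {
        $b = [byte[]]::new(4); $rng.GetBytes($b); [System.BitConverter]::ToUInt32($b, 0)
    }
    -join $shuffled
}

$admin = Get-BuiltInAdministrator
if (-not $admin) {
    Write-Host 'Built-in Administrator (RID 500) not found'
    Exit 1
}

if ($admin.Enabled) {
    Write-Host "$($admin.Name) is already enabled"
    Exit 0
}

try {
    # The generated value is never logged or stored; LAPS is assumed to rotate it.
    $secure = ConvertTo-SecureString (New-ComplexPassword) -AsPlainText -Force
    $admin | Set-LocalUser -Password $secure -ErrorAction Stop
    Enable-LocalUser -SID $admin.SID -ErrorAction Stop
    Write-Host "$($admin.Name) enabled; password will be rotated by LAPS"
}
catch {
    Write-Error $_
    Exit 1
}
Exit 0
```

Because the account is resolved by SID, the same script can be deployed to devices where the account was renamed inconsistently, and the detection script can use the same Get-BuiltInAdministrator lookup so both sides agree on which account they are checking.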

Create Remediation Script Package in Intune

We will use the above Detection and Remediation scripts to create a script package using Intune device Remediations. Let’s check the steps:

Basics Tab

Provide the Name and Description of the package. Keep the rest of the settings at their defaults.

  • Name: Enable Local User cloudinfra-net
  • Description: This Remediation will set a password on built-in Local Administrator Account and also Enable the account.
  • Publisher: Jatin Makhija (auto-filled)
  • Version: Auto-filled

Settings Tab

Browse to the Detection script and Remediation script files. You need to save the above scripts in two PowerShell script files with the .ps1 extension and then browse to them using the blue folder icon shown in the screenshot below.

  • Detection script file – Browse to the Detection script Detect_Local_Admin.ps1
  • Remediation script file – Browse to Remediation script file Remediate_Local_Admin.ps1
  • Run this script using the logged-on credentials – No
  • Enforce script signature check – No
  • Run script in 64-bit PowerShell – Yes
Detection and remediation scripts for Enabling a Local user account

Assignments tab

Create an Azure AD security group which contains the users or devices where this script package needs to be deployed. Please note that if you add users to the group, the local user account will be enabled on all the devices assigned to those users. If you want to deploy it to specific devices, add devices to the Azure AD security group, not users.

To deploy it on all end user devices, you can click on + Add all devices to target all devices enrolled in Intune. You can also choose the schedule for running these PowerShell scripts. You have three options: Once, Hourly and Daily.

Intune remediations package execution schedule

Review + Create

On the Review + Create tab, review the remediation script package details and click on Create. As soon as you click the Create button, the script package deployment will start and the process to enable the local admin account will begin.

Intune Policy Refresh Cycle

The device will sync / check in to start the remediation process. It may take some time for the process to start. Therefore, if you are testing on a test device, you can force-initiate an Intune refresh cycle on the device, which will speed up the download and remediation process. You can also use PowerShell to force-initiate the Intune refresh cycle.

You can also restart the device first, which also starts the device check-in process. A manual sync is not mandatory on users’ devices, as the device check-in happens automatically, but if you are testing the script package on a test device it can speed up your testing and save some time.
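The PowerShell-driven refresh mentioned above, as an added example rather than anything from the original post. It assumes that Windows places the MDM enrollment’s sync task under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentID>\ with the task name PushLaunch, that the Intune Management Extension (which is the agent that runs remediation packages) is registered as the IntuneManagementExtension service, and that it is run from an elevated prompt on the test device.

```powershell
# Added example: force an Intune check-in on a test device. Not from the original
# post; the task path/name and service name are assumptions stated in the lead-in.

# 1. Kick the MDM client: start the enrollment's PushLaunch scheduled task.
$pushTasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' `
                               -TaskName 'PushLaunch' -ErrorAction SilentlyContinue
if ($pushTasks) {
    $pushTasks | Start-ScheduledTask
    Write-Host "Started $(@($pushTasks).Count) PushLaunch task(s)"
}
else {
    Write-Host 'No PushLaunch task found: is this device MDM-enrolled?'
}

# 2. Restart the Intune Management Extension so it re-evaluates assigned
#    remediation packages; they are processed by this agent, not by the MDM client.
$svc = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
if ($svc) {
    Restart-Service -Name $svc.Name -Force
    Write-Host "Restarted $($svc.DisplayName)"
}
else {
    Write-Host 'Intune Management Extension service not found'
}

# 3. Confirm the agent is writing to its log again after the restart.
$log = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
Start-Sleep -Seconds 30
if (Test-Path $log) {
    Get-Item $log | Select-Object Name, LastWriteTime
}
```

Step 3 only tells you the agent is alive; whether the package actually ran is answered by the Remediations overview page in the admin center or by the log file itself, both covered later in this post.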

End user Experience

Now, let’s check what’s happening on the end user device. After the Remediation script package has executed successfully, you can go to Computer Management and confirm that the local user account has been enabled.

  • Click on Start > search for Computer Management.
  • Then go to Local Users and Groups > Users.
  • Check if cloudinfra-net local admin account has been enabled.
Local user account has been enabled using Intune remediations

How to Monitor Intune device Remediations

You can monitor Intune device remediation script packages from the Intune admin center by following the steps below:

  • Log in to the Microsoft Intune admin center
  • Go to Devices > Remediations
  • Click on the Remediation script package you want to monitor. For example: Enable Local User cloudinfra-net
Monitor Intune remediation package for enabling local user account

Go to the Overview page and check the Detection Script and Remediation Script status. As you can see in the screenshot below, our Detection script has found issues, meaning it found the local admin account in a disabled state. Remediation Status shows as “Issue Fixed”, meaning the remediation PowerShell script was able to reset the password and enable the local admin account successfully.

Detection status and Remediation status for Intune remediation package

Where to find Intune Remediation Logs

You can find Intune device remediation logs in the IntuneManagementExtension.log file. Follow the steps below to locate this log file and find the entries related to this script package deployment:

  • Browse to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs and look for the most recent IntuneManagementExtension.log file.
  • The best way to open the file is with the CMTrace tool.
Intune device remediation logs for the script package deployed on target devices
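When CMTrace is not available on the device, the same log can be filtered from PowerShell. This is an added example, not part of the original post: IntuneManagementExtension.log uses the CMTrace line format (<![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>), and the function below parses that format and keeps only entries that mention detection or remediation. The three sample lines are constructed for an offline dry run; their wording and the script id are placeholders, not real log output, and the function name ConvertFrom-CMTraceLine is mine.

```powershell
# Added example: parse CMTrace-format log lines and filter for remediation entries.
# Not from the original post; sample lines below are constructed, not real output.

function ConvertFrom-CMTraceLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        $m = [regex]::Match($Line,
            '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)"[^>]*type="(?<type>\d)"')
        if ($m.Success) {
            [pscustomobject]@{
                Date      = $m.Groups['date'].Value
                Time      = $m.Groups['time'].Value
                Component = $m.Groups['comp'].Value
                # CMTrace severity codes: 1 = info, 2 = warning, 3 = error
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$m.Groups['type'].Value]
                Message   = $m.Groups['msg'].Value
            }
        }
    }
}

# Constructed sample lines in CMTrace format (placeholder messages and script id).
$sample = @(
    '<![LOG[Processing remediation script id 00000000-PLACEHOLDER-0000]LOG]!><time="10:15:01.123+000" date="1-2-2024" component="HealthScripts" context="" type="1" thread="7" file="">',
    '<![LOG[Detection script exit code 1, running remediation]LOG]!><time="10:15:02.456+000" date="1-2-2024" component="HealthScripts" context="" type="1" thread="7" file="">',
    '<![LOG[Remediation script failed with exit code 1]LOG]!><time="10:15:03.789+000" date="1-2-2024" component="HealthScripts" context="" type="3" thread="7" file="">'
)

# On a managed device read the real file; anywhere else fall back to the samples.
$logPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
$lines = if (Test-Path $logPath) { Get-Content $logPath } else { $sample }

$lines |
    ConvertFrom-CMTraceLine |
    Where-Object { $_.Message -match 'remediation|detection' } |
    Format-Table Date, Time, Severity, Message -AutoSize
```

Because entries with type 3 are surfaced as Error, sorting or filtering on the Severity column is a quick way to spot a remediation that returned exit code 1, for example when Set-LocalUser rejected the password.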

Conclusion

In this blog post, we have seen how to Enable the built-in local administrator account using Intune Device Remediations, which is an alternative to enabling it using a Device configuration profile. Both approaches work fine. The alternative approach using Intune remediations requires PowerShell scripts that first reset the password of the local administrator account to make sure it meets the password complexity requirements before the account is enabled.
