How to create a local admin account using Intune

With Intune, you can create and manage local admin accounts on your Windows 10 devices, which is particularly useful for managing devices that are not joined to a domain. You can easily create a local user account and then add it to the Administrators group using Intune.

If you are managing a custom local admin account using Windows LAPS, you will need to create the local admin account first. Follow this guide for a step-by-step implementation of Windows LAPS on Azure AD using Intune: Implement Windows LAPS On Azure AD Devices Using Intune.

As an example, we are going to create a local admin account called cloudinfraadmin. However, you can give the local admin account any name you like.

[Screenshot: Local administrator group on a Windows 10 device]

To create a local admin account, we will create a Custom device configuration profile and use the Accounts configuration service provider (Accounts CSP) to create the user account. Let's check the steps:

Another way to create a local admin user account using Intune and PowerShell

There is another way to create a local user account and add it to the local Administrators group: Intune and PowerShell. I have written a blog post which shows how you can use Intune Proactive remediations to create a local user account using PowerShell and Intune: Create A Local Admin Using Intune And Powershell.

When you are using Intune Proactive remediations, you can use a PowerShell script to create the local user account. This way you have the option to not specify any password for the local user account, which can be helpful when you are managing that local user account with Windows LAPS through Intune.

Delete a local user account using Intune

If you are looking to delete a local user account using Intune, you can refer to my other blog post How To Delete A Local User Account Using Intune.

Create a Device Configuration Profile

To create a device configuration profile, we will follow the steps below:

  • Sign in to the Microsoft Intune admin center.
  • Go to Devices > Configuration profiles > + Create profile.
  • Select Platform as Windows 10 and later.
  • Select Profile type as Templates.
[Screenshot: Create a Custom Device Configuration Profile]
  • Provide a Name for the profile: Create Local admin on all devices.
  • Description: This custom device configuration profile will create a local administrator account called cloudinfraadmin on all Intune managed devices.
[Screenshot: Create Local admin using Intune]
  • Click on the Add button to add an OMA-URI setting and provide the details below:
    • Name: Create Local User Account
    • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/cloudinfraadmin/Password
    • Data type: String
    • Value: C0mputEr@10!
You can replace cloudinfraadmin with any other name to create the local user account as per your requirement. For example, if you replace cloudinfraadmin with myadminacc, a local user account named myadminacc will be created.
[Screenshot: OMA-URI for local user account creation using Intune]
  • Click on the Add button again to add another OMA-URI setting and provide the details below:
    • Name: Add user to Local administrator group
    • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/cloudinfraadmin/LocalUserGroup
    • Data type: Integer
    • Value: 2
[Screenshot: OMA-URI for adding the local user account to the Administrators group in Intune]
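The same two OMA-URI settings can be created as a Custom profile through Microsoft Graph, which is handy for keeping the profile in source control or reviewing exactly what ships to devices. This is an added example, not code from the original post; it assumes the Microsoft.Graph.Authentication module is installed and the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All permission. The account name and password are the values used in the post.

```powershell
# Added example: build the Custom device configuration profile from the post
# as a Graph request body instead of clicking through the admin center.
# Assumptions: Microsoft.Graph.Authentication module installed and the
# DeviceManagementConfiguration.ReadWrite.All permission granted.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$accountName = 'cloudinfraadmin'
$password    = 'C0mputEr@10!'   # static password from the post; it lands on every targeted device,
                                # which is why the post points to Windows LAPS for the managed account

$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Create Local admin on all devices'
    description   = "Creates a local administrator account called $accountName on all Intune managed devices."
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'Create Local User Account'
            # Writing the Password node of a user that does not exist creates the account
            omaUri        = "./Device/Vendor/MSFT/Accounts/Users/$accountName/Password"
            value         = $password
        },
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Add user to Local administrator group'
            # LocalUserGroup = 2 places the account in Administrators (1 is the Users group)
            omaUri        = "./Device/Vendor/MSFT/Accounts/Users/$accountName/LocalUserGroup"
            value         = 2
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5) `
    -ContentType 'application/json'

# The profile is created without assignments; assign it to an Azure AD group
# as described in the Assignments step before it reaches any device.
"Created profile '$($created.displayName)' with id $($created.id)"
```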

Assignments tab

Create an Azure AD security group which contains the users or devices to which this custom device configuration profile needs to be deployed. Please note that if you add users to the group, the local admin account will be created on all of those users' devices that are joined to Azure AD and enrolled into Intune. If you want to deploy it to specific devices, add the devices to the Azure AD security group rather than the users.

To deploy it on all end user devices, you can click on + Add all devices to target every device enrolled into Intune.

Review + Create

On the Review + Create tab, review the device configuration profile and click on Create. As soon as you click the Create button, the device configuration profile is created and the process to create the local admin account begins on the targeted devices.

Intune Policy Refresh Cycle

The device will sync / check in to start deployment of this new device configuration profile. It may take some time for the process to start. Therefore, if you are testing it on a test device, you can force an Intune refresh cycle on the device, which will speed up the download and deployment process. You can also use PowerShell to force an Intune refresh cycle.

You can also restart the device first, which starts the device check-in process as well. A manual sync is not mandatory on users' devices because the check-in process happens automatically, but if you are testing the deployment on a test device this can speed up your testing and save some time.

End user Experience

Now, let's check what's happening on the end user device. After the policy has been deployed successfully, you can open Computer Management and confirm that the local user account has been created and that it has also been added to the local Administrators group.

  • Click on Start and search for Computer Management.
[Screenshot: Search for Computer Management using the Start menu]
  • Click on Local Users and Groups > Users and find the local user account created by the Intune Custom device configuration profile, which is cloudinfraadmin in our case.
[Screenshot: Local user account created using Intune]
  • Now, let's check if this account has also been added to the Administrators group to make it a local admin. Go to Computer Management > Local Users and Groups > Groups > Administrators. You should find your local user account in this group.
[Screenshot: Local user account added to the Administrators group using Intune]

Set local user account password to never expire using Intune

You can deploy a PowerShell script containing the command below to the target devices to set the password expiry to Never for the local user account. You can go through the blog post How to deploy a powershell script using Intune, which provides a step-by-step guide on deploying a PowerShell script using Intune.

Set-LocalUser -Name "cloudinfraadmin" -PasswordNeverExpires $true
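Rather than checking Computer Management by hand on each device, the verification described in the End user Experience section and the password-expiry setting above can be checked with a script. This is an added example, not code from the original post: it reports whether the account exists, is enabled, sits in Administrators and has a non-expiring password, and exits 1 when the account is missing or not an admin, so it can also serve as the detection script of an Intune Proactive remediation. The account name is the one used in the post.

```powershell
# Added example: verify the account the Custom profile should have created.
# Assumes the account name from the post; pass -AccountName for another name.
function Test-IntuneLocalAdmin {
    param([string]$AccountName = 'cloudinfraadmin')

    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user) {
        return [pscustomobject]@{
            Account = $AccountName; Exists = $false; Enabled = $false
            IsLocalAdmin = $false; PasswordNeverExpires = $false; PasswordLastSet = $null
        }
    }

    # Local members are listed as "COMPUTERNAME\name", so compare on the name part only.
    # -ErrorAction guards against the known failure when Administrators holds an
    # orphaned Azure AD SID that cannot be resolved.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $isAdmin = [bool]($members | Where-Object {
        $_.ObjectClass -eq 'User' -and ($_.Name -split '\\')[-1] -eq $AccountName
    })

    [pscustomobject]@{
        Account              = $AccountName
        Exists               = $true
        Enabled              = $user.Enabled
        IsLocalAdmin         = $isAdmin
        # Get-LocalUser exposes no PasswordNeverExpires property; a null
        # PasswordExpires date is how "never expires" shows up.
        PasswordNeverExpires = ($null -eq $user.PasswordExpires)
        PasswordLastSet      = $user.PasswordLastSet
    }
}

$result = Test-IntuneLocalAdmin
$result | Format-List

# Proactive remediation convention: exit 0 = compliant, exit 1 = issue found.
if ($result.Exists -and $result.Enabled -and $result.IsLocalAdmin) { exit 0 } else { exit 1 }
```

PasswordLastSet is worth watching when the account is under Windows LAPS: a date that never moves means the rotation is not happening.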

Conclusion

In this blog post, we have seen how to create a local administrator account on Intune managed devices using a custom device configuration profile. It's a very simple process which you can use to deploy a local admin account to manage all your organization's devices.

You should be careful when creating a local admin user account on all your organization's devices. If an attacker got hold of this account, they could have admin access to every device in your organization, which is risky.

14 thoughts on “How to create a local admin account using Intune”

  1. What OMA-URI would we use if we don't want it to have a password associated with it because Windows LAPS will set the random password?

  2. Isn’t using OMA-URI settings for creating or managing accounts the OLD method? Why can’t Intune admins use the Endpoint Security -> Account Protection -> Local user group membership templates instead?

  3. Any ideas as to why the profile shows errors on config profile?

    Setting Name Setting Status Errorcode
    Create LAdmin [./Device/Vendor/MSFT/Accounts/Users/hmadmin/Password] Error -2016281112
    AddLAGroup ./Device/Vendor/MSFT/Accounts/Users/cloudinfraadmin/LocalUserGroup Error -2016281112

    The account is created successfully and added to the local admin group.

    Thank you,

    • Yes, even though it errors out, the account is still created and added to the local admin group. This could be due to the password, which Intune is probably not able to verify and confirm if the profile deployment is successful.

      If you want to use another way to deploy local user account and add it to local admin, you can also use Intune Proactive remediations and Local user group membership option. I have written a blog post on this to provide the scripts and step by step guide: https://cloudinfra.net/create-a-local-admin-using-intune-and-powershell/

  4. Hi, what if you want to delete a local user? The MS documentation teaches you how to remove it from specific groups but not remove it from the Users part of Local Users and Groups.
