How to Create a Local Admin Account using Intune

Using Intune, you can create and manage local admin accounts on your Windows devices, which is particularly useful for managing devices that are not connected to a domain. You can easily create a local user account and then add it to the Administrators group using Intune.

This blog post outlines the steps for creating a local administrator account. If your specific requirement is to Add an existing Azure AD/Entra ID user account to the local admin group, please refer to: Add a User to Local admin group using Intune.

Not only you can create a local admin account on a Windows device using Intune, but you can also easily create a local administrator account on a Mac device as well. If you are managing a custom local admin account using Windows LAPS then you will need to create a local admin account first.

As an example, We are going to create a local admin account called cloudinfraadmin. However, you can create a local admin user account by providing any name you like.

Local administrator group on windows 10 device
Local admin account cloudinfraadmin created using Intune

To create a local admin account, we would be creating a Custom device configuration profile and use Accounts CSP to create a user account. Let’s check the steps:

Another way to Create a local admin user account using Intune and Powershell
You can also create a local user account and add it to the local administrator’s group using Intune and PowerShell by utilizing Intune proactive remediations. Refer to this post for more details: Create a Local Admin Using Intune and PowerShell.

When you are using Intune Proactive remediations, you can use Powershell script to create a local user account. This way you have the option to not specify any password for the local user account. Could be helpful when you are managing that local user account using Intune Windows LAPS.
Delete a local user account using Intune
If you are looking to delete a local user account using Intune, you can refer to the post: How To Delete A Local User Account Using Intune.

Create a Device Configuration Profile

To create a device configuration profile, we will follow below steps:

  • Login on Microsoft Intune admin center
  • Go to Devices > Configuration profiles > + Create profile
  • Select Platform as Windows 10 and later
  • Profile type as Templates.
  • Template Name: Custom
Create a Device Configuration Profile
Create a Device Configuration Profile


  • Provide a Name of the profile: Create Local admin on all devices.
  • Description: This custom device configuration profile will create a local administrator account called cloudinfraadmin on all intune managed devices.
Create a Device Configuration Profile
Create a Device Configuration Profile

Configuration settings

  • Click on Add button to add OMA-URI settings and provide below details:
    • Name: Create Local User Account
    • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/cloudinfraadmin/Password
    • Data type: String
    • Value: C0mputEr@10!

You can replace cloudinfraadmin to any other name to create local user account as per your requirement. For example: If you replace cloudinfraadmin with myadminacc the local user account with name myadminacc will be created.

Create a Device Configuration Profile
Create a Device Configuration Profile
  • Click on Add button again to add OMA-URI settings and provide below details:
    • Name: Add user to Local administrator group
    • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/cloudinfraadmin/LocalUserGroup
    • Data type: Integer
    • Value: 2
Create a Device Configuration Profile
Create a Device Configuration Profile


Create an Azure AD security group that includes the users or devices you want to apply the custom device configuration profile to. It’s important to note that if you add users to the group, a local admin account will be created on all of the user’s devices joined to Azure and Enrolled into Intune.

If you intend to deploy this configuration to specific devices, ensure that you add the devices to the Azure AD security group, not the users. To deploy it on all end-user devices, You can click on + Add all devices to target all devices that are enrolled into Intune.

Review + Create

On the Review + Create tab, review the device configuration profile and click on Create.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync either from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.

End-user Experience

After the policy is deployed successfully, check the end user’s device. Confirm if a local user account has been created and added to the local administrator’s group.

  • Click on Start and search for Computer Management.
End-user Experience
End-user Experience
  • Click on Local Users and Groups > Users and find the local user account created by Intune Custom device configuration profile which is cloudinfraadmin in our case.
End-user Experience
End-user Experience
  • Next, ensure that the account is added to the Administrators group, granting local admin privileges. Go to Computer Management > Local Users and Groups > Groups > Administrators and check if your local user account is listed within the Administrators group.
End-user Experience
End-user Experience

Set local user account password to never expire using Intune

To set the local user account’s password expiry to ‘Never‘ on target devices, deploy a PowerShell script with the given command. For step-by-step instructions on deploying PowerShell scripts via Intune, refer to the blog post titled How to Deploy a PowerShell Script Using Intune.

Set-LocalUser -Name "cloudinfraadmin" -PasswordNeverExpires 1


In this blog post, we’ve learned how to create a local administrator account on Intune-managed devices through a custom device configuration profile. It’s a straightforward process that enables you to create a local admin to manage all your organization’s devices.

21 thoughts on “How to Create a Local Admin Account using Intune”

  1. What OMA-URI would we use if we dont want it to have a password associated with it because Windows LAPS will set the random password?

  2. Isn’t using OMA-URI settings for creating or managing accounts the OLD method? Why can’t Intune admins use the Endpoint Security -> Account Protection -> Local user group membership templates instead?

  3. Any ideas as to why the profile shows errors on config profile?

    Setting Name Setting Status Errorcode
    Create LAdmin [./Device/Vendor/MSFT/Accounts/Users/hmadmin/Password] Error -2016281112
    AddLAGroup ./Device/Vendor/MSFT/Accounts/Users/cloudinfraadmin/LocalUserGroup Error -2016281112

    The account is created successfully and added to the local admin group.

    Thank you,

    • Yes, even though it error’s out, the account is still created and added to local admin group. This could be due to the password which Intune is probably not able to verify and confirm if the profile deployment is successful.

      If you want to use another way to deploy local user account and add it to local admin, you can also use Intune Proactive remediations and Local user group membership option. I have written a blog post on this to provide the scripts and step by step guide:

      • A recent change in Intune requires E3 or better licensing to use Proactive Remediations. It is no longer available to those with M365 Business Premium, which unfortunately cuts off many non-profits and SMBs.

  4. Hi, what if you want to delete a local user? The MS documentation teaches you how to remove it from specific groups but not remove it from the Users part of Local Users and Groups.

  5. Am I correct in assuming that the password created in this process is a ‘one and done’ deployment in that it creates the account, sets the password and then leaves it? There wouldn’t be any issues with having another policy, lets say Windows LAPS since someone else mentioned it, changing the password?

    Also for the password, Are we able to use the serial number in the password by using “%SERIAL%” or {{serialnumber}} as used with Account SCP or in certain areas of Intune?

  6. Hi Jatin,

    Thanks for the article.

    Just wondering how do we create the local account without forcing it to change password at first logon? Because the creation of the local account and adding it to admin groups works well, it’s just that when we use it for the first time for anything that requires elevation, it says the account needs to change password first.


Leave a Comment