With Intune, you can create and manage local admin accounts on your Windows 10 devices, which is particularly useful for managing devices that are not connected to a domain. You can easily create a local user account and then add it to Administrators group using Intune.
If you are managing a custom local admin account using Windows LAPS then you will need to create a local admin account first. Please follow the guide for step by step implementation of Windows LAPS on Azure AD using Intune: Implement Windows LAPS On Azure AD Devices Using Intune.
As an example, we are going to create a local admin account called cloudinfraadmin. However, you can create a local admin user account with any name you like.

To create the local admin account, we will create a Custom device configuration profile and use the Accounts configuration service provider (Accounts CSP) to create the user account. Let’s check the steps:
Another way to create a local admin user account using Intune and PowerShell
There is another way to create a local user account and add it to the local Administrators group via Intune and PowerShell. I have written a blog post which shows how you can use Intune Proactive remediations to create a local user account using PowerShell and Intune: Create A Local Admin Using Intune And Powershell. When you are using Intune Proactive remediations, you can use a PowerShell script to create the local user account. This way you have the option to not specify any password for the local user account, which could be helpful when you are managing that local user account using Intune Windows LAPS.
Delete a local user account using Intune
If you are looking to delete a local user account using Intune, you can refer to my other blog post How To Delete A Local User Account Using Intune.
Create a Device Configuration Profile
To create a device configuration profile, we will follow the steps below:
- Login on Microsoft Intune admin center.
- Go to Devices > Configuration profiles > + Create profile.
- Select Platform as Windows 10 and later.
- Profile type as Templates.

- Provide a Name of the profile: Create Local admin on all devices.
- Description: This custom device configuration profile will create a local administrator account called cloudinfraadmin on all Intune managed devices.

- Click on Add button to add OMA-URI settings and provide below details:
- Name: Create Local User Account
- OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/cloudinfraadmin/Password
- Data type: String
- Value: C0mputEr@10!
You can replace cloudinfraadmin with any other name to create the local user account as per your requirement; the account name is the path segment after Users/ in the OMA-URI. For example, if you replace cloudinfraadmin with myadminacc, a local user account named myadminacc will be created.

- Click on Add button again to add OMA-URI settings and provide below details:
- Name: Add user to Local administrator group
- OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/cloudinfraadmin/LocalUserGroup
- Data type: Integer
- Value: 2

Assignments tab
Create an Azure AD security group which contains the users or devices where this custom device configuration profile needs to be deployed. Please note that if you add users to the group, the local admin account will be created on all of those users’ devices that are joined to Azure AD and enrolled into Intune. If you want to deploy it to specific devices, you should add devices to the Azure AD security group, not users.
To deploy it on all end user devices, you can click on + Add all devices to target all devices which are enrolled into Intune.
Review + Create
On the Review + Create tab, review the device configuration profile and click on Create. As soon as you click the Create button, the device configuration profile will be created and the process to create a local admin account will begin on the targeted devices.
Intune Policy Refresh Cycle
The device will sync / check in to start deployment of this new device configuration profile. It may take some time for the process to start. Therefore, if you are testing it on a test device, you can force an Intune refresh cycle on the device, which will speed up the download and deployment process. You can also use PowerShell to force an Intune refresh cycle.
Alternatively, you can restart the device, which also starts the device check-in process. A manual sync is not mandatory on users’ devices, as the device check-in process happens automatically, but if you are testing the deployment on a test device this can speed up your testing and save some time.
End user Experience
Now, let’s check what happens on the end user device after the policy has been deployed successfully. You can open Computer Management and confirm that the local user account has been created and that it has also been added to the local Administrators group.
- Click on Start and search for Computer Management.

- Click on Local Users and Groups > Users and find the local user account created by Intune Custom device configuration profile which is cloudinfraadmin in our case.

- Now, let’s check that this account is also a member of the Administrators group, which makes it a local admin. Go to Computer Management > Local Users and Groups > Groups > Administrators. You should find your local user account listed in this group.

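The same check can be scripted so it can be run on a test device or used as a detection script. The script below is an added example and is not part of the original post; it assumes the account name used in the OMA-URI is cloudinfraadmin (the $AccountName parameter) and resolves the Administrators group by its well-known SID so the check also works on localized Windows builds.

```powershell
# Added example (not from the original post): audit whether the Intune-created
# local admin exists, is enabled, is a member of Administrators, and whether its
# password is set to never expire. $AccountName is an assumption matching the OMA-URI.
param(
    [string]$AccountName = 'cloudinfraadmin'
)

$result = [ordered]@{
    Account              = $AccountName
    Exists               = $false
    Enabled              = $null
    IsLocalAdmin         = $false
    PasswordNeverExpires = $null
}

$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if ($user) {
    $result.Exists               = $true
    $result.Enabled              = $user.Enabled
    # PasswordExpires is $null when the password never expires.
    $result.PasswordNeverExpires = ($null -eq $user.PasswordExpires)
}

# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$members    = Get-LocalGroupMember -Group $adminGroup -ErrorAction SilentlyContinue

# Members are reported as COMPUTERNAME\account; compare only the account part.
$result.IsLocalAdmin = [bool]($members | Where-Object {
    $_.ObjectClass -eq 'User' -and (($_.Name -split '\\')[-1]) -ieq $AccountName
})

[pscustomobject]$result
```

Run it in an elevated PowerShell session on the device; all four boolean fields should be $true once the profile has applied. If Exists is $false, the profile has not reached the device yet (see the refresh cycle section above); if IsLocalAdmin is $false while Exists is $true, the LocalUserGroup setting with value 2 did not apply.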
Set local user account password to never expire using Intune
You can deploy a PowerShell script containing the command below to the target devices to set the password of the local user account to never expire. The blog post How to deploy a powershell script using Intune provides a step-by-step guide on deploying a PowerShell script using Intune.
Set-LocalUser -Name "cloudinfraadmin" -PasswordNeverExpires $true
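A one-line command deployed as an Intune script gives no feedback when the account does not exist yet. The following is an added example (not the post’s own script) of a deployable version that only changes the setting when needed, writes a log, and returns a non-zero exit code so Intune reports the run as failed when the account is missing; the account name and log path are assumptions.

```powershell
# Added example (not from the original post): idempotent Intune PowerShell script
# that sets PasswordNeverExpires on the local admin account created by the profile.
# $AccountName and $LogPath are assumptions; adjust them to your environment.
$AccountName = 'cloudinfraadmin'
$LogPath     = Join-Path $env:ProgramData 'IntuneLocalAdmin\PasswordExpiry.log'

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format 's') $Message" | Add-Content -Path $LogPath
}

try {
    $user = Get-LocalUser -Name $AccountName -ErrorAction Stop
} catch {
    # Non-zero exit: Intune marks the script as failed and retries it on later check-ins,
    # which covers the case where the configuration profile has not applied yet.
    Write-Log "Account '$AccountName' not found; configuration profile may not have applied yet."
    exit 1
}

if ($null -eq $user.PasswordExpires) {
    Write-Log "Password for '$AccountName' is already set to never expire; nothing to do."
} else {
    Set-LocalUser -Name $AccountName -PasswordNeverExpires $true
    Write-Log "Set PasswordNeverExpires on '$AccountName'."
}

exit 0
```

Deploy it with the default settings (run as SYSTEM, 64-bit PowerShell host) and check the log under ProgramData on a test device to confirm which branch ran.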
Conclusion
In this blog post, we have seen how to create a local administrator account on Intune managed devices using a custom device configuration profile. It is a very simple process which you can use to deploy a local admin to manage all your organization’s devices.
You should be careful when creating a local admin user account on all your organization’s devices. Because this profile sets the same password on every targeted device, anyone who gets hold of that account would have admin access to all of your organization’s devices, which is risky. Managing the account’s password with Windows LAPS, as mentioned above, reduces that risk.
READ NEXT
- How To Configure Default Apps On Windows Using Intune.
- Expedite Windows Security Updates Deployment Using Intune.
- How To Force Intune Sync Using Powershell.
- How To Implement Applocker Using Intune.
- How To Import ADMX Templates Into Intune.
What OMA-URI would we use if we don’t want it to have a password associated with it because Windows LAPS will set the random password?
In that case, you can try creating a local user using a Powershell script:
PS C:\> New-LocalUser -Name "localuser01" -Description "Description of this account." -NoPassword
Using that would they be part of the Administrators group?
Hello dj56, I have created a blog post which shows how you can create a local user account without password using Intune. You will have to use Proactive remediations to create local user account.
Then add that account to local administrators group using Local user group membership option.
https://cloudinfra.net/create-a-local-admin-using-intune-and-powershell/
Isn’t using OMA-URI settings for creating or managing accounts the OLD method? Why can’t Intune admins use the Endpoint Security -> Account Protection -> Local user group membership templates instead?
Yes, you can use that as well. Please create the local user account first before updating Administrator group.
Cool stuff.
Tried this and it worked a treat
This CSP always works but shows error 0x87d1fde8. Any ideas?
Hi Jeff,
Same issue for me as well. The config applies but I experience the same error for both settings.
I have been doing additional digging. Here’s some information that may help.
Blog: https://call4cloud.nl/2021/12/i-kill-remediation-errors/
MS: https://learn.microsoft.com/en-us/windows/client-management/mdm/accounts-csp
“Supported operation is Add and the GET operation is not supported. When you have configured this setting from the Endpoint Manager it will report as failed when deployed.”
Any ideas as to why the profile shows errors on config profile?
Setting Name Setting Status Errorcode
Create LAdmin [./Device/Vendor/MSFT/Accounts/Users/hmadmin/Password] Error -2016281112
AddLAGroup ./Device/Vendor/MSFT/Accounts/Users/cloudinfraadmin/LocalUserGroup Error -2016281112
The account is created successfully and added to the local admin group.
Thank you,
Yes, even though it errors out, the account is still created and added to the local admin group. This could be due to the password which Intune is probably not able to verify and confirm if the profile deployment is successful.
If you want to use another way to deploy local user account and add it to local admin, you can also use Intune Proactive remediations and Local user group membership option. I have written a blog post on this to provide the scripts and step by step guide: https://cloudinfra.net/create-a-local-admin-using-intune-and-powershell/
Hi, what if you want to delete a local user? The MS documentation teaches you how to remove it from specific groups but not remove it from the Users part of Local Users and Groups.
You can delete a local user account using Intune Proactive remediations. Here’s a blog post which provides a step by step guide along with PowerShell scripts to delete a local user account using Intune.
https://cloudinfra.net/how-to-delete-a-local-user-account-using-intune/