You may need to delete a local user account when it's no longer in use, or as part of a cleanup of local user accounts across all of your organization's devices. Whatever the reason, you can delete a local user account on a Windows 10 or Windows 11 device using Intune.
There are two ways to create a local user account using Intune. The first method is to use an Intune device configuration profile (custom template), and the second is to use Intune proactive remediations, which require a detection and a remediation PowerShell script.
Using either of the above methods you can create a local user account and, if you want, add it to the local Administrators group as well. Windows LAPS can also be configured to manage a custom local administrator account created this way. But what if you have to delete a local user account?
Please note that if the same account is being created by another Intune policy, the account may simply be created again after you delete it. Therefore, the first thing you should do is either remove the device configuration profile (or script) that creates the user account you are trying to delete, or remove the device from that policy's assignment. Otherwise the two policies will fight each other on every check-in.
Delete a local user account using Intune Proactive remediations
Let's now delete a local user account using Intune Proactive remediations. Proactive remediations allow IT administrators to automatically detect and remediate issues on managed devices before they cause harm or disruption. The feature uses a set of predefined script packages, or custom scripts created by the IT admin, to perform specific tasks on managed devices.
- Sign in to the Microsoft Intune admin center
- Go to Devices > Remediations
- Click on + Create script package
Basics
In the Basics tab, we will provide information about the script package: Name, Description and Publisher.
- Name – Delete cloudinfra101 local user account
- Description – This script package will delete a local user account called cloudinfra101 on the targeted devices.
- Publisher – Jatin Makhija
Settings
In the Settings tab, we need to browse to the Detection script and Remediation script and configure a few other script settings. Let's provide the details:
Create a Detection script file using the PowerShell script below. Save the file as a .ps1 file.
DetectLocaluser.ps1
```powershell
$userName = "cloudinfra101"
$userExists = (Get-LocalUser).Name -Contains $userName
if ($userExists) {
    # Exit 1 tells Intune the issue was detected, so the remediation script runs
    Write-Host "$userName exists"
    Exit 1
}
Else {
    # Exit 0 means compliant: nothing to remediate
    Write-Host "$userName does not exist"
    Exit 0
}
```
Create a Remediation script file using the PowerShell script below. Save the file as a .ps1 file.
RemediateLocalUser.ps1
```powershell
$userName = "cloudinfra101"
$userExists = (Get-LocalUser).Name -Contains $userName
if ($userExists) {
    try {
        # -ErrorAction Stop turns a failed removal into a terminating error so the catch block runs;
        # without it Remove-LocalUser only writes a non-terminating error and the script would exit 0
        Remove-LocalUser -Name $userName -ErrorAction Stop
        Write-Host "$userName deleted"
        Exit 0
    }
    Catch {
        Write-Error $_
        Exit 1
    }
}
Else {
    Write-Host "$userName does not exist, nothing to remediate"
    Exit 0
}
```
- Detection script file – Browse to the detection script DetectLocaluser.ps1
- Remediation script file – Browse to the remediation script RemediateLocalUser.ps1
- Run this script using the logged-on credentials – No (the script must run as SYSTEM; deleting a local account requires administrative rights)
- Enforce script signature check – No
- Run script in 64-bit PowerShell – Yes (the LocalAccounts cmdlets used by the scripts are not available in the 32-bit PowerShell host on 64-bit Windows)
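The remediation script above does the minimum. The script below is an added example (not the script from the original post) of a more defensive RemediateLocalUser.ps1 that a practitioner would want in production: it refuses to delete built-in accounts whatever they have been renamed to, defers (and reports failure so the scheduled run retries) when the account's profile is currently loaded because the user is signed in, and removes the leftover profile folder and ProfileList registry entry that Remove-LocalUser alone leaves behind. The account name in $UserNames is an assumption; change it for your environment.

```powershell
# Added example, not the original post's script: defensive remediation for an
# Intune remediation package. Exit 0 = remediated, exit 1 = something still needs attention.
#Requires -RunAsAdministrator

$UserNames = @('cloudinfra101')   # assumed target account(s); adjust as needed
$failed    = $false

foreach ($userName in $UserNames) {
    $user = Get-LocalUser -Name $userName -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Host "$userName does not exist, nothing to do"
        continue
    }

    # Never delete the built-in Administrator (RID 500), Guest (501),
    # DefaultAccount (503) or WDAGUtilityAccount (504), even if renamed.
    $rid = [int]($user.SID.Value -split '-')[-1]
    if ($rid -in 500, 501, 503, 504) {
        Write-Host "$userName is a built-in account (RID $rid), refusing to delete"
        $failed = $true
        continue
    }

    # Look the profile up by SID before the account disappears. A loaded profile
    # means the user is signed in right now, so defer and let the schedule retry.
    $userProfile = Get-CimInstance -ClassName Win32_UserProfile `
        -Filter "SID = '$($user.SID.Value)'" -ErrorAction SilentlyContinue
    if ($userProfile -and $userProfile.Loaded) {
        Write-Host "$userName is currently signed in, deferring deletion"
        $failed = $true
        continue
    }

    try {
        # -ErrorAction Stop makes a failed removal reach the catch block
        Remove-LocalUser -Name $userName -ErrorAction Stop
        Write-Host "Deleted local account $userName ($($user.SID.Value))"
    }
    catch {
        Write-Error "Failed to delete $($userName): $_"
        $failed = $true
        continue
    }

    if ($userProfile) {
        try {
            # Deleting the Win32_UserProfile instance removes C:\Users\<name> and the
            # HKLM ProfileList entry, which Remove-LocalUser by itself does not touch.
            Remove-CimInstance -InputObject $userProfile -ErrorAction Stop
            Write-Host "Removed profile $($userProfile.LocalPath)"
        }
        catch {
            Write-Error "Account deleted but profile cleanup failed for $($userName): $_"
            $failed = $true
        }
    }
}

if ($failed) { Exit 1 } else { Exit 0 }
```

Returning exit 1 when an account could not be handled is deliberate: Intune records the remediation as failed and the detection/remediation pair runs again on the package's schedule, so a device where the user was signed in at the time is cleaned up on a later run instead of being silently skipped.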
Assignments
Create an Azure AD security group containing the users or devices where this script package needs to be deployed. Please note that if you target users, the local user account will be deleted on every Azure AD joined, Intune enrolled device those users sign in to. If you want to target specific devices, add the devices to the Azure AD security group rather than the users.
To deploy it to all end user devices, you can click on + Add all devices to target every device enrolled in Intune.
Review + Create
On the Review + Create tab, review the script package settings and click on Create. As soon as you click Create, the script package deployment starts and the process to delete the local user account begins on the targeted devices at their next check-in.
Intune Policy Refresh Cycle
The device has to sync / check in with Intune before the deployment starts, and it may take some time for that to happen. If you are testing on a test device, you can force an Intune refresh cycle on the device to speed up the download and execution. You can also use PowerShell to force an Intune refresh cycle.
Restarting the device also triggers a device check-in. Manual sync is not mandatory on users' devices, since check-in happens automatically, but on a test device it can save time during testing.
End user Experience
Now let's check what happens on the end user device. After the policy has been deployed successfully, you can open Computer Management and confirm that the local user account has been deleted.
- Click on Start > search for Computer Management.
- Then go to Local Users and Groups > Users.
- Check that the cloudinfra101 local user account is gone.
- If this user was a member of other local groups, for example Administrators or Remote Desktop Users, it is removed from those groups as well, because the group memberships are tied to the deleted SID.
- Note that Remove-LocalUser does not delete the user's profile folder (C:\Users\cloudinfra101) or its ProfileList registry entry; if you need those cleaned up, the remediation script has to do it explicitly.
How to Verify Proactive Remediation status from Logs
For troubleshooting, you can check the logs to verify that the detection and remediation scripts ran successfully, when they ran, and what they returned.
The Intune management extension log files are located at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs. Newer versions of the Intune Management Extension also write remediation script activity to HealthScripts.log in the same folder.
If there are multiple IntuneManagementExtension.log files, sort the list by date modified to find the most recent / active log file. As you can see from the screenshot below, the cloudinfra101 local user account was detected by the detection script, so the exit code is 1, which triggers the remediation script to delete that local user account.
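Scrolling through the log files by hand is tedious when you are chasing a single account across several rolled-over logs. The script below is an added example (not part of the original post) that pulls every line mentioning the target account out of the Intune Management Extension logs. It relies on the IME logs being in CMTrace format (`<![LOG[message]LOG]!><time="..." date="..." component="..." ...>`), which is how they are written; the log directory, the file name pattern and the account name are the ones used in this post, and the sample line fed to the parser at the end is constructed for illustration, not a real log excerpt.

```powershell
# Added example, not from the original post: extract CMTrace-format log lines
# that mention the target local account from the IME log folder.

$LogDir  = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
$Needle  = 'cloudinfra101'   # account name used in this post
$Pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]+)"'

function ConvertFrom-CMTraceLine {
    # Parse one CMTrace log line into an object; returns $null for lines that are
    # not the start of an entry (continuation lines of multi-line messages).
    param([string]$Line)
    $m = [regex]::Match($Line, $Pattern)
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        Date      = $m.Groups['date'].Value
        Time      = $m.Groups['time'].Value
        Component = $m.Groups['comp'].Value
        Message   = $m.Groups['msg'].Value
    }
}

function Find-AccountInImeLogs {
    param([string]$Directory, [string]$Account)
    # Active and rolled-over IME logs, newest first, plus HealthScripts.log if present.
    $files = @(Get-ChildItem -Path $Directory -Filter 'IntuneManagementExtension*.log' -ErrorAction SilentlyContinue |
               Sort-Object LastWriteTime -Descending)
    $health = Join-Path $Directory 'HealthScripts.log'
    if (Test-Path $health) { $files = @(Get-Item $health) + $files }

    foreach ($f in $files) {
        Get-Content -Path $f.FullName -ErrorAction SilentlyContinue |
            Where-Object { $_ -match [regex]::Escape($Account) } |
            ForEach-Object { ConvertFrom-CMTraceLine $_ } |
            Where-Object { $_ } |
            Select-Object @{ n = 'File'; e = { $f.Name } }, Date, Time, Component, Message
    }
}

# Constructed sample line (same format as the real log; the content is made up)
# to show what the parser returns for a detection-script output line.
$sample = '<![LOG[cloudinfra101 exists]LOG]!><time="10:15:32.1234567" date="1-2-2024" component="IntuneManagementExtension" context="" type="1" thread="12" file="">'
ConvertFrom-CMTraceLine $sample | Format-List

# Real run against the local IME logs (requires admin to read the folder).
Find-AccountInImeLogs -Directory $LogDir -Account $Needle |
    Sort-Object Date, Time | Format-Table -AutoSize
```

The detection script's Write-Host output and its exit code both end up in these logs, so filtering on the account name is usually enough to see the detect (exit 1) followed by the remediate (exit 0) on the same device.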
Conclusion
In this blog post we have seen how to delete a local user account using Intune. I found the proactive remediation script package option easier. You could also just deploy a one-off PowerShell script to delete the local user account on the device.
However, using a proactive remediation is better: it first checks whether the local user account exists before removing it, and it runs on a schedule, so the account stays deleted even if someone recreates it.
Thanks for this tutorial, very useful.
Just a remark: you made a typo in DetectLocalUser.ps1: exists should be exist.
Thanks again for this post, it works like a charm !