RobB-1273 asked lucafabbri365 commented

Enabling the local administrator account on Windows 10 that's joined to Azure via Autopilot

Hello, is it possible to activate the local administrator account of a Windows device that was joined to Azure via Autopilot? If so, what are the steps to enable the local administrator account on a laptop device? We currently are using Autopilot (OOBE) to set up our laptops. One of the main reasons we are using Autopilot is that we don't want our users to have administrator rights on the device. We have achieved that, but once it goes through the Autopilot set-up we can't enable the local administrator account. Is there a way to enable the local administrator account after Autopilot set-up? Please assist!


lucafabbri365 answered lucafabbri365 commented

Hello @RobB-1273,

Are you using any platform/software for managing these Azure AD joined devices, like Microsoft Intune, Microsoft Endpoint Configuration Manager, or other similar tools? If not, then you cannot enable the LOCAL administrator account.
However, in my own opinion, it is not a good idea to enable the LOCAL administrator, for security reasons.

What's the reason why you want to enable the LOCAL administrator? For administrative purposes? Instead, why don't you "promote" any of your Azure AD users as local administrator of your Azure AD joined devices? You can do that from Azure Portal > Azure Active Directory > Devices > Device settings > Additional local administrators on all Azure AD joined devices:

[Screenshot: local-administrator.png]

Bye,
Luca



Hi Luca,
I really appreciate you responding to my question. We are using MS Intune to manage our Azure AD joined devices. We use Autopilot to set up Windows 10, push apps, etc. So once the device has been set up via Autopilot, the user doesn't have local admin rights on the device, which is what we wanted to accomplish. We would like to enable the local administrator account with a password. Our helpdesk team wants it enabled so they can log in as the local administrator to troubleshoot any issues with the user's laptop. We don't want to elevate the current user's local rights in order to troubleshoot the user's issue, but enable the local administrator account.


Robert


Hello @RobB-1273,

Sorry for the late reply.
However, I wasn't thinking of "elevating the current user's local rights"; instead, add an Azure AD user (used by your helpdesk) as local admin on managed devices.

Bye,
Luca

CiciWu-MSFT answered NishantSinghMINDTREELIMITED-6782 commented

Apart from the configuration in the Azure AD portal, you can try running the following command to assign local administrator rights on Azure AD joined devices.

  1. Log in to Windows as the user you wish to grant rights to

  2. Start a command shell as Administrator

  3. Find the username of the new user (an easy way to find the username is to copy it from their user folder and append it to “AzureAD\”)

  4. Run the command below
    net localgroup administrators AzureAD\<username> /add

The command should return “The command completed successfully”. If not, check for typos. Furthermore, double-check that the user has actually logged on to this computer previously.
Finally, the user needs to log off and on.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


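The procedure in the answer above, as an added PowerShell example that is not from the thread or from Microsoft: it grants one named Azure AD helpdesk account local admin on the device (the least-privilege alternative the thread recommends over a shared local administrator account), checks the exit code of `net localgroup`, and verifies the resulting membership. The UPN is a placeholder you supply; run it from an elevated prompt on the already-joined device.

```powershell
# Added example (not the thread's own code): add one Azure AD account to the
# local Administrators group and verify it. Run elevated on the joined device.
param(
    [Parameter(Mandatory = $true)]
    [string]$Upn   # placeholder, e.g. 'helpdesk@contoso.com' (not a real account)
)

# On an Azure AD joined device the local principal name is AzureAD\<UPN>.
$Member = "AzureAD\$Upn"

function Test-LocalAdminMember {
    param([string]$Name)
    # Parse net.exe output instead of Get-LocalGroupMember, which can throw when
    # the group contains Azure AD SIDs the device can no longer resolve.
    $lines = net localgroup administrators 2>$null
    return [bool]($lines | Where-Object { $_.Trim() -ieq $Name })
}

if (Test-LocalAdminMember -Name $Member) {
    Write-Output "$Member is already in Administrators; nothing to do."
    return
}

# Same command the answer uses; net.exe reports failure via $LASTEXITCODE.
net localgroup administrators $Member /add | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "net localgroup failed (exit code $LASTEXITCODE). Check the UPN for typos and confirm the user has signed in to this device at least once."
}

# Confirm the change actually landed before reporting success.
if (-not (Test-LocalAdminMember -Name $Member)) {
    throw "$Member was not found in Administrators after the add."
}
Write-Output "$Member added to Administrators. The user must sign out and back in for the new group membership to apply."
```

Because the membership is written to the device's local SAM, treat the list of such grants as something to audit periodically, the same way you would review the Azure AD "Additional local administrators" setting.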

Hello, @RobB-1273 Just wanted to check if the above answer is helpful to you. If not, please let us know.

OliverKieselbach-MVP answered lucafabbri365 commented

Hey @lucafabbri365,

Your topic is always a challenge. If you script your way and use a PowerShell script assigned in Intune, you have to deal with a clear-text password in the script and log files, or you come up with a better idea. I know there is no official MS LAPS solution, but there are some solutions out there to address this, and they have built something like LAPS for Intune:

See a good collection here:
https://www.vansurksum.com/2020/02/11/challenges-while-managing-administrative-privileges-on-your-azure-ad-joined-windows-10-devices/

and there is also the solution https://www.realmjoin.com which provides an App Store for Intune and also a LAPS component...

So, I guess you have to look now if one of the solutions works for you :-).

best,
Oliver (@okieselb, oliverkieselbach.com)



Hello @OliverKieselbach-MVP,

Sorry for the late answer.
Well, I was aware of Serverless LAPS by John Seerden (I was searching for a LAPS solution on Azure), but not of the other solutions; the first link you shared is pretty interesting.

Thank you,
Luca
