Enabling local administrator account on windows 10 that's joined to azure via autopilot

Question

question

RobB-1273 asked Oct 16, '20 lucafabbri365 commented Mar 23, '21

Enabling local administrator account on windows 10 that's joined to azure via autopilot

Hello is it possible to activate the local administrators account of a windows device that was joined to azure via autopilot. If so what are the steps to enable the local administrator account on a laptop device. We currently are using Autopilot (OOBE) to setup our laptop. One main reasons we are using autopilot, because we don't want our users to have administrator rights on the device. We have achieved that, but once it goes through the autopilot set-up we can't enable the local administrators account. Is there away to enable the local administrators account after autopilot set-up? Please assist!

Autopilot
Newbie

windows-10-setup mem-intune-device-configurations mem-autopilot

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JurreLagerweij-6824 · Feb 01, 2021 at 03:44 PM

Found this guide the other day. Enjoy.

https://www.cloud-boy.be/blog/serverless-laps-with-intune-function-app-and-key-vault/

0 ·

Answer 1 · 2020-10-16T22:59:22.88Z

lucafabbri365 answered Oct 16, '20 lucafabbri365 commented Mar 23, '21

Hello @RobB-1273,

are you using any platform/software for managing these Azure AD joined devices like Microsoft Intune, Microsoft Endpoint Configuration Manager, or other similar tools ? If not, then you cannot enable LOCAL administrator account.
However, in my own opinion, is not a good idea to enable LOCAL administrator, for security reasons.

What's the reason why you want to enable LOCAL administrator ? For administrative purposes ? Instead, why don't you "promote" any of your Azure AD users as local administrator of your Azure AD joined devices ? You can do that from Azure Portal > Azure Active Directory > Devices > Device settings > Additional local administrators on all Azure AD joined devices:

Bye,
Luca

local-administrator.png (40.2 KiB)

· 2

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

RobB-1273 · Oct 22, 2020 at 04:58 AM

Hi Luca,
I really appreciate you responding to my question. We are using MS. Intune to manage our Azure AD joined devices. We use autopilot to setup windows 10, push apps etc.... So once the device has been set-up via autopilot, the user doesn't have local admin rights on the device, which is what we wanted to accomplish. We would like to enable the local administrator account with a password. Our helpdesk team want it enabled, so they can log-in as the local administrator to troubleshoot any issues with the users laptop. We don't want to elevate the current users local rights in order to troubleshoot the users issue, but enable the local administrators account.

Robert

0 ·

lucafabbri365 RobB-1273 · Mar 23, 2021 at 10:16 PM

Hello @RobB-1273,

sorry for the late reply.
However I wasn't thinking to "elevate current users local rights", instead add an Azure AD user (used by your helpdesk) as local admin on managed devices.

Bye,
Luca

0 ·

Answer 2 · 2020-10-19T02:57:18.05Z

CiciWu-MSFT answered Oct 19, '20 NishantSinghMINDTREELIMITED-6782 commented Oct 23, '20

Apart from the configuration in Azure AD portal, you can try to run the following command to assign local administrator rights to Azure AD joined devices.

Login to Windows as the user you wish to grant rights
Start a command shell as Administrator
Find the username of the new user (an easy way to find the username is to copy it from their user folder and append it to “AzureAD\”)
Perform the command below
net localgroup administrators AzureAD\<username> /add

The command should give “The command completed successfully” as a result. If not, you can check for typos. Furthermore, double check if the user surely logged on to this computer previously.
Finally, the user needs to log off and on.

If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

NishantSinghMINDTREELIMITED-6782 · Oct 23, 2020 at 08:56 AM

Hello, @RobB-1273 Just wanted to check if the above answer is helpful to you. If not, please let us know.

0 ·

Answer 3 · 2020-11-14T11:40:18.43Z

OliverKieselbach-MVP answered Nov 14, '20 lucafabbri365 commented Mar 23, '21

Hey @lucafabbri365,

Your topic is always a challenge. If you script your way and use a PowerShell script assigned in Intune you have to deal with a clear text password in the script and log files or you come up with a better idea. I know there is no official MS LAPS solution but there are some solutions out there to address this and they have build something like LAPS for Intune:

see a good collection here:
https://www.vansurksum.com/2020/02/11/challenges-while-managing-administrative-privileges-on-your-azure-ad-joined-windows-10-devices/

and there is also the solution https://www.realmjoin.com which provides a App Store for Intune and also a LAPS component...

So, I guess you have to look now if one of the solutions works for you :-).

best,
Oliver (@okieselb, oliverkieselbach.com)

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

lucafabbri365 · Mar 23, 2021 at 10:12 PM

Hello @OliverKieselbach-MVP,

sorry for the late answer.
Well I was aware of Serverless LAPS by John Seerden (I was searching for a LAPS solution on Azure), but not the other solutions; the first link you shared is pretty interesting.

Thank you,
Luca

0 ·

question