question

1 Vote
changhian asked, changhian commented

Intune Autopilot Device with Assign Local Administrator Right After Deployment.

Hi All,

I have assigned Autopilot to my Windows 10 devices with user account type "Standard" at Home > Devices > Enroll devices > Windows Autopilot deployment profiles > Autopilot Policy.

Right now, some of the devices that belong to VIP users have had a request submitted to allow the login to have "Local Admin Right" instead of "Standard" user, because those devices have already been deployed with Autopilot with the Standard user account type and are already in use. Is there any policy in Intune that can allow me to assign them "Local admin Right"? And can I turn off the "Local admin Right" later as well?

mem-intune-general

2 Votes
LuDaiMSFT-0289 answered, changhian commented

@changhian Thanks for posting in our Q&A.

For this requirement, based on my test, we can run the following command to add local admin rights to the Azure AD user.

 net localgroup administrators /add "AzureAD\UserUpn"

If we want to turn off the "Local admin Right", we can run the following command to delete it.

 net localgroup administrators /delete "AzureAD\UserUpn"

However, there are no such settings in Intune. If you are interested in this, we can give feedback in the Intune UserVoice at the following link. This is a place to collect customers' requirements and problems.
https://microsoftintune.uservoice.com/forums/291681-ideas

Thanks for understanding.


Hi LuDaiMSFT-0289,

Thank you for your help. Yours is working, and I used Notepad to save it as a PowerShell script (e.g. addaccountasadminright.ps1) and pushed it through an Intune script.

But I found an easier method, which is this link: "https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups"
It is only available for Windows 10 20H2; older versions can use "RestrictedGroups/ConfigureGroupMembership" through this link:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-restrictedgroups#restrictedgroups-configuregroupmembership

0 Votes

2 Votes
Jason-MSFT answered, changhian commented
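An added example, not from the original thread or from Microsoft, that wraps the two `net localgroup` commands from the answer above into one Intune-deployable script of the kind the comment describes: it checks current membership first so it is safe to re-run, logs the result, and the same script with `$Action = 'Remove'` revokes the right later. It assumes the device is Azure AD joined, the script runs as SYSTEM (the Intune default), and `$UserUpn` is a placeholder to replace.

```powershell
# Values to set before uploading: Intune PowerShell scripts do not accept arguments.
$UserUpn = 'vip.user@contoso.com'   # placeholder UPN (assumption), replace with the real one
$Action  = 'Add'                    # 'Add' to grant local admin, 'Remove' to revoke it later

$member  = "AzureAD\$UserUpn"       # how an Azure AD user is named to net.exe on an AAD-joined device
$logPath = Join-Path $env:ProgramData 'IntuneLocalAdmin.log'   # hypothetical log location

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $logPath -Append -Encoding utf8
}

if ($Action -notin @('Add', 'Remove')) {
    Write-Log "Unknown action '$Action'"
    exit 1
}

# Current membership of the built-in Administrators group, as printed by net.exe.
# Comparison is case-insensitive because UPNs are.
$current  = (net localgroup Administrators) 2>&1
$isMember = [bool]($current | Where-Object { $_.Trim() -ieq $member })

if ($Action -eq 'Add') {
    if ($isMember) { Write-Log "$member already in Administrators, nothing to do"; exit 0 }
    $out = net localgroup Administrators /add $member 2>&1
} else {
    if (-not $isMember) { Write-Log "$member not in Administrators, nothing to do"; exit 0 }
    $out = net localgroup Administrators /delete $member 2>&1
}

# net.exe returns a non-zero exit code on failure; pass it on so Intune reports the script as failed.
if ($LASTEXITCODE -ne 0) {
    Write-Log "net localgroup $Action failed for ${member}: $out"
    exit $LASTEXITCODE
}

Write-Log "$Action succeeded for $member"
exit 0
```

Intune re-runs a script whose content has changed, so flipping `$Action` to `'Remove'` and re-uploading the same script is enough to take the right away again, and the log gives a per-device record of when admin membership was granted and revoked.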

In addition, see https://www.jeffgilb.com/managing-local-administrators-with-azure-ad-and-intune/ for many details and a complete description on managing local admins with Intune.

Note however that a VIP with local admin access potentially poses a greater security risk than a non-VIP user, so I strongly suggest that this course of action be reconsidered. Just because someone thinks they're special doesn't mean they should have a greater potential to compromise the environment's security.


Hi Jason, thank you for your help. I think I found a link which is for 20H2, and I have tested it and it works using "./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure".

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups

Yours is also working; it is just that my Windows version is 20H2 and I am using the CSP LocalUsersAndGroups/Configure instead.

Thank you for your help!

0 Votes