This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 7.000000000000001%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
We are trying to create a local admin user other than the auto pilot user in Intune. The way we have setup is our auto pilot user (Domain user account) is an admin user and then we are using CSP to create another local admin user. We are using hybrid mode enrollment.
We have a Device configuration profile with OMA URI as follows:
Assignment : User Group
When it Works:
So far based on testing it works when the profile is assigned to the Dynamic device group which is created to perform auto pilot on intune machines for which the device hash is already imported, but in this process it fails to make the auto pilot user as an admin
When it doesn't work:
When the configuration profile is applied to user group, it fails to create the user, but then the auto pilot user is created properly with admin rights.
Variations tried:
Making the localadmin user as a non admin by changing the integer value to 1 and then first tried with dynamic device group assigned, which failed and also the user group which also failed.
Client machine Windows version: Windows 10 21H2
Would like to avoid the PowerShell script method if possible. Kindly let me know if you require any further details.
Update for the below section
When it doesn't work:
When the configuration profile is applied to user group, it fails to create the user, but then the auto pilot user is created properly with admin rights.
It now works, the issue was this configuration was applied after the auto pilot and domain join and hence the domain password policy where being applied to the machine.
But the process of creating multiple admin users during the process of auto pilot fails to make the auto pilot user as an admin is still the same behavior.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 60%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Did you ever figure this out? Currently having the exact same issue. What steps did you take to fix it?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Rookie{} , For the test "Making the localadmin user as a non admin by changing the integer value to 1, and then first tried with dynamic device group assigned, which failed and also the user group which also failed.", this is failed because "./Device/Vendor/MSFT/Accounts/Users/localadmin/LocalUserGroup" only support add operation. Changing is replace operation. So it will fail. we can see more details in the following link:
https://learn.microsoft.com/en-us/windows/client-management/mdm/accounts-csp
If we want to add the user into local administrators group, we can choose LocalUsersAndGroups CSP instead. Here is a link with more details for the reference:
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups
For the Autopilot admin and configuration profile to create local admin conflict issue, I will do test in my environment to see if I have the same issue. This needs some time. if there's any update, I will update here.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks @Crystal-MSFT for the response , can Localusersandgroups be used to add a local users, the link only shows examples for adding AzureAD users to local groups.
@arjuna_svr , Thanks for the reply. Localusersandgroups CSP can be used to add loc al user as well. Here is an example I test in my environment for the reference:
Add local user "crystal" into local administrators group.
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
Data Type: String
Value:
<GroupConfiguration>
<accessgroup desc = "Administrators">
<group action = "U"/>
<add member = "crystal"/>
</accessgroup>
</GroupConfiguration>
Hope it can help.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 85%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Is this also possible for Android devices? Can you give us a step by step instruction or a instruction video?
I was able to get it work with the original OMA URI mentioned, it was due to the password complexity since the user was created after domain join with domain policies applied. I will try the above method as well.
@arjuna_svr , Actually no, this is only for windows device.
@Rookie{} , Thanks for the update. My test has finished and on my Autopilot Azure AD join device. both the local user I create and the enrolled user are added into the local administrators group. I am also glad to hear that you find the cause and get it work in your environment. For the above localusersandgroup CSP, it is also a good option, you can also try. If there's anything else we can help, feel free to contact us.
Thanks for your time and have a nice day!
Thanks @Crystal-MSFT , I would like to know more about your configuration profiles for this. The only difference so far I see between my deployment and yours is that I am doing this on Hybrid device join.
@Rookie{} , Oh yes, you are right. I test on an Azure AD join device. Here is the profile I configure. After researching more, I find one similar issue, In this case it mentioned the device configuration profile needs to be assigned to user context. After the password complexity issue is fixed. We can assign the device configuration profile to user group to test again to see if it works.
