Forum Discussion
ouch
Feb 21, 2025, Copper Contributor
Deploying a Local Admin Account to Multiple Targets
Hello,
Thanks for this forum and your time.
I recently started using Intune to manage mobile devices for an organization.
I recently went to do some admin work on intuned laptops and found that I could not make administrative changes even with a domain admin account.
I learned that the way our Intune is set up if I want to make admin changes on a device, I have to set the device to an admin device for admin users.
Then, when finished, set it back to a user device for standard users.
I'm new to Intune but this seems a bit convoluted, so my first thought was how can I make it possible to do admin work on an Intune device without needing to change those settings each time?
I decided the best way would be to use Intune to add local admin accounts on all the devices.
Researching this, I found there are two common ways to do this. 1. Add a PowerShell script that will create a local admin account on the device/s of my choice. Though my PowerShell script worked when I ran it on the local machine, it wouldn't work using Intune. Either it would deploy but no admin account was created on the target machine, or it just wouldn't deploy.
Because of this, I tried the other way of doing it which is Intune's LAPS (Local Administrator Password Solution).
But after setting this up, it would never enable the built-in admin account, nor could I find any system-generated password in Intune for that account.
In the end, I just want local admin accounts on all our Surface Pros deployed en masse.
- Pearl-Angeles, Community Manager
Thanks for your feedback and question! The panelists in a Microsoft Technical Takeoff session, AMA: Cloud native with Microsoft Intune, covered this topic at around 8:34 of the session.
- klenTAHN, Copper Contributor
There are two primary methods I've found to make this kind of situation work, depending on your domain situation.
- Domain Hybrid Joined -> LAPS
  - Create policy under Account Protection using profile "Local admin password solution (Windows LAPS)" with desired configuration settings.
  - Create a device configuration policy (separate from LAPS above) with Settings Catalog.
    - Add settings:
      - "Accounts Enable Administrator Account Status" set to Enable.
      - "Accounts Rename Administrator Account" set to desired name (whatever you set in LAPS Policy).
  - Deploy both policies to desired group of devices.
- Entra Joined
  - Create an EntraID security group for administrative users.
  - Add the Azure role "Microsoft Entra Joined Device Local Administrator" to the group you created.
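An added check, written here as an example and not part of klenTAHN's reply or the opening post: after assigning the two policies above, this PowerShell script, run elevated on one target device, shows whether the LAPS policy actually arrived, whether the built-in Administrator (always RID 500, whatever it was renamed to) is enabled, and what the LAPS event log says. It covers the symptom from the opening post, where LAPS "never enabled the built-in admin account": Windows LAPS rotates and backs up the password but does not enable the account, which is why the separate "Accounts Enable Administrator Account Status" setting is needed. It assumes the device has the built-in Windows LAPS module (`Invoke-LapsPolicyProcessing`, present since the April 2023 cumulative update) and that Intune-delivered LAPS settings land under `HKLM:\SOFTWARE\Microsoft\Policies\LAPS`; the warning texts are my own wording.

```powershell
# Added diagnostic example: check LAPS policy delivery and built-in Administrator state
# on an Intune-managed Windows device. Run from an elevated PowerShell prompt.

function Get-LapsPolicyState {
    # The LAPS CSP writes Intune-delivered settings here (Group Policy uses a different key).
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    if (-not (Test-Path $policyPath)) {
        return [pscustomobject]@{ PolicyPresent = $false }
    }
    $p = Get-ItemProperty -Path $policyPath

    # BackupDirectory: 0 = disabled, 1 = Entra ID, 2 = Active Directory
    $backup = switch ($p.BackupDirectory) {
        0       { 'Disabled' }
        1       { 'Entra ID' }
        2       { 'Active Directory' }
        default { "Unknown ($($p.BackupDirectory))" }
    }
    # With no AdministratorAccountName, LAPS manages the built-in RID 500 account.
    $managed = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { '(built-in Administrator, RID 500)' }

    [pscustomobject]@{
        PolicyPresent            = $true
        BackupDirectory          = $backup
        AdministratorAccountName = $managed
        PasswordAgeDays          = $p.PasswordAgeDays
    }
}

function Get-BuiltInAdminState {
    # Match on the SID, not the name: the rename policy changes the name, never the RID.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        Name            = $admin.Name
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet
    }
}

function Get-RecentLapsEvents {
    param([int]$Count = 15)
    # LAPS logs every policy processing pass and backup attempt to this operational channel.
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# 1. Did the Account Protection (LAPS) policy reach the device?
$policy = Get-LapsPolicyState
$policy | Format-List
if (-not $policy.PolicyPresent) {
    Write-Warning 'No Intune LAPS policy found in the registry. Check the policy assignment and run a device sync.'
}

# 2. Is the account LAPS should manage enabled, and does it exist under the name LAPS expects?
$admin = Get-BuiltInAdminState
$admin | Format-List
if (-not $admin.Enabled) {
    Write-Warning 'Built-in Administrator is disabled. LAPS does not enable it; assign the "Accounts Enable Administrator Account Status" setting.'
}
if ($policy.PolicyPresent -and $policy.AdministratorAccountName -notlike '(built-in*') {
    if (-not (Get-LocalUser -Name $policy.AdministratorAccountName -ErrorAction SilentlyContinue)) {
        Write-Warning "LAPS policy names '$($policy.AdministratorAccountName)' but no such local account exists. Align it with the rename setting."
    }
}

# 3. Force a processing pass now instead of waiting for the next scheduled one, then read the log.
if (Get-Command Invoke-LapsPolicyProcessing -ErrorAction SilentlyContinue) {
    Invoke-LapsPolicyProcessing
} else {
    Write-Warning 'Windows LAPS module not found; the device needs the April 2023 update or later.'
}
Get-RecentLapsEvents | Format-Table -AutoSize -Wrap
```

If the policy is present and the account is enabled but the event log shows backup errors, the remaining piece is usually the Entra side (the device must be Entra or hybrid joined and the LAPS feature enabled in the tenant's device settings) rather than anything on the device itself.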
- rahuljindal-MVP, Bronze Contributor
I normally use a CSP to create the local admin account (if you are ok to live with the compliance error where the CSP doesn't support the GET method) and then use LAPS. Maybe the following articles can help.
https://rahuljindalmyit.blogspot.com/2021/05/intune-different-ways-of-setting-local.html
https://rahuljindalmyit.blogspot.com/2023/04/windows-laps-with-microsoft-entra-azure.html