One of the most frustrating features of Autopilot deployment and Endpoint Management is that once a systems is deployed and enrolled in Intune, there is no access to a local administrator account. This can create issues when end users need to install software that is not managed by Intune and they need to give permission to Windows User Account Control.

It is generally a bad idea to just add a local admin account to every workstations, as you will encounter issues with staff turnover and changing passwords. You should instead follow Microsoft best practices and create an Azure Active Directory account(s) for managing workstations. The accounts you create for this should be tied to individuals (for auditing and records management), and should not be used for other administrative tasks.

In order to set this up, you will need to work with OMA-URI settings

Process

Open a browser and navigate to https://endpoint.microsoft.com

 

Click Devices - Configuration Profiles

Click Create Profile.

For Platform, select Windows 10 and Later

<groupmembership>

<accessgroup desc = "Administrators">

<member name = "Administrator" />

<member name = "S-1-12-1-308664432-1169958086-4109379770-2611045822" />

<member name = "S-1-12-1-4244855314-1274535550-3233907865-112484193" />

<member name = "AzureAD\userone@contoso.com" />

<member name = "AzureAD\usertwo@contoso.com" />

</accessgroup>

</groupmembership>

 

 

Click OK and add the row

You will then need to assign this to either devices or users. I would recommend applying to All Devices in your Endpoint Management

If you make changes to the OMA-URI Value, the policy will be reapplied to workstations when they check in.

If the membership fails to take effect, it is likely that there is a syntax error in the text string. Double check it and apply again.

There if very little risk with this method as if there is something misconfigured it will simply not be applied to the devices.