Blog

Add Azure User to Local Admin Group with Endpoint Management

Microsoft Endpoint Manager (the admin center that brings Intune and Configuration Manager together) allows administrators to deploy, manage, and rebuild Windows 10 workstations while minimizing the need for site visits and hands-on remediation of individual systems.

One of the most frustrating aspects of Autopilot deployment and Endpoint Manager is that once a system is deployed and enrolled in Intune, there is no usable local administrator account on it (the built-in Administrator account is disabled). This creates issues when end users need to install software that is not managed by Intune and have to approve a Windows User Account Control prompt with administrator credentials.

It is generally a bad idea to add a shared local admin account to every workstation: the password has to be rotated on every device whenever someone who knew it leaves, and a single password that unlocks the whole fleet is exactly what an attacker wants to find. You should instead follow Microsoft best practice and create Azure Active Directory account(s) for managing workstations. The accounts you create for this should be tied to individuals (for auditing and records management), should be dedicated to workstation administration, and should not hold other administrative roles.

To set this up, you create a custom configuration profile that pushes an OMA-URI setting (the RestrictedGroups policy in the Policy CSP).

Process

Open a browser and navigate to https://endpoint.microsoft.com

Click Devices > Configuration profiles

Click Create Profile.


For Platform, select Windows 10 and later.

For Profile type, select Custom, then click Create.

Give the profile a name and description that will make sense to you later, such as Local Admin Users.

In Configuration settings, click Add to add a row.

Enter a name and description for the custom row (this can be the same name, such as Local Admin Users).

Enter the OMA-URI as:
./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership

Select String as the Data type.
Edit the following string for your organization and enter it as the Value:

<groupmembership>
    <accessgroup desc = "Administrators">
        <member name = "Administrator" />
        <member name = "S-1-12-1-308664432-1169958086-4109379770-2611045822" />
        <member name = "S-1-12-1-4244855314-1274535550-3233907865-112484193" />
        <member name = "AzureAD\userone@contoso.com" />
        <member name = "AzureAD\usertwo@contoso.com" />
    </accessgroup>
</groupmembership>

In this list, Administrator is the built-in local account, the S-1-12-1-... entries are Azure AD SIDs (the SID form of an Azure AD user, group, or directory role object ID; the two shown are placeholders to replace with your own), and the AzureAD\ entries are Azure AD users identified by UPN. Be aware that RestrictedGroups defines the complete membership of the group: when the policy applies, anything not in the list is removed from Administrators, so include every principal that should keep admin rights, not just the ones you are adding.
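Because a syntax error in the Value silently prevents the policy from applying, and because an incomplete list strips members, it is worth generating and checking the string rather than hand-editing it. The following PowerShell is an added example, not code from the original post: it converts Azure AD object IDs (copied from the user, group, or role blade in the portal) into S-1-12-1 SIDs, builds the groupmembership XML, and validates it before you paste it into the OMA-URI row. The object ID and UPNs in the usage block are constructed placeholders; nothing here contacts Azure or Intune.

```powershell
function Convert-AzureAdObjectIdToSid {
    # An Azure AD object ID (a GUID) maps to a Windows SID of the form
    # S-1-12-1-<a>-<b>-<c>-<d>, where a..d are the GUID's 16 bytes read as
    # four little-endian unsigned 32-bit integers.
    param([Parameter(Mandatory)][string]$ObjectId)
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $parts = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $parts, 0, 16)
    return 'S-1-12-1-' + ($parts -join '-')
}

function New-RestrictedGroupsXml {
    # Builds the ConfigureGroupMembership value. The output is the COMPLETE
    # membership of Administrators; anything omitted here is removed on apply.
    param(
        [string[]]$UserPrincipalNames = @(),
        [string[]]$AzureAdObjectIds   = @(),
        [switch]$IncludeBuiltinAdministrator
    )
    $sb       = New-Object System.Text.StringBuilder
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $settings.OmitXmlDeclaration = $true
    $w = [System.Xml.XmlWriter]::Create($sb, $settings)
    $w.WriteStartElement('groupmembership')
    $w.WriteStartElement('accessgroup')
    $w.WriteAttributeString('desc', 'Administrators')
    $names = @()
    if ($IncludeBuiltinAdministrator) { $names += 'Administrator' }
    $names += $AzureAdObjectIds | ForEach-Object { Convert-AzureAdObjectIdToSid $_ }
    $names += $UserPrincipalNames | ForEach-Object { "AzureAD\$_" }
    foreach ($n in $names) {
        $w.WriteStartElement('member')
        $w.WriteAttributeString('name', $n)   # XmlWriter escapes any special characters
        $w.WriteEndElement()                  # emits <member name="..." />
    }
    $w.WriteEndElement(); $w.WriteEndElement(); $w.Close()
    return $sb.ToString()
}

function Test-RestrictedGroupsXml {
    # Catches the two failure modes that matter: a value that is not
    # well-formed XML (policy never applies) and a well-formed value that
    # would empty the group or contains malformed principals.
    param([Parameter(Mandatory)][string]$Xml)
    try { $doc = [xml]$Xml } catch {
        Write-Warning "Value is not well-formed XML: $($_.Exception.Message)"
        return $false
    }
    $group = $doc.groupmembership.accessgroup
    if (-not $group -or $group.desc -ne 'Administrators') {
        Write-Warning 'Expected <groupmembership><accessgroup desc="Administrators">'
        return $false
    }
    $members = @($group.member)
    if ($members.Count -eq 0) {
        Write-Warning 'Member list is empty: applying this would strip every member from Administrators'
        return $false
    }
    $ok = $true
    foreach ($m in $members) {
        $n = [string]$m.name
        if ($n -match '^S-1-' -and $n -notmatch '^S-1-\d+(-\d+)+$') {
            Write-Warning "Malformed SID: $n"; $ok = $false
        } elseif ($n -match '@' -and $n -notmatch '^AzureAD\\[^\\@\s]+@[^\\@\s]+$') {
            Write-Warning "Azure AD users must be written as AzureAD\user@domain: $n"; $ok = $false
        }
    }
    return $ok
}

# Usage with constructed placeholders; replace with your own object IDs and UPNs.
$value = New-RestrictedGroupsXml -IncludeBuiltinAdministrator `
    -AzureAdObjectIds '7d3f9f4a-2c7b-4e55-9a1e-0f3c1b2d4e5f' `
    -UserPrincipalNames 'userone@contoso.com', 'usertwo@contoso.com'
if (Test-RestrictedGroupsXml -Xml $value) { $value | Set-Clipboard; $value }
```

XmlWriter writes attributes as desc="Administrators" without the spaces shown in the hand-written version above; both forms are valid XML and the CSP accepts either. Running Test-RestrictedGroupsXml over a string pasted back out of the portal is also a quick way to spot curly quotes introduced by copying from a web page.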

Click OK to add the row.

You will then need to assign the profile to devices or users. For this use case I recommend assigning it to All devices in Endpoint Manager, bearing in mind that every principal in the list then becomes a local administrator on every enrolled workstation.

If you later change the OMA-URI value, the updated policy is applied the next time the workstations check in.

If the membership fails to take effect, the most likely cause is a syntax error in the XML string (an unclosed tag, or curly quotes picked up when copying from a web page). Double-check it, save, and let the devices sync again.

There is little risk from a malformed value: if the XML does not parse, the policy simply does not apply and the devices are left as they were. The risk to watch for is a value that is well-formed but incomplete, because RestrictedGroups replaces the group's membership outright and any account you forgot to list loses its admin rights on the next check-in. Verify the result on a test device before assigning the profile broadly.
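To verify the result on an enrolled device, the following PowerShell is an added example (not from the original post) to run in an elevated session: it triggers an MDM sync, reads the policy value the device received, lists the current members of the local Administrators group, and pulls recent MDM policy errors from the DeviceManagement diagnostic log. The registry path under PolicyManager is an assumption about where the Policy CSP mirrors delivered settings, so treat an empty result from it as "not found" rather than "not applied".

```powershell
function Start-MdmSync {
    # The enrollment client's "Schedule #3" task is the periodic MDM sync;
    # starting it avoids waiting for the next scheduled check-in.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like 'Schedule #3*' } |
        Start-ScheduledTask
}

function Get-RestrictedGroupsPolicyValue {
    # Assumption: Policy CSP settings delivered by MDM are mirrored under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\RestrictedGroups'
    (Get-ItemProperty -Path $key -Name ConfigureGroupMembership -ErrorAction SilentlyContinue).ConfigureGroupMembership
}

function Get-LocalAdminMembers {
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Select-Object Name, SID, PrincipalSource
    } catch {
        # Get-LocalGroupMember throws "principal could not be found" when the
        # group contains an Azure AD SID it cannot resolve; net.exe lists the
        # raw members without trying to resolve them.
        Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); falling back to net.exe"
        net.exe localgroup Administrators
    }
}

function Get-MdmPolicyErrors {
    # Error-level events from the MDM client in the last N hours that mention
    # this policy area. Event text normally includes the OMA-URI that failed.
    param([int]$Hours = 24)
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = (Get-Date).AddHours(-$Hours) } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'RestrictedGroups|ConfigureGroupMembership' } |
        Select-Object TimeCreated, Id, Message
}

Start-MdmSync
Start-Sleep -Seconds 30          # give the sync a moment to pull and apply the profile
Get-RestrictedGroupsPolicyValue  # the XML the device received, if mirrored
Get-LocalAdminMembers            # what the group actually contains now
Get-MdmPolicyErrors              # empty output means no policy errors were logged
```

If the members list still shows the old membership and no error is logged, the usual explanation is that the profile has not been assigned to this device yet; check the profile's device status in the admin center before assuming the XML is at fault.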