8,330 questions
Take some advantage of my script but I would recommend to rely on Azure LAPS. Ofcourse you still can use the script to create additional account but manage it with LAPS.
Run powershell script from Intune (MEM) for local administrator account.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 56.00000000000001%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
Renaldo Jack
5
Reputation points
Hi, we are trying to run PowerShell scripts from Intune to do the following on workstations:
- To enable the local administrator account (some of our accounts are disabled)
- Remove the tick "change password at next logon" for local administrator account
- Search and remove all accounts from local administrator group apart from the local administrator account.
We try to run it in the context of the system account or logged in user, but it fails. I assume it needs admin rights, but you cannot set this via the script options in Intune. How can we get around this issue?
Windows for business Windows Server User experience PowerShell
Microsoft Security Intune Other
5,569 questions
{count} votes
-
Rahul Jindal [MVP] 10,911 Reputation points MVP2023-08-01T13:51:33.95+00:00 Using the built-in local admin account is not recommended from a security perspective. I will suggest to create a custom local admin account and implement Windows LAPS. Also, you can use Account Protection profiles to manage the membership of local admin group. The following links may be of some help - https://rahuljindalmyit.blogspot.com/2023/04/windows-laps-with-microsoft-entra-azure.html
https://rahuljindalmyit.blogspot.com/2022/02/fixing-issue-of-remote-sign-in-though.html
-
Renaldo Jack 5 Reputation points
2023-08-01T14:01:02.4666667+00:00 In addition, we will use LAPS to manage the password of the built-in local administrator account. to get the password you need the relevant azure AD role and we have phishing resistant MFA using USB tokens.. so we are ok to use the built-in local admin account. it also reduces the need to create additional accounts reducing admin overhead and additional accounts to be used as part of an attack.
-
Lu Dai-MSFT 28,496 Reputation points2023-08-02T01:43:10.12+00:00 @Renaldo Jack Did you want to use intune for LAPS? If yes, please refer to the following article:
-
Renaldo Jack 5 Reputation points
2023-08-02T06:33:22.9133333+00:00 Gents.
- We already have LAPS configured in Azure AD and Intune (No further assistance or request here).
- We are using the administrator account (we are not looking to change this so the guidance I am looking for is not whether this is best practice or not)
We want to run scripts in Intune to enable the local administrator account and also to untick change password at next logon. These scripts dont seem to run. This is the assistance I need. Nothing else. When we run the scripts locally it works..when we run it via Intune we just get "error" no other information. It seems these scripts needs admin rights, but there is not option in Intune to run with admin rights. Please advise.
-
Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator2023-08-21T11:36:12.99+00:00 Hello
Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer(Yes)" and "share you feedback ". This will help us and others in the community as well.
Thanks,
Akshay Kaushik
Sign in to comment
1 answer
Sort by: Most helpful
-
Pavel yannara Mirochnitchenko 13,331 Reputation points MVP2023-08-02T07:05:44.0933333+00:00