Enabling the local Administrator account on Windows 10 that's joined to Azure via Autopilot

Rob B 6 Reputation points

Hello, is it possible to activate the local Administrator account on a Windows device that was joined to Azure via Autopilot? If so, what are the steps to enable the local Administrator account on a laptop? We are currently using Autopilot (OOBE) to set up our laptops. One of the main reasons we are using Autopilot is that we don't want our users to have administrator rights on the device. We have achieved that, but once a device goes through the Autopilot setup we can't enable the local Administrator account. Is there a way to enable the local Administrator account after the Autopilot setup? Please assist!


Tags: Microsoft Intune Configuration, Windows Autopilot, Windows 10 Setup
1 vote

3 answers

  1. Luca Fabbri 136 Reputation points

    Hello @Rob B ,

    Are you using any platform/software for managing these Azure AD joined devices, like Microsoft Intune, Microsoft Endpoint Configuration Manager, or other similar tools? If not, then you cannot enable the LOCAL administrator account.
    However, in my own opinion, it is not a good idea to enable the LOCAL administrator account, for security reasons.

    What's the reason why you want to enable the LOCAL administrator account? For administrative purposes? Instead, why don't you "promote" some of your Azure AD users to local administrators of your Azure AD joined devices? You can do that from Azure Portal > Azure Active Directory > Devices > Device settings > Additional local administrators on all Azure AD joined devices:



  2. CiciWu-MSFT 1,166 Reputation points

    Apart from the configuration in the Azure AD portal, you can try running the following command to assign local administrator rights on Azure AD joined devices.

    1. Login to Windows as the user you wish to grant rights
    2. Start a command shell as Administrator
    3. Find the username of the new user (an easy way to find the username is to copy it from their user folder and append it to “AzureAD\”)
    4. Perform the command below
      net localgroup administrators AzureAD\<username> /add

    The command should return "The command completed successfully". If not, check for typos. Furthermore, double-check that the user has actually logged on to this computer previously.
    Finally, the user needs to log off and on.

    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
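The same procedure as an added example in PowerShell (this is not CiciWu-MSFT's code or Microsoft documentation): it uses the LocalAccounts cmdlets instead of net.exe, handles the two ways the add usually fails, and then verifies the membership. It assumes an elevated Windows PowerShell 5.1 session on the Azure AD joined device, that the target user has signed in to this device at least once (otherwise the device cannot resolve the principal), and that the account is addressed in the AzureAD\<UPN> form; the UPN in the script is a constructed placeholder.

```powershell
# Added example, not the answer's own code. Grant one Azure AD user local admin
# rights on this device with the LocalAccounts cmdlets and verify the result.
# Assumptions: elevated Windows PowerShell 5.1 on the Azure AD joined device;
# the user has signed in here at least once; the UPN is a constructed placeholder.
#Requires -RunAsAdministrator
param(
    [string]$Upn = 'jane.doe@contoso.com'   # constructed placeholder UPN
)

# Stop on the first error so a failed add is never followed by a "verified" message.
$ErrorActionPreference = 'Stop'

# Azure AD users are addressed on the device as AzureAD\<UPN> (assumption of this
# example; 'whoami' in the user's own session shows the exact account name).
$member = "AzureAD\$Upn"

try {
    Add-LocalGroupMember -Group 'Administrators' -Member $member
    Write-Host "Added $member to Administrators."
}
catch [Microsoft.PowerShell.Commands.MemberExistsException] {
    Write-Host "$member is already a member of Administrators; nothing to do."
}
catch [Microsoft.PowerShell.Commands.PrincipalNotFoundException] {
    # The device can only resolve an Azure AD principal it has seen at sign-in.
    Write-Error "Could not resolve $member. Check the UPN and confirm the user has signed in to this device before."
    exit 1
}

# Verify with net.exe rather than Get-LocalGroupMember: on some Windows 10 builds
# Get-LocalGroupMember fails with "Failed to compare two elements in the array"
# when the group contains Azure AD members the device cannot resolve.
$listing = net localgroup Administrators
if ($listing -match [regex]::Escape($member)) {
    Write-Host "Verified: $member is in the local Administrators group."
    Write-Host "The user must sign out and back in before the new token carries the group."
}
else {
    Write-Error "Membership not visible in 'net localgroup Administrators'."
    exit 1
}
```

Unlike the "Additional local administrators" setting in the Azure portal, which applies to every Azure AD joined device in the tenant, this grants the right on one device only, which is usually what you want when the aim is to keep standard users out of the Administrators group.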

  3. Oliver Kieselbach 166 Reputation points

    Hey @Luca Fabbri ,

    Your topic is always a challenge. If you script your way and use a PowerShell script assigned in Intune you have to deal with a clear text password in the script and log files, or you come up with a better idea. I know there is no official MS LAPS solution, but there are some solutions out there to address this, and they have built something like LAPS for Intune:

    see a good collection here:

    and there is also the solution https://www.realmjoin.com which provides an App Store for Intune and also a LAPS component...

    So, I guess you have to look now if one of the solutions works for you :-).

    Oliver (@okieselb, oliverkieselbach.com)
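One way to avoid the clear-text password problem Oliver describes, as an added example that is not his code nor any of the LAPS-like products he links: an Intune-assignable script that enables the built-in Administrator account and sets a random password, where the only copy that ever leaves the process is encrypted for an escrow certificate, so neither the script nor the Intune script output nor a local log holds the secret. It assumes the script runs as SYSTEM in a 64-bit PowerShell host (the LocalAccounts module is not available in the 32-bit host Intune uses by default, so set "Run script in 64 bit PowerShell Host" to Yes), Windows 10 with the Microsoft.PowerShell.LocalAccounts module, and a certificate with the Document Encryption EKU deployed to LocalMachine\My whose subject matches the constructed value in the script; the registry path is also a constructed placeholder.

```powershell
# Added example, not Oliver's code or a product's. Enable the built-in Administrator
# and set a random password, escrowing it only as CMS ciphertext for a recovery cert.
# Assumptions: runs as SYSTEM in 64-bit PowerShell; Microsoft.PowerShell.LocalAccounts
# is present; an escrow certificate (Document Encryption EKU) with the subject below
# is in LocalMachine\My. Subject and registry path are constructed placeholders.
$ErrorActionPreference = 'Stop'

$EscrowCertSubject = 'CN=Contoso-LocalAdmin-Escrow'       # constructed placeholder
$StateKey          = 'HKLM:\SOFTWARE\Contoso\LocalAdmin'   # constructed placeholder
$PasswordLength    = 24

function New-RandomPassword {
    param([int]$Length)
    # Alphabet without the look-alikes 0/O, 1/l/I so a helpdesk can read it out.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # Largest multiple of the alphabet size that fits in a byte (3 * 69 = 207);
    # bytes at or above it are rejected so every character is equally likely.
    $limit = [int][math]::Floor(256 / $alphabet.Length) * $alphabet.Length
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

# Locate the built-in Administrator by its well-known RID (500) instead of by name,
# because a rename policy may already have changed the name.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
if (-not $admin) { throw 'Built-in Administrator account not found.' }

# Refuse to rotate if nobody would be able to recover the new password.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $EscrowCertSubject } |
    Select-Object -First 1
if (-not $cert) { throw "Escrow certificate '$EscrowCertSubject' not found; not changing the account." }

$plain = New-RandomPassword -Length $PasswordLength

# Encrypt for the escrow certificate BEFORE touching the account: if this step
# fails the account is left exactly as it was.
$cms = Protect-CmsMessage -To $cert -Content $plain

$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
$admin | Set-LocalUser -Password $secure
$admin | Enable-LocalUser

# Persist only the ciphertext and a timestamp where a later run or an inventory
# script can pick it up.
New-Item -Path $StateKey -Force | Out-Null
Set-ItemProperty -Path $StateKey -Name 'PasswordCms' -Value $cms
Set-ItemProperty -Path $StateKey -Name 'RotatedUtc'  -Value (Get-Date).ToUniversalTime().ToString('o')

# Drop our references to the plain text. .NET strings are immutable, so this does not
# scrub memory; it only makes sure nothing below can print it by accident.
Remove-Variable -Name plain, secure

# Intune records stdout in the portal, so only non-secret status is written here.
"Enabled '$($admin.Name)' and rotated its password; ciphertext stored under $StateKey."
```

To recover a password, copy the PasswordCms value to a machine that holds the escrow certificate's private key and run Unprotect-CmsMessage on it. Two caveats a practitioner should know before relying on this: Intune runs an assigned script once per device and assignment, so real rotation needs a scheduled task or a proactive remediation that re-runs the same logic, and anyone who can read LocalMachine\My on the device can still only see the public key, which is the point of the design.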