Enabling local administrator account on windows 10 that's joined to azure via autopilot

Rob B 6 Reputation points
2020-10-16T15:50:03.827+00:00

Hello, is it possible to activate the local administrator account of a Windows device that was joined to Azure via Autopilot? If so, what are the steps to enable the local administrator account on a laptop device? We are currently using Autopilot (OOBE) to set up our laptops. One of the main reasons we are using Autopilot is that we don't want our users to have administrator rights on the device. We have achieved that, but once it goes through the Autopilot set-up we can't enable the local administrator account. Is there a way to enable the local administrator account after Autopilot set-up? Please assist!


3 answers

  1. Luca Fabbri 156 Reputation points
    2020-10-16T22:59:22.88+00:00

    Hello @Rob B ,

    are you using any platform/software for managing these Azure AD joined devices, like Microsoft Intune, Microsoft Endpoint Configuration Manager, or other similar tools? If not, then you cannot enable the LOCAL administrator account.
    However, in my own opinion, it is not a good idea to enable the LOCAL administrator, for security reasons.

    What's the reason why you want to enable the LOCAL administrator? For administrative purposes? Instead, why don't you "promote" any of your Azure AD users as local administrators of your Azure AD joined devices? You can do that from Azure Portal > Azure Active Directory > Devices > Device settings > Additional local administrators on all Azure AD joined devices:

    [screenshot: local-administrator.png, the "Additional local administrators on all Azure AD joined devices" device setting in the Azure portal]

    Bye,
    Luca

    1 person found this answer helpful.

  2. CiciWu-MSFT 1,206 Reputation points
    2020-10-19T02:57:18.05+00:00

    Apart from the configuration in the Azure AD portal, you can try running the following command to assign local administrator rights on Azure AD joined devices.

    1. Log in to Windows as the user you wish to grant rights
    2. Start a command shell as Administrator
    3. Find the username of the new user (an easy way to find the username is to copy it from their user folder and append it to “AzureAD\”)
    4. Perform the command below
      net localgroup administrators AzureAD\<username> /add

    The command should give "The command completed successfully" as a result. If not, you can check for typos. Furthermore, double-check that the user has actually logged on to this computer previously.
    Finally, the user needs to log off and on.


    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
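    A scripted version of the steps above, added here as an example and not part of the answer: a hypothetical PowerShell function that runs the same net localgroup command but adds the checks the answer mentions (prior sign-in, typos, and verifying the membership afterwards). The function names, the profile-folder heuristic and the sample UPN are assumptions.

```powershell
# Added example (not from the thread): wraps the answer's "net localgroup" step
# with its own checks. Function names and the profile-folder heuristic are
# assumptions. Run from an elevated PowerShell session on the AAD-joined device.

function Get-LocalAdminMembers {
    # Parse "net localgroup administrators": members sit between the dashed
    # separator line and the trailing "The command completed successfully."
    $out = @(net localgroup administrators 2>&1 | ForEach-Object { "$_" })
    $dash = -1
    for ($i = 0; $i -lt $out.Count; $i++) { if ($out[$i] -match '^-{5,}') { $dash = $i; break } }
    if ($dash -lt 0 -or $dash -ge $out.Count - 1) { return @() }
    $out[($dash + 1)..($out.Count - 1)] |
        Where-Object { $_.Trim() -and $_ -notmatch '^The command' } |
        ForEach-Object { $_.Trim() }
}

function Add-AzureAdLocalAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Sign-in name that follows "AzureAD\", e.g. jane.doe@contoso.com (constructed example).
        [Parameter(Mandatory)] [string] $UserName
    )
    $account = "AzureAD\$UserName"

    # The answer says the user must have logged on here before. A profile folder
    # whose name starts with the UPN prefix is a hint of that (heuristic only).
    $prefix = ($UserName -split '@')[0]
    $hasProfile = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "$prefix*" }
    if (-not $hasProfile) {
        Write-Warning "No profile folder like '$prefix*'; has $account signed in to this device yet?"
    }

    if (Get-LocalAdminMembers | Where-Object { $_ -ieq $account }) {
        Write-Verbose "$account is already in Administrators; nothing to do."
        return $true
    }
    if (-not $PSCmdlet.ShouldProcess($account, 'Add to local Administrators')) { return $false }

    $result = net localgroup administrators $account /add 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Typical causes, per the answer: a typo in the name, or a user who never signed in here.
        Write-Error "net localgroup failed (exit $LASTEXITCODE): $result"
        return $false
    }
    # Verify from the group itself rather than trusting the exit code alone.
    $added = [bool](Get-LocalAdminMembers | Where-Object { $_ -ieq $account })
    if ($added) { Write-Host "$account added. The user must sign out and back in for the change to apply." }
    return $added
}
```

    Use -WhatIf to see what would be changed without touching the group.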


  3. Oliver Kieselbach 241 Reputation points MVP
    2020-11-14T11:40:18.43+00:00

    Hey @Anonymous ,

    Your topic is always a challenge. If you script your way and use a PowerShell script assigned in Intune, you have to deal with a clear-text password in the script and log files, or you come up with a better idea. I know there is no official MS LAPS solution, but there are some solutions out there to address this, and they have built something like LAPS for Intune:

    see a good collection here:
    https://www.vansurksum.com/2020/02/11/challenges-while-managing-administrative-privileges-on-your-azure-ad-joined-windows-10-devices/

    and there is also the solution https://www.realmjoin.com which provides an App Store for Intune and also a LAPS component...

    So, I guess you have to look now if one of the solutions works for you :-).

    best,
    Oliver (@okieselb, oliverkieselbach.com)

