Change Intune enrolled user from Standard user to Administrator (Windows 10)

Chned 46 Reputation points

So we have 2 different Windows Autopilot Deployment profiles. Only difference is that in 1 profile the User account type is Standard and the other is Administrator.

Once a user is enrolled with the User account type Standard on a Win10 device I would like to know what the best way is to change that user to local Administrator afterwards.

Thanks in advance.

Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,307 questions
0 comments No comments
{count} votes

5 answers

Sort by: Most helpful
  1. Lu Dai-MSFT 28,341 Reputation points

    @Chned Thanks for posting in our Q&A.

    For this requirement, I have done the test in my lab. Here are the details:

    -->When my user is enrolled with Standard account on a windows 10 device, I run the following command to elevate my AzureAD user to become a local administrator.

    net localgroup administrators /add "AzureAD\UserUpn"  


    -->Check in Computer Management > Local Users and Groups > Groups > Administrators and find that my AzureAD user is added into Administrator group.

    Hope it can help.

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

  2. Rahul Jindal [MVP] 9,131 Reputation points MVP

    More importantly why would you want to do that? You should give the least possible permissions to your users.

    0 comments No comments

  3. Chned 46 Reputation points

    Ofcourse, but sometimes it's inevitable and only allowed for just a handful of very experienced users.

    But apart from this discussion; does anyone know a proper way to achieve this?

    0 comments No comments

  4. Pale Bear 33 1 Reputation point

    @Lu Dai-MSFT How about the reverse: users were deployed as administrator from autopilot policy but now we want to make them standard users

  5. Jessie 1 Reputation point

    Is it possible to take this scenario and add the Following abilities:

    -Grant a standard user timed local administrator rights, meaning that the through a scheduled task the account after lets say 5 minutes would be removed from Administrators group

    • Publish this as a application in SCCM in order to leverage approval / made available in the company portal when users have been approved by management.
    0 comments No comments