Random Intune issue, activate local admin not applying to all machines

Ed ant 0 Reputation points
2024-09-24T17:19:19.0266667+00:00

Hello,

Over the past couple of weeks we have been having a weird issue where not all new Autopilot/Intune machines are getting the local administrator account enabled. We have built maybe 20 machines in the last 3 weeks, and on 5 or 6 of them we had to log in with a domain admin to activate the local admin account manually, even though the policy in Intune showed that it ran successfully on the machine. We have rebuilt the Local Admin policy, but it is still happening. Any ideas on why this may be happening?

Thank you,


2 answers

  1. Xenia-MSFT 2,345 Reputation points Microsoft Vendor
    2024-09-25T06:04:18.2066667+00:00

    @Ed ant Thanks for posting in our Q&A.

    To clarify this issue, we appreciate your help to collect some information:

    1. Please show us the policy you configured in Intune.

    2. Is this policy deployed to a device group or a user group?

    If there is any update, we will continue to discuss.




  2. Xenia-MSFT 2,345 Reputation points Microsoft Vendor
    2024-09-26T02:46:41.1533333+00:00

    @Ed ant Thanks for your update.

    Yes. We can check to see if Intune has enabled the built-in administrator account on the Windows devices using the following methods:

    1. Windows Event Viewer

    Event IDs 813 and 814 indicate whether Intune has successfully applied the built-in administrator account policy setting. They are found under Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin.

    2. Windows Registry

    In Registry Editor, navigate to the path below:

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\AdministratorGUID\default\Device\LocalPoliciesSecurityOptions

    We'll see the Accounts_EnableAdministratorAccountStatus registry key with the value "1". This confirms that we can use the Windows registry to check whether the administrator account was enabled as per the Intune policy.

    Hope it will help.


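The checks in the answer above, collected into one PowerShell script, as an added example that is not part of the original thread. It reads the MDM diagnostic log for events 813/814, enumerates every provider GUID under PolicyManager\providers instead of hard-coding one, and compares both against the actual state of the built-in Administrator account. Two details are assumptions of this example rather than statements from the answer: the event message text is filtered on the policy name (the 813/814 messages name the policy and CSP area), and the built-in account is matched by its RID-500 SID so a renamed account is still found. Run it in an elevated PowerShell session on an affected device.

```powershell
# Added example (not from the Q&A thread): gather the evidence a technician wants
# when Intune reports the policy as applied but the built-in Administrator account
# is still disabled on the device. Run elevated on the affected Autopilot machine.

function Test-IntuneLocalAdminPolicy {
    [CmdletBinding()]
    param(
        # Policy name and CSP area as they appear in the registry and MDM event text.
        [string]$PolicyName = 'Accounts_EnableAdministratorAccountStatus',
        [string]$Area       = 'LocalPoliciesSecurityOptions'
    )

    # 1. MDM diagnostic events 813 (integer policy set) / 814 (string policy set)
    #    from the log named in the answer. Assumption: the event message contains
    #    the policy name, so we filter on it to ignore unrelated policies.
    $eventFilter = @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostic-Provider/Admin'
        Id      = 813, 814
    }
    $events = @(Get-WinEvent -FilterHashtable $eventFilter -ErrorAction SilentlyContinue |
                Where-Object { $_.Message -match [regex]::Escape($PolicyName) } |
                Select-Object TimeCreated, Id, Message)

    # 2. Registry: the provider GUID differs per enrollment, so walk every provider
    #    under PolicyManager\providers rather than guessing the GUID.
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'
    $regHits = foreach ($provider in Get-ChildItem $providersKey -ErrorAction SilentlyContinue) {
        $keyPath = Join-Path $provider.PSPath "default\Device\$Area"
        if (Test-Path $keyPath) {
            $item = Get-ItemProperty -Path $keyPath -Name $PolicyName -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                [pscustomobject]@{ Provider = $provider.PSChildName; Value = $item.$PolicyName }
            }
        }
    }

    # 3. Ground truth: the built-in Administrator always has RID 500, whatever it is
    #    named (assumption of this example: match on SID, not on 'Administrator').
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $adminEnabled = [bool]$builtinAdmin.Enabled
    $policySaysEnabled = @($regHits | Where-Object { $_.Value -eq 1 }).Count -gt 0

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PolicyEventCount = $events.Count
        LastPolicyEvent  = ($events | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
        RegistryValues   = @($regHits | ForEach-Object { "$($_.Provider)=$($_.Value)" })
        AdminAccountName = $builtinAdmin.Name
        AdminEnabled     = $adminEnabled
        # Registry says 1 but the account is still disabled: the mismatch from the question.
        Mismatch         = $policySaysEnabled -and -not $adminEnabled
    }
}

Test-IntuneLocalAdminPolicy | Format-List
```

If Mismatch is True on a device, the policy was written by the MDM client but the account state did not follow it, which is what the question describes; a RegistryValues entry with no matching 813/814 event, or no registry entry at all, points instead at the policy never reaching the device. The manual fix the questioner applied corresponds to `Enable-LocalUser -SID $builtinAdmin.SID`, which you can run from the same session once you have captured the output for the support case.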

