Intune Autopilot Device with Assign Local Administrator Right After Deployment.

Toh 81 Reputation points
2021-01-07T03:51:24.21+00:00

Hi All,

I have assigned Autopilot to my Windows 10 devices with user account type "Standard", at Home > Devices > Enroll devices > Windows Autopilot deployment profiles > Autopilot Policy.

Right now, some of the devices, which belong to VIP users, have submitted requests to allow the login to have "Local Admin Right" instead of "Standard" user. Because those devices have already been deployed with Autopilot with the Standard user account type and are already in use, is there any policy in Intune that can allow me to assign them "Local Admin Right"? And can I turn off the "Local Admin Right" later as well?

Microsoft Security | Intune | Other

Answer accepted by question author
  1. Lu Dai-MSFT 28,516 Reputation points
    2021-01-07T08:51:10.29+00:00

    @Toh Thanks for posting in our Q&A.

    For this requirement, based on my test, we can run the following command to add local admin right to the AzureAD user.

    net localgroup administrators /add "AzureAD\UserUpn"  
    

    If we want to turn off "Local admin Right", we can run the following command to delete.

    net localgroup administrators /delete "AzureAD\UserUpn"  
    

    However, there is no such setting in Intune. If you are interested in this, we can give feedback in Intune UserVoice at the following link. This is a place to collect customers' requirements and problems.
    https://microsoftintune.uservoice.com/forums/291681-ideas

    Thanks for understanding.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
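
The grant and revoke commands from the accepted answer, wrapped so that each change is checked and recorded together with the resulting Administrators membership. This is an added example, not part of the original answers; the function names and the sample UPN are hypothetical, and it assumes an elevated session and the English group name.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answers. Function names and the
# sample UPN below are hypothetical.

function Get-LocalAdminMember {
    # Enumerate the local Administrators group through the WinNT ADSI provider.
    # Assumes the English group name; localized builds name the group differently.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # 'WinNT://AzureAD/alice' becomes 'AzureAD\alice'; local accounts keep
        # their workgroup and computer prefix.
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Set-AadLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$UserUpn,
        [Parameter(Mandatory)][ValidateSet('Grant', 'Revoke')][string]$Action
    )
    $flag = if ($Action -eq 'Grant') { '/add' } else { '/delete' }
    # Same command as in the answer. A non-zero exit code from net.exe means
    # the change was not made.
    $output = & net.exe localgroup administrators $flag "AzureAD\$UserUpn" 2>&1
    $ok = ($LASTEXITCODE -eq 0)
    # Return one record per change so it can be logged or exported.
    [pscustomobject]@{
        Time      = (Get-Date).ToString('s')
        Computer  = $env:COMPUTERNAME
        Action    = $Action
        Account   = "AzureAD\$UserUpn"
        Succeeded = $ok
        NetOutput = ($output | Out-String).Trim()
        AdminsNow = @(Get-LocalAdminMember)
    }
}

# Constructed sample UPN; replace it with the real one before running.
# Set-AadLocalAdmin -UserUpn 'vip.user@contoso.example' -Action Grant
# Set-AadLocalAdmin -UserUpn 'vip.user@contoso.example' -Action Revoke
```

Comparing `AdminsNow` before and after a revoke confirms the account is gone from the group rather than relying on the command output alone.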

1 additional answer

  1. Jason Sandys 31,421 Reputation points Microsoft Employee Moderator
    2021-01-08T17:48:31.82+00:00

    In addition, see https://www.jeffgilb.com/managing-local-administrators-with-azure-ad-and-intune/ for many details and a complete description on managing local admins with Intune.

    Note, however, that a VIP with local admin access potentially poses a greater security risk than a non-VIP user, so I strongly suggest that this course of action be reconsidered. Just because someone thinks they're special doesn't mean they should have a greater potential to compromise the environment's security.

    1 person found this answer helpful.
