Keith-365, we are thinking about the same situation.
Windows 10/11 out-of-the-box with AutoPilot: the local Administrator account is disabled by default.
Tested LAPS; it resets the password but does not enable the account.
Tried a policy in the Settings Catalog; this works to enable it (after the password is set, because of the required password complexity): Accounts > Enable Administrator Account Status = Enabled
I don't think this is the best practice, because the SID of the local Administrator account is the same on every system. From a security point of view, you don't want to enable that account.
So the other option is to create another account; we are trying to do this with Intune-only options.
You can create a custom policy and use the following OMA-URI:
- Click on Add button to add OMA-URI settings and provide below details:
- Name: Create Local User Account
- OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/LocalAdminAcc/Password
- Data type: String
- Value: P@ssw0rd!
Where LocalAdminAcc is the new user object and the value is the password (which will change after Windows LAPS is configured).
The following OMA-URI will make the user object member of the Administrator Group:
- Click on Add button again to add OMA-URI settings and provide below details:
- Name: Add user to Local administrator group
- OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/LocalAdminAcc/LocalUserGroup
- Data type: Integer
- Value: 2
The only problem is that the option "change password at next logon" is activated; I believe there's no OMA-URI to change that.
You can configure Windows LAPS to change the password for this account.
Does someone have a better idea?
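The steps above end without a way to confirm, on the device, that the custom account actually landed in the intended state and that Windows LAPS took it over. The following PowerShell is an added example written for this thread, not code from the post's author or from Microsoft. It assumes the account name LocalAdminAcc used in the OMA-URIs above, that it runs elevated, and that the LAPS policy was delivered through the LAPS CSP from Intune (which writes its settings under HKLM:\SOFTWARE\Microsoft\Policies\LAPS). It checks the five things that matter here: the account exists and is enabled, it is in the local Administrators group (looked up by well-known SID, so it also works on localized builds), the built-in RID 500 Administrator is still disabled, whether the "must change password at next logon" flag is still set, and whether the LAPS CSP policy names this account and backs the password up to Entra ID. It is shaped as an Intune remediation detection script (exit 0 compliant, exit 1 not).

```powershell
<#
  Added example (not from the original post): verify the Intune-created local admin
  and the Windows LAPS policy on the device.
  Assumptions: account name 'LocalAdminAcc' (the name used in the OMA-URIs above),
  script runs elevated, LAPS policy comes from the LAPS CSP (Intune), which stores
  its values under HKLM:\SOFTWARE\Microsoft\Policies\LAPS.
  Exit codes follow Intune remediation conventions: 0 = compliant, 1 = not compliant.
#>
param(
    [string]$AccountName = 'LocalAdminAcc'   # assumption: the name chosen in the OMA-URI
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. The custom account exists and is enabled
$acct = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $acct)             { $findings.Add("account '$AccountName' does not exist") }
elseif (-not $acct.Enabled) { $findings.Add("account '$AccountName' is disabled") }

# 2. It is a member of the local Administrators group.
#    Resolve the group by its well-known SID S-1-5-32-544 rather than by the
#    name "Administrators", so the check is independent of the Windows display language.
$adminsGroup = Get-LocalGroup -SID ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544')
$isAdmin = Get-LocalGroupMember -Group $adminsGroup -ErrorAction SilentlyContinue |
           Where-Object { $acct -and $_.SID -eq $acct.SID }
if ($acct -and -not $isAdmin) {
    $findings.Add("account '$AccountName' is not a member of '$($adminsGroup.Name)'")
}

# 3. The built-in Administrator (RID 500) must stay disabled. Match on the RID
#    rather than the name, because the account may have been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    $findings.Add("built-in Administrator ('$($builtin.Name)') is enabled")
}

# 4. "User must change password at next logon". Get-LocalUser does not expose this
#    flag; the WinNT ADSI provider does, as PasswordExpired = 1.
if ($acct) {
    $adsi = [ADSI]"WinNT://./$AccountName,user"
    if ([int]$adsi.PasswordExpired.Value -eq 1) {
        $findings.Add("account '$AccountName' still has 'must change password at next logon' set")
    }
}

# 5. Windows LAPS policy from the CSP names this account and backs the password
#    up to Entra ID (BackupDirectory: 0 = disabled, 1 = Entra ID, 2 = AD DS).
$lapsKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$laps = Get-ItemProperty -Path $lapsKey -ErrorAction SilentlyContinue
if (-not $laps) {
    $findings.Add("no Windows LAPS CSP policy found under $lapsKey")
}
else {
    if ($laps.AdministratorAccountName -ne $AccountName) {
        $findings.Add("LAPS manages '$($laps.AdministratorAccountName)' instead of '$AccountName'")
    }
    if ($laps.BackupDirectory -ne 1) {
        $findings.Add("LAPS BackupDirectory is '$($laps.BackupDirectory)', expected 1 (Entra ID)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "Compliant: '$AccountName' is the enabled, LAPS-managed local administrator"
    exit 0
}
$findings | ForEach-Object { Write-Output "Not compliant: $_" }
exit 1
```

If check 4 fails on your devices, the same WinNT ADSI object can clear the flag from a remediation script (`$adsi.PasswordExpired = 0; $adsi.SetInfo()`); that is a device-side script, not an OMA-URI, so it sits alongside the custom policy rather than replacing it. The registry path in check 5 applies to the LAPS CSP; a policy delivered by group policy is stored elsewhere, so adjust $lapsKey if you mix both.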