OlinHendriks, @Keith-365
MZONDERLAND
Here is what I did to ensure that I had a custom local admin account with a rotating password.
Instead of using the OMA-URI settings to create a local user, I used the Proactive Remediations option under Reports > Endpoint Analytics > Proactive Remediations.
As has been discussed, the default Administrator is disabled by default with our Azure joined machines, so I used this https://github.com/overlord64/Intune-Scripts/tree/main/Proactive%20Remediation/LAPS
You can enter whatever new admin username you wish and if the admin account doesn't exist for the specified groups in question, it will check and then create them with a randomized password. (This is great because we don't want it to use the same password over and over again as that would be a security hole.)
You can then create a LAPS policy under Endpoint Security > Account Protection featuring this new custom admin account and the password can be autorotated to your desired specifications.
Hope this helps others out there!
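The detect-then-create pattern described in the post above, as an added sketch that is not part of the original post and is not the code from the linked repository. The account name `corpadmin` and the description string are placeholder assumptions; in Proactive Remediations the detection and remediation parts are uploaded as two separate scripts.

```powershell
# Added example; not the script from the linked repository.
# Assumption: 'corpadmin' is a placeholder account name.
$AccountName   = 'corpadmin'
$AdminGroupSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function New-RandomPassword {
    param([int]$Length = 24)
    # 64 symbols, so a random byte maps onto the set without modulo bias
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
            # Retry until upper, lower and digit are all present (complexity policy)
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    } finally { $rng.Dispose() }
    # The plaintext is never written to output or logs; LAPS rotates it afterwards
    ConvertTo-SecureString -String $pw -AsPlainText -Force
}

function Test-LocalAdminPresent {
    # Detection: true only when the account exists and is enabled
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    return [bool]($user -and $user.Enabled)
}

function Repair-LocalAdmin {
    # Remediation: create or re-enable the account, then ensure group membership
    if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $AccountName -Password (New-RandomPassword) `
            -Description 'Managed by LAPS' | Out-Null
    }
    Enable-LocalUser -Name $AccountName
    try {
        Add-LocalGroupMember -SID $AdminGroupSid -Member $AccountName -ErrorAction Stop
    } catch {
        # Already being a member is fine; anything else is a real failure
        if ($_.Exception.GetType().Name -ne 'MemberExistsException') { throw }
    }
}

# Detection script body: exit 1 tells Intune to run the remediation script,
# which would contain the functions above followed by a call to Repair-LocalAdmin.
if (Test-LocalAdminPresent) { exit 0 } else { exit 1 }
```

Detection here checks only that the account exists and is enabled, not its group membership; the LAPS policy then has to name the same account so the randomly generated initial password is replaced by a managed one.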