Forum Discussion

clubbing80s
Copper Contributor
May 04, 2022

Configure Local Admins on Intune Hybrid joined devices, per device

Hi, 

I'm looking for a way to manage local administrators on the Windows Endpoint devices. These devices are currently in a hybrid joined configuration. 

We have a handful of users who use VPN and a majority who don't; they consume online services. 

The original plan was to use AD groups, one per machine, and then where required assign the user to the group for the target machine. In reality this only works reliably for users who are on site, as the VPN causes issues with the user membership not being updated. The VPN is not running until after login, and obviously users who do not use the VPN will never be able to have the group added. 

I have been looking to see if I can use groups in AAD, but I'm not seeing any clear examples except for managing groups of machines. 

I have found that it can be done via policy, but I have my doubts about how good it may be to have hundreds of policies for this purpose. 

Has anyone else had experience solving this or something similar, and can make suggestions? 

Thanks

3 Replies

  • Mr_Helaas
    Steel Contributor

    Hi clubbing80s 


    Did you already look at an Always On VPN based on device authentication? 

    Another option is to set up an Autopilot profile and make the user a local admin during enrollment. 

    And you can also create a PowerShell script that makes your user a local admin. 


    kind regards,


    rene 


    • clubbing80s
      Copper Contributor
      Mr_Helaas,
      Thanks for that.
      - Always On VPN is on the roadmap, distant horizon, years away.
      - Going to be using Autopilot, scheduled for later this year.
      - With regard to using PowerShell: I tried to add my user to my machine's local admins, and the lookup for my Azure UPN fails. I have tried a number of different ways to do the lookup, but all fail; I suspect this is because of the hybrid domain join.
      • Mr_Helaas
        Steel Contributor

        Hi clubbing80s,


        I am not a PowerShell expert, but did you already try this method to get the logged-in users? This script will create a firewall rule for Teams for every logged-in user. 


        Source : https://docs.microsoft.com/en-us/microsoftteams/client-firewall-script


        If the code below works, you can change the script and replace the firewall rule with the local admin change. 

        # Enumerate profile folders under C:\Users, skipping Public and the built-in Administrator profile
        $users = Get-ChildItem (Join-Path -Path $env:SystemDrive -ChildPath 'Users') -Exclude 'Public', 'ADMINI~*'
        if ($null -ne $users) {
            foreach ($user in $users) {
                # Per-user Teams install location
                $progPath = Join-Path -Path $user.FullName -ChildPath "AppData\Local\Microsoft\Teams\Current\Teams.exe"
                if (Test-Path $progPath) {
                    # Only create rules if none exist yet for this executable
                    if (-not (Get-NetFirewallApplicationFilter -Program $progPath -ErrorAction SilentlyContinue)) {
                        $ruleName = "Teams.exe for user $($user.Name)"
                        # One inbound allow rule per protocol, scoped to the Domain profile
                        "UDP", "TCP" | ForEach-Object { New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Profile Domain -Program $progPath -Action Allow -Protocol $_ }
                        Clear-Variable ruleName
                    }
                }
                Clear-Variable progPath
            }
        }


        Another option is to implement Autopilot earlier. This is the easiest method in my opinion.


        Kind regards,


        rene 
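As an added example (not code from the thread or from Microsoft's firewall script), here is one way to swap the firewall-rule body for local Administrators management while keeping the per-device idea from the original plan. It assumes the script runs as SYSTEM on the hybrid joined device (e.g. as an Intune PowerShell script); $DesiredAdmins, $LogPath and Write-Log are constructed names, and listing a SID instead of DOMAIN\name avoids the name lookup that fails while the VPN is down.

```powershell
# Placeholder list (constructed) of who should be a local admin on THIS machine.
# Entries are 'DOMAIN\name' (needs a reachable DC to resolve) or a raw SID string,
# which resolves without the VPN because no name lookup is required.
$DesiredAdmins = @(
    'CONTOSO\alice',
    'S-1-5-21-1111111111-2222222222-3333333333-1234'   # placeholder SID
)
$LogPath = Join-Path $env:ProgramData 'LocalAdminSync.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append
}

# Resolve each desired entry to a SID; log and skip anything unresolvable right now.
$desiredSids = @{}
foreach ($account in $DesiredAdmins) {
    try {
        if ($account -match '^S-1-') {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $account
        } else {
            $sid = (New-Object System.Security.Principal.NTAccount $account).Translate(
                       [System.Security.Principal.SecurityIdentifier])
        }
        $desiredSids[$sid.Value] = $account
    } catch {
        Write-Log "SKIP $account : cannot resolve ($($_.Exception.Message))"
    }
}

# Compare by SID, not display name, so renamed accounts are not re-added.
$current = @(Get-LocalGroupMember -Group 'Administrators')
$currentSids = $current | ForEach-Object { $_.SID.Value }
foreach ($entry in $desiredSids.GetEnumerator()) {
    if ($currentSids -contains $entry.Key) {
        Write-Log "OK   $($entry.Value) already a member"
    } else {
        # Add-LocalGroupMember accepts a SID string, so no second lookup is needed.
        Add-LocalGroupMember -Group 'Administrators' -Member $entry.Key
        Write-Log "ADD  $($entry.Value) ($($entry.Key))"
    }
}

# Report, but do not remove, members outside the list so drift is visible in the log.
foreach ($m in $current) {
    if (-not $desiredSids.ContainsKey($m.SID.Value)) {
        Write-Log "DRIFT $($m.Name) ($($m.SID.Value)) is an admin but not on the list"
    }
}
```

Because the member is stored in the local group by SID, the user keeps admin rights at cached logons without the domain group evaluation that the VPN timing breaks.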
