Best practice for Win10 local admin user when computer offline

hkusulja
MVP

I have a question about your best practices for organizations.

 

Scenario:

You have only Azure AD joined Windows 10 computers, with Intune MDM management. Only one user is using the Windows 10 PC device, and has local admin rights. Additional Azure AD users are deployed as local administrators to the device. There is also BitLocker encryption and Secure Boot implemented.

 

Challenge:

What if the user forgets the password (or the user is no longer active in the organization), and the device goes offline (for example, a network card driver issue)? How can other users / Azure AD users log in to the device to fix the issue on local Windows?

 

A possible solution would be to always deploy an additional local Windows account with admin rights, but this always has sign-in disabled (since Intune enforces this).

 

What do you recommend?

2 Replies

@hkusulja When a device gets transferred from one user to another I recommend you do a wipe/reset of the device. That way the new user will become the primary user of the device.

 

For the password issue, add a password reset option to the logon screen by adding the following custom policy:

Name: Windows 10 Password Reset

Description: Add Password Reset to Windows 10 Logon

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset

Data Type: Integer

Value: 1

 

In my opinion a local account isn't needed. I have used Intune for a lot of years now and never had to cope with an issue where users couldn't log on to their devices.
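The custom policy in the reply above, expressed as a Microsoft Graph request body plus a device-side check, as an added example that is not code from the thread or from Microsoft. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All scope, and that the registry key under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device is where the Policy CSP records the applied device-scope value (confirm this on a device that has the profile applied). Note the caveat a practitioner would want: the password reset link this policy enables talks to Azure AD, so it only helps when the device has network connectivity.

```powershell
# Added example: build, create and verify the "AllowAadPasswordReset" custom
# OMA-URI profile from the reply. Not from the original thread.
# Assumptions: Microsoft.Graph.Authentication module; Intune admin rights;
# registry path below is an assumption about where the Policy CSP stores values.

function New-AadPasswordResetProfileBody {
    param(
        [string]$Name        = 'Windows 10 Password Reset',
        [string]$Description = 'Add Password Reset to Windows 10 Logon',
        [int]$Value          = 1
    )
    # Same OMA-URI, data type (Integer) and value (1) as the reply.
    @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $Name
        description   = $Description
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = $Name
                description   = $Description
                omaUri        = './Device/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset'
                value         = $Value
            }
        )
    }
}

function New-AadPasswordResetProfile {
    # Creates the device configuration profile in the tenant.
    # Assigning it to a group (deviceConfigurations/{id}/assign) is a separate
    # step and is not shown here.
    $body = New-AadPasswordResetProfileBody | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -ContentType 'application/json' `
        -Body $body
}

function Test-AadPasswordResetPolicy {
    # Runs on the managed device after an MDM sync. Returns $true only when the
    # applied value is 1. Assumed location of applied Policy CSP values.
    $key  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    $item = Get-ItemProperty -Path $key -Name 'AllowAadPasswordReset' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.AllowAadPasswordReset -eq 1)
}

# Usage, from an admin workstation:
#   Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
#   New-AadPasswordResetProfile
# Usage, on a managed device after it has synced:
#   Test-AadPasswordResetPolicy
```

The body is built as a hashtable and converted with `-Depth 5` so the nested `omaSettings` array is serialized in full; with the default depth PowerShell truncates nested objects silently and Graph rejects the request. The verification function reads the value the device actually applied rather than trusting the portal's "Succeeded" status.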

@RobdeRoos I do have this CSP policy enabled, but it has nothing to do with this question.

 

Example scenario:
 - an Intune user is using a Windows 10 device, everything works, the user is the only local user with local admin rights

 - the device is updated and the network card driver is broken

 - the user and user-admin cannot log in with their Intune accounts, since there is no network connectivity...
