cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Configure Local Admins on Intune Hybrid joined devices, per device

clubbing80s
Copper Contributor

‎May 04 2022 01:33 PM

‎May 04 2022 01:33 PM

Configure Local Admins on Intune Hybrid joined devices, per device

Hi, 

I'm looking for a way to manage local administrators on the Windows Endpoint devices. These devices are currently in a hybrid joined configuration. 

We have a hand full of users that use VPN and a majority the don't, they consume online services. 

The original plan was to use AD groups one per machine and then where required assign user the user to the group for the target machine. In reality this only works reliable for users who are on site as the VPN causes issue with the user membership not being updated. The vpn is not running until after login. and obviously users who do not use the vpn will never be able to have the group added. 

I have been looking to see if I can use groups in AAD, but I'm not seeing any clear examples except for managing groups of machines. 

I have found that it can be done via policy, but I have my doubt about how good it may be to have hundreds of policies for this purpose. 

Has anyone else had experience solving this or similar, and can make suggestions ? 

Thanks

3,635 Views
0 Likes
3 Replies
Reply
3 Replies
Mr_Helaas

‎May 09 2022 01:53 AM

‎May 09 2022 01:53 AM

Re: Configure Local Admins on Intune Hybrid joined devices, per device

Hi @clubbing80s 

 

did you already look at an always on vpn based on device authentication? 

Another option is setup an autopilot profile and make the user local admin during enrollment. 

And you can also create a PowerShell script that makes your user a local admin 

 

kind regards,

 

rene 

 

0 Likes
Reply
clubbing80s

‎May 10 2022 04:54 PM

‎May 10 2022 04:54 PM

Re: Configure Local Admins on Intune Hybrid joined devices, per device

@Mr_Helaas,
Thanks for that.
- Always on VPN is on the roadmap, distant horizon, years away.
- Going to be using AutoPilot, scheduled for later this year.
- with regard to using PowerShell I tried to add my user to my machines Local admins and the lookup for my azure UPN fails on the lookup. I have tried an number of different ways to do the lookup but all fail, I suspect this is because of the Hybrid domain join.
0 Likes
Reply
Mr_Helaas

‎May 10 2022 10:11 PM

‎May 10 2022 10:11 PM

Re: Configure Local Admins on Intune Hybrid joined devices, per device

Hi @clubbing80s ,

 

I am not a PowerShell expert but did you already try this method to get the logged in users? This scripts will create for every logged in user a firewall rule for teams. 

 

Source : https://docs.microsoft.com/en-us/microsoftteams/client-firewall-script

 

If the below code is working you can change the script and replace the firewall rule to local admin. 

$users = Get-ChildItem (Join-Path -Path $env:SystemDrive -ChildPath 'Users') -Exclude 'Public', 'ADMINI~*'
if ($null -ne $users) {
    foreach ($user in $users) {
        $progPath = Join-Path -Path $user.FullName -ChildPath "AppData\Local\Microsoft\Teams\Current\Teams.exe"
        if (Test-Path $progPath) {
            if (-not (Get-NetFirewallApplicationFilter -Program $progPath -ErrorAction SilentlyContinue)) {
                $ruleName = "Teams.exe for user $($user.Name)"
                "UDP", "TCP" | ForEach-Object { New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Profile Domain -Program $progPath -Action Allow -Protocol $_ }
                Clear-Variable ruleName
            }
        }
        Clear-Variable progPath
    }
}


Another option is to implement autopilot earlier. This is the easiest method in my opinion.

   

Kind regards,

 

rene 

0 Likes
Reply