Configure Local Admins on Intune Hybrid joined devices, per device



I'm looking for a way to manage local administrators on the Windows endpoint devices. These devices are currently in a hybrid joined configuration.

We have a handful of users that use VPN and a majority that don't; they consume online services.

The original plan was to use AD groups, one per machine, and then, where required, assign the user to the group for the target machine. In reality this only works reliably for users who are on site, as the VPN causes issues with the user membership not being updated. The VPN is not running until after login, and obviously users who do not use the VPN will never be able to have the group added.

I have been looking to see if I can use groups in AAD, but I'm not seeing any clear examples except for managing groups of machines.

I have found that it can be done via policy, but I have my doubts about how good it may be to have hundreds of policies for this purpose.

Has anyone else had experience solving this or something similar, and can make suggestions?


3 Replies

Hi @clubbing80s 


Did you already look at an Always On VPN based on device authentication?

Another option is to set up an Autopilot profile and make the user local admin during enrollment.

And you can also create a PowerShell script that makes your user a local admin.


Kind regards,




Thanks for that.
- Always On VPN is on the roadmap, distant horizon, years away.
- Going to be using Autopilot, scheduled for later this year.
- With regard to using PowerShell, I tried to add my user to my machine's local admins and the lookup for my Azure UPN fails. I have tried a number of different ways to do the lookup but all fail; I suspect this is because of the hybrid domain join.

Hi @clubbing80s ,


I am not a PowerShell expert, but did you already try this method to get the logged-in users? This script will create a firewall rule for Teams for every logged-in user.


Source:


If the below code is working, you can change the script and replace the firewall rule with the local admin change.

# Enumerate user profile folders, skipping the Public and built-in Administrator profiles
$users = Get-ChildItem (Join-Path -Path $env:SystemDrive -ChildPath 'Users') -Exclude 'Public', 'ADMINI~*'
if ($null -ne $users) {
    foreach ($user in $users) {
        # Per-user Teams install lives under the profile's AppData\Local
        $progPath = Join-Path -Path $user.FullName -ChildPath "AppData\Local\Microsoft\Teams\Current\Teams.exe"
        if (Test-Path $progPath) {
            # Only create rules if none already reference this executable
            if (-not (Get-NetFirewallApplicationFilter -Program $progPath -ErrorAction SilentlyContinue)) {
                $ruleName = "Teams.exe for user $($user.Name)"
                "UDP", "TCP" | ForEach-Object { New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Profile Domain -Program $progPath -Action Allow -Protocol $_ }
                Clear-Variable ruleName
            }
        }
        Clear-Variable progPath
    }
}

Another option is to implement autopilot earlier. This is the easiest method in my opinion.


Kind regards,
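One way to turn the per-user idea above into a single Intune script instead of hundreds of per-device policies, as an added example that is not from this thread or from Microsoft: the script keeps a constructed computer-name-to-UPN map, resolves each UPN through the account forms a hybrid joined device may know (plain UPN, `AzureAD\UPN`, `domain\samAccountName`), and only adds members whose SID is not already in the local Administrators group. Which of those forms actually resolves depends on the device's join state and whether the user has signed in before; the computer names and UPNs are placeholders.

```powershell
# Added example (not from the thread). Runs in the SYSTEM context as an Intune
# PowerShell script. Map of computer name -> UPNs that should be local admins;
# values below are constructed placeholders.
$AdminMap = @{
    'LAPTOP-0001' = @('alice@contoso.example')
    'LAPTOP-0002' = @('bob@contoso.example', 'carol@contoso.example')
}

function Resolve-LocalMember {
    # Try the account name forms a hybrid joined device may be able to look up.
    # Returns the first form that translates to a SID, or $null if none does.
    param([Parameter(Mandatory)][string]$Upn)
    $candidates = @($Upn, "AzureAD\$Upn")
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $candidates += "$($cs.Domain)\$($Upn.Split('@')[0])"
    }
    foreach ($name in $candidates) {
        try {
            $acct = [System.Security.Principal.NTAccount]$name
            $sid = $acct.Translate([System.Security.Principal.SecurityIdentifier])
            return [pscustomobject]@{ Name = $name; Sid = $sid.Value }
        } catch {
            # Lookup failed for this form; fall through to the next candidate
        }
    }
    return $null
}

function Add-DeviceLocalAdmins {
    param([hashtable]$Map, [string]$Computer = $env:COMPUTERNAME)
    if (-not $Map.ContainsKey($Computer)) {
        Write-Output "No local admin entries defined for $Computer"
        return
    }
    # Compare by SID so renamed or differently-formatted accounts are not added twice
    $currentSids = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value }
    foreach ($upn in $Map[$Computer]) {
        $member = Resolve-LocalMember -Upn $upn
        if (-not $member) { Write-Warning "Could not resolve $upn on $Computer"; continue }
        if ($currentSids -contains $member.Sid) { Write-Output "$upn is already a local admin"; continue }
        Add-LocalGroupMember -Group 'Administrators' -Member $member.Name
        Write-Output "Added $($member.Name) to Administrators"
    }
}

Add-DeviceLocalAdmins -Map $AdminMap
```

A `Could not resolve` warning in the Intune script output is the same lookup failure described earlier in the thread, so it is worth capturing which candidate form succeeded on a test device before rolling the map out.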