SOLVED

creating a local account when using ONLY intune no AD link

%3CLINGO-SUB%20id%3D%22lingo-sub-2093752%22%20slang%3D%22en-US%22%3Ecreating%20a%20local%20account%20when%20using%20ONLY%20intune%20no%20AD%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2093752%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWas%20wondering%20if%20you%20can%20help%20I%20want%20to%20create%20a%20policy%20or%20rule%20to%20create%20a%20local%20admin%20account%20on%20devices%20when%20enrolled%20to%20intune.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20cant%20seem%20to%20find%20anything%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%202021-01-25%20at%2012.34.24%20PM.png%22%20style%3D%22width%3A%20717px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F249104i38B29672624D0A99%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Screenshot%202021-01-25%20at%2012.34.24%20PM.png%22%20alt%3D%22Screenshot%202021-01-25%20at%2012.34.24%20PM.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20something%20that%20is%20possible%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2093752%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Friday%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EConditional%20access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EGraph%20API%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Application%20Management%20(MAM)%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESoftware%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2109459%22%20slang%3D%22en-US%22%3ERe%3A%20creating%20a%20local%20account%20when%20using%20ONLY%20intune%20no%20AD%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2109459%22%20slang%3D%22en-US%22%3EYou%20can%20achieve%20this%20using%20the%20Accounts%20CSP%20and%20a%20custom%20OMA-URI%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Faccounts-csp%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Faccounts-csp%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EMichael%20Niehaus%20has%20a%20good%20blog%20about%20it%20and%20why%20you%20may%20not%20want%20to%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Foofhours.com%2F2020%2F05%2F07%2Fyou-can-use-intune-to-create-a-local-admin-account-but-that-doesnt-mean-its-a-good-idea%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Foofhours.com%2F2020%2F05%2F07%2Fyou-can-use-intune-to-create-a-local-admin-account-but-that-doesnt-mean-its-a-good-idea%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EOr%20try%20something%20like%20Serverless%20LAPS%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fwww.srdn.io%2F2018%2F09%2Fserverless-laps-powered-by-microsoft-intune-azure-functions-and-azure-key-vault%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.srdn.io%2F2018%2F09%2Fserverless-laps-powered-by-microsoft-intune-azure-functions-and-azure-key-vault%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2110101%22%20slang%3D%22en-US%22%3ERe%3A%20creating%20a%20local%20account%20when%20using%20ONLY%20intune%20no%20AD%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2110101%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F575283%22%20target%3D%22_blank%22%3E%40AB21805%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Euse%20any%20of%20the%20community%20LAPS%20solutions%20out%20there%20as%20mentioned%20for%20Admin%20Password%20Management%20or%20if%20you%20are%20fine%20with%20additional%20AAD%20groups%20in%20the%20local%20Administrators%20group%20for%20example%2C%20you%20should%20have%20a%20look%20at%20the%20new%2020H1%20Policy%20CSP%20%22LocalUsersAndGroups%22.%20This%20CSP%20will%20not%20create%20a%20user%20for%20you%20but%20as%20mentioned%20you%20can%20add%20AAD%20groups%20for%20example%20to%20local%20groups.%3C%2FP%3E%0A%3CP%3EHave%20a%20look%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Fpolicy-csp-localusersandgroups%23localusersandgroups-policies%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fclient-management%2Fmdm%2Fpolicy-csp-localusersandgroups%23localusersandgroups-policies%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ebest%2C%3C%2FP%3E%0A%3CP%3EOliver%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2110968%22%20slang%3D%22en-US%22%3ERe%3A%20creating%20a%20local%20account%20when%20using%20ONLY%20intune%20no%20AD%20link%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2110968%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F174439%22%20target%3D%22_blank%22%3E%40Oliver%20Kieselbach%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20want%20a%20local%20admin%20account%20to%20basically%20bypass%20any%20restrictions%20i%20have%20set%20for%20the%20device%20etc%20so%20an%20example%20would%20be%20if%20I%20set%20the%20device%20to%20not%20show%20display%20settings%20but%20the%20local%20admin%20cans%20still%20bypass%20this%3F%20Also%20I%20really%20dont%20understand%20the%20XML%20stuff!%20is%20there%20no%20way%20of%20doing%20it%20in%20End%20point%20manager%20%2F%20intune%3F%20(I%20am%20so%20new%20to%20this!)%3C%2FP%3E%3C%2FLINGO-BODY%3E
Regular Contributor

Hi all!

 

Was wondering if you can help I want to create a policy or rule to create a local admin account on devices when enrolled to intune.

 

I cant seem to find anything:

Screenshot 2021-01-25 at 12.34.24 PM.png

 

Is this something that is possible? 

 

 

7 Replies
best response confirmed by AB21805 (Regular Contributor)
Solution

Hi @AB21805,

 

use any of the community LAPS solutions out there as mentioned for Admin Password Management or if you are fine with additional AAD groups in the local Administrators group for example, you should have a look at the new 20H1 Policy CSP "LocalUsersAndGroups". This CSP will not create a user for you but as mentioned you can add AAD groups for example to local groups.

Have a look here: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups#localu...

 

best,

Oliver

Hi @Oliver Kieselbach 

 

So I want a local admin account to basically bypass any restrictions i have set for the device etc so an example would be if I set the device to not show display settings but the local admin cans still bypass this? Also I really dont understand the XML stuff! is there no way of doing it in End point manager / intune? (I am so new to this!)

If you create a local admin it will not be effected by the user policies as he is not a AAD user in fact. But device restrictions are applied at device level, would still be active. I guess for your case the easiest way would be a LAPS community solution.
Here is a blog article listing several of the LAPS community solutions: https://www.vansurksum.com/2020/02/11/challenges-while-managing-administrative-privileges-on-your-az...

@AB21805 

Have you looked into the option of using Azure AD > Devices > Device Settings > additional local administrators

Hi @Pa_D,

 

I havent? How does this work?