cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

creating a local account when using ONLY intune no AD link

AB21805
Steel Contributor

‎Jan 25 2021 04:38 AM

‎Jan 25 2021 04:38 AM

creating a local account when using ONLY intune no AD link

Hi all!

 

Was wondering if you can help I want to create a policy or rule to create a local admin account on devices when enrolled to intune.

 

I cant seem to find anything:

Screenshot 2021-01-25 at 12.34.24 PM.png

 

Is this something that is possible? 

 

 

13.2K Views
0 Likes
7 Replies
Reply
7 Replies
best response confirmed by AB21805 (Steel Contributor)
Oliver Kieselbach

‎Feb 01 2021 09:06 AM

‎Feb 01 2021 09:06 AM

Solution

Re: creating a local account when using ONLY intune no AD link

Hi @AB21805,

 

use any of the community LAPS solutions out there as mentioned for Admin Password Management or if you are fine with additional AAD groups in the local Administrators group for example, you should have a look at the new 20H1 Policy CSP "LocalUsersAndGroups". This CSP will not create a user for you but as mentioned you can add AAD groups for example to local groups.

Have a look here: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups#localu...

 

best,

Oliver

1 Like
Reply
AB21805

‎Feb 02 2021 02:46 AM

‎Feb 02 2021 02:46 AM

Re: creating a local account when using ONLY intune no AD link

Hi @Oliver Kieselbach 

 

So I want a local admin account to basically bypass any restrictions i have set for the device etc so an example would be if I set the device to not show display settings but the local admin cans still bypass this? Also I really dont understand the XML stuff! is there no way of doing it in End point manager / intune? (I am so new to this!)

0 Likes
Reply
Oliver Kieselbach

‎Feb 02 2021 04:09 AM

‎Feb 02 2021 04:09 AM

Re: creating a local account when using ONLY intune no AD link

If you create a local admin it will not be effected by the user policies as he is not a AAD user in fact. But device restrictions are applied at device level, would still be active. I guess for your case the easiest way would be a LAPS community solution.
Here is a blog article listing several of the LAPS community solutions: https://www.vansurksum.com/2020/02/11/challenges-while-managing-administrative-privileges-on-your-az...
1 Like
Reply
Pa_D

‎Feb 02 2021 12:00 PM

‎Feb 02 2021 12:00 PM

Re: creating a local account when using ONLY intune no AD link

@AB21805 

Have you looked into the option of using Azure AD > Devices > Device Settings > additional local administrators

0 Likes
Reply
AB21805

‎Feb 04 2021 02:11 AM

‎Feb 04 2021 02:11 AM

Re: creating a local account when using ONLY intune no AD link

Hi @Pa_D,

 

I havent? How does this work? 

0 Likes
Reply