Local admin account creation error


Hi all,

I have set a policy to create a local admin which is erroring out on Intune:

Screenshot 2023-05-25 at 15.41.17.png

However the account logs in and is part of the admin group.

Any ideas why it is erroring out?

17 Replies
Known bug related to the CSP. GET function not supported so the compliance is never reported as success. But the local admin account will apply.

Thank you! I have a script to enable built-in password which works on device as admin, but via Intune it doesn't. Is there something easy why? @rahuljindal-MVP

$Username = "Administrator"
$Password = "my password" # Set your desired password

# Enable the built-in Administrator account
Enable-LocalUser -Name $Username

# Set the password for the Administrator account
$SecurePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force
Set-LocalUser -Name $Username -Password $SecurePassword

# Verify the Administrator account
Get-LocalUser $Username

Better to create a custom admin account instead of using the built-in. Here is something you can look at: https://rahuljindalmyit.blogspot.com/2021/05/intune-different-ways-of-setting-local.html
I want to use LAPS but this doesn't seem to work though and I am unsure why.
As in I can't get the LAPS to appear in Intune.

I have set the policy with the correct user name

@rahuljindal-MVP

How do I find the official release on the known bug? Where did you see this as I need this information for a project I'm working on.

Thanks!

Mark

Might I see what you have entered in the properties of that Configuration Profile, please?

@Mathg76

LocalUserGroup [./Device/Vendor/MSFT/Accounts/Users/localadmin/LocalUserGroup]

and

Password [./Device/Vendor/MSFT/Accounts/Users/localadmin/Password]

Same old standard as everyone uses. Same result. This works, but the report shows it failed in Intune.

@mbuonassissi-toyota

Here are the settings that I use:

Mathg76_0-1691608694022.png

@Mathg76

Yep. We're not implementing LAPS at this time. We're directed to stay with the local managed password. I noticed the title of this thread was "Local admin account creation error" and @AB21805 stated perfectly what the result is, namely, that the process works but Intune reports an error.

At that point @rahuljindal-MVP commented that it was a "Known bug related to the CSP. GET function not supported so the compliance is never reported as success. But the local admin account will apply."

So, my question was, where did he see documentation of this "Known Bug" from Microsoft. I'd like to provide this to our Stakeholders so they can be confident that this is in fact a known bug.

If those stakeholders can read the documentation :) ... I am explaining "the why" on my own blog about this error
https://call4cloud.nl/2021/12/i-kill-remediation-errors/

So looking at the Users/UserName/Password. It is telling us that the supported operation is Add and the GET operation is not supported. Also to add... in my opinion it's not a bug, it's just how it was designed... Otherwise we could use the CSP to fetch passwords?

And the link to the official MS doc mentioning it

https://learn.microsoft.com/en-us/windows/client-management/mdm/accounts-csp

Awesome. Thank you guys so much for this!
I was looking for this! Thanks
So I wonder what use is this? We wish to use that CSP and configuration profile to create a new local admin and set the password and this works but now our devices always show as having a config error. I guess it is the only secure method of doing this so I'll have to live with it :(
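
Since the Accounts CSP nodes discussed in this thread support Add but not Get, Intune cannot read the result back, so the outcome has to be confirmed on the device itself. The script below is an added example, not code from any poster or from Microsoft; the account name `localadmin` is assumed from the OMA-URI quoted in the thread, and `Test-LocalAdminApplied` is a hypothetical helper name.

```powershell
# Added example: local verification that the account created by the Accounts CSP
# exists, is enabled, and is a member of the built-in Administrators group.
# Assumption: 'localadmin' is the name used in the OMA-URI quoted in the thread.
param([string]$UserName = 'localadmin')

function Test-LocalAdminApplied {
    param([Parameter(Mandatory)][string]$Name)

    $result = [ordered]@{ Name = $Name; Exists = $false; Enabled = $false; InAdministrators = $false }

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) { return [pscustomobject]$result }
    $result.Exists  = $true
    $result.Enabled = [bool]$user.Enabled

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # check does not depend on the localized group name.
    $adminSid = 'S-1-5-32-544'
    try {
        $members = Get-LocalGroupMember -SID $adminSid -ErrorAction Stop
        $result.InAdministrators = [bool]($members | Where-Object { $_.SID.Value -eq $user.SID.Value })
    }
    catch {
        # Get-LocalGroupMember can fail when the group contains SIDs it cannot
        # resolve; fall back to enumerating members through ADSI and comparing SIDs.
        $groupName = (Get-LocalGroup -SID $adminSid).Name
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
        foreach ($m in $group.Invoke('Members')) {
            $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            $sid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$sidBytes, 0)
            if ($sid.Value -eq $user.SID.Value) { $result.InAdministrators = $true; break }
        }
    }
    [pscustomobject]$result
}

$state = Test-LocalAdminApplied -Name $UserName
$state   # emit the three findings for the log

# Exit 0 only when the account exists, is enabled and is in Administrators.
if ($state.Exists -and $state.Enabled -and $state.InAdministrators) { exit 0 } else { exit 1 }
```

The script only reads account and group state; it never reads or sets the password.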