Create A Local Admin Account Using Intune

2024-11-25

You can easily create and manage local admin accounts on your Windows devices through Intune admin center. This blog post provides the steps for creating a local administrator account. If you need to add an existing Azure AD/Entra ID user account to the local admin group, please refer to Add a User to Local admin group using Intune.

You can also create a local admin account on a Mac using Intune. If you are using Windows 365, you can use the User Settings option to add a user to the local admin group on their respective Cloud PC. Refer to the guide: Elevate User to Local Admin on Windows 365 Cloud PC.

As an example, we are going to create a local admin account called cloudinfraadmin. However, you can create a local admin user account by providing any name you like.

Local admin account cloudinfraadmin created using Intune

Ways to Create a Local Admin Account using Intune

There are two ways to create a local admin account using the Intune admin center on Windows 10/11 devices. These methods are outlined below:

  1. OMA-URI Setting: You can create a local admin account using an OMA-URI setting. Accounts CSP policies offer the necessary settings for creating a local admin account.
  2. PowerShell Script: Alternatively, you can also use a PowerShell script to create a local admin account. This method offers greater flexibility and customization than the OMA-URI approach. For example, you can create a local admin account without a password. Refer to this post for more details: Create a Local Admin Using Intune and PowerShell.

Accounts CSP for Managing Local Administrator Account

Microsoft has provided comprehensive documentation on Accounts CSP. You can rename a device through the Accounts CSP, create a new local Windows account, and associate it with a local user group, such as the Local Administrators group. For more details about Accounts CSP, refer to the Microsoft Docs Accounts CSP Page.

Please note that Accounts CSP policies only apply to devices running the Pro, Education, and Enterprise editions of Windows 10 and Windows 11.

Create a Local Admin Account using Intune

  • Sign in to the Intune admin center > Devices > Configuration > Create > New Policy.
    • Select Platform as Windows 10 and later.
    • Profile type as Template.
    • Template Name: Custom.
  • Basics Tab: Provide a Name and Description of the policy.
  • Configuration settings: Click on the Add button to add an OMA-URI setting and provide the following:
    • Name: Create Local User Account
    • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/cloudinfraadmin/Password
    • Data type: String
    • Value: C0mputEr@10!

Note: You can replace cloudinfraadmin with any other name to create a local user account as per your requirement. For example, if you replace cloudinfraadmin with myadminacc, a local user account named myadminacc will be created.

  • Click on the Add button again to add the following OMA-URI setting, which will add the user to the local Administrators group on the target device:
    • Name: Add user to Local administrator group
    • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/cloudinfraadmin/LocalUserGroup
    • Data type: Integer
    • Value: 2
  • Assignments tab: Assign this device configuration policy to an Entra security group containing Windows 10/11 devices.
  • Applicability Rules: You can set up rules on this page to target specific versions or OS editions.
  • Review + Create: Review the deployment summary and click Create.

Monitor Policy Deployment Progress

  • Sign in to the Intune admin center > Devices > Configuration.
  • Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
  • Click on View report to access more detailed information.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

End User Experience

After the policy is deployed successfully, check the end user’s device. Confirm that a local user account has been created and added to the local Administrators group.

  • Click on Start and search for Computer Management.
  • Click on Local Users and Groups > Users and find the local user account created by Intune policy, which is cloudinfraadmin.
  • Next, ensure the account is added to the Administrators group, granting local admin privileges. Go to Computer Management > Local Users and Groups > Groups > Administrators and check if your local user account is listed within the Administrators group.
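A scripted version of the manual check above, as an added example that is not part of the original post: it confirms that the account exists and that it is a member of the built-in Administrators group, matching by SID rather than by name. The parameter name and the output fields are this example's own choices; run it in an elevated PowerShell session on the target device.

```powershell
param(
    # Account name used in the OMA-URI path on this page; change it if you used another name.
    [string]$AccountName = 'cloudinfraadmin'
)

# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
# Using the SID instead of the group name keeps the check working on non-English Windows.
$adminGroupSid = 'S-1-5-32-544'

$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Warning "Local account '$AccountName' not found. The policy may not have applied yet."
    exit 1
}

# Compare SIDs, not display names, so only this exact account satisfies the check.
try {
    $members  = Get-LocalGroupMember -SID $adminGroupSid -ErrorAction Stop
    $adminIds = @($members | ForEach-Object { $_.SID.Value })
    $isAdmin  = $adminIds -contains $user.SID.Value
}
catch {
    # Enumeration can throw on some devices, for example when the group
    # contains entries that cannot be resolved. Report it instead of guessing.
    Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
    $isAdmin = $null
}

# One summary object per run, easy to read locally or to collect centrally.
[pscustomobject]@{
    Account          = $user.Name
    Enabled          = $user.Enabled
    InAdministrators = $isAdmin
    PasswordLastSet  = $user.PasswordLastSet
    PasswordExpires  = $user.PasswordExpires   # empty when the password never expires
    PrincipalSource  = $user.PrincipalSource
}

# Non-zero exit code when membership is missing or could not be confirmed.
if ($isAdmin -ne $true) { exit 1 }
```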

Set Local user Account Password to never expire using Intune

To set the local user account’s password expiry to Never on target devices, deploy a PowerShell script with the given command. For step-by-step instructions on deploying PowerShell scripts via Intune, refer to the blog post titled How to Deploy a PowerShell Script Using Intune.

Set-LocalUser -Name "cloudinfraadmin" -PasswordNeverExpires $true

Conclusion

In this blog post, we’ve learned how to create a local administrator account on Intune-managed devices through a custom device configuration profile. It’s a straightforward process that enables you to create a local admin to manage all your organization’s devices.
