This week we are back on the Windows platform, and once again the subject is managing local administrators on Windows 10 and later devices. That subject has been discussed multiple times before – either by using custom device configuration profiles or by using proactive remediations – and this time it’s about a new configuration option within Microsoft Intune that provides a friendly configuration experience for the IT administrator around the custom device configuration profile option. That configuration relies on the LocalUsersAndGroups policy that is available with Windows 10 20H2 or later, or Windows 11. This blog post will provide an introduction to a new profile type and will show how to use that new profile type to easily manage local administrators. This blog post will end by showing the configuration results.
Important: This post relies on preview functionality and requires Windows 10 20H2 or later, or Windows 11.
Introducing local user group membership profile
With the latest service release of Microsoft Intune (2201), a new profile for account protection policies is introduced. That profile is the Local user group membership profile and can be used to manage the memberships of built-in local groups on Windows 10 and later devices. Basically, that profile is a friendly user interface (UI) around the LocalUsersAndGroups policy. That policy was introduced with Windows 10 20H2 and later and enables the IT administrator to configure the membership of built-in local groups, as shown in this post about managing local administrators. The UI limits the configuration options a little, but it does cover the most common ones. The following options are available (as shown below in Figure 1):
- Local group: This drop-down enables the IT administrator to select one or more groups that will be configured with the same configuration line. At this moment the following groups are available for configuration: Administrators, Users, Guests, Power Users, Remote Desktop Users and Remote Management Users.
- Group and user action: This drop-down enables the IT administrator to select the action that will be applied to the selected groups. At this moment the following actions are available for configuration: Add (Update) to add members to the selected group, Remove (Update) to remove members from the selected group and Add (Replace) to replace the members of the selected group.
- User selection type: This drop-down enables the IT administrator to select how to add users and groups to the selected groups. At this moment the following options are available: Users/Groups to select the users and groups that are available from Azure AD and Manual to manually specify users and groups that are available from Azure AD by specifying username, domain\username, or the group's security identifier (SID).
- Selected users/groups: This selection enables the IT administrator to select, or specify, the users and groups that should be added to the selected groups. Depending on the previous choice, one of the following options is available: Select users/groups to select the users and groups that are available from Azure AD, or Add user(s) to manually specify users and groups that are available from Azure AD.
Important: As the local group membership profile relies on the LocalUsersAndGroups policy, only a single policy (XML) can be applied to a device. Multiple policies will result in a conflict.
Note: The Users/Groups user selection type is only supported for Azure AD joined devices and the Manual user selection type is supported for Azure AD joined devices and hybrid Azure AD joined devices.
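To make the mapping between the UI choices above and the underlying LocalUsersAndGroups policy concrete, here is an added PowerShell example (not code from the blog post or from Microsoft) that builds the equivalent policy XML for a given local group, action and member list. It assumes the documented XML format of the Policy CSP (accessgroup, group action, add and remove elements); the member values and SID are constructed placeholders.

```powershell
# Added example: builds the LocalUsersAndGroups XML that the profile generates behind
# the scenes, so each UI choice can be traced to the policy element it produces.
function New-LocalGroupPolicyXml {
    param(
        [Parameter(Mandatory)][string[]]$LocalGroup,   # e.g. Administrators, Remote Desktop Users
        [Parameter(Mandatory)][ValidateSet('AddUpdate','RemoveUpdate','AddReplace')][string]$Action,
        [Parameter(Mandatory)][string[]]$Member        # AzureAD\upn, DOMAIN\user or a SID
    )
    # Add (Update) and Remove (Update) keep the existing members (group action U);
    # Add (Replace) restricts the group to exactly the listed members (group action R).
    $groupAction = if ($Action -eq 'AddReplace') { 'R' } else { 'U' }
    $memberTag   = if ($Action -eq 'RemoveUpdate') { 'remove' } else { 'add' }

    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<GroupConfiguration>')
    foreach ($g in $LocalGroup) {
        # One accessgroup per selected local group, all sharing the same action and members
        [void]$sb.AppendLine("  <accessgroup desc=""$g"">")
        [void]$sb.AppendLine("    <group action=""$groupAction""/>")
        foreach ($m in $Member) {
            $escaped = [System.Security.SecurityElement]::Escape($m)   # keep the XML well-formed
            [void]$sb.AppendLine("    <$memberTag member=""$escaped""/>")
        }
        [void]$sb.AppendLine('  </accessgroup>')
    }
    [void]$sb.AppendLine('</GroupConfiguration>')
    $sb.ToString()
}

# Constructed sample: the same choices as the walkthrough (Administrators, Add (Update),
# one Azure AD user plus one Azure AD group SID). Both identities are placeholders.
$xml = New-LocalGroupPolicyXml -LocalGroup 'Administrators' -Action 'AddUpdate' `
    -Member 'AzureAD\helpdesk.user@contoso.example', 'S-1-12-1-0-0-0-0'
$xml

# Because a device accepts only one LocalUsersAndGroups XML document (see the Important
# note above), parse it once to confirm it is well-formed before it is assigned.
[xml]$parsed = $xml
$parsed.GroupConfiguration.accessgroup |
    ForEach-Object { '{0}: action={1}, members={2}' -f $_.desc, $_.group.action, @($_.add).Count }
```

The resulting document is what a custom device configuration profile would deliver via the OMA-URI ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure; the new profile type produces it for you.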
Configuring local user group membership profile
The local user group membership profile can be used to configure the membership of the built-in local administrators group, and the configuration steps are actually pretty straightforward. The following eight steps walk through the process of adding an additional user and group to the built-in local administrators group by simply selecting the required options.
- Open the Microsoft Endpoint Manager admin center portal and navigate to Endpoint security > Account protection
- On the Endpoint security | Account protection blade, click Create Policy
- On the Create a profile page, provide the following information and click Create
- Platform: Select Windows 10 and later as value
- Profile: Select Local user group membership as value
- On the Basics page, provide a valid name for the local user group membership profile and click Next
- On the Configuration settings page, as shown below in Figure 2, provide the following information and click Next
- Local group: Select Administrators to configure the membership of the administrators group
- Group and user action: Select Add (Update) to update the membership of the administrators group
- User selection type: Select Users/Groups to enable the easy selection of the new members
- Selected users/groups: Click Select users/groups to open an additional blade to easily select the required new users and/or groups that should be members of the administrators group
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, add the required user/device group and click Next
- On the Review + create page, review the configuration and click Create
Note: Optionally use a filter to make sure to only target this new profile to the minimal required Windows versions.
Experiencing the configuration result
Once the local user group membership profile has been applied, it’s time to have a look at the configuration results. The easiest way to see the results of that configuration is to look in the Event Viewer and compare that information with the members of the local administrators group. The Event Viewer will show the applied configuration and its results (as shown below on the left in Figure 3). That includes the XML configuration that is automatically created by using the new profile. The members of the local administrators group will show the newly added members (as shown below on the right in Figure 3).
Important: At the moment of writing, there are still issues with using this new profile on non-English Windows devices. For the latest status of that, keep an eye on this Microsoft blog post.
Note: The other members of the local administrators group are the built-in administrator, the primary user and the SIDs that are representing the Global administrator role and the Device administrator role.
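The same verification can be scripted on the device, as an added PowerShell example that is not part of the blog post: it lists the MDM diagnostics events that mention the LocalUsersAndGroups policy (the source of what Event Viewer shows in Figure 3) and then checks the effective Administrators membership against an expected list. The expected members are constructed placeholders; the group is addressed by its well-known SID so the check also works on non-English Windows, where the group name differs.

```powershell
# Added example: verify the result of the local user group membership profile on a device.
# Replace the placeholder identities below with the users/groups selected in the profile.
$expected = @(
    'AzureAD\helpdesk.user@contoso.example',   # placeholder Azure AD user
    'S-1-12-1-0-0-0-0'                          # placeholder Azure AD group SID
)

# 1. Policy processing events: the MDM diagnostics provider log holds the applied XML
#    and any error, which is the information shown in Event Viewer in Figure 3.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -LogName $log -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'LocalUsersAndGroups' } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Summary'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } } |
    Format-Table -AutoSize

# 2. Effective membership of the built-in Administrators group (well-known SID S-1-5-32-544,
#    so the lookup does not depend on the localized group name).
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'
$members | Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize

# 3. Compare: an expected entry counts as present if it matches a member's account name
#    or its SID (PowerShell string comparison is case-insensitive by default).
$present = @($members | ForEach-Object { $_.Name; $_.SID.Value })
$missing = @($expected | Where-Object { $present -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ('Expected members not in Administrators: {0}' -f ($missing -join ', '))
} else {
    Write-Output 'All expected members are present in the local Administrators group.'
}
```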
For more information about managing local administrators on Windows devices, refer to the following docs.