This week is back to the Windows platform, and it is once again about managing local administrators on Windows 10 and later devices. That subject has been discussed multiple times before – either by using custom device configuration profiles or by using proactive remediations – and this time it’s about a new configuration option within Microsoft Intune that provides a friendly configuration experience for the IT administrator around the custom device configuration profile option. That configuration relies on the LocalUsersAndGroups policy that is available with Windows 10 20H2 or later, or Windows 11. This blog post will provide an introduction to the new profile type and will show how to use it to easily manage local administrators. This blog post will end by showing the configuration results.
Important: This post relies on preview functionality and requires Windows 10 20H2 or later, or Windows 11.
Introducing local user group membership profile
With the latest service release of Microsoft Intune (2201), a new profile for account protection policies is introduced. That profile is the Local user group membership profile and can be used to manage the memberships of built-in local groups on Windows 10 and later devices. Basically, that profile is a friendly user interface (UI) around the LocalUsersAndGroups policy. That policy was introduced with Windows 10 20H2 and later and enables the IT administrator to configure the membership of built-in local groups, as shown in this post about managing local administrators. The UI does limit the configuration options a little bit, but does provide the most common configuration options. The following options are available (as shown below in Figure 1):
- Local group: This drop-down enables the IT administrator to select one or more groups that will be configured with the same configuration line. At this moment the following groups are available for configuration: Administrators, Users, Guests, Power Users, Remote Desktop Users and Remote Management Users.
- Group and user action: This drop-down enables the IT administrator to select the action that will be applied to the selected groups. At this moment the following actions are available for configuration: Add (Update) to add members to the selected group, Remove (Update) to remove members from the selected group and Add (Replace) to replace the members of the selected group.
- User selection type: This drop-down enables the IT administrator to select how to add users and groups to the selected groups. At this moment the following options are available: Users/Groups to select the users and groups that are available from Azure AD and Manual to manually specify users and groups that are available from Azure AD by specifying username, domain\username, or the group’s security identifier (SID).
- Selected users/groups: This selection enables the IT administrator to select, or specify, the users and groups that should be added to the selected groups. Depending on the previous choice, one of the following options is available: Select users/groups to select the users and groups that are available from Azure AD, or Add user(s) to manually specify users and groups that are available from Azure AD.
Important: As the local user group membership profile relies on the LocalUsersAndGroups policy, only a single policy (XML) can be applied to a device. Multiple policies will result in a conflict.
Note: The Users/Groups user selection type is only supported for Azure AD joined devices, and the Manual user selection type is supported for Azure AD joined devices and hybrid Azure AD joined devices.
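To make the relation between the UI options above and the underlying policy concrete, here is an added example (written for this post edit, not code from the original post, from Intune or from Microsoft) that builds the LocalUsersAndGroups XML for one or more configuration lines. It assumes the documented policy format (a GroupConfiguration root with one accessgroup element per group, a group action of U for update or R for replace, and add or remove elements per member); the function name, the sample user name and the sample group SIDs are placeholders.

```powershell
# Added example, not part of the original post: build the LocalUsersAndGroups
# policy XML that corresponds to the UI options of the profile.
# The three UI actions map onto the policy's group action attribute
# (U = update the existing membership, R = replace it) plus an add or remove
# element per member. Group names, the user and the SIDs below are placeholders.

function New-LocalUsersAndGroupsXml {
    param(
        # One hashtable per UI configuration line:
        #   Groups  = group name(s) as shown in the "Local group" drop-down
        #   Action  = 'Add (Update)', 'Remove (Update)' or 'Add (Replace)'
        #   Members = user names, DOMAIN\user names or SIDs
        [Parameter(Mandatory)] [hashtable[]] $Lines
    )
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<GroupConfiguration>')
    foreach ($line in $Lines) {
        switch ($line.Action) {
            'Add (Update)'    { $action = 'U'; $element = 'add' }
            'Remove (Update)' { $action = 'U'; $element = 'remove' }
            'Add (Replace)'   { $action = 'R'; $element = 'add' }
            default           { throw "Unknown action '$($line.Action)'" }
        }
        # One accessgroup element per selected group, all with the same members,
        # which is what "one configuration line for several groups" means.
        foreach ($group in $line.Groups) {
            [void]$sb.AppendLine("  <accessgroup desc=`"$group`">")
            [void]$sb.AppendLine("    <group action=`"$action`" />")
            foreach ($member in $line.Members) {
                $safe = [System.Security.SecurityElement]::Escape($member)
                [void]$sb.AppendLine("    <$element member=`"$safe`" />")
            }
            [void]$sb.AppendLine('  </accessgroup>')
        }
    }
    [void]$sb.AppendLine('</GroupConfiguration>')
    return $sb.ToString()
}

# Constructed sample: the scenario from the post (add a user and a group to
# Administrators) plus a second line that replaces the Remote Desktop Users
# membership with a single group.
$lines = @(
    @{ Groups  = @('Administrators')
       Action  = 'Add (Update)'
       Members = @('AzureAD\helpdesk@contoso.example',                      # placeholder user
                   'S-1-12-1-111111111-222222222-333333333-444444444') },  # placeholder group SID
    @{ Groups  = @('Remote Desktop Users')
       Action  = 'Add (Replace)'
       Members = @('S-1-12-1-555555555-666666666-777777777-888888888') }   # placeholder group SID
)
$xml = New-LocalUsersAndGroupsXml -Lines $lines

# Parse the result to catch malformed output before it reaches a device.
[xml]$parsed = $xml
$xml
"Groups configured: $($parsed.GroupConfiguration.accessgroup.Count)"
```

All lines end up in one GroupConfiguration document, which is also why the Important note above holds: the policy takes a single XML per device, so a second profile targeting the same device does not merge with the first one but conflicts with it.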
Configuring local user group membership profile
The local user group membership profile can be used to configure the membership of the built-in local administrators group, and the configuration steps are actually pretty straightforward. The following eight steps walk through the process of adding an additional user and group to the built-in local administrators group by simply selecting the required options.
1. Open the Microsoft Endpoint Manager admin center portal and navigate to Endpoint security > Account protection
2. On the Endpoint security | Account protection blade, click Create Policy
3. On the Create a profile page, provide the following information and click Create
   - Platform: Select Windows 10 and later as value
   - Profile: Select Local user group membership as value
4. On the Basics page, provide a valid name for the local user group membership profile and click Next
5. On the Configuration settings page, as shown below in Figure 2, provide the following information and click Next
   - Local group: Select Administrators to configure the membership of the administrators group
   - Group and user action: Select Add (Update) to update the membership of the administrators group
   - User selection type: Select Users/Groups to enable the easy selection of the new members
   - Selected users/groups: Click Select users/groups to open an additional blade to easily select the required new users and/or groups that should be a member of the administrators group
6. On the Scope tags page, configure the required scope tags and click Next
7. On the Assignments page, add the required user/device group and click Next
8. On the Review + create page, review the configuration and click Create
Note: Optionally, use a filter to make sure that this new profile is only targeted at the minimum required Windows versions.
Experiencing the configuration result
Once the local user group membership profile has been applied, it’s time to have a look at the configuration results. The easiest method to experience the results of that configuration is by having a look in the Event Viewer and comparing that information with the members of the local administrators group. The Event Viewer will show the applied configuration and its results (as shown below on the left in Figure 3). That contains the XML configuration that’s automatically created by using the new profile. The members of the local administrators group will show the newly added members (as shown below on the right in Figure 3).
Important: At the moment of writing, there are still issues with using this new profile on non-English Windows devices. For the latest status of that, keep an eye on this Microsoft blog post.
Note: The other members of the local administrators group are the built-in administrator, the primary user and the SIDs that represent the Global administrator role and the Device administrator role.
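The check described above (Event Viewer plus the members of the local administrators group) can be turned into a repeatable audit on a device. The following is an added example written for this post edit, not code from the original post or from Microsoft. It looks the group up by its well-known SID rather than by name, so that it also works on the non-English systems mentioned in the Important note, and it compares the membership against an expected list; the expected list, the placeholder role SIDs and the function names are assumptions, and the diagnostics log name is the log this writer knows MDM policy results are written to (the post itself only refers to "the Event Viewer").

```powershell
# Added example, not part of the original post: verify the result of the
# profile on a device by listing the local Administrators group and the
# MDM diagnostic events, then flag drift against an expected member list.
# The expected list and the role SIDs below are constructed placeholders.

# Locate the group by its well-known SID, so the check also works on
# non-English systems where the group has a localized name.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

function Get-AdminGroupMembers {
    try {
        # Preferred path: names for resolvable accounts, raw SIDs otherwise
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; SID = $_.SID.Value; Source = [string]$_.PrincipalSource }
        }
    } catch {
        # Get-LocalGroupMember can fail when a member SID cannot be resolved
        # (typical for Azure AD role SIDs); fall back to the ADSI WinNT provider.
        $adsi = [ADSI]"WinNT://./$($adminGroup.Name),group"
        foreach ($m in @($adsi.Invoke('Members'))) {
            $name  = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
            $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            $sid   = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0)
            [pscustomobject]@{ Name = $name; SID = $sid.Value; Source = 'ADSI' }
        }
    }
}

function Compare-AdminGroupMembers {
    param([Parameter(Mandatory)] [string[]] $ExpectedSids)
    $current = Get-AdminGroupMembers
    [pscustomobject]@{
        Unexpected = $current | Where-Object { $ExpectedSids -notcontains $_.SID }
        Missing    = $ExpectedSids | Where-Object { $_ -notin $current.SID }
    }
}

function Get-LocalUsersAndGroupsEvents {
    param([int] $Days = 7)
    # MDM policy processing writes to this diagnostics log; keep the entries
    # that mention the policy, which include the generated XML and its result.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'LocalUsersAndGroups' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Constructed expected membership: the built-in Administrator (RID 500 of the
# machine domain), the primary user, the group added through the profile and
# the two Azure AD role SIDs the post mentions. The S-1-12-1 values are
# placeholders; read the real values from a device that received the profile.
$builtinAdmin = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value
$expected = @(
    $builtinAdmin,
    'S-1-12-1-100000000-200000000-300000000-400000000',  # placeholder: primary user
    'S-1-12-1-111111111-222222222-333333333-444444444',  # placeholder: group added by the profile
    'S-1-12-1-555555555-666666666-777777777-888888888',  # placeholder: Global administrator role
    'S-1-12-1-999999999-111111111-222222222-333333333'   # placeholder: Device administrator role
)

"Members of '$($adminGroup.Name)':"
Get-AdminGroupMembers | Format-Table Name, SID, Source -AutoSize
$drift = Compare-AdminGroupMembers -ExpectedSids $expected
"Unexpected members: $(@($drift.Unexpected).Count), missing members: $(@($drift.Missing).Count)"
Get-LocalUsersAndGroupsEvents | Format-List TimeCreated, Id, Message
```

Run it in an elevated session on a device that already received the profile; reading the diagnostics log can require that. Comparing on SIDs rather than names is deliberate: Azure AD members frequently show up as unresolved SIDs in the group (as the Note above describes), so a name-based comparison would report them as drift even when the configuration is correct.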
For more information about managing local administrators on Windows devices, refer to the following docs.
31 thoughts on “Even easier managing local administrators”
as always great article. Have you got during the test an issue with assigning the group to any role?
On one of my test tenants, I try to assign the group to local administrators and get error: “Please review policy.” and under the group information “The field for Selected user(s) is required. “. I test the scenario where I have only Intune role without any additional roles like GA, Security Admin etc. It’s like the wizard doesn’t select the group what I want to add 🙂
I personally didn’t have that issue, but I’ve read on the article mentioned earlier that others are seeing that issue.
Great article with super detail, does this have the same effect as using Device Settings ‘manage additional local administrators’ but with more granular control and should I disable the Device Settings config after applying this policy.
Thanks – Gerry
That setting basically configures device administrators role that applies to all devices. This configuration can be a bit more granular, and can also configure more than just administrators.
Thanks for this great article. But it’s not working when you select a group in step 5 Selected users/groups.
When I select a group I get the following message:
Please review policy. The field for Selected user(s) is required.
If I only add some users then it works.
Could you let me know if this is not working yet?
See my earlier comment. Haven’t seen it myself, but I’ve read it on the earlier mentioned article.
If you want the user to only be member of the local administrators group on their own device (so not on any other device that gets the policy) how would you do that? With a classic GPO we added the account INTERACTIVE to the Administrators group. Is that still an option for Intune Manage devices (no Hybrid Join, just a Azure AD join)?
That would require some custom scripting. Using the INTERACTIVE user is not really a solution, as it would apply to every user that is logged on..
Hi Peter, thanks for the great post, very informative! One question, how do I use this functionality remove the current user from the Administrators group so they get converted to standard users? I have some systems configured before we rolled out autopilot that we need to modify. Thanks!
You could just replace the current members with a new set of members.
I would like to change primary users to standard user and make our IT’s as local admins/admin to prevent our user to install software.
So which option do you have to select, remove (update) or select add (replace)?
In that case I would probably use Add (Replace), to simply replace anything that was configured.
Hej Peter, thank you for this article. I tried it but I kept on getting an error “No mapping between account names and security IDs was done”. Actually I got 3 different errors in the log that look very much like described in this blog: https://www.anoopcnair.com/manage-local-admins-using-intune-group-mgmt/
All my devices are registered only in AAD (no hybrid) and I was trying to add an AAD group to the local administrators group.
I think that the reason for the error was because I am using a ‘Danish talking’ system… ‘Administrators’ are called ‘administratorer’ in Danish… I therefore tried to use the OMA-URI version (thank you for that article as well! 🙂 ) where I used the SID of the administrators group instead, and it worked. I think though that there has been a little error in your article: https://www.petervanderwoude.nl/post/easier-managing-local-administrators-via-windows-10-mdm-on-windows-10-20h2-and-later/
You mentioned the string: ./Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure and it didn’t work for me. I kept getting errors. I changed it to: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure – and it worked.
Besides, when I tried to use the policy described here (under account protection), I got other problems when I tried to add the groups. I kept on getting errors in the graphic interface… I think this policy is not working as it should… Something is wrong with it I am afraid.. 🙂
best regards, Ido Yavin
Thank you for the information Ido. It’s indeed correct that some methods don’t handle different languages that well yet..
Any reason the groups populate as the SID and not the resolved name. Mine is applying the policy, the SID shows up, but it still seems like it didn’t give that group admin rights. I’m still troubleshooting but was wondering if you had thoughts.
The permissions are not immediately applicable in all scenarios. For example a user that is already logged on, and is added to the group, won’t immediately receive local admin permissions.
Is the issue with non-english devices already resolved?
I haven’t recently tried that. What are your latest results?
Does the policy update after it’s applied? For instance, we would like to use a Azure group to allow LocalAdmin access temporarily, then removing the users when they no longer need access. (Not elegant, certainly, but for lack of a better solution, that’s what we have.) Would the endpoint policy update on the next check-in and remove their permissions?
My experience with using an Azure AD group is very wonky. This policy will only configure the Azure AD group as a member of the local administrators. An update of that policy will not help with the permissions of the users of that group.
This is achievable by combining PIM with the above solution. You can use a PIM role and require activation of the role, for example the built in Local Device Administrator role. This allows for an approval workflow too. You can set an expiry date on the elevation. It isn’t perfect, as there can be a delay with the role activating. Also, it will persist the access until you log off. But it may help you to achieve the desired result, or close to it. We use PIM for all of our privileged access.
I’ve set my policy to Remove the user who joined the device in Azure AD from the admin group so that they don’t have local admin permissions and in Intune I see the policy status as OK, even when I go to view the admin group in my devices, I no longer see the user I deleted with my policy, i.e. the user who enrolled the device should no longer have local admin permissions, is that correct? However, it still has the permissions and they are only changed when I log out or restart the device. Is this normal behavior? Will it only work after reboot or logout?
There indeed might be a delay in the permissions getting effective.
Does this settings take precedence if I am on Azure Hybrid Join and my MDM is WorkSpace ONE? We are having issue removing administrator with WS1 and want to remove users who are local admin on their machines at the moment?
Will this solve our problem?
That’s hard for me to judge, as I don’t know much about WS1. I do know that this setting is based on a CSP, which means that you can also address that by using another MDM (like WS1). Besides that, I can also imagine that an on-premise GPO would overwrite that information.
We have an issue where the first user that logs into the new device gets added to local administrators account. We have no policies set as per above. Any idea how this happens?
Can you provide some more details? Are you using Autopilot, Azure AD join, etc.?
Hi, this is AAD joined devices only.
I found a solution below:
The technology can also be used for hybrid Azure AD joined devices. See the example in the docs: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups?WT.mc_id=EM-MVP-5001447
Hi, if I am using Add (Replace), it also removes the Device Administrators and Global Administrators SID on the devices… Would you know how to keep them? Do I need to manually get these 2 SID from a device and then add them in the policy?
Thank you very much for the help!
To keep what was available, simply use Add(Update).