Create a Local Admin Account using Intune

In this article, we’ll show you how to create a local admin account using Intune. You can use a PowerShell script or a custom profile in Microsoft Intune to create a new local Windows administrator account and join it to a local user group.

In our earlier article, we demonstrated the steps to create a local admin account on macOS using Intune. On Windows devices enrolled in Intune, you have the option to either use a PowerShell script or OMA-URI settings to create a local administrator account. On Windows devices, you cannot create an administrator account using the Settings Catalog.

The local administrator account that comes installed with Windows devices is typically disabled because most businesses do not think it should be used. This is done as a security measure to prevent IT or other users from performing administrative tasks using the built-in administrator account. On Windows 11, a local admin account is by default disabled, but it is possible to enable it using various techniques.

A temporary admin account can be created using Intune on Windows devices for troubleshooting purposes or during some emergencies. The IT team can use this local administrator account on remote Windows devices with Intune to perform specific tasks. Because there is a security risk if the administrator account is compromised, we advise getting business approval before creating the account.

Also Read: Disable Windows Copilot using Intune Policy

Ways to Create a local admin account using Intune

Using Intune, there are two approaches that you can use to create a local admin account on Windows 10 and Windows 11 devices:

  1. OMA-URI Settings: The Account CSP settings in Intune can help you easily create a local administrator account and add it to the Administrators group on Windows devices. This method is recommended as it is reliable, easy to deploy and easy to troubleshoot.
  2. PowerShell Script: A PowerShell script can not only help to create a local admin account, but you can also set the admin password to never expire and other account properties. However, a PowerShell script may not work correctly in most cases, and it may be complex to troubleshoot the script execution failures. If you have a PowerShell script that creates a local admin account, you can refer to the guide on how to deploy PowerShell script with Intune.

In this article, we will create a local administrator account named “LocalAdmin” on Windows devices using the account CSP OMA-URI settings provided by Microsoft. We will also define a complex password for this account and add this “LocalAdmin” account to the local administrators group. In your case, the account name can be changed to something like IT Admin, Local Admin, Temp Admin, or something similar.

Useful Article: How to Configure Power Options using Intune

Accounts CSP for Managing Local Administrator Account

According to Microsoft documentation, organizations can use the Accounts configuration service provider (CSP) to rename a device, create a new local Windows account, and join it to a local user group. This CSP was first added in Windows 10, version 1803, and you can use the settings on newer versions of Windows 10 and Windows 11.

It is important to note that the policy to create a local admin account through Intune will apply to Windows devices running Enterprise, Pro, Education, and Business editions only. Furthermore, ensure the Windows devices are enrolled in Intune before applying the custom configuration profile.

Also Read: Add User or Groups to Local Admin in Intune

Create a Windows Local Admin Account using Intune

Perform the following steps to create a local admin account on Windows 10/11 devices using Intune:

  • Sign in to the Microsoft Intune Admin Center.
  • Navigate to Devices > Windows > Configuration Profiles.
  • To add a new custom profile, select Create Profile.

On the Create a Profile pane, configure the following and select Create.

  • Platform: Windows 10 and later
  • Profile Type: Templates
  • Template Name: Custom
Create a Local Admin Account using Intune
Create a Local Admin Account using Intune

In the Basics tab, enter the following properties:

  • Name: Enter a descriptive name for the profile, which you or other IT admins can easily identify later. For example, a good profile name is “Create a local admin account on Windows using Intune“.
  • Description: Enter a brief description of the profile. This setting is optional, but recommended. The following description is entered in the screenshot below: “Create a local administrator account on your Windows devices for IT“.

Click Next.

Create a Local Admin Account using Intune
Create a Local Admin Account using Intune

On the Configuration Settings tab, we will use OMA-URI settings to create a local administrator account on Windows devices. Click on the Add button to define a new OMA-URI settings.

Add OMA-URI Settings in Intune
Add OMA-URI Settings in Intune

OMA-URI Settings to Create Local Admin Account and Set Password

Configure the below OMA-URI settings in Intune to create a local admin account and set a complex password for that account.

  • Name: Create a local admin account on Windows using Intune
  • Description: This is optional, but you can add a brief description
  • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/LocalAdmin/Password (Replace LocalAdmin with your admin account name)
  • Data Type: String
  • Value: Specify a complex password for the local admin account

Once you have entered the above data, click on Save.

OMA-URI Settings to Create Local Admin Account and Set Password
OMA-URI Settings to Create Local Admin Account and Set Password

OMA URI Settings for adding account to Local User Group

On the OMA-URI settings page, click on Add. Configure the below OMA-URI settings in Intune to add the local admin account to the Local User Group (Administrators Group). This gives our “LocalAdmin” account administrative privileges on Windows devices.

  • Name: Add a local admin account to Local User Group
  • Description: Adds the user account to Local Administrators Group
  • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/LocalAdmin/LocalUserGroup
  • Data Type: Integer
  • Value: 2

Note: In the OMA-URI settings defined above, the value ‘2‘ adds the local Windows admin account to the built-in Administrators group. Whereas the value “1” adds the local Windows admin account to the built-in Users group.

After adding the above details, click on Save.

OMA URI Settings for adding account to Local User Group
OMA URI Settings for adding account to Local User Group

So, now we have successfully added two OMA-URI settings that will create a local admin account called “LocalAdmin” and add this account to the built-in Administrators group on Windows devices. Once you have added the above OMA-URI settings, they are visible on the screen. Click Next.

On the Assignments tab, select and add the Entra ID groups for whom you want to target this policy. If you are testing the policy on Windows devices for the first time, we recommend creating a pilot group. Once you find the policy assignments successful, you can then expand them to a larger group. Click Next.

Create a Local Admin Account using Intune
Create a Local Admin Account using Intune

On the Applicability Rules tab, you can specify the rules for this profile to be assigned within a group. For example, you can add a rule to target this profile to devices running Windows 10 or Windows 11. Or you can apply this profile to devices running a specific version or build of Windows. For now, we will not configure any applicability rules here; click Next.

Create a Windows Local Admin Account using Intune
Applicability Rules: Create a local admin account using Intune

On the Review+Create tab, review all the account CSP settings that you have defined to create a Windows local admin account. Click Create.

After you create a custom policy in Intune, a notification appears: “Profile Create a Windows local admin account using Intune created successfully“. This confirms that the policy has been created and is being applied to the groups we chose.

In the Intune admin center, go to Devices > Windows > Configuration Profiles, and you should see the new custom profile that we created above along with other profiles.

Create a Local Admin Account using Intune
Create a Local Admin Account using Intune

The OMA-URI settings that we defined in the configuration profile will apply to the Windows devices once they check in with Intune. You can wait for the policy settings to apply, or to accelerate the sync, you can manually sync Intune policies on your Windows computers to sync with Intune.

Monitor the Windows Local Admin account policy in Intune

After you have assigned the local admin account creation policy to Windows devices, you can monitor the overall status in the Intune admin center. To monitor the configuration profile deployment, select the “Create a Windows Local Admin Account using Intune” policy and review the device and user check-in status. This will assist you in identifying the Windows devices to which the policy has been successfully assigned. You will also learn about the devices on which policy assignments failed, as well as the specific error code.

Interestingly, after assigning the Windows local admin account policy in Intune, we noticed that all the devices showed an error in the Intune admin center. In the below screenshot, under the device and user check-in status, we see several devices reporting an error.

Monitor the Windows Local Admin account policy in Intune
Monitor the Windows Local Admin account policy in Intune

Clicking the View Report button showed the device names on which the Windows local admin account policy failed. Selecting one of the devices from the list revealed that both the OMA-URI settings failed to apply with an error, and the error code was -2016281112.

That was a weird error code, and we double-checked both the OMA-URI settings by editing the configuration profile. We can confirm that both the OMA-URI settings were correctly configured and there were no mistakes. Additionally, whenever you encounter profile assignment errors, we recommend reviewing Intune logs on Windows devices for troubleshooting.

Monitor the Windows Local Admin account policy in Intune
Monitor the Windows Local Admin account policy in Intune

End User Experience

When we logged in to our Windows devices, we discovered that a Windows account with the name “LocalAdmin” had already been created. We verified on all devices that the LocalAdmin account was created in accordance with the Intune policy settings.

What we realized was that even though the policy to create a Windows local admin account using Intune was successfully applied to the devices, the error -2016281112 appeared due to an unknown reason. Most likely, a bug caused it, or Intune neglected to check that the settings were implemented properly on Windows devices.

From the screenshot below, you can see that on the Windows device, a new local admin account with the name “LocalAdmin” appears under Local Users and Groups > Users. The account name has been created as per the OMA-URI settings defined in Intune.

Create a Windows Local Admin Account using Intune
Create a Windows Local Admin Account using Intune

As per the Accounts CSP OMA-URI settings defined in the Intune policy, the LocalAdmin account is also added to the built-in Administrators group on the Windows device. Congratulations, you have now mastered the technique for setting up a local admin account on Windows devices using Intune.

Create a Windows Local Admin Account using Intune
Create a Windows Local Admin Account using Intune

4 Comments

  1. Avatar photo Tony Calkins says:

    Is there a way to add an Azure group to the Local Administrators group using this method?

    1. Avatar photo Tony Calkins says:

      Never mind. I figured it out :D.

  2. Had an issue. When I added the local admin account, my end users lost local admin priv. How can I fix this? Right now, I had to revert back and remove what I had done here.

  3. Avatar photo Stuart McColgan says:

    You can also create one by activating laps in Intune and creating remediation scripts

Leave a Reply

Your email address will not be published. Required fields are marked *