Starting with Windows 10 version 20H2, you can use Azure AD groups to manage local Administrators group membership on Azure AD joined devices with the Local Users and Groups MDM policy (the LocalUsersAndGroups CSP). Organizations can deploy this policy with Microsoft Intune either as a Custom OMA-URI setting or as an Account protection policy.
As of now, the following local groups can be managed with the Local Users and Groups MDM policy:
- Administrators
- Users
- Guests
- Power Users
- Remote Desktop Users
- Remote Management Users
In this blog post, we will see how to manage local Administrators group members on Azure AD (Entra ID) joined devices using an Azure AD group and the Intune Local Users and Groups MDM policy.
Create an Azure AD Group
We will create an Azure AD (Entra ID) security group and add it to the local Administrators group on Azure AD joined devices. Using an AAD group simplifies management: to give a user local admin rights on the devices, you only need to add them to the AAD group, and removing them from the group takes the rights away again at the next policy refresh.
Create an Azure AD group with below details.
- Group Type : Security
- Group Name: IT – Helpdesk
- Azure AD roles can be assigned to the group: Select Yes.
- Membership Type: Assigned
- Members: Add users now if you already know who needs local admin rights.
Follow the Create Azure AD Group guide if you need help creating the group.
Create Account Protection Policy to manage Local Administrators Group Membership Using Intune
The next step is to create an account protection policy. To create a local user group membership policy, sign in to the Intune portal at endpoint.microsoft.com.
- Navigate to Endpoint security
- Select Account protection
- Click on + Create Policy to start policy creation process
- From Create a profile, select the following
- Platform: Windows 10 and later
- Profile: Local user group membership
- Click on Create
Enter the Name and Description for profile and click on Next to move to Configuration Settings.
On the Configuration Settings page, choose the local group you want to manage. The groups that can be managed by the Local Users and Groups MDM policy are: Administrators, Users, Guests, Power Users, Remote Desktop Users and Remote Management Users.
Select Administrators, since in this example we are adding users / an AAD group to the local Administrators group.
Local Group and user action:
The Local Users and Groups policy has two actions: Update (U) and Replace / Restrict (R).
- Update Group Membership: Update a group by adding or removing members. With Update, existing group members that are not specified in the policy remain untouched.
- Replace Group Membership: Restrict a group by replacing its membership. With Replace, the existing group membership is replaced by the list of members specified in the policy. Any member not specified in the policy is removed.
In Microsoft Intune, you select one of the options below.
- Add (Update): Add members to the specified group. Other members already present in the local group are not touched.
- Remove (Update): Remove members from the specified group. Other members already in the group and not listed in the policy remain intact.
- Add (Replace): Replace the existing members of the group with the members provided in the policy. Be careful with this option on the Administrators group: any account you do not list, including a local administrator account you rely on for break-glass access, is removed.
User Selection Type:
- Users / Groups: lets you pick Azure AD users or an Azure AD group.
- Manual: lets you enter the member yourself, for example as a
- SID (Security Identifier)
Selected users / groups:
Select Users / Groups or provide details manually based on User Selection Type.
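The Account protection profile above writes the same LocalUsersAndGroups CSP payload that you would otherwise paste into a Custom OMA-URI setting (the alternative mentioned in the introduction). The PowerShell below is an added example, not code from the original post or from Microsoft: it converts an Entra ID group object ID into the S-1-12-1-... SID that the Manual selection type expects, builds the XML for the Update (U) and Replace (R) actions described above, and checks that the result is well-formed. The group object ID is a placeholder; replace it with the Object Id shown for your group in the Entra ID portal.

```powershell
# Added example (not from the original post). Builds the LocalUsersAndGroups
# CSP payload by hand so it can be deployed as a Custom OMA-URI setting:
#   OMA-URI : ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
#   Data type: String (the XML produced below)

function Convert-EntraObjectIdToSid {
    # An Entra ID (Azure AD) principal appears in a local group as a SID of the
    # form S-1-12-1-<a>-<b>-<c>-<d>, where a..d are the 16 bytes of the object's
    # GUID read as four little-endian UInt32 values.
    param([Parameter(Mandatory)][string]$ObjectId)
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $parts = [UInt32[]]::new(4)
    [Buffer]::BlockCopy($bytes, 0, $parts, 0, 16)
    return 'S-1-12-1-' + ($parts -join '-')
}

function New-LocalGroupPolicyXml {
    # $Groups: one hashtable per local group, e.g.
    #   @{ Name='Administrators'; Action='U'; Add=@('S-1-12-1-...'); Remove=@('Guest') }
    # Action 'U' = Update (apply Add/Remove, leave every other member alone)
    # Action 'R' = Replace/Restrict (membership becomes exactly the Add list)
    # Members may be SIDs, local account names, or AzureAD\user@domain for cloud users.
    param([Parameter(Mandatory)][hashtable[]]$Groups)
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<GroupConfiguration>')
    foreach ($g in $Groups) {
        if ($g.Action -notin 'U', 'R') { throw "Unknown action '$($g.Action)' for group $($g.Name)" }
        if ($g.Action -eq 'R' -and $g.Remove) {
            # Replace defines the whole membership; a remove list is meaningless here
            # and usually signals the author meant Update.
            throw "Group $($g.Name): Replace (R) does not take <remove> entries"
        }
        if ($g.Action -eq 'R' -and -not $g.Add) {
            throw "Group $($g.Name): Replace (R) with an empty member list would empty the group"
        }
        [void]$sb.AppendLine("  <accessgroup desc=`"$($g.Name)`">")
        [void]$sb.AppendLine("    <group action=`"$($g.Action)`" />")
        foreach ($m in @($g.Add))    { [void]$sb.AppendLine("    <add member=`"$m`"/>") }
        foreach ($m in @($g.Remove)) { [void]$sb.AppendLine("    <remove member=`"$m`"/>") }
        [void]$sb.AppendLine('  </accessgroup>')
    }
    [void]$sb.AppendLine('</GroupConfiguration>')
    return $sb.ToString()
}

# Placeholder (assumption): the object ID of the "IT - Helpdesk" group.
$helpdeskObjectId = '00000000-0000-0000-0000-000000000000'
$helpdeskSid = Convert-EntraObjectIdToSid -ObjectId $helpdeskObjectId

$xml = New-LocalGroupPolicyXml -Groups @(
    # Same intent as the post's "Add (Update)" profile: add the group and leave the
    # built-in Administrator account and any existing members in place.
    @{ Name = 'Administrators'; Action = 'U'; Add = @($helpdeskSid) }
)

# A malformed payload only shows up as a policy error on the device, so parse it
# once locally before pasting it into the Custom OMA-URI setting.
[xml]$parsed = $xml
$xml
```

If you want the Replace behaviour instead, change `Action = 'U'` to `'R'` and list every principal that must remain, because the resulting membership is exactly the `Add` list. The SID conversion is also handy for reading the policy back: the value Computer Management shows for a cloud group is this SID, not the group name.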
On the Assignment page, you can assign the policy to an Azure AD group, All users or All devices, based on your requirement. Since we are doing this in a test environment, we selected All devices. You can also use Assignment Filters for more granular targeting of the policy.
Click on Next.
On the Review + create, review the details and click on Create button to create the policy.
To verify the result, perform the steps below on one of the targeted devices.
- Launch compmgmt.msc
- Navigate to Local Users and Groups / Groups
- Double-click Administrators
- Verify that the required AAD groups / users are now members of the local Administrators group.
The highlighted SID is the Azure AD group we selected in the Local Users and Groups policy. Cloud groups are listed as a raw SID (S-1-12-1-...) rather than by name, because Computer Management cannot resolve Azure AD group names; the SID itself encodes the group's object ID.
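To make that verification repeatable, the following added example (not code from the original post) lists the local Administrators membership with PowerShell, decodes every S-1-12-1-... SID back into the Entra ID object ID it was derived from, and returns whether the expected group is present. The object ID is again a placeholder, and the script has to run on the Azure AD joined device itself.

```powershell
# Added example (not from the original post). Run on a targeted device to confirm
# the policy applied and to map cloud SIDs in the Administrators group back to
# Entra ID object IDs.

function Convert-SidToEntraObjectId {
    # Inverse of the object ID -> SID mapping: the four numbers after S-1-12-1-
    # are the GUID's 16 bytes as little-endian UInt32s. Returns $null for any
    # SID that is not an Entra ID (cloud) SID, e.g. S-1-5-21-... local accounts.
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -notmatch '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') { return $null }
    $parts = [UInt32[]]@($Matches[1], $Matches[2], $Matches[3], $Matches[4])
    $bytes = [byte[]]::new(16)
    [Buffer]::BlockCopy($parts, 0, $bytes, 0, 16)
    return [Guid]::new($bytes)
}

function Get-AdministratorsMembership {
    # Get-LocalGroupMember reports a cloud principal's SID and PrincipalSource
    # (AzureAD) even when it cannot resolve the display name.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            Sid             = $_.SID.Value
            PrincipalSource = $_.PrincipalSource
            EntraObjectId   = Convert-SidToEntraObjectId -Sid $_.SID.Value
        }
    }
}

function Test-GroupIsLocalAdmin {
    # $true when the group with this object ID is a direct member of Administrators.
    param([Parameter(Mandatory)][string]$ObjectId)
    $expected = [Guid]::Parse($ObjectId)
    $hit = Get-AdministratorsMembership | Where-Object { $_.EntraObjectId -eq $expected }
    return [bool]$hit
}

# Placeholder (assumption): the object ID of the "IT - Helpdesk" group.
$helpdeskObjectId = '00000000-0000-0000-0000-000000000000'

Get-AdministratorsMembership | Format-Table -AutoSize
if (Test-GroupIsLocalAdmin -ObjectId $helpdeskObjectId) {
    'IT - Helpdesk group is a member of the local Administrators group.'
} else {
    'Group not found. Sync the device (Settings > Accounts > Access work or school > Info) and check the policy status in Intune before assuming the policy is wrong.'
}
```

On some older Windows 10 builds `Get-LocalGroupMember` fails with "Failed to compare two elements in the array" when a group contains a SID it cannot resolve; if you hit that, `net localgroup Administrators` still lists the members, with cloud groups shown as their SID, and you can feed those strings to `Convert-SidToEntraObjectId` by hand.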