Mobile Jon's Blog

Securing Local Administration with Microsoft Intune


Last year, I wrote an article about securing local administrators in Workspace ONE. It wasn’t easy by any means, but I’ve started having my Intune clients request the same capabilities. Today, we’re going to talk about how easy it is to secure local administrators with Microsoft Intune. We’ll cover the following:

Creating the Local Admin in Microsoft Intune

I want to start by letting everyone know this won’t be a long-term requirement. As you can find in the LAPS CSPs, we will soon be able to use the LAPS policy to create the local admin account. For the time being, we can easily create the local admin account with a few steps.

We just need to deploy a custom configuration profile:

The details of the OMA-URI settings are below. One note: Intune will report the profile as failed, but if you check the device, you will find your local admin account is present.

OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/{{AdminAccountName}}/Password
Data Type: String
Value: {{Password}}

Deploying the LAPS (Local Admin Password Solution) Policy in Intune

The brilliance of Microsoft Intune is that all of the account protection settings are in a single area, which makes setting this up really easy. In the video demo below, I cover configuring your LAPS policy, which has just a few items in it.

A few notes to think about:

  • Ideally pick Entra as your Backup Directory unless you have organizational requirements to use On-Prem AD.
  • Only use grace periods if your security team is okay with them. Most people will want a short grace period, e.g. a 1h rotation.
  • Match the password age with your password policy.

Check out the video below for implementing LAPS in your environment:

Locking Down the Local Administrators Group on PCs with Intune

One of the features of account protection that many people overlook is the local user group membership profile. My demo will show you more, but it’s really easy to work with.

You pick a local group to modify (e.g. Administrators, Remote Desktop Users) and choose whether to add to, replace, or update the existing membership with members you specify. Members can be either local accounts or Entra users/groups.

An amazing resource when working with these is the LocalUsersAndGroups CSP documentation, found here. It covers how the policy works overall.

A few of the rules are:

  • Replace and Update can’t co-exist. Replace will always win out.
  • Specify Entra users like AzureAD\[email protected] and groups by their SID (which you can derive from the object ID returned by the Graph API). Oliver also wrote a cool script, linked here, to do the conversion if needed.
  • SIDs are not resolved on the device, so there is no error checking there; be careful.
  • Check Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin to look for errors.
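To make those rules concrete, here is an added PowerShell example (not code from this post, from the CSP documentation, or from Oliver’s script) that converts an Entra group object ID to its SID and builds the LocalUsersAndGroups Configure payload, rejecting malformed Entra entries before they ever reach a device. The function names, the sample object ID and the sample UPN are assumptions; the OMA-URI and XML shape follow the LocalUsersAndGroups CSP as documented.

```powershell
function Convert-EntraObjectIdToSid {
    # Entra object IDs map to SIDs of the form S-1-12-1-<four UInt32s taken
    # little-endian from Guid.ToByteArray()>; this is the well-known conversion,
    # written here from scratch rather than taken from Oliver's script.
    param([Parameter(Mandatory)][string]$ObjectId)
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $parts = [UInt32[]]::new(4)
    [Buffer]::BlockCopy($bytes, 0, $parts, 0, 16)
    return "S-1-12-1-$($parts -join '-')"
}

function Test-GroupMember {
    # The CSP does not resolve SIDs, so a malformed entry fails silently on the
    # device; reject obviously bad Entra entries here. Anything else is treated
    # as a local account name and passed through unchanged.
    param([Parameter(Mandatory)][string]$Member)
    if ($Member -like 'AzureAD\*') { return $Member -match '^AzureAD\\[^\\@]+@[^\\@]+$' }
    if ($Member -like 'S-1-*')     { return $Member -match '^S-1-(12-1(-\d+){4}|5(-\d+)+)$' }
    return $true
}

function New-LocalGroupPayload {
    # Emits the XML value for the OMA-URI
    # ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
    # action R = Replace (listed members become the whole group), U = Update.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][ValidateSet('Replace', 'Update')][string]$Action,
        [string[]]$Add = @(),
        [string[]]$Remove = @()
    )
    if ($Action -eq 'Replace' -and $Remove.Count -gt 0) {
        throw 'Replace defines the full membership; <remove> entries only apply to Update.'
    }
    foreach ($m in ($Add + $Remove)) {
        if (-not (Test-GroupMember $m)) { throw "Member '$m' is not a valid AzureAD\<upn> or SID." }
    }
    $code = if ($Action -eq 'Replace') { 'R' } else { 'U' }
    $lines = @('<GroupConfiguration>', "  <accessgroup desc=`"$GroupName`">", "    <group action=`"$code`" />")
    foreach ($m in $Add)    { $lines += "    <add member=`"$m`"/>" }
    foreach ($m in $Remove) { $lines += "    <remove member=`"$m`"/>" }
    $lines += '  </accessgroup>', '</GroupConfiguration>'
    return ($lines -join "`n")
}

# Constructed sample (hypothetical object ID and UPN): one Entra user by UPN plus one Entra group by SID.
$groupSid = Convert-EntraObjectIdToSid -ObjectId '11111111-2222-3333-4444-555555555555'
New-LocalGroupPayload -GroupName 'Administrators' -Action Update `
    -Add @('AzureAD\helpdesk@contoso.example', $groupSid)
```

Paste the emitted XML as the string value of the Configure OMA-URI in a custom profile, then confirm on a test device with Get-LocalGroupMember Administrators and the DeviceManagement-Enterprise-Diagnostics-Provider log mentioned above.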

Check out my demo to show you how to make it happen:

Working with Entra Users and Groups with Local Administrator Groups

We have seen some challenges when working with Entra users and groups for local administration. This presumes you are using “automatically deny elevation requests” for standard users, which is a good best practice.

The TL;DR is that using Entra users works well and using Entra groups is not great. When you use users, you can easily elevate and it’s no big deal:

However, when you try to use Entra groups, they will instantly bomb out and fail. The only way I have been able to get admin access in this scenario is with this code:

# Run PowerShell as the Entra user
runas /user:azuread\[email protected] powershell
# Bounce the new PowerShell window up to admin (UAC prompt appears here)
Start-Process powershell.exe -Verb RunAs

It’s not a huge deal for me, but it appears that Entra groups cannot be enumerated by UAC. Something I will be working on this week is digging into the event logging to see if I can figure out exactly why.

Overall Thoughts

I think overall the solution is really strong. Many clients need to fulfill their customers’ requirements to ensure people cannot run around with unfettered local admin. This is a great solution to couple with Microsoft’s new EPM (Endpoint Privilege Management) solution. Nothing is one size fits all, but I think many companies will get huge value from leveraging EPM alongside this.
