In this blog post, we will cover multiple ways to add an existing Entra user account or Entra security group to the local Administrators group on Windows 10 and Windows 11 devices using the Intune admin center.
If you need to create a new local administrator account on Windows 10/11 devices instead of elevating an existing Entra identity, refer to this step-by-step guide: Create a Local Admin Account Using Intune.
Method 1 – Using a Powershell Script
You can use a PowerShell script to add a user to the local Administrators group on target Windows devices. This approach works for an Entra user account referenced by its user principal name (UPN); net localgroup does not resolve an Entra security group by name, so use Method 3 for groups. Let’s check the steps:
Step 1 – Create a PowerShell Script
Open Notepad and paste the following line. Replace the UPN with the account you intend to add to the local Administrators group on the target devices, then save the file as Add_Local_Admin.ps1.
For example, the following command adds the user [email protected] to the local Administrators group. The AzureAD\ prefix is the local account-name prefix Windows uses for Entra accounts; it did not change with the rename from Azure AD to Entra.
net localgroup Administrators "AzureAD\[email protected]" /add
Step 2 – Deploy the PowerShell Script
The next step is to deploy the PowerShell script file ‘Add_Local_Admin.ps1,’ which will add [email protected] to the local Administrators group. Deploy it as a platform script that runs in the system context (leave “Run this script using the logged on credentials” set to No), because modifying the Administrators group requires local administrator rights, which the signed-in user does not have yet.
You can refer to the step-by-step guide below for deploying PowerShell scripts using the Intune admin center: How to deploy a PowerShell script using Intune.
Step 3 – Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
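As an added example (not code from the original post), the following PowerShell forces an Intune check-in from an elevated session on the device itself. It assumes the device is MDM-enrolled in Intune, finds the enrollment whose ProviderID is “MS DM Server”, and starts the enrollment client’s PushLaunch scheduled task, which performs the on-demand check-in.

```powershell
# Added example: trigger an Intune device check-in from the device.
# Assumption: the device is enrolled in Intune (ProviderID "MS DM Server").

function Get-IntuneEnrollmentId {
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $root -ErrorAction Stop |
        Where-Object {
            (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server'
        } |
        Select-Object -First 1 -ExpandProperty PSChildName
}

function Start-IntuneSync {
    $enrollmentId = Get-IntuneEnrollmentId
    if (-not $enrollmentId) {
        throw 'No Intune (MS DM Server) enrollment found on this device.'
    }

    # The enrollment client registers its check-in tasks under this path;
    # PushLaunch is the task that performs an on-demand device check-in.
    $taskPath = "\Microsoft\Windows\EnterpriseMgmt\$enrollmentId\"
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName 'PushLaunch' -ErrorAction Stop
    $task | Start-ScheduledTask

    # Give the task a moment to run, then report its last result (0 = success).
    Start-Sleep -Seconds 5
    Get-ScheduledTaskInfo -TaskPath $taskPath -TaskName 'PushLaunch' |
        Select-Object TaskName, LastRunTime, LastTaskResult
}

Start-IntuneSync
```

Run this from an elevated PowerShell prompt; a LastTaskResult of 0 means the check-in task ran, and the script assignment should then show up in the device status within a few minutes.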
Step 4 – Monitoring Script Deployment Status
To monitor the deployment status of the script, follow the steps below:
- Sign in to the Microsoft Intune admin center.
- Click on “Devices” and then select “Scripts” (in newer admin center builds this is under Scripts and remediations > Platform scripts).
- Click on the Script deployment created in the previous step.
- From the Overview page, you can find the Device and User status of this deployment.
Step 5 – End-User Experience
Once the script deployment reports success, check whether the user account [email protected] has actually been added to the local Administrators group on the target devices.
To confirm, follow the steps below:
- Press the Windows key + R to open the Run dialog box.
- Type compmgmt.msc and press Enter to open the Computer Management console.
- Navigate to Local Users and Groups > Groups.
- Double-click the Administrators group, and you will find the Entra user account listed with the AzureAD\ prefix.
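The one-line script above works, but it is not idempotent, writes nothing you can troubleshoot with, and always exits 0, so the Intune admin center reports success even when the add failed. The following is an added example of a hardened version of Method 1 (not the post’s own script) that covers Steps 1 and 5: it adds the Entra user only if it is not already a member, logs to ProgramData, verifies the result, and returns a non-zero exit code on failure. It assumes it runs in the system context (the Intune default) and that the UPN in $Upn is a placeholder you replace before deploying.

```powershell
# Added example: idempotent Intune platform script that adds an Entra user
# to the local Administrators group and verifies the result.
# Assumptions: runs as SYSTEM (Intune default); $Upn is a placeholder.

$Upn     = 'user@contoso.com'                    # placeholder, replace before deploying
$LogPath = "$env:ProgramData\Add_Local_Admin.log"

function Write-Log {
    param([string]$Message)
    # Log to a file only; writing to the pipeline here would pollute the
    # return values of the functions below.
    Add-Content -Path $LogPath -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

function Get-AdminMemberNames {
    try {
        return (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name
    } catch {
        # Get-LocalGroupMember fails when the group contains an unresolvable
        # (orphaned) SID; fall back to parsing 'net localgroup' output.
        Write-Log "Get-LocalGroupMember failed, falling back to net localgroup: $($_.Exception.Message)"
        $out = net localgroup Administrators
        return $out |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' } |
            ForEach-Object { $_.Trim() }
    }
}

function Test-IsLocalAdmin {
    param([string]$MemberName)
    # Entra accounts appear as AzureAD\<UPN>; -eq is case-insensitive in PowerShell.
    return [bool](Get-AdminMemberNames | Where-Object { $_ -eq $MemberName })
}

function Add-EntraUserToLocalAdmins {
    param([string]$UserPrincipalName)
    $memberName = "AzureAD\$UserPrincipalName"

    if (Test-IsLocalAdmin -MemberName $memberName) {
        Write-Log "$memberName is already a member of Administrators; nothing to do."
        return 0
    }

    try {
        Add-LocalGroupMember -Group 'Administrators' -Member $memberName -ErrorAction Stop
    } catch {
        Write-Log "Failed to add $memberName : $($_.Exception.Message)"
        return 1
    }

    if (Test-IsLocalAdmin -MemberName $memberName) {
        Write-Log "Added $memberName to Administrators."
        return 0
    }

    Write-Log "Add-LocalGroupMember reported no error but $memberName is still not a member."
    return 1
}

$exitCode = Add-EntraUserToLocalAdmins -UserPrincipalName $Upn
exit $exitCode
```

Because the script exits non-zero on failure, a device that could not resolve the UPN (for example, a device that is not Entra joined) shows as Failed in the script’s Device status, and the log in %ProgramData% tells you why. Keep in mind that this is a one-time action: if someone later removes the user from the group, the script will not run again to restore it, whereas the policy in Method 3 keeps enforcing membership.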
Method 2 – Using an Autopilot Deployment Profile
If you are using an Autopilot deployment profile, you can make a user a local administrator with this method. When a device is provisioned with a user-driven Autopilot profile whose User account type is set to Administrator, the user who performs the enrollment automatically becomes a member of the local Administrators group on that device. This decision is made at provisioning time: changing the profile later does not affect devices that have already been provisioned, and it only applies to the enrolling user, not to other users who sign in afterwards.
To check the Autopilot Deployment profile, Navigate to Intune admin center > Devices > Enroll Devices > Windows enrollment > Deployment profiles.
Method 3 – Using Local User Group Membership
You can add an Entra user account or an Entra security group using the Local user group membership profile available in the Intune admin center. This is the recommended method for security groups, and because it is a policy rather than a one-time script, Intune keeps enforcing the membership on every policy refresh.
- Sign in to the Intune admin center.
- Go to Endpoint Security > Account protection.
- Click on Create Policy.
- Platform: Windows 10 and later
- Profile: Local user group membership, then click Create. In the configuration settings, choose the local group (Administrators), the group and user action (Add (Update) appends the listed users and groups; Add (Replace) makes them the only members and removes everything else, so test it before broad assignment), and select the Entra users or groups to add.
For complete information and step-by-step instructions on adding a user or group to the local admin group using Intune, refer to the guide: ‘Add a User to Local Admin Group Using Intune‘.
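Under the hood, the Local user group membership profile is delivered through the LocalUsersAndGroups CSP, which identifies Entra users and groups by SID rather than by name. The following added example (not from the original post) converts an Entra object ID to the SID Windows will store, builds the XML the CSP expects for the Administrators group, and checks on a device whether a given SID is now a member. The object ID in the example is constructed, not a real tenant object, and the U/R action codes map to the portal’s Add (Update) and Add (Replace) choices.

```powershell
# Added example: Entra object ID -> SID, LocalUsersAndGroups CSP XML, and a
# membership check. The object ID below is constructed for illustration.

function ConvertTo-EntraSid {
    param([Parameter(Mandatory)][string]$ObjectId)
    # Entra (cloud) SIDs have the form S-1-12-1-<a>-<b>-<c>-<d>, where a..d are
    # the four little-endian UInt32 values of the object ID's 16 GUID bytes.
    $bytes = [guid]::Parse($ObjectId).ToByteArray()
    $parts = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    return 'S-1-12-1-' + ($parts -join '-')
}

function New-LocalAdminsPolicyXml {
    param(
        [Parameter(Mandatory)][string[]]$MemberSid,
        # U = Add (Update): append members. R = Add (Replace): listed members
        # become the only members of the group.
        [ValidateSet('U', 'R')][string]$Action = 'U'
    )
    $adds = ($MemberSid | ForEach-Object { "    <add member=`"$_`"/>" }) -join "`n"
    @"
<GroupConfiguration>
  <accessgroup desc="Administrators">
    <group action="$Action" />
$adds
  </accessgroup>
</GroupConfiguration>
"@
}

function Test-LocalAdminSid {
    param([Parameter(Mandatory)][string]$Sid)
    # An Entra group added by policy shows up in the local group by its SID.
    return [bool](Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.SID.Value -eq $Sid })
}

# Constructed object ID of a hypothetical "Workstation Admins" Entra group.
$exampleObjectId = '3f2504e0-4f89-11d3-9a0c-0305e82c3301'
$sid = ConvertTo-EntraSid -ObjectId $exampleObjectId
$sid
New-LocalAdminsPolicyXml -MemberSid $sid -Action 'U'
# On a device that has received the policy, confirm membership:
# Test-LocalAdminSid -Sid $sid
```

Comparing the SID you compute here with the entries in Get-LocalGroupMember (or in the Computer Management console, where an Entra group appears as a bare SID) is the quickest way to confirm that the right group landed in Administrators. The same conversion is useful in reverse when you audit a fleet and need to map unknown S-1-12-1 SIDs in the Administrators group back to Entra objects.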