When we use AutoPilot with Windows 10 and Intune, one of the great benefits is that the enrolling user becomes a standard user rather than a local admin by default. In some cases we of course need to make the user who enrolled the PC a local admin, for example after they ordered it from a self-service solution. This script can be run as a script from Intune; it reads which user enrolled the Windows 10 device from the following registry location: HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo
We then add it to Intune as a script with the following settings. Note that the script must be run as a 64-bit script, as for example “Get-LocalGroup” is not available in 32-bit PowerShell on a 64-bit system.
The script writes its output to C:\Windows\Temp\localadmin.log. If it is re-run, it checks that the user is already in the local Administrators group and logs that instead of reporting that it has added the user.
The script works on localized Windows 10 versions; it was tested on Swedish to make sure. One challenge was that the “Get-LocalGroupMember” PowerShell command doesn’t work on an Azure AD joined device, as there are two unresolved SIDs in the member list. It will throw the following error.
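The approach described above, written out as an added example rather than the post's own script. It assumes the JoinInfo subkey holds a UserEmail value, that the enrolling user's local principal name is AzureAD\<UserEmail>, and that ADSI reports group members' AdsPath as WinNT://AzureAD/<UserEmail>; the Administrators group is resolved by its well-known SID so localized names work, and membership is checked through ADSI to sidestep the Get-LocalGroupMember failure.

```powershell
# Added example, not the blog's script. Assumptions: JoinInfo\<GUID> has a "UserEmail" value,
# the local principal is "AzureAD\<UserEmail>", and ADSI AdsPath is "WinNT://AzureAD/<UserEmail>".
$LogFile = 'C:\Windows\Temp\localadmin.log'
function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Out-File -FilePath $LogFile -Append
}

# Intune must run this as a 64-bit script (Get-LocalGroup is missing in 32-bit PowerShell); bail out otherwise.
if (-not [Environment]::Is64BitProcess) { Write-Log 'Not running in 64-bit PowerShell, exiting.'; exit 1 }

# 1. Find who enrolled the device: the JoinInfo subkey carries the enrolling user's UPN.
$joinKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo'
$joinInfo  = Get-ChildItem -Path $joinKey -ErrorAction Stop | Select-Object -First 1
$userEmail = (Get-ItemProperty -Path $joinInfo.PSPath).UserEmail
if ([string]::IsNullOrWhiteSpace($userEmail)) { Write-Log 'No UserEmail found under JoinInfo, exiting.'; exit 1 }
$member = "AzureAD\$userEmail"

# 2. Resolve the Administrators group by well-known SID so localized names (e.g. Swedish "Administratörer") work.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

# 3. Membership check via ADSI instead of Get-LocalGroupMember, which throws on Azure AD joined devices
#    because of unresolved SIDs in the member list. Members that cannot be read are skipped, not fatal.
function Test-IsLocalGroupMember {
    param([string]$GroupName, [string]$Upn)
    $group = [ADSI]"WinNT://./$GroupName,group"
    foreach ($m in @($group.Invoke('Members'))) {
        try {
            $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
            if ($path -like "*AzureAD/$Upn") { return $true }   # assumed AdsPath form, see above
        } catch {
            continue   # unresolved SID entry; ignore and keep scanning
        }
    }
    return $false
}

# 4. Idempotent: on re-run, only log that the user is already a member.
if (Test-IsLocalGroupMember -GroupName $adminGroup.Name -Upn $userEmail) {
    Write-Log "$member is already a member of $($adminGroup.Name); nothing to do."
} else {
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $member -ErrorAction Stop
    Write-Log "Added $member to $($adminGroup.Name)."
}
```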