The main aim (hey, that rhymed!) is to give a quick introduction to custom profiles via OMA-URIs rather than going all theory heavy. If you’re interested in that, check out some of the other posts on this blog!
First of all, by default, all AzureAD devices will have two roles automatically assigned as Device Administrators:
- Global Administrators
- Local Administrators
Now, if the device wasn’t enrolled via an Autopilot profile in which you defined the user account type as Standard, then the first user to log in and register the device will also be made a local administrator. That isn’t so great for the security-minded administrator, so make sure to click the link above and learn how to avoid it 😉.
But again, that’s not the main aim (there’s that rhyme again!) of this post. So onwards and upwards to your OMA-URI introduction!
Custom Policy Profile Configurations
This method is split into two parts, as the first part will add a generic local user to the device. This is not recommended in a production environment: a standard "universal" account is no bueno in terms of zero trust, and the password requires a reset the first time you log in with this account (you can get around this requirement by pushing out a PowerShell script but, for now, that's outside the scope of this post).
Head over to Intune > Devices > Configuration profiles > + Create profile > select Windows 10 and later > Profile type: Templates > Custom.
Type in a name for your profile:
And select Add. The values you want to enter are as follows:
- Name: Add Local Administrator [it doesn’t actually matter what you name it]
- Description: Optional but useful, especially if you’re a dope and gave it a stupid name whose meaning you won’t be able to remember months down the line.
- OMA-URI: ./Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure [see this post if you want to see how OMA-URIs are constructed]
- Data type: String [as I’m keeping the theory light, all you need to know is that String essentially means you’re entering text]
- Value: [the following is the XML definition you’ll be using to tell your Intune-enrolled device what to do]
<GroupConfiguration>
    <accessgroup desc="Administrators">
        <group action="U"/>
        <add member="AzureAD\thomas@MSDx933083.onmicrosoft.com"/>
    </accessgroup>
</GroupConfiguration>
OK, I know I said I was keeping this theory-lite, but this last part (the value) is important to understand. Breaking it down:
- <accessgroup desc> – This element specifies the name (or SID) of the local group that should be configured.
- <group action> – This element specifies the action that should be taken on the local group that should be configured.
  - U – Update: this action can be used to add or remove members of the local group that should be configured, leaving its other members in place.
- <add member> – This element specifies the name or SID of the member that should be added to the local group.
Hit save. Go ahead and assign the profile to the device groups you want your policy to target.
Review your settings and, if you’re happy, create it.
Congratulations! Your Local Admin policy has been created! Hit up the link under “Monitor” to make sure it hits the devices you’ve targeted, and also for any eventual troubleshooting.
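Beyond the Monitor blade, it is worth confirming on a targeted device what actually ended up in the local Administrators group, since the stray first-user admin mentioned earlier will not show up in the Intune report. The following PowerShell check is an added example, not part of the original post: it compares the group’s members with an allowlist (the placeholder list below reuses the post’s example member and assumes the ADsPath format WinNT://<authority>/<name>; replace it with the members you expect on your own devices).

```powershell
# Added example (not from the original post): audit the local Administrators group on a
# targeted device and compare it with the members you expect the OMA-URI policy to leave there.
# Assumption: the allowlist below is a placeholder; replace it with your own expected members.
$ExpectedMembers = @(
    'Administrator',                              # built-in local account
    'AzureAD\thomas@MSDx933083.onmicrosoft.com'   # the member added by the policy in this post
)

function Get-LocalAdminMembers {
    # Enumerate members through the WinNT ADSI provider, which works without the
    # LocalAccounts module. Assumption: each member's ADsPath looks like
    # WinNT://<authority>/<name>, e.g. WinNT://AzureAD/user@tenant.onmicrosoft.com,
    # so it is rewritten here to the familiar <authority>\<name> form.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-LocalAdminDrift {
    param([string[]]$Expected)
    $actual = @(Get-LocalAdminMembers)
    # Built-in accounts come back as <COMPUTERNAME>\<name>; strip the machine prefix
    # so the allowlist can use bare names. -notcontains compares case-insensitively.
    $normalized = $actual | ForEach-Object { $_ -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", '' }
    [pscustomobject]@{
        Actual     = @($normalized)
        # Anything not on the allowlist: e.g. the first user who registered the device
        # when no Autopilot profile set the account type to Standard, or the Azure AD
        # role entries (usually unresolved S-1-12-1-... SIDs) you have not explicitly allowed.
        Unexpected = @($normalized | Where-Object { $Expected -notcontains $_ })
        # Allowed members not present: the policy may not have reached the device yet.
        Missing    = @($Expected | Where-Object { $normalized -notcontains $_ })
    }
}

$result = Test-LocalAdminDrift -Expected $ExpectedMembers
if ($result.Unexpected.Count -gt 0) {
    Write-Warning "Unexpected local administrators: $($result.Unexpected -join ', ')"
}
if ($result.Missing.Count -gt 0) {
    Write-Warning "Expected members not found (policy not applied yet?): $($result.Missing -join ', ')"
}
$result
```

Run it in an elevated PowerShell session on the device; a non-empty Unexpected list is the thing to chase down, and a non-empty Missing list usually just means a sync has not happened yet.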
But remember that I meant for this post to be a super quick introduction, and I really encourage you to check out the other posts on this blog.
Edit: No, really. This was one of the first blog posts I wrote and I personally feel that I have gotten a lot better at this stuff 😉.