Let’s check how to Manage Local Admins using Intune Local User Group Membership Management Policy. There are many ways to manage Local groups on Azure AD Joined Windows 11 or Windows 10 PCs. However, the new Intune MEM policy helps to manage local groups using the native MDM channel.
Local user group membership policies help MEM admin to add, remove, or replace members of local groups on Windows devices. You can manage Local groups with on-prem domain Users/Groups and Azure AD Users/Group SIDs.
I recommend using the SID option wherever possible in the Local user group membership policy. The SIDs will help to avoid regional language issues with Local Group Names. You can use the group name as Administrators for English language Windows PCs but not for French or German Language PCs.
NOTE! – I have not tested the LOCAL Administrator account with non-English language to confirm whether this works fine without any SIDs. I think this is already taken care of by this workflow. There could be a chance that this CSP and workflow might work without SIDs as well for the local administrator scenario.
The local user group management policy in Intune is based on a policy CSP called LocalUsersAndGroups policies. The RestrictedGroups/ConfigureGroupMembership policy setting allows you to configure members (users or AAD groups) to a Windows 10 or Windows 11 local group.
- Collect Intune Logs from MEM Portal Diagnostic Data
- Intune Logs Event IDs IME Logs Details for Windows Client Side Troubleshooting
- Intune Audit Logs Track Who Created Updated Device Compliance Policy
Create Local User Group Membership Policy to Manage Local Admins using Intune
Let’s learn how o create a local user group membership policy to manage local admins of Windows 10 or Windows 11 devices. This local user group membership policy is supported for Hybrid Azure AD joined, and Azure AD joined devices.
To create a local user group membership policy, you will need to login into the endpoint.microsoft.com portal.
- Navigate to Endpoint Security tab.
- Scroll down and on Account Protection tab.
- Click on +Create Policy button to start the policy creation process.
Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy.
- From the create a profile blade – Select Windows 10 and later as the platform.
- Select Local User Group Membership as profile.
Enter the Name and description of the local user group membership management policy from Intune.
- Name – Manage Local Administrators Group
- Description – This policy is to manage Local Administrators Group
Click on the Next button to continue.
Video Tutorial Intune Policies for Managing Local User Groups
Let’s check the video tutorial – Intune Policies for Managing Local User Groups for Azure AD Joined Devices | Hybrid Azure AD Joined.
Supported Local User Groups
Only six (6) local user groups are supported with the Local User Group Management policy. You will need to select any of the following local user groups to manage the membership. You can use any of these groups to remove or add members.
- Power Users
- Remote Desktop Users
- Remote Management Users
NOTE! – This policy allows only for a full replacement of the existing groups with the new members and does not allow selective add or remove.
You can have only ONE LocalUserAndGroups policy deployed to a Windows Device. If you deploy more than one local user group membership policy to the same devices, it will create a Conflict error in Intune.
Local Group and User Actions – Management
There are two actions available for the Local User group management policy. In the XML and event logs, you would be able to see the two actions as U (Update) and R (Replace/Restrict).
- Update action must be used to keep the current group membership intact and add or remove members of the specific group.
- Restrict action must be used to replace current membership with the newly specified groups.
NOTE! – The Restrict action provides the same functionality as the RestrictedGroups/ConfigureGroupMembership policy setting.
The Intune MEM portal has the following list of Group and User Action in place. You can check the options below.
- Add (Update): Adds members to specified group while keeping the current group membership intact.
- Remove (Update): Removes members of specified group while keeping the current group membership intact.
- Add (Replace): Replaces current membership of specified group with newly specified group.
Azure AD Joined Scenario – Add Azure AD Users/Groups to Local User Group
I have selected the add (update) option to add new members to the local user group. To add Azure AD Users/User Groups into Windows 10 or Windows 11 local user groups, you must select Users/Groups from User Selection Type.
Now, click on the Users under selected users/groups to choose the Azure AD users/groups from the search menu below. Click on the Select button to continue.
Hybrid Azure AD Joined – Add Domain Users or SIDs to Local User Groups
Add users to be managed as part of select local groups. Please enter one or more user identifiers as they appear on the device. You can use the following formats:
- SID (security identifier)
You have to select the Manual option from the drop-down menu under the User Selection type. Once selected, click on the link to manually add SIDs/User Names/Group Names of on-prem active directory to Hybrid Azure AD Windows 10 and Windows 11 PCs.
Click on the OK to continue.
Now, you can click on the Next button.
Click on the Next button. From this page, you can perform the assignment actions. I have added the Local User group Management policy to two Azure AD device groups.
You can click on the Create button to complete the Manage Local Administrators Group policy.
Local group – Administrators
Group and user action – Add (Update)
User selection type – Manual
Selected user(s) – memcm\Helpdesk Admins, Local User
Local Admin Management Policy Creation Failed
Local Admin Management Policy creation using local user group membership policy is failed. This policy creation error was mostly because Local Group was shown as NOT Configured on the review page as shown above. This is strange because, in the above screenshot, you can see I have selected the Administrators as the local group name for both.
I deleted the entry that is under the User Selection Type – Manual. And added back to fix the issue with policy creation.
Now, you can see that the local user membership management policy creation issue was fixed, and the policy was successfully created.
Local User Group Management Policy Error 0x80070534
I have received 3 errors with the local user group management policy. I tried this with Cloud PC, and this is a Hybrid Azure AD joined PC. The error 0x80070534 is because of lookup failures.
It seems the name/SID lookup failed for Azure AD users and Local Users. Hence the event log errors as explained below. If there are multiple errors, the last error is returned at the end of the policy processing.
Event Log path for Intune logs – > Applications and Services -> Microsoft->Windows->DeviceManagement-Enterprise-Diagnostics-Provider->Admin
Event ID 806 – MDM PolicyManager: Merge string, Area: (LocalUsersAndGroups), Policy: (Configure), EnrollmentID requesting merge: (A2866686-F537-49AD-86C6-0038967B86C9), Result:(0x80070534) No mapping between account names and security IDs was done..
Event ID 821 – MDM PolicyManager: Merge of policy did not complete successfully, Policy: (LocalUsersAndGroups), Area: (Configure), Result:(0x80070534) No mapping between account names and security IDs was done.
Event ID 810 – MDM PolicyManager: Set policy string, Policy: (Configure), Area: (LocalUsersAndGroups), EnrollmentID requesting set: (A2866686-F537-49AD-86C6-0038967B86C9), Current User: (Device), String: ( ), Enrollment Type: (0x6), Scope: (0x0), Result:(0x80070534) No mapping between account names and security IDs was done.
Event ID 404 – MDM ConfigurationManager: Command failure status. Configuration Source ID: (A2866686-F537-49AD-86C6-0038967B86C9), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure), Result: (No mapping between account names and security IDs was done.).
Intune Error Code 6500 and Fix
I see the Intune error code 6500 when I looked at Intune reports for the local user group membership policy that I have created above. It’s because of the oblivious reasons mentioned below. I explained the issue related to Manage Local Admins using Intune Local User Group Membership Management Policy.
STATE – Error
ERROR TYPE – 2
ERROR CODE – 65000
You should create a separate local user group membership policy for Hybrid Azure AD joined and a separate one for Azure AD joined Windows 11 or Windows 10 devices. This will help to avoid the above-mentioned errors in Intune.
As you can see in the results, the memcm\Helpdesk Admins on-prem Active directory group is added to the local administrators group. Adding the Azure AD user accounts is failed because this is Hybrid Azure AD joined Windows PC.
You can add Azure AD User or Group only to the Local user group of Windows 11, or Windows 10 Azure AD joined device.
I need to perform more tests to understand how the Azure AD joined scenario works with the local user group management policy with Intune. I’ll update the post once I have tested the Manage Local Administrators Group policy.
The “Local User” account configured above didn’t get added to the local Administrators group because of the typo in the policy configuration. The actual Local user account name is LocalUser (there is no space in between).
You can launch CompMgr.msc from the run menu to confirm whether the local user and on-prem AD group are added to the Local Administrators group. The best method to manage the local user group membership is to use Intune policy explained in this post.