🖥️ Automating Local Admin Account Creation with Intune Remediations & Windows Autopilot


When deploying kiosk or shared devices with Windows Autopilot, having a consistent and secure local administrator account is essential for maintenance and troubleshooting. This PowerShell script is designed for use with Microsoft Intune Remediations and automatically creates (or updates) a predefined admin account during or after device provisioning.

📌 Key points to consider:
  1. The account is created only if missing, or updated if it already exists.
  2. It enforces a secure password policy (minimum 12 characters).
  3. The account is automatically added to the correct localized Administrators group, regardless of OS language.
  4. It writes an event entry in Windows Event Viewer for audit tracking.
💡 Note: Using Intune Remediations for local admin provisioning ensures consistent configurations across all Autopilot-enrolled devices. This approach eliminates manual steps during deployment and keeps your kiosk endpoints secure, standardized, and easy to manage. This script is a great way to automate administrative account setup and strengthen security in your Intune-managed environment. 🚀
PowerShell Script

# ================== CONFIG ==================
# Set the password you want to use here. It is stored in plain text in this script,
# so anyone who can read the script can read the password.
$PlainPassword = 'Choose your password'
# ===========================================

$AdminUser = "kioskadmin"
$FullName  = "Kiosk Admin"
$Desc      = "Maintenance account (shared)"

function Get-AdministratorsGroupName {
    # Retrieve the localized Administrator group name via the well-known SID S-1-5-32-544
    $adm = Get-LocalGroup | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if (-not $adm) { throw "Could not find the Administrators group via SID S-1-5-32-544." }
    return $adm.Name
}

function Ensure-Admin {
    param([string]$User,[string]$Plain,[string]$Full,[string]$Description)

    # Must be run as Administrator
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw "This script must be run as Administrator/System." }

    if ([string]::IsNullOrWhiteSpace($Plain) -or $Plain.Length -lt 12) {
        throw "Password is empty or too short. Use at least 12 characters."
    }

    $Secure = ConvertTo-SecureString $Plain -AsPlainText -Force
    $existing = Get-LocalUser -Name $User -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "The account '$User' already exists. Updating properties and password..."
        Set-LocalUser -Name $User -FullName $Full -Description $Description -ErrorAction Stop
        Set-LocalUser -Name $User -Password $Secure -ErrorAction Stop
        Enable-LocalUser -Name $User -ErrorAction Stop
    } else {
        Write-Host "Creating local account '$User'..."
        New-LocalUser -Name $User -Password $Secure -FullName $Full -Description $Description -AccountNeverExpires:$true -ErrorAction Stop
    }

    # Add to the localized Administrators group
    $AdminsGroupName = Get-AdministratorsGroupName
    Write-Host "Using Administrators group: '$AdminsGroupName'"

    # Check membership (wrap in @() so .Count is reliable when zero or one member matches)
    $isMember = $false
    try {
        $isMember = @(Get-LocalGroupMember -Group $AdminsGroupName -ErrorAction Stop |
            Where-Object { $_.Name -ieq $User -or $_.Name -ieq "$env:COMPUTERNAME\$User" }).Count -gt 0
    } catch {
        throw "Failed to read group members for '$AdminsGroupName': $($_.Exception.Message)"
    }

    if (-not $isMember) {
        Write-Host "Adding '$User' to group '$AdminsGroupName'..."
        # Use explicit local qualification for safety
        Add-LocalGroupMember -Group $AdminsGroupName -Member "$env:COMPUTERNAME\$User" -ErrorAction Stop
    } else {
        Write-Host "'$User' is already a member of '$AdminsGroupName'."
    }

    # Verify after addition (again wrapped in @() so .Count works for zero or one match)
    $verify = @(Get-LocalGroupMember -Group $AdminsGroupName -ErrorAction Stop |
        Where-Object { $_.Name -ieq $User -or $_.Name -ieq "$env:COMPUTERNAME\$User" }).Count -gt 0
    if (-not $verify) {
        throw "Verification failed: '$User' does not appear as a member of '$AdminsGroupName' after addition."
    }
}

try {
    Ensure-Admin -User $AdminUser -Plain $PlainPassword -Full $FullName -Description $Desc

    # (Optional) simple event log entry without the password
    $src = "KioskAdminProvisioning"
    if (-not [System.Diagnostics.EventLog]::SourceExists($src)) {
        New-EventLog -LogName Application -Source $src -ErrorAction SilentlyContinue
    }
    Write-EventLog -LogName Application -Source $src -EntryType Information -EventId 1001 `
        -Message "The account '$AdminUser' was created/updated and is a member of Administrators (localized)."

    Write-Host "Done." -ForegroundColor Green
    exit 0
}
catch {
    Write-Error $_.Exception.Message
    exit 1
}
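An Intune Remediation is always a pair: the detection script runs first and its exit code decides whether the remediation script above runs (exit 0 means compliant, a non-zero exit means remediate). The post only shows the remediation half, so the following detection script is an added example and not part of the original post. It assumes the same account name `kioskadmin`, checks the three states the remediation enforces (account exists, is enabled, is a member of the Administrators group resolved by its well-known SID) and deliberately never reads, sets or logs the password.

```powershell
# Detection script to pair with the remediation above (added example, not from the original post).
# Intune runs this first: exit 0 = compliant (remediation is skipped), exit 1 = run the remediation.
$AdminUser = "kioskadmin"   # must match the account name used in the remediation script

try {
    # 1. The account must exist and be enabled
    $user = Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Output "Account '$AdminUser' is missing."
        exit 1
    }
    if (-not $user.Enabled) {
        Write-Output "Account '$AdminUser' exists but is disabled."
        exit 1
    }

    # 2. Resolve the localized Administrators group by well-known SID, exactly as the remediation does
    $admGroup = Get-LocalGroup | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if (-not $admGroup) {
        Write-Output "Administrators group (S-1-5-32-544) not found."
        exit 1
    }

    # 3. Compare membership by SID instead of by name, so the check does not depend on
    #    whether a member is reported as 'user' or 'COMPUTERNAME\user'
    $members  = @(Get-LocalGroupMember -Group $admGroup.Name -ErrorAction Stop)
    $isMember = @($members | Where-Object { $_.SID.Value -eq $user.SID.Value }).Count -gt 0
    if (-not $isMember) {
        Write-Output "Account '$AdminUser' is not a member of '$($admGroup.Name)'."
        exit 1
    }

    Write-Output "Compliant: '$AdminUser' exists, is enabled and is a member of '$($admGroup.Name)'."
    exit 0
}
catch {
    # Any unexpected error is reported as non-compliant so the remediation gets a chance to fix it
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}
```

Whatever the script writes to standard output is captured by Intune as the pre-remediation detection output, so the short messages above are enough to see in the remediation report which of the three conditions failed on a given device without exposing anything sensitive.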
