This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 82%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
How to give a standard user a local admin rights on Windows devices via Intune? What are the ways to do it and how I can achieve this as I tried EPM in Intune but somehow it did not work may be because of the policy or something is not configured correctly?
Try this powershell and deploy it to current user; add-localgroupmember -Group "Administrators" -Member "AzureAD$env:USERNAME" I use the same but with different cmdlet to remove local admin. I highly recommend that you DON'T want to do this :D
Thanks for your answer on this @Pavel yannara Mirochnitchenko Also is there a way to remove it later once the user completes his task
@Pavel yannara Mirochnitchenko How does it work? Does it allows end users to install apps and drivers on devices or what level of permissions it provides on those devices?
Local admin, as you were asking :) .. so everything is allewed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 26%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBH%3C/text%3E%3C/svg%3E)
@Pavel yannara Mirochnitchenko : Hi, great post—thanks for sharing!
Quick question: I’m planning to deploy this script via Intune and had a few configuration clarifications:
Should I scope it to user groups or device groups? The script modifies system-level settings, so I’m leaning toward device groups—is that correct?
“Run this script using the logged on credentials” – Should this be set to No, since the script requires admin rights?
“Enforce script signature check” – Is it safe to set this to No if we don’t currently sign our internal scripts?
“Run script in 64-bit PowerShell Host” – I assume Yes is the right choice, as the script interacts with system registry paths?
Would appreciate your insights on the best practice configuration. Thanks again!
@Bhushan Hejmady this script is designed to run in user context, so using logged on credential is appropriate.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Vinod Survase, Thanks for posting in Q&A.
For the policy, could you confirm if we tried the policy in the following link to add the user into local administrators group? If not, try this one and see if it works.
However, if the above profile is still not working, please collect the following information to clarify:
If there's any update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Vinod Survase, How's everything going? Were the above suggestions working? If there's any update, feel free to let us know.