Enable/Disable built-in Administrator account using Intune
In this tutorial, we will look at the steps to enable and disable the built-in administrator account using Intune on Windows 10/11 devices.
It is widely known that the built-in administrator account on Windows devices is disabled by default. That is because the administrator account has complete control over the computer and can bypass all User Account Control (UAC) safeguards.
The built-in administrator account has a specific and well-known security identifier, and some attacks target that particular SID. As a security measure, Microsoft disables the Administrator account on new Windows installations. Read the following guide to find out the reasons why you should not enable the default administrator account.
Although you can manually enable the built-in administrator account on Windows devices, Intune can do it for you on multiple devices, which saves the time of your IT team. If your organization requires it, you can also disable the built-in administrator account either through Intune or Group Policy.
On Intune-managed Windows 10/11 devices, there are three ways to enable or disable the built-in local administrator account: device configuration profile, OMA-URI settings, and device remediations. With each method, you need to make different changes, but the result stays the same.
Some organizations prefer to rename the local administrator account on Windows devices via Intune instead of disabling it. This is done to avoid creating an additional administrator account for the IT team for troubleshooting.
When do you enable the administrator account on a Windows device?
So, in what situations does an organization use Intune to enable the built-in administrator account? If the organization has enabled Windows LAPS in Intune, it is important that the administrator account be enabled before utilizing the LAPS policies. You cannot manage the built-in administrator account password via LAPS if the account is in a disabled state.
Windows LAPS allows for the management of a single local administrator account per device. You can manage the Windows Local Administrator Password Solution (Windows LAPS) on Windows 10/11 devices you manage with Microsoft Intune.
Enable built-in administrator account using Intune
Use the following steps to create a new policy in Intune to enable the built-in administrator account on Windows 10/11 devices:
Step 1: Create a device configuration profile
Sign in to the Intune admin center. Select Devices > Windows > Configuration Profiles. To create a new policy, select Create > New Policy.
On the Create a profile window, configure the following settings and select Create.
Platform: Windows 10 and later
Profile Type: Settings Catalog
Step 2: Configure the Profile Name and Description
In this step, you enter the basic details about the configuration profile. In the Basics tab, enter the following details:
Name: Enter a descriptive name for the profile that can be easily identified later. In the below example, we have set the profile name to “Enable built-in administrator account using Intune.”
Description: Enter a brief description of the profile. This setting is optional but recommended.
Click Next.
Step 3: Configure Accounts Enable Administrator Account Status
In the Configuration Settings section, under Settings Catalog, click Add Settings. In the Settings picker window, type “Enable Administrator Account” in the search box and click Search. From the search results, select “Local Policies Security Options.”
In the bottom pane, select the following setting: “Accounts Enable Administrator Account Status.” Close the Settings Picker.
The built-in administrator account will either be enabled or disabled based on the configuration of the following settings in the Intune admin center:
Accounts Enable Administrator Account Status = Enabled. This will enable the built-in administrator account on Windows devices.
Accounts Enable Administrator Account Status = Disabled. This will disable the built-in administrator account on Windows devices.
Set the Accounts Enable Administrator Account Status to Enabled. Click Next.
Step 4: Scope Tags and Profile Assignments
In Intune, Scope tags determine which objects admins can see. In the Scope tags section, you specify scope tags. Specifying scope tags is optional, and you may skip this step. Click Next.
In the Assignments window, select the device or user groups to which you want to assign this policy. We recommend deploying the profile to a few test groups first and then expanding it to more groups if the testing is successful. Select Next.
Step 5: Review and Create Policy
On the Review + Create page, review all the settings that you have configured for enabling the built-in administrator account via Intune and select Create.
After you create a configuration policy in Intune, a notification appears: “Policy created successfully.” This confirms that the policy has been created and is being applied to the groups we chose. The profile that we created appears in Intune’s list of configuration profiles.
Synchronize Intune Policies
Once you have assigned a policy to your devices, you must wait for the policy to be applied to the targeted groups, and the devices will receive your profile settings once they check in with the Microsoft Intune service. To receive policies from Intune, the devices must be online. You can also force sync Intune policies using different methods, such as PowerShell, on your computers to get the latest policies and settings from Intune.
Monitor the policy deployment
To monitor the policy in Intune that you applied to Windows devices and users, select the policy and review the device and user check-in status.
Under the device and user check-in status, we see the total number of devices and users that succeeded in receiving the policy. In some cases, the policy may fail to apply to certain devices. To resolve such failures, review the Intune logs on the affected computers.
As illustrated by the screenshot below, our groups have successfully applied the built-in administrator account policy that was assigned through Intune. Click on View Report to view all the Windows devices that have received the policy settings to enable the built-in administrator account.
Verify the built-in administrator account status
In this section, we will demonstrate several methods for determining whether the built-in administrator account has been successfully enabled as per the Intune policy applied to our Windows devices.
You can check to see if Intune has enabled the built-in administrator account on your Windows devices using one of three methods:
Local Users and Groups
Windows Event Viewer
Windows Registry
Local Users and Groups
Accessing the local users and groups is one of the simplest ways to check if Intune has enabled the built-in administrator account. Press the Win + R keyboard shortcut. Type “lusrmgr.msc” and press Enter to launch the Local Users and Groups window. Go to the Users directory, and you will notice that the Administrator account has been enabled, as per the Intune policy.
Windows Event Viewer
Event IDs 813 and 814 indicate whether Intune has successfully applied the built-in administrator account policy settings. The Intune MDM event logs can be viewed on client devices using the Event Viewer.
Launch the event viewer on the Windows device by running the shortcut command eventvwr. Next, browse the following path in the event viewer to view Intune MDM event logs:
Application and Services Logs: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Once you have navigated to the above path in Event Viewer, you may filter the current log with ‘Event ID 813.’ This will give you quick access to the event logs that you’re looking for. In the screenshot below, the event ID 813 confirms that the Windows device has successfully received the Accounts_EnableAdministratorAccountStatus policy settings from Intune.
MDM PolicyManager: Set policy int, Policy: (Accounts_EnableAdministratorAccountStatus), Area: (LocalPoliciesSecurityOptions), EnrollmentID requesting merge: (A4A38B7F-5820-4F93-8981-DEB32C194D7B), Current User: (Device), Int: (0x1), Enrollment Type: (0x0), Scope: (0x0).
Windows Registry
Check the Windows Registry on the client device to see if the Intune policy enabled the built-in administrator account. Run the regedit.exe command to open the registry editor on a Windows device. In the registry editor, navigate to the below path.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\AdministratorGUID\default\Device\LocalPoliciesSecurityOptions
Here you’ll see the Accounts_EnableAdministratorAccountStatus registry key with the value “1.” This confirms that you can use the Windows registry to check whether the administrator account was enabled as per the Intune policy.
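The three checks above can also be scripted. The following PowerShell is an added example, not part of the original tutorial: it resolves the built-in Administrator by its well-known RID (500) so a renamed account is still found, enumerates the enrollment GUIDs under the PolicyManager providers key instead of assuming one, and reads the latest event 813 for this policy. Variable names are illustrative.

```powershell
# Added example: run in an elevated Windows PowerShell 5.1+ session on the client.
$policyName = 'Accounts_EnableAdministratorAccountStatus'

# 1. Local account state. The built-in Administrator always has RID 500,
#    so match on the SID instead of the name (the account may be renamed).
$admin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }

# 2. Policy value per enrollment. The GUID under "providers" differs per
#    enrollment, so enumerate the provider keys instead of hard-coding one.
$providers = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'
$regHits = @(Get-ChildItem -Path $providers -ErrorAction SilentlyContinue | ForEach-Object {
    $key = "$providers\$($_.PSChildName)\default\Device\LocalPoliciesSecurityOptions"
    $val = (Get-ItemProperty -Path $key -Name $policyName -ErrorAction SilentlyContinue).$policyName
    if ($null -ne $val) {
        [pscustomobject]@{ EnrollmentId = $_.PSChildName; Value = [int]$val }
    }
})

# 3. Most recent event 813 for this policy in the MDM admin log
#    (Get-WinEvent returns the newest events first).
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$event813 = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 813 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$policyName*" } |
    Select-Object -First 1

[pscustomobject]@{
    AccountName    = $admin.Name
    AccountSid     = $admin.SID.Value
    AccountEnabled = $admin.Enabled
    PolicyValues   = ($regHits | ForEach-Object { "$($_.EnrollmentId)=$($_.Value)" }) -join '; '
    LastEvent813   = $event813.TimeCreated
    Event813Text   = $event813.Message
} | Format-List

# Flag drift between what the policy requests (1 = enabled, 0 = disabled)
# and the actual state of the account.
foreach ($hit in $regHits) {
    if ($admin -and ([bool]$hit.Value -ne $admin.Enabled)) {
        Write-Warning "Enrollment $($hit.EnrollmentId): policy value $($hit.Value), but account Enabled=$($admin.Enabled)."
    }
}
```

A warning from the last loop means the device has received the policy value but the local account state does not match it, which is the case to investigate in the Intune logs.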
Policy CSP – Accounts_EnableAdministratorAccountStatus
An alternate way to enable or disable the administrator account via Intune on Windows devices is to use the OMA-URI settings. The Policy CSP – Accounts_EnableAdministratorAccountStatus includes the settings to enable or disable the built-in administrator account with Intune.
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
You can enable or disable the built-in administrator account using the following OMA-URI settings in Intune.
Name: Enable Administrator Account
Description: Specify a brief description
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
Data type: Integer
Value:
Specify 1 to enable the administrator account
Specify 0 to disable the administrator account
Troubleshooting
After you deploy the policy to enable the built-in administrator account using Intune, it may fail to apply on some Windows devices. To resolve the issues, we recommend reviewing Intune logs on Windows computers.
Listed below are some common errors that you may encounter during the process of enabling the administrator account via Intune.
Error code 65000: When you apply the policy to enable the administrator account via Intune, the policy settings may fail to apply on some Windows devices. During our testing on one of our devices, we encountered the error code 65000 in the Intune admin center. This error code appears either because the current Windows device does not accept the policy settings or because the current Administrator password doesn’t meet the password requirements. You’ll need to first configure the password requirements policy via Intune and then enable the administrator account.
Error code 0x87D1FDE8: This is a known issue in Microsoft Intune. Microsoft says this error is a temporary error that appears in the Intune admin center and goes away after the device checks in again.