ℹ️
Use case: Deploy a standardised local admin account to all managed devices via Intune for break-glass access — without embedding credentials in Group Policy or using a single shared password across the fleet.
01 The PowerShell Script
Copy this script and save it as create-local-admin.ps1. Update the username and password before deploying. Note that the password is stored in clear text inside the script, so keep the file out of shared repositories and rotate the password after deployment (see the security tip below).

# Account to create. Change to your desired username.
$Username = "LocalAdmin"
# Single quotes are required here: in a double-quoted string PowerShell would
# expand "$1" as a variable and silently set the password to "Net@admin".
$Password = ConvertTo-SecureString 'Net@admin$1' -AsPlainText -Force
$Description = "Local Admin Account created via Intune"

# Only create the account if it does not already exist
if (-not (Get-LocalUser -Name $Username -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Username `
        -Password $Password `
        -FullName $Username `
        -Description $Description `
        -PasswordNeverExpires
    # Grant local administrator rights
    Add-LocalGroupMember -Group "Administrators" -Member $Username
    Write-Output "Created: '$Username' added to Administrators group."
} else {
    Write-Output "Account '$Username' already exists — no action taken."
}
02 Upload the Script to Intune
Log in to endpoint.microsoft.com → Devices → Scripts and remediations → Platform scripts → + Add → Windows 10 and later. Name it and upload the .ps1 file.
03 Set Execution Settings
Configure these three settings on the Script settings tab:
Run this script using the logged-on credentials: No (the script then runs as SYSTEM, which is required to create local users and modify the Administrators group)
Enforce script signature check: No
Run script in 64-bit PowerShell Host: Yes
04 Assign to Device Group and Create
On the Assignments tab, add your target device group under Required. Test on a pilot group first. Click through to Create.
05 Verify the Account Was Created
On a test device, verify the script ran and the account exists:
# Run locally on the device to verify:
Get-LocalUser -Name 'LocalAdmin'
Get-LocalGroupMember -Group 'Administrators'
💡
Security tip: Use a different password per environment (dev/prod) and consider rotating it with a follow-up Intune remediation script. Never use the same local admin password across all devices — if one is compromised, all are.
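The verification in step 05 and the follow-up remediation mentioned in the security tip can be combined into an Intune remediation "detection" script. The script below is an added example, not part of the original page: it checks that the break-glass account still exists, is enabled, is a local administrator, and that its password is younger than an assumed rotation limit, and exits 1 so Intune runs the paired remediation script when any check fails.

```powershell
# Intune remediation detection script (added example, not from the original page).
# Assumes the account was deployed as 'LocalAdmin' by the script above and that
# passwords older than $MaxPasswordAgeDays should trigger remediation.
$Username           = 'LocalAdmin'   # assumption: must match the deployment script
$MaxPasswordAgeDays = 90             # assumption: your rotation policy

$issues = @()

$user = Get-LocalUser -Name $Username -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Output "NonCompliant: account '$Username' does not exist."
    exit 1
}

if (-not $user.Enabled) { $issues += "account is disabled" }

# Compare by SID rather than display name so a renamed account or a domain
# account with the same name is not mistaken for the local one.
$adminSids = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
             ForEach-Object { $_.SID.Value }
if ($adminSids -notcontains $user.SID.Value) {
    $issues += "not a member of Administrators"
}

if (-not $user.PasswordLastSet) {
    $issues += "password has never been set"
} elseif ($user.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
    $ageDays = [int]((Get-Date) - $user.PasswordLastSet).TotalDays
    $issues += "password is $ageDays days old (limit $MaxPasswordAgeDays)"
}

if ($issues.Count -gt 0) {
    Write-Output ("NonCompliant: " + ($issues -join '; '))
    exit 1   # non-zero exit tells Intune to run the paired remediation script
}
Write-Output "Compliant: '$Username' exists, is enabled, is a local admin, and its password is within the age limit."
exit 0
```

Deploy it under Devices → Scripts and remediations → Remediations with the same execution settings as in step 03; the remediation script it pairs with is where the per-environment password rotation from the security tip belongs.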