- Mission: to have an administrator user assigned to an Intune-deployed workstation
- Symptoms
- Helpdesk operators are not able to elevate permissions or run administrative tasks
- OR
- It is impossible to install or uninstall an application because there is no admin account
From the Intune console, go to Endpoint security, then Account protection.
In the Account protection view, click Create Policy and select the platform Windows 10 and later and the profile Local user group membership.
In the next step, name your new policy and optionally give it a description. Then go to step nº 2, which consists of adding a user or a group to the Administrators local group.
Clicking Select users/groups opens a selection box on the right where you can select the users or groups to be added as administrators. I suggest using a group for your administrators instead of adding scattered users, as administration becomes much easier (just add or remove the account from the group).
I will skip the scope tags configuration (just click Next), but if you use scope tags in your environment you can set them here.
In the Assignments pane you can assign the policy to all your Windows workstations (Add all devices) or to groups of devices (it depends on how your environment is configured). After selecting the devices that will receive the policy, click Create in the 5th step.
After the workstations sync with Intune, the user or group will be added to the Administrators group and you'll be able to elevate permissions or install applications with it.
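To confirm on a workstation that the policy applied, the following PowerShell script (an added example, not part of the original post) lists the SIDs in the local Administrators group and checks for the one derived from the assigned group's object ID. It assumes a cloud-only Entra ID group or user; the parameter and function names are hypothetical.

```powershell
# Added example: run on the target workstation after it has synced with Intune.
param(
    # Object ID of the Entra ID group or user chosen in the policy (supply your own value).
    [Parameter(Mandatory)][guid]$GroupObjectId
)

function Convert-ObjectIdToSid {
    param([guid]$ObjectId)
    # Entra ID SIDs are S-1-12-1 followed by the GUID's 16 bytes read as four UInt32 values.
    $parts = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($ObjectId.ToByteArray(), 0, $parts, 0, 16)
    'S-1-12-1-' + ($parts -join '-')
}

function Get-LocalAdministratorSids {
    # Resolve the group by its well-known SID because its display name is localized.
    $sid   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://./$name,group"
    # Read raw SIDs through ADSI so members that cannot be resolved to a name are still listed.
    foreach ($member in $group.psbase.Invoke('Members')) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

$expected = Convert-ObjectIdToSid -ObjectId $GroupObjectId
$members  = @(Get-LocalAdministratorSids)

# Print every member so unexpected administrators are visible during the check.
$members | ForEach-Object { Write-Output "Member: $_" }

if ($members -contains $expected) {
    Write-Output "OK: $expected is in the local Administrators group."
} else {
    Write-Warning "$expected not found; the policy may not have applied yet."
    exit 1
}
```

Save it as a .ps1 file and pass the object ID with -GroupObjectId.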