Intune: Different ways of setting a Local Admin account, but is it a good idea?

-
Security has always been and will always be an important subject and with the increasing number of recent security attacks, I felt compelled to cover the topic of setting local admin accounts on endpoints.

Before the landscape of Modern workplace even came into picture, setting a local admin account (aka break glass account) has been a common practice. Now that more and more organizations are adopting Modern Workplace framework, this requirement has just evolved. I must point out that even though setting a local admin account is extremely useful and the fact that it allows administrators to perform elevated admin tasks, from a security standpoint it is not such a good idea. But more on that later. Let's see what are the different ways to set the local admin account using Intune.

In case of a Domain Account -

When you connect a Windows device with Azure AD using Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:

- The Azure AD global administrator role
- The Azure AD device administrator role
- The user performing the Azure AD join

However, if you want to add any other domain account outside the ones mentioned above, then you can do so using following methods.

Additional Local Administrators

In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:

1. Sign in to your Azure portal as a global administrator.
2. Search for and select Azure Active Directory.
3. In the Manage section, click Devices.
4. On the Devices page, click Device settings.

To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.

Please note that this feature requires Azure AD Premium Tenant. Also, local administrators in here will get added to all the devices that get joined to Azure AD. There is no way to scope this at a device level.

Which brings us to the next couple of methods that leverage different CSPs.

Restricted Groups CSP starting Windows 10 2004

When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. Therefore, it is important to add the default accounts in the custom configuration. I have highlighted them below. 

1. Navigate to the Microsoft Endpoint Manager admin center portal. 
2. Head over to Devices > Windows > Configuration profiles.
3. Click Create profile to open the Create a profile blade and select Platform as Windows 10 and later.
4. Select templates and chose Custom. Fill in the name and other necessary details and click on settings.
5. Here we are going to be using the following values -

Name - Local Admin

Description - Set Local Admin

OMA-URI - ./Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership

Data Type - String

Value - 

<groupmembership>
 <accessgroup desc = "Administrators">
 <member name = "Administrator" />
 <member name = "S-1-12-1-1163434852-1197172539-44796078-500235900" />
 <member name = "S-1-12-1-3146799803-1163991935-2384276401-1043884363" />
                <member name = "AzureAD\LocalAdmin1@sampledomain.com" />
                 <member name = "AzureAD\LocalAdmin2@sampledomain.com" />
 </accessgroup>
</groupmembership>

6. We are only going to run this on devices running Windows 10 2004 so use the following applicability rule.

Rule - Assign profile if

Property - OS version

Value - 10.0.19041.0 to 10.0.19041.985

7. Deploy to a user\device based group.

LocalUsersandGroups CSP starting Windows 10 20H2

Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy as RestrictedGroups policy replaces all of the existing users & groups with the new members and it does not allow selective add or remove.

Please note that The LocalUsersAndGroups policy setting and the RestrictedGroups policy setting should not be used together, as the behavior will be unpredictable. Both policy settings will be applied in no particular order.

The different elements used are -

<accessgroup desc> – This element specifies the name or SID of the local group that should be configured.

<group action> – This element specifies the action that should be taken on the on the local group that should be configured. Those actions can be update (U) or restrict (R) and can be used to achieve the following:

U – This action can be used to add or remove members of the local group that should be configured.
R – This action can be used to replace current members of the local group that should be configured. 

<add member> – This element specifies the name or SID of the member that should be added to the local group.

<remove member> – This element specifies the name or SID of the member that should be removed from the local group. This element is not processed when the restrict action is used.

For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using Graph API for Groups. The SID is present in the securityIdentifier attribute.

1. Navigate to the Microsoft Endpoint Manager admin center portal. 
2. Head over to Devices > Windows > Configuration profiles.
3. Click Create profile to open the Create a profile blade and select Platform as Windows 10 and later.
4. Select templates and chose Custom. Fill in the name and other necessary details and click on settings.
5. Here we are going to be using the following values -

Name - Local Admin

Description - Set Local Admin

OMA-URI - ./Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure

Data Type - String

Value - 

<GroupConfiguration>
    <accessgroup desc = "Administrators">
        <group action = "U"/>
            <add member = "AzureAD\LocalAdmin1@sampledomain.com"/>
            <add member = "AzureAD\LocalAdmin2@sampledomain.com"/>
    </accessgroup>
</GroupConfiguration>

6. We are only going to run this on devices running Windows 10 20H2 so use the following applicability rule.

Rule - Assign profile if

Property - OS version

Value - 10.0.19042.0 to 10.0.19042.985

7. Deploy to a user\device based group.

Note from the field: I encountered an issue where the UPN of the accounts were not getting mapped to fetch the relevant SID. If this happens then you will see an event id 1202 in eventvwr stating - "No mapping between account names and security IDs". Even though I found out later that the issue was related to the fact that the accounts were disabled in AD, you do have the option to use the SID values instead. Why this works you ask? This is because when specifying a SID in the <add member> or <remove member>, member SIDs are added without attempting to resolve them.

In case you do decide to use SID values, then you can head over to the post by Oliver Kieselbach who has covered the process of converting the user object id to SID perfectly and also visa-versa. I used his script and credits to him for sharing it with the community.

In case of a non-domain account -

Accounts CSP to create a local Windows account

1. Navigate to the Microsoft Endpoint Manager admin center portal. 
2. Head over to Devices > Windows > Configuration profiles.
3. Click Create profile to open the Create a profile blade and select Platform as Windows 10 and later.
4. Select templates and chose Custom. Fill in the name and other necessary details and click on settings.
5. We are going to be creating 2 OMA-URI settings here so refer to values below -

OMA-URI 1

Name - Local Admin

Description - Set Local Admin

OMA-URI - ./Device/Vendor/MSFT/Accounts/Users/rahuljindallocaladmin/LocalUserGroup

Data Type - Interger

Value - 2

OMA-URI 2

Name - Local Admin Password

Description - Set Local Admin Password

OMA-URI - ./Device/Vendor/MSFT/Accounts/Users/rahuljindallocaladmin/Password

Data Type - String

Value - P@55w0rd

6. Deploy to a user\device based group.

Powershell Script to add Local Windows account

Note: Configuring Password for local admin account using PS is not a good security practice as the credentials will be visible in plain text.

Here is the PS script that you can use to create a local Windows account.

$LocalUser = "rahuljindaladmin"
$Password = ConvertTo-SecureString "P@55w0rd" -AsPlainText -Force
Function Create_LocalWindowsAccount
{
    New-LocalUser $LocalUser -Password $Password -FullName "Local Admin" -Description "Local Administrator account."
    Add-LocalGroupMember -Group "Administrators" -Member $LocalUser
    Set-LocalUser -Name $LocalUser -PasswordNeverExpires:$true
}
{
Create_LocalWindowsAccount
}

1. Sign-in to the Microsoft Endpoint Manager admin center portal. 
2. Browse to Devices – Windows – PowerShell Scripts
3. Click on Add
4. Give a Name
5. Select the script
6. Set Run this script using the logged on credentials as No
7. Set Enforce script signature check to No
8. Set Run script in 64 bit PowerShell Host as Yes
9. Deploy to the user\device based group.

Now coming to the point as to why setting a local account is not such a great idea; since the same account will get configured on multiple devices (depends on which method you use) and if the account gets compromised, then you risk your devices of being exposed to all kind of hacking scenarios. If there is a business need to set a local admin account, then a strict and aggressive password rotation policy should be adopted at the very least.

Comments

  1. BobbyAugust 31, 2021 at 4:44 PM

    Hmmm CSP applies great. But we have a use case where we want to add primary user to local admin of machine. The restricted group policy even once removed from intune seems to be tatttooed to the device and the user keeps getting pulled from the local admin group. Any thoughts on how to se the CSP policy for restricted groups to "unconfigured" or to clear whatever has been tattooed?

    ReplyDelete
    Replies
    1. Rahul JindalSeptember 3, 2021 at 5:20 AM

      It will depend on how you are adding members in the list. Just by removing the policy will not do anything to the local admin group. However, if you are on 20h2 or later then consider using localusersandgroups csp instead.

      Delete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Intune: UAC Elevation Prompt Behavior for Standard Users

-
Image
Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process. Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you. Let us see what all is involved and some of the ways that you can use to implement this easily. Policy CSP – LocalPoliciesSecurityOptions LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is U
Read more