Create a local user account on Windows 10 with Microsoft Intune

After last week's blog post about restricting which users can log on to a Windows 10 device, today another post about managing local users and local rights. In this post I show how we can create a local user account on a Windows 10 device with Microsoft Intune. Optionally, we can assign the local account Administrator rights.

As in the previous post, we use a Configuration Service Provider (CSP) policy and a Custom configuration profile to get the job done. This time we need the Accounts CSP.

All the information we need can be found in the Microsoft docs.

Configure the Custom Configuration profile

  • Choose Windows 10 and later as Platform
  • Choose Custom as Profile type
  • Click Create
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Click the Settings tab
  • Click Add

Part of the OMA-URI contains the username for the local account we create, for example Users/{UserName}/LocalUserGroup.
Replace {UserName} with the username of your choice. In my example I create a new user account with the username LocalUser, so the OMA-URIs below contain Users/LocalUser/.
The Data type is String.
As value we provide the password of the local user account.

Enter the information below in the policy:
Name: RestrictedGroups – ConfigureGroupMembership
OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/LocalUser/Password
Data Type: String
Value: Your Password

Click OK.

Optionally, we can add a second row to assign the local user Administrator rights on the device. If this setting is not set, the user account will be a standard user account.

Click Add.

Enter the information below in the policy if you want to assign Administrator rights:
Name: RestrictedGroups – ConfigureGroupMembership
OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/LocalUser/LocalUserGroup
Data Type: Integer
Value: 2

Click OK (twice) and click Create.

Assign the profile to a security group and we're ready to check the end result.

End result

When we check the local users via Computer Management, we see that a new local user account has been created, in this example LocalUser.

And because I added the second row to assign the new local user account Administrator rights, the local user account is a member of the local Administrators group.
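As an added example that is not part of the original post, the PowerShell below checks on the device what the profile actually did: whether the account exists, whether it ended up in the local Administrators group, and whether its password expires (the Accounts CSP does not set "Password never expires"). The default username LocalUser and the -ExpectAdmin switch are assumptions for this example.

```powershell
# Added example (not from the original post): verify the result of the Accounts CSP profile.
# $UserName is the {UserName} used in the OMA-URI (LocalUser in the post).
# -ExpectAdmin: set when the second row (LocalUserGroup = 2) was deployed as well.
param(
    [string]$UserName = 'LocalUser',
    [switch]$ExpectAdmin
)

$user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Output "FAIL: local user '$UserName' does not exist"
    exit 1
}
Write-Output "OK: local user '$UserName' exists (Enabled=$($user.Enabled), SID=$($user.SID))"

# Identify the Administrators group by its well-known SID and compare member SIDs, so a
# renamed account or a localized group name does not break the check.
$adminGroupSid = 'S-1-5-32-544'
try {
    $isAdmin = [bool](Get-LocalGroupMember -SID $adminGroupSid -ErrorAction Stop |
        Where-Object { $_.SID -eq $user.SID })
} catch {
    # Get-LocalGroupMember can throw on Azure AD joined devices when a member SID cannot be
    # resolved; fall back to the classic tool, which lists member names one per line.
    $isAdmin = (net localgroup Administrators) -contains $UserName
}

if ($ExpectAdmin -and -not $isAdmin) {
    Write-Output "FAIL: '$UserName' is not a member of Administrators"
    exit 1
}
if (-not $ExpectAdmin -and $isAdmin) {
    # A standard-user row should not produce an administrator; flag it for review.
    Write-Output "WARN: '$UserName' unexpectedly has Administrator rights"
} else {
    Write-Output "OK: Administrator membership = $isAdmin (expected $([bool]$ExpectAdmin))"
}

# The CSP leaves the account under the local password policy; PasswordExpires is $null only
# when 'Password never expires' is set, which explains the forced change at first sign-in.
if ($null -eq $user.PasswordExpires) {
    Write-Output "INFO: password of '$UserName' never expires"
} else {
    Write-Output "INFO: password of '$UserName' expires on $($user.PasswordExpires)"
}
```

Run it in an elevated PowerShell on the device, or deploy it with Intune in the device (SYSTEM) context; a non-zero exit code marks the device as not matching the intended configuration.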

NB: If you want to sign in with a local account on a Windows 10 Azure AD joined device, put “.\” before the username, as you would on an AD joined device.

That's it for this post, thank you for reading!

NB: In the Endpoint Manager admin center, the policy shows an Error state even if the policy is applied successfully.


  1. Hi,
    I think there is some mistake in your post.
    The second one, to assign local admin rights, I think the OMA-URI is not good.

    Also you said “replace UserName with the username of your choice.” But on the OMA-URI, it is “localuser” that we should replace, right?

    Could you please be more specific, or detail it more? Thanks 🙂

    • Hi Dan,

      Thanks for pointing out the wrong URL.

      I hope the text is now clearer; if not, please let me know. Then I will replace the text and screenshots with a clearer example. I can imagine LocalUser as an example isn't very clear 🙂

      • Thanks for the reply. By the way, great article, because it works.
        Just a tip: I would have put LocalUser (without S! Typo in your text 🙂) between brackets. This way, when we see the command line (the OMA-URI) we know that this text has to be changed.

        Also, I would have mentioned that to log in on a PC joined to AAD (with Intune), you need to put “.\”. Without that, it will only accept AAD login, not a local one (at least on my computers… I don’t know if it is the common behavior).

        Many thanks 🙂

  2. Hi 🙂
    It works, but in Intune it shows remediation failed. Don't know why…
    But the policy is applied.

    • Same here, policy applied successfully, only it keeps showing remediation failed.
      Any idea why? Or how to make it succeed @Peter

        • Just want to check if this “remediation failed” is still showing up on your end? We’re trying to use the same steps and the deployment status always shows error -remediation failed. Thanks mate!

      • Hi guys!

        I noticed the same, therefore the very first note of the article:
        NB: In the Endpoint Manager admin center, the policy shows an Error state even if the policy is applied successfully.

        Seems that the GET part of the policy is not available in Windows and therefore Intune is not able to query the status of the setting.
        Have seen that before with other policies, where MS confirmed the GET part was missing. So I guess that's the same for this setting.

      • I had this issue when applying the policy to the user group because I was adding it to the user group, and the signed-in user was a standard account. Once I changed it to the dynamic device group the policy applied correctly.

  3. Hi Peter – This is awesome, thanks for the comprehensive post.

    Is there a way to set the account password to never expire? I’m currently having issues where, when I create the local admin account and I try to log in/elevate, it forces me to update the password, and also it doesn’t check the box “Password never expires”.

    Thanks again

    • Hi,

      I'm not aware of a possibility to set the password to never expire.
      The account is targeted with the local password policy. You can target the machine with a password policy, using a device restrictions profile, but there is no setting in that to set it to never expire.

    • Use the following in a PS script. Successfully tested this:

      Set-LocalUser -Name "ACCOUNT_NAME" -PasswordNeverExpires:$true

  4. Hi Peter! This is terrific. One question for you…

    Say you assign this policy to a device and the local admin account is created. Is it possible to reverse this policy and remove that account at a later date?

    Appreciate your thoughts/knowledge. Thanks!

    • Same here…. I created a script to run to add a local account, give admin rights and set the password not to expire but that also fails to run (both in device context and user context – the latter because the user isn’t an admin).

  5. Hello All,
    I created the Local account – LocalUser, with the same steps as mentioned. It worked fine with the Admin rights but when I tried to change the name of the account, it did not appear with Admin rights. What wrong am I doing? Can someone please guide me?
