Proactive Remediation – recover local admin

Hi there

I hope you’re enjoying the other Intune-related posts. Today I’m publishing a Proactive Remediation script (detection and remediation) to assist with local admin credential recovery in environments of any size. This will probably be replaced by LAPS once it reaches GA (General Availability) in Intune.

If you have worked with companies where the Intune Windows Autopilot Deployment Profile OOBE user account type is set to Administrator, you probably need to know which local admin users have been created all over the place.

I’m assuming all devices are managed by Intune and are communicating properly. These detection and remediation scripts can also be used in GPOs (Group Policy Objects) if you allow users to VPN in and reach the available Domain Controllers.

This Script will help you to:

  1. detect whether the New Local Admin exists on the device (and always update its password to the New Standard Password)
  2. create the New Local Admin if it doesn’t exist on the device
  3. add the New Local Admin user to the local Administrators group
  4. list all existing local users that are members of the local Administrators group and update their password to the New Standard Password
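As an added example (not the author’s downloadable script), here is a detection/remediation pair that implements the four steps above in the shape Proactive Remediations expect: the detection body exits 0 when compliant and 1 to trigger remediation. The account name `ITAdmin`, the `$Mode` switch, the `Reset-*`/`Test-*` function names and the password placeholder are all assumptions; the post’s design of one standard password across the fleet is kept as-is, which is exactly the weakness LAPS removes by rotating a unique password per device.

```powershell
# Added example: save one copy with $Mode = 'Detection' and one with $Mode = 'Remediation'
# and upload them as the two halves of a Proactive Remediation. Assumes the LocalAccounts
# module (64-bit PowerShell host, SYSTEM context). Names and password source are assumptions.
$Mode          = 'Remediation'                       # 'Detection' or 'Remediation'
$NewLocalAdmin = 'ITAdmin'                            # assumed account name
$AdminsSid     = 'S-1-5-32-544'                       # built-in Administrators, independent of OS language

# Assumption: the "New Standard Password" is injected into the script body at deployment time.
# A fleet-wide shared password is what the post describes; LAPS rotates a unique one per device.
$StandardPassword = ConvertTo-SecureString 'REPLACE-WITH-STANDARD-PASSWORD' -AsPlainText -Force

function Get-LocalAdminMembers {
    # Only local user principals (not domain, Azure AD or Microsoft accounts, not nested groups).
    # -ErrorAction Continue keeps an orphaned SID in the group from aborting the whole run.
    Get-LocalGroupMember -SID $AdminsSid -ErrorAction Continue |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
}

function Test-NewLocalAdmin {
    # Step 1 (detection): account exists, is enabled and is a member of Administrators.
    $user = Get-LocalUser -Name $NewLocalAdmin -ErrorAction SilentlyContinue
    if (-not $user -or -not $user.Enabled) { return $false }
    return [bool](Get-LocalAdminMembers | Where-Object { $_.SID -eq $user.SID })
}

function Reset-NewLocalAdmin {
    # Steps 2 and 3: create the account if missing, otherwise refresh its password; then
    # make sure it is in the local Administrators group.
    $user = Get-LocalUser -Name $NewLocalAdmin -ErrorAction SilentlyContinue
    if (-not $user) {
        $user = New-LocalUser -Name $NewLocalAdmin -Password $StandardPassword `
                    -PasswordNeverExpires -AccountNeverExpires -Description 'Recovery local admin'
    } else {
        Set-LocalUser -Name $NewLocalAdmin -Password $StandardPassword
    }
    Enable-LocalUser -Name $NewLocalAdmin
    if (-not (Get-LocalAdminMembers | Where-Object { $_.SID -eq $user.SID })) {
        Add-LocalGroupMember -SID $AdminsSid -Member $NewLocalAdmin
    }
}

function Reset-OtherLocalAdmins {
    # Step 4: every other local user in Administrators gets the standard password.
    # Returns the names that were reset so the remediation output lists them (never the password).
    $reset = @()
    foreach ($member in Get-LocalAdminMembers) {
        $name = $member.Name.Split('\')[-1]          # strip the COMPUTERNAME\ prefix
        if ($name -eq $NewLocalAdmin) { continue }
        Set-LocalUser -Name $name -Password $StandardPassword
        $reset += $name
    }
    return $reset
}

switch ($Mode) {
    'Detection' {
        if (Test-NewLocalAdmin) {
            # Per the post, the password is refreshed on every detection run as well.
            Set-LocalUser -Name $NewLocalAdmin -Password $StandardPassword
            Write-Output "Compliant: $NewLocalAdmin present in Administrators"
            exit 0
        }
        Write-Output "Not compliant: $NewLocalAdmin missing or not an administrator"
        exit 1                                        # non-zero tells Intune to run remediation
    }
    'Remediation' {
        Reset-NewLocalAdmin
        $others = Reset-OtherLocalAdmins
        Write-Output ("Remediated. Other local admins reset: " + ($others -join ', '))
        exit 0
    }
}
```

When you upload the pair, set “Run this script using the logged-on credentials” to No and “Run script in 64-bit PowerShell” to Yes: the `Microsoft.PowerShell.LocalAccounts` cmdlets are not available in the 32-bit host Intune uses by default, so the script would fail before touching any account. The output strings above are what shows up in the Proactive Remediation report, which is why the reset account names are returned but the password never is.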

🥷 Download Proactive Remediation script

TIP: you can also use a CSP policy to Deny Logon Locally to a specific account and allow only the New Local Admin, so that physical access to the device is preserved and no one else is signing in, if that’s part of the user termination process.

More about the LAPS preview here and here.


Thiago Beier
Toronto, CA

