Enable/Disable built-in Administrator account using Intune

Learn how to enable or disable the built-in administrator account on Windows devices using Microsoft Intune.

Posted by Prajwal Desai

In this tutorial, we will look at the steps to enable and disable the built-in administrator account using Intune on Windows 10/11 devices.

It is widely known that the built-in Administrator account on Windows devices is disabled by default. That is because the account has complete control over the computer and can bypass all User Account Control (UAC) safeguards.

The built-in administrator account has a specific and well-known security identifier, and some attacks target that particular SID. As a security measure, Microsoft disables the Administrator account on new Windows installations. Read the following guide to find out the reasons why you should not enable the default administrator account.

Although you can manually enable the built-in administrator account on Windows devices, Intune can do it for you on multiple devices, which saves the time of your IT team. If your organization requires it, you can also disable the built-in administrator account either through Intune or Group Policy.

On Intune-managed Windows 10/11 devices, there are three ways to enable or disable the built-in local administrator account: device configuration profile, OMA-URI settings, and device remediations. With each method, you need to make different changes, but the result stays the same.

Some organizations prefer to rename the local administrator account on Windows devices via Intune instead of disabling it. This is done to avoid creating an additional administrator account for the IT team for troubleshooting.

When do you enable the administrator account on a Windows device?

So, in what situations does an organization use Intune to enable the built-in administrator account? If the organization has enabled Windows LAPS in Intune, it is important that the administrator account be enabled before utilizing the LAPS policies. You cannot manage the built-in administrator account password via LAPS if the account is in a disabled state.

Windows LAPS allows for the management of a single local administrator account per device. You can manage the Windows Local Administrator Password Solution (Windows LAPS) on Windows 10/11 devices you manage with Microsoft Intune.

Enable built-in administrator account using Intune

Use the following steps to create a new policy in Intune to enable the built-in administrator account on Windows 10/11 devices:

Step 1: Create a device configuration profile

Sign in to the Intune admin center. Select Devices > Windows > Configuration Profiles. To create a new policy, select Create > New Policy.

On the Create a profile window, configure the following settings and select Create.

  • Platform: Windows 10 and later
  • Profile Type: Settings Catalog
Enable built-in administrator account using Intune

Step 2: Configure the Profile Name and Description

In this step, you enter the basic details about the configuration profile. In the Basics tab, enter the following details:

  • Name: Enter a descriptive name for the profile that can be easily identified later. In the below example, we have set the profile name to “Enable built-in administrator account using Intune.”
  • Description: Enter a brief description of the profile. This setting is optional but recommended.

Click Next.

Enable built-in administrator account using Intune

Step 3: Configure Accounts Enable Administrator Account Status

In the Configuration Settings section, under Settings Catalog, click Add Settings. In the Settings picker window, type “Enable Administrator Account” in the search box and click Search. From the search results, select “Local Policies Security Options.”

In the bottom pane, select the following setting: “Accounts Enable Administrator Account Status.” Close the Settings Picker.

Enable built-in administrator account using Intune

The built-in administrator account will either be enabled or disabled based on the configuration of the following settings in the Intune admin center:

  1. Accounts Enable Administrator Account Status = Enabled. This will enable the built-in administrator account on Windows devices.
  2. Accounts Enable Administrator Account Status = Disabled. This will disable the built-in administrator account on Windows devices.

Set the Accounts Enable Administrator Account Status to Enabled. Click Next.

Enable built-in administrator account using Intune

Step 4: Scope Tags and Profile Assignments

In Intune, Scope tags determine which objects admins can see. In the Scope tags section, you specify scope tags. Specifying scope tags is optional, and you may skip this step. Click Next.

In the Assignments window, select the device or user groups to which you want to assign this policy. We recommend deploying the profile to a few test groups first and then expanding it to more groups if the testing is successful. Select Next.

Configuration Profile Assignments

Step 5: Review and Create Policy

On the Review + Create page, review all the settings that you have configured for enabling the built-in administrator account via Intune and select Create.

After you create a configuration policy in Intune, a notification appears: “Policy created successfully.” This confirms that the policy has been created and is being applied to the groups we chose. The profile that we created appears in Intune’s list of configuration profiles.

Create Intune Policy to enable built-in administrator account

Synchronize Intune Policies

Once you have assigned a policy to your devices, wait for it to reach the targeted groups: devices receive the profile settings the next time they check in with the Microsoft Intune service, so they must be online. You can also force an Intune sync on your computers using different methods, such as PowerShell, to pull the latest policies and settings from Intune.

Monitor the policy deployment

To monitor the policy in Intune that you applied to Windows devices and users, select the policy and review the device and user check-in status.

Under the device and user check-in status, we see the total number of devices and users that succeeded in receiving the policy. In some cases, the policy may fail to apply to certain devices. To resolve this, troubleshoot by reviewing the Intune logs on the affected computers.

As illustrated by the screenshot below, our groups have successfully applied the built-in administrator account policy that was assigned through Intune. Click on View Report to view all the Windows devices that have received the policy settings to enable the built-in administrator account.

Monitor the policy deployment

Verify the built-in administrator account status

In this section, we will demonstrate several methods for determining whether the built-in administrator account has been successfully enabled as per the Intune policy applied to our Windows devices.

You can check to see if Intune has enabled the built-in administrator account on your Windows devices using one of three methods:

  1. Local Users and Groups
  2. Windows Event Viewer
  3. Windows Registry

Local Users and Groups

Opening Local Users and Groups is one of the simplest ways to check whether Intune has enabled the built-in administrator account. Press Win + R, type “lusrmgr.msc” and press Enter to launch the Local Users and Groups console. Open the Users folder, and you will see that the Administrator account is enabled, as required by the Intune policy.

Local Users and Groups: Verify the built-in administrator account status

Windows Event Viewer

Event IDs 813 and 814 in the Intune MDM diagnostics log indicate whether the device has successfully received the policy setting that enables the built-in administrator account. These MDM event logs can be viewed on client devices with Event Viewer.

Launch Event Viewer on the Windows device by running eventvwr. Then browse to the following path in Event Viewer to view the Intune MDM event logs:

Applications and Services Logs: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin

Once you have navigated to the above path in Event Viewer, you may filter the current log with ‘Event ID 813.’ This will give you quick access to the event logs that you’re looking for. In the screenshot below, the event ID 813 confirms that the Windows device has successfully received the Accounts_EnableAdministratorAccountStatus policy settings from Intune.

MDM PolicyManager: Set policy int, Policy: (Accounts_EnableAdministratorAccountStatus), Area: (LocalPoliciesSecurityOptions), EnrollmentID requesting merge: (A4A38B7F-5820-4F93-8981-DEB32C194D7B), Current User: (Device), Int: (0x1), Enrollment Type: (0x0), Scope: (0x0).
Verify the built-in administrator account status using Event Viewer

Windows Registry

Check the Windows Registry on the client device to see if the Intune policy enabled the built-in administrator account. Run the regedit.exe command to open the registry editor on a Windows device. In the registry editor, navigate to the below path.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\AdministratorGUID\default\Device\LocalPoliciesSecurityOptions

Here you’ll see the Accounts_EnableAdministratorAccountStatus registry value set to “1” (a value of “0” means the account is disabled). This confirms that the registry can also be used to check whether the Intune policy enabled the administrator account.

Verify the built-in administrator account status
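As an added example (not from the original post), the following PowerShell script runs all three checks above from one elevated session on the client device. The function names are my own, and the regular expression assumes the event message format quoted above.

```powershell
# Added example, not from the original post: run the three verification checks the
# post describes (local account, MDM event log, PolicyManager registry value) from
# one elevated PowerShell session on an Intune-managed Windows 10/11 device.

function Get-BuiltInAdminState {
    # Find the account by its well-known RID (500) rather than by name, because
    # another Intune policy may have renamed it.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [PSCustomObject]@{ Check = 'LocalUser'; Name = $admin.Name; Enabled = $admin.Enabled }
}

function Get-AdminPolicyEvents {
    # Event IDs 813 and 814 in the MDM diagnostics log record PolicyManager applying
    # the setting; keep only entries for this policy and extract the Int value
    # (0x1 = enabled, 0x0 = disabled) from the message text.
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 813, 814 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Accounts_EnableAdministratorAccountStatus' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Value'; Expression = {
                if ($_.Message -match 'Int: \((0x[0-9A-Fa-f]+)\)') { $Matches[1] } } }
}

function Get-AdminPolicyRegistryValue {
    # The provider folder is named after the enrollment GUID, which differs per device,
    # so enumerate every provider instead of hard-coding the GUID.
    $base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'
    foreach ($provider in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $key = Join-Path (Join-Path $base $provider.PSChildName) 'default\Device\LocalPoliciesSecurityOptions'
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -Name Accounts_EnableAdministratorAccountStatus -ErrorAction SilentlyContinue
        if ($item) {
            [PSCustomObject]@{
                Check    = 'Registry'
                Provider = $provider.PSChildName
                Value    = $item.Accounts_EnableAdministratorAccountStatus   # 1 = enabled, 0 = disabled
            }
        }
    }
}

Get-BuiltInAdminState        | Format-Table -AutoSize
Get-AdminPolicyEvents        | Format-Table -AutoSize
Get-AdminPolicyRegistryValue | Format-Table -AutoSize
```

If the registry value and the event log show 1 but the local account is still disabled, the device has received the policy but not yet applied it, which is the point at which the Intune logs on the device are worth reviewing.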

Policy CSP – Accounts_EnableAdministratorAccountStatus

An alternate way to enable or disable the administrator account via Intune on Windows devices is to use the OMA-URI settings. The Policy CSP – Accounts_EnableAdministratorAccountStatus includes the settings to enable or disable the built-in administrator account with Intune.

./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
Policy CSP – Accounts_EnableAdministratorAccountStatus

You can enable or disable the built-in administrator account using the following OMA-URI settings in Intune.

  • Name: Enable Administrator Account
  • Description: Specify a brief description
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
  • Data type: Integer
  • Value:
    • Specify 1 to enable the administrator account
    • Specify 0 to disable the administrator account
Enable or disable built-in administrator account using Intune OMA-URI Settings
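As an added example (not from the original post), the same OMA-URI setting created through the Microsoft Graph API with the Microsoft.Graph.Authentication PowerShell module instead of the admin center UI. The `windows10CustomConfiguration` and `omaSettingInteger` types and the permission scope are the Graph API's own; the profile names and description are assumptions.

```powershell
# Added example, not from the original post: create the custom OMA-URI profile
# described above via Microsoft Graph. Assumes the Microsoft.Graph.Authentication
# module is installed and the signed-in account can manage Intune configuration.
# Run with -EnableAccount:$false to deploy the value 0 (disable) instead of 1.
param([bool]$EnableAccount = $true)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# The Policy CSP node from the post; value 1 enables, 0 disables the account.
$omaUri = './Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus'
$action = if ($EnableAccount) { 'Enable' } else { 'Disable' }

$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = "$action Administrator Account"                       # assumed name
    description   = 'Sets Accounts_EnableAdministratorAccountStatus via Policy CSP'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Accounts_EnableAdministratorAccountStatus'
            description   = '1 = enabled, 0 = disabled'
            omaUri        = $omaUri
            value         = [int]$EnableAccount                              # $true -> 1, $false -> 0
        }
    )
}

# POST creates the profile; assigning it to a test group is a separate step.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body $body

$created | Select-Object id, displayName
```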

Troubleshooting

After deploying the policy to enable the built-in administrator account using Intune on some Windows devices, the policy may fail to apply. To resolve the issues, we recommend reviewing Intune logs on Windows computers.

Listed below are some common errors that you may encounter during the process of enabling the administrator account via Intune.

  • Error code 65000: When you apply the policy to enable the administrator account via Intune, the policy settings may fail to apply on some Windows devices. During our testing on one of our devices, we encountered the error code 65000 in the Intune admin center. This error code appears either because the current Windows device does not accept the policy settings or because the current Administrator password doesn’t meet the password requirements. You’ll need to first configure the password requirements policy via Intune and then enable the administrator account.
  • Error code 0x87D1FDE8: This is a known issue in Microsoft Intune. Microsoft says this error is a temporary error that appears in the Intune admin center and goes away after the device checks in again.
