📱 Recipe · Intune & Device Management
Create an Intune Remediation Script to Detect Unauthorized Local Administrators
Deploy a PowerShell detection script via Intune Scripts and Remediations to surface abnormal local admin accounts across your Windows endpoint fleet
Complexity: Intermediate
Impact: security + compliance + endpoint-management + least-privilege + audit
Context
Why This Matters
Over time, Windows endpoints accumulate local administrator accounts — added by field technicians for break-fix work, by legacy imaging processes, or by users who briefly needed elevation. These accounts are rarely cleaned up, creating a persistent privilege-escalation and lateral-movement risk.
With Windows LAPS and Endpoint Privilege Management (EPM) now handling just-in-time elevation, there is no legitimate reason for unmanaged local admins to persist on corporate devices. This recipe creates an Intune Remediation (Proactive Remediation) that scans the local Administrators group on every targeted device, compares membership against an allowlist, and reports any abnormal accounts directly in the Intune console for review.
Run this when you are migrating from legacy UEM tooling, performing a security baseline audit, or preparing to enforce a least-privilege standard across your estate.
Expected Outcomes
After completing this recipe you will have:
- A tested PowerShell detection script that enumerates local Administrators group members on Windows endpoints
- An Intune Remediation package deployed to a pilot (and then broader) device group
- Per-device reporting in the Intune console showing which endpoints have unauthorized local admins and the account names found
- An exportable CSV of non-compliant devices for follow-up cleanup or automated remediation
- A repeatable detection pattern you can extend for other local-security audits
Risks & Considerations
Warnings and considerations
- Allowlist accuracy is critical. If you omit a legitimate service or LAPS account from the allowlist, every device will flag as non-compliant and generate noise. Inventory your approved accounts before deployment.
- Run as SYSTEM, not user. The script enumerates a privileged local group. Setting "Run this script using the logged-on credentials" to Yes will cause failures on standard-user devices.
- Domain-joined devices: the script filters to `PrincipalSource -eq 'Local'`, so domain and Azure AD accounts in the Administrators group are not flagged. Adjust this filter if your policy prohibits those as well.
- Do not combine detection + automatic removal on first run. Deploy in detect-only mode, review results, confirm the allowlist is complete, then enable remediation in a second phase.
- Compliance/audit logging: removing local admin accounts may be a change-controlled action. Coordinate with your security and change-management teams before moving beyond reporting mode.
- Intune Remediations license requirement: requires Intune Plan 1 plus one of Windows 10/11 Enterprise E3/E5, Windows 365, or the standalone Remediations add-on.
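The detection script described in the Context section and the considerations above, written out as an added example (this is not the recipe's own script). It assumes it runs as SYSTEM in the 64-bit PowerShell host, that the allowlist entries are placeholders you replace with your approved accounts, and that the Intune convention of exit 0 = compliant, exit 1 = non-compliant applies, with the last `Write-Output` line surfacing in the console's detection-output column.

```powershell
<#
  Intune Remediation - detection script (added example, not the recipe's own code).
  Assumptions: runs as SYSTEM in the 64-bit PowerShell host; the allowlist names
  below are placeholders to replace with your approved local accounts.
  Exit 0 = compliant, exit 1 = non-compliant; the final Write-Output line is the
  per-device output shown in the Intune console.
#>

# Placeholder allowlist: local account names permitted to hold admin rights.
$Allowlist = @(
    'LAPSAdmin'          # placeholder: your Windows LAPS-managed local admin account
)

try {
    # Query the group by its well-known SID so localized builds (e.g. 'Administrateurs') work.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
}
catch {
    # An orphaned SID in the group can make Get-LocalGroupMember throw; report it as
    # non-compliant so the device is reviewed rather than silently marked clean.
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}

$unauthorized = foreach ($m in $members) {
    # Only local principals are in scope; domain and Azure AD members are ignored,
    # matching the PrincipalSource -eq 'Local' filter the recipe describes.
    if ($m.PrincipalSource -ne 'Local') { continue }

    # The built-in Administrator is always RID 500, whatever it has been renamed to,
    # so allow it by SID rather than by name.
    if ($m.SID.Value -like 'S-1-5-21-*-500') { continue }

    # Names come back as COMPUTERNAME\account; compare the bare account name
    # (-notin is case-insensitive in PowerShell).
    $name = $m.Name.Split('\')[-1]
    if ($name -notin $Allowlist) { $name }
}

if ($unauthorized) {
    Write-Output "Unauthorized local admins: $($unauthorized -join ', ')"
    exit 1
}

Write-Output 'Compliant: no unauthorized local admins'
exit 0
```

Two points worth checking before a pilot: the strict `'Local'` filter also skips members whose `PrincipalSource` is `MicrosoftAccount`, so decide whether MSA-linked local accounts belong in scope for your policy, and the output line is what you will export to CSV from the console, so keep it to a single line per device. Pair this with a remediation script only after the detect-only phase confirms the allowlist is complete, as the considerations above advise.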
Required Permissions
| Permission | Why It's Needed |
|---|---|
| Intune Administrator or Endpoint Security Manager role | Required to create and assign Scripts and Remediations in the Intune admin center |
| DeviceManagementConfiguration.ReadWrite.All | Required when creating or updating deviceHealthScripts via Microsoft Graph API |
| DeviceManagementManagedDevices.Read.All | Required to review remediation script run states and per-device output via Graph |
| Local SYSTEM execution context on target devices | The detection script must run as SYSTEM to enumerate the local Administrators group reliably |