Add a user to a local group on your device via Intune

I saw we have added the option to create a custom policy in MEM Admin Center to add users to restricted groups. The requirement for it to work is Windows 10 2004. But I’ve read a few comments indicating that it’s not doing exactly what it’s supposed to. If that’s the case, it will be fixed shortly. You can read about it in this great blog by Peter Klapwijk. If you’re not on v.2004 yet and still want to be able to do the same, you may use my script.

You can either download the script from my GitHub repository or install my PowerShell module LARSINUS and use the function “Add-LocalGroupMember”.

The script has a .SYNOPSIS section so just type “Get-Help Add-LocalGroupMember -Full” to get all the details on how to use it.

The twist for getting it to work with MEM Admin Center is to add a line at the very end of the script, since the “add a new script” wizard doesn’t allow us to use parameters. The line should just call the function “Add-LocalGroupMember” with the required parameter “-LocalGroup”, which currently can only be ‘Administrators’ or ‘Remote Desktop Users’. Feel free to add additional groups as you please. If you want to add the user to ‘Remote Desktop Users’, change the last line in the script to reflect that (“RemoteDesktopUsers”).

There’s also an optional parameter named “-UserName”. If you skip it, the currently logged-on user will be added to the group you selected. To use it, just add the user after the parameter in the format of either DOMAIN\UserName [e.g. LARSINUS\Jamie] or AzureAD\UPN [e.g. AzureAD\Jamie@larsinus.com].

Add script to MEM Admin Center

Run it as SYSTEM, since adding a user to the ‘Administrators’ group requires elevated privileges. The script will still find the logged-on user and add it.
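As an added example (not the author’s script or the LARSINUS module), a minimal function built on the same pattern: a restricted “-LocalGroup” set, an optional “-UserName” that defaults to the interactively logged-on user even when run as SYSTEM, and a final line that supplies the arguments because the Intune script wizard passes none. The function name Add-UserToLocalGroup is hypothetical, chosen so it does not shadow the built-in Add-LocalGroupMember cmdlet.

```powershell
function Add-UserToLocalGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Administrators', 'RemoteDesktopUsers')]
        [string]$LocalGroup,

        [string]$UserName
    )

    # Map the parameter values to the actual local group names.
    $groupName = @{
        Administrators     = 'Administrators'
        RemoteDesktopUsers = 'Remote Desktop Users'
    }[$LocalGroup]

    if (-not $UserName) {
        # Win32_ComputerSystem.UserName reports the console user even from the
        # SYSTEM context; on Azure AD joined devices it is 'AzureAD\<UPN>'.
        $UserName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
        if (-not $UserName) { throw 'No interactively logged-on user found.' }
    }

    # Accept only DOMAIN\UserName or AzureAD\UPN; refuse anything else.
    if ($UserName -notmatch '^[^\\\s]+\\[^\\\s]+$') {
        throw "UserName '$UserName' is not in DOMAIN\UserName or AzureAD\UPN format."
    }

    # Idempotency: net localgroup lists current members one per line
    # (string comparison is case-insensitive in PowerShell).
    $members = net localgroup "$groupName" 2>$null
    if ($members -contains $UserName) {
        Write-Verbose "$UserName is already a member of '$groupName'."
        return
    }

    # net.exe is used here because the built-in Add-LocalGroupMember cmdlet is
    # frequently reported to fail to resolve AzureAD\UPN principals.
    net localgroup "$groupName" "$UserName" /add | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Failed to add $UserName to '$groupName' (exit code $LASTEXITCODE)."
    }
    Write-Verbose "Added $UserName to '$groupName'."
}

# The MEM "add a new script" wizard passes no parameters, so the last line supplies them.
# Change 'Administrators' to 'RemoteDesktopUsers' to target the other group.
Add-UserToLocalGroup -LocalGroup 'Administrators'
```

Deploy it as a Windows PowerShell script running in the SYSTEM context; the Intune script output will show the thrown error text if the group change fails.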

I’ve done a few tests adding a user during Autopilot which works fine there as well.

Result

Links