As you know, Windows devices come with built-in local groups:
- Administrators
- Users
- Guests
- Power Users
- Remote Desktop Users
- Remote Management Users
Until now, it was almost impossible to manage local groups memberships with Intune.
Well, good news, you can now do it.
To start managing local groups memberships, connect to your Intune/Endpoint Configuration Manager portal (https://endpoint.microsoft.com/) and access the Endpoint Security\Account protection blade to create a new Account Protection configuration profile.
There you can select one or more local group to manage and define the action between Add (update), Add (Replace) or Remove (Update)
If a local group is manage by different profile with different actions – conflict between Update and Replace – the Replace action wins.
The option User selection type allows you to either browse your Azure AD to select users/groups (Users) or manually type either the username, domain/username or SID of the users/groups (Manual) to be added/removed to/from the local group .
NOTE don’t forget you are already able to manage local administrator privileges using the Azure AD joined device local administrator, so you should stick with this option to manage local administrator group membership.