Policies

All policies are created with the App Roles blade in App registrations within Entra ID/Azure AD.

Policies for assigning group membership.

| Parameter | Description | Value | Required | Example |
|---|---|---|---|---|
| Name | Name of the policy associated with the group membership. | OWNER-LocalAdmin | Yes | Name=OWNER-LocalAdmin |
| MachineScope, RegScope | Policy scope; one of the two scopes has to exist. This is the scope of machines to which the policy can be applied for the user. | OWNER, WIN11.* | Yes | MachineScope=OWNER, RegScope=LEEDEVPC |
| ST | Session Time (ST). Only applies to group membership. The default value if not specified is 240 minutes; -1 sets no expiry. Value in minutes. | 60 | No | ST=120 |
| LocalGroup | Group name: the name of the local group to add the user to as a member. | Administrators | Yes | LocalGroup=Administrators, LocalGroup=docker-users |

Example of full local group role.

MachineScope=OWNER;ST=2;;LocalGroup=Administrators;Name=OWNER-LocalAdmin


Policies for assigning actions.

| Parameter | Description | Value | Required | Example |
|---|---|---|---|---|
| Name | Name of the policy associated with the action. | See below Actions configuration | Yes | Name=Action-EditHostfile |
| MachineScope, RegScope | Policy scope; one of the two scopes has to exist. This is the scope of machines to which the policy can be applied for the user. | OWNER, WIN11.* | Yes | MachineScope=OWNER, RegScope=LEEDEVPC |
| Action | Name of the action to perform as system on behalf of the user; see adding location actions below. | EditHostFile | Yes | Action=EditHostFile |

Example of running Visual Studio Install as action.

MachineScope=OWNER;Action=VS_Installer;Name=Action-VS_Installer
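
A lint for these role values that can be run before they are saved in App Roles, added here as an example and not part of the product or of this page's own code. It checks the required parameters from the two tables and flags settings such as ST=-1. The function name Test-PolicyRoleValue, the finding texts, and the treatment of scope values other than OWNER as regular expressions are assumptions.

```powershell
# Added example, not the product's code. Parsing rules are assumptions from the tables above.
function Test-PolicyRoleValue {
    param([Parameter(Mandatory)][string]$Value)
    $findings = [System.Collections.Generic.List[string]]::new()
    $pairs = @{}   # hashtable keys compare case-insensitively
    foreach ($segment in ($Value -split ';')) {
        if ([string]::IsNullOrWhiteSpace($segment)) { $findings.Add('WARN: empty segment (doubled semicolon)'); continue }
        $key, $val = $segment -split '=', 2
        if ([string]::IsNullOrWhiteSpace($val)) { $findings.Add("ERROR: '$segment' is not a Key=Value pair"); continue }
        $key = $key.Trim()
        if ($pairs.ContainsKey($key)) { $findings.Add("ERROR: duplicate key '$key'") }
        $pairs[$key] = $val.Trim()
    }
    if (-not $pairs.ContainsKey('Name')) { $findings.Add('ERROR: Name is required') }
    if (-not ($pairs.ContainsKey('MachineScope') -or $pairs.ContainsKey('RegScope'))) {
        $findings.Add('ERROR: MachineScope or RegScope is required')
    }
    if (-not ($pairs.ContainsKey('LocalGroup') -or $pairs.ContainsKey('Action'))) {
        $findings.Add('ERROR: LocalGroup or Action is required')
    }
    if ($pairs.ContainsKey('ST')) {
        $minutes = 0
        if (-not [int]::TryParse($pairs['ST'], [ref]$minutes)) {
            $findings.Add("ERROR: ST '$($pairs['ST'])' is not a whole number of minutes")
        } elseif ($minutes -eq -1) {
            $findings.Add('WARN: ST=-1 sets no expiry on the group membership')
        }
        if (-not $pairs.ContainsKey('LocalGroup')) {
            $findings.Add('INFO: ST only applies to group membership policies')
        }
    }
    foreach ($scope in 'MachineScope', 'RegScope') {
        # Assumption: values other than OWNER are regular expressions (WIN11.* suggests so)
        if (-not $pairs.ContainsKey($scope) -or $pairs[$scope] -eq 'OWNER') { continue }
        try {
            if ([regex]::IsMatch('UNRELATED-HOST-0000', $pairs[$scope])) {
                $findings.Add("WARN: $scope '$($pairs[$scope])' matches any machine name")
            }
        } catch { $findings.Add("ERROR: $scope is not a valid pattern") }
    }
    [pscustomobject]@{ Value = $Value; Findings = $findings }
}
# The first two strings are the page's examples; the third is constructed.
'MachineScope=OWNER;ST=2;;LocalGroup=Administrators;Name=OWNER-LocalAdmin',
'MachineScope=OWNER;Action=VS_Installer;Name=Action-VS_Installer',
'RegScope=.*;ST=-1;LocalGroup=Administrators;Name=All-LocalAdmin' |
    ForEach-Object { Test-PolicyRoleValue $_ } | Format-List
```

The constructed third string produces two warnings: a scope that matches every machine and a local Administrators membership with no expiry.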


Import PowerShell Module

Import-Module "C:\Program Files\ExchGroup\LocalAdmin\EG_LocalAdmin_PowerShell.dll"

Visual Studio

New-EGLocalAdminAction -Name VS_Installer -Command '"C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe"'

Hyper-v Manager

New-EGLocalAdminAction -Name HyperVManager -Command 'C:\Windows\System32\mmc.exe' -Arguments 'C:\Windows\System32\virtmgmt.msc'

Edit Hosts File

New-EGLocalAdminAction -Name EditHostFile -Command 'C:\Windows\System32\notepad.exe' -Arguments 'C:\Windows\System32\drivers\etc\hosts'

Any of the local policy assignment work can be done through an Intune script or a scripted deployment. All samples assume the files are installed in the default location.