All policies are created with the App Roles blade in App registrations withing Entra ID/Azure AD.
Policies for assigning group membership.
| Parameter | Description | Value | Required | Example |
|---|---|---|---|---|
| Name | Name of the policy associated with the group membership. | OWNER-LocalAdmin | Yes | Name=OWNER-LocalAdmin |
| MachineScope RegScope |
Policy Scope, one of the scopes has to exist. This is the scope of machines against the user that can be applied. | OWNER WIN11.* |
Yes | MachineScope=OWNER RegScope=LEEDEVPC |
| ST | Session Time (ST), only applys to group membership default value if not specified is 240 minutes, -1 sets no expire. Value in minutes. | 60 | No | ST=120 |
| LocalGroup | Group Name, name of the local group to add user as a member. | Administrators | Yes | LocalGroup=Administrators LocalGroup=docker-users |
Example of full local group role.
MachineScope=OWNER;ST=2;;LocalGroup=Administrators;Name=OWNER-LocalAdmin
Policies for assigning actions.
| Parameter | Description | Value | Required | Example |
|---|---|---|---|---|
| Name | Name of the policy associated with the action | See below Actions configuration | Yes | Name=Action-EditHostfile |
| MachineScope RegScope |
Policy Scope, one of the scopes has to exist. This is the scope of machines against the user that can be applied. | OWNER WIN11.* |
Yes | MachineScope=OWNER RegScope=LEEDEVPC |
| Action | Name of the Action to perform as system on behalf of the user, see adding location actions below. | EditHostFile | Yes | Action=EditHostFil |
Example of running Visual Studio Install as action.
MachineScope=OWNER;Action=VS_Installer;Name=Action-VS_Installer
Import PowerShell Module
Import-Module "C:\Program Files\ExchGroup\LocalAdmin\EG_LocalAdmin_PowerShell.dll"
Visual Studio
New-EGLocalAdminAction -Name VS_Installer -Command '"C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe"'
Hyper-v Manager
New-EGLocalAdminAction -Name HyperVManager -Command 'C:\Windows\System32\mmc.exe' -Arguments 'C:\Windows\System32\virtmgmt.msc'
Edit Hosts File
New-EGLocalAdminAction -Name EditHostFile -Command 'C:\Windows\System32\notepad.exe' -Arguments 'C:\Windows\System32\drivers\etc\hosts'
Any of the local policy assignment work can be done by Intune Script/Scripted deployment, all samples are assuming files are based in default location.