Building a Break-Glass Local Admin Solution for Windows 11 using Intune and Defender for Endpoint

by
post views: 3,393

Introduction

I’ve been in situations where I needed local admin access to a device, and I needed it *now*. Users couldn’t log in, LAPS wouldn’t retrieve passwords, or domain connectivity and trust had failed. You’re staring at a locked device with no way in, and waiting isn’t an option.

Modern endpoint management is fantastic until it isn’t. We’ve eliminated persistent local admin accounts, embraced cloud authentication, and deployed LAPS – all best practices. But what happens when all of those fail simultaneously?

This post documents the break-glass solution I built for those “need it now” scenarios: a remotely deployable emergency local administrator account using Intune Remediations, with monitoring through Microsoft Defender for Endpoint.

💡 By default, remediations run on a schedule. However, you can run remediations on-demand in Intune, which triggers the scripts to execute instantly (almost) on targeted devices via Windows Notification Service (WNS). This is critical for true emergencies when you can’t wait.

The Problem

The “need it now” scenarios happen more often than we’d like to admit:

  • LAPS fails – Service disruptions, permission issues, password rotation problems, or the LAPS password simply won’t retrieve
  • Domain connectivity breaks – Whether on-premises or cloud, when trust relationships fail or authentication services go down
  • User accounts are locked – Profile corruption, account lockouts, or authentication loops that lock out everyone
  • Urgent local troubleshooting – Immediate need for local admin access to diagnose hardware, driver, or system-level/security issues

When these happen, the device is online and Intune-managed, but you can’t get in. Even with physical access, you need working credentials.

The Solution: A Monitored Break-Glass Account

The solution consists of four key components:

  1. Detection Script – Validates the emergency account exists, is enabled, and has proper permissions
  2. Remediation Script – Creates or fixes the emergency account
  3. Removal Script – Cleans up the account after the emergency
  4. Defender Monitoring – Alerts when the break-glass account is created and used

Implementation

The solution consists of four PowerShell scripts that work together to provide complete lifecycle management:

1. Detection Script (Detect-EmergencyAdmin.ps1)

The detection script validates three critical conditions:

  • Account exists
  • Account is enabled
  • Account is member of local Administrators group (verified by SID)

2. Remediation Script (Remediate-EmergencyAdmin.ps1)

The remediation script creates or repairs the emergency account:

  • Creates the local user account if it doesn’t exist
  • Sets AccountNeverExpires and PasswordNeverExpires flags
  • Ensures the account is enabled
  • Adds the account to the local Administrators group using SID-based membership
  • Provides status output for Intune logs

3. Removal Scripts

After the emergency is resolved, cleanup is essential:

Detection Script for Removal (Detect-EmergencyAdmin-ForRemoval.ps1)

  • Returns exit code 0 if account does NOT exist (desired state)
  • Returns exit code 1 if account exists (needs removal)
  • Reverse logic from creation detection

Remediation Script for Removal (Remove-EmergencyAdmin.ps1)

  • Removes the break-glass account completely

Deployment in Intune

Creating the Remediation Package

  1. Navigate to Devices > Scripts and remediations > Remediations
  2. Click + Create script package
  3. Configure the package:
    • Name: Emergency-Local-Admin-CREATE
    • Description: Creates emergency local administrator account for break-glass scenarios
    • Detection script: Upload Detect-EmergencyAdmin.ps1
    • Remediation script: Upload Remediate-EmergencyAdmin.ps1
    • Run this script using the logged-on credentials: No (must run as SYSTEM)
    • Enforce script signature check: No
    • Run script in 64-bit PowerShell: Yes

Best Practices for Deployment

Don’t run continuously! This solution should be deployed strategically and on demand. Keep the remediation scripts ready but unassigned. Deploy to affected devices/groups only during an incident.

Removal Deployment

Create a second remediation package for cleanup:

  • Name: Emergency-Local-Admin-REMOVE
  • Detection script: Upload Detect-EmergencyAdmin-ForRemoval.ps1
  • Remediation script: Upload Remove-EmergencyAdmin.ps1
  • Deploy after emergency is resolved

Monitoring with Defender for Endpoint

Creating the account is only half the solution – you need to know when it’s created and when someone uses it.

Custom Detection Rule – Account Creation

Create a custom detection rule in Microsoft Defender for Endpoint:

  1. Navigate to Investigation & response > Advanced Hunting
  2. Create a query to detect account creation:
DeviceEvents
| where ActionType == "UserAccountCreated" and AccountName =~ "Batman"

Custom Detection Rule – Account Usage

Monitor when the break-glass account is actually used:

DeviceLogonEvents
| where ActionType == "LogonSuccess" and AccountName =~ "Batman"

Security Considerations

Password Management

The password is embedded in the script – This is the main security trade-off:

  • Risks:
    • Password is visible in Intune portal and logs
    • No password rotation mechanism
  • Mitigations:
    • Use a complex, unique password
    • Limit who can view Intune scripts (RBAC)
    • Document this is for emergencies only
    • Rotate the password periodically and update the script
    • Remove the account promptly after use
    • Monitor usage via Defender for Endpoint

However, remember this is a break-glass solution – complexity can work against you during an actual emergency. The key is to use it sparingly and responsibly. This is not a replacement for proper access management, LAPS, or privileged access solutions—it’s a last resort for true emergencies.

GitHub Repository

All scripts referenced in this post, along with deployment instructions and examples, are available in my GitHub repository:

🔗 imabdk/Break-Glass-Local-Admin-Solution-for-Windows-11

The repository includes:

  • Detect-EmergencyAdmin.ps1 – Creation detection script
  • Remediate-EmergencyAdmin.ps1 – Account creation/repair script
  • Detect-EmergencyAdmin-ForRemoval.ps1 – Removal detection script
  • Remove-EmergencyAdmin.ps1 – Account removal script
  • Defender for Endpoint KQL queries

ENJOY 🙂

5 thoughts on “Building a Break-Glass Local Admin Solution for Windows 11 using Intune and Defender for Endpoint”

  1. Thanks for the article – it got me thinking about monitoring account creation events on PCs in general. I’ve never come across a situation where all local admin options weren’t available, but I’ll keep it in mind! I’d probably just store the account creation script on OneDrive or SharePoint, add a password if needed, and then set up the task. That said, I do understand that sometimes time is of the essence!

    Reply

    • Thank you. Truth be told. I’ve also tried to lock myself out of the device because troubleshooting the local policy ‘allow logon locally’ and someone interrupted me while doing so. Pressed WIN + L in a situation where I just removed myself from the policy and I couldn’t get back without an option to push a new local admin from Intune or ConfigMgr 🙂

      Reply

  2. I’ve just put all this in place to realise we don’t have the ability to do ‘On demand’ running of remediation scripts. Is this in a newer update to Intune that might be coming at a later date?

    Reply

    • Are you sure? It’s a preview feature though, but when looking up a given device it’s located as a device action, similar to where you would initiate a wipe. Perhaps some RBAC is preventing you access to device actions? 🙂

      Reply
  3. Pingback: [m365weekly] #208 – M365 Weekly Newsletter

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.