Intune reporting with Log Analytics: list local admin accounts on your devices and who added them
In this post I will show you how to create a report of local admin accounts found on your devices using Intune, PowerShell and Log Analytics.
The solution
The solution can be summarized in a few steps:
- Creating a remediation script
- The script is executed on all devices
- It checks if local admin accounts are found
- If yes, it checks who added them and when
- It sends the info to Log Analytics
Sometimes the report won't show who added a local admin account. For each account, the script looks for a corresponding event ID 4732 (a member was added to a security-enabled local group).
This event is stored in the Security event log, which is often purged.
The Power BI way
You can see in my post there how to do the same with Power BI.
Get the files
Click on the GitHub picture below to get the required files:
- LocalAdmin_Workbook.json
- Detection_script.ps1
What does it look like?
The Log Analytics workbook displays the information below about devices where local admin accounts were found.
Devices with local admin status
It shows a pie chart with the count of devices with and without local admin accounts.
Devices with local admin overview
It shows a table with all devices that have local admin account(s).
It displays the device name, user name, count of local admin accounts found on the device, device model and serial number.
Devices with local admin details
It shows a table with all devices that have local admin account(s), with more details about the account(s).
It displays all the info about the local admin account(s) found: account name, creation date, who created the account...
Log Analytics information
In order to create this report we will need some information about the Log Analytics workspace.
The required info is:
- Workspace ID
- Primary key
- Name of the custom log to create or update
In this example, the custom log is named: LocalAdminReport.
To get this information, go to Log Analytics Workspace > Agents management.
You will find both the Workspace ID and the Primary key there.
Then we will proceed as below:
1. Open the file Detection_script.ps1
2. Fill in the variables below:
- $CustomerID: workspace ID
- $ShareKey: Primary key
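The two values above are what the HTTP Data Collector API needs: the Workspace ID names the workspace, and the Primary key signs each request. The added example below (mine, not the author's Detection_script.ps1) shows the signing and the POST end to end, keeping the post's variable names $CustomerID and $ShareKey and the custom log name LocalAdminReport (which Log Analytics exposes as the table LocalAdminReport_CL). The sample record is constructed; the placeholder values must be replaced with your own. Keep in mind that the Primary key ends up inside a script that every targeted device downloads, so it is readable by anyone with admin rights on those devices and can write arbitrary records into the workspace.

```powershell
# Added example, not the post's Detection_script.ps1: send a record to a
# Log Analytics custom log through the HTTP Data Collector API.
# Assumptions: variable names $CustomerID / $ShareKey as in the post, and the
# custom log name LocalAdminReport (seen as LocalAdminReport_CL in the workspace).

$CustomerID = "<workspace-id>"   # placeholder: Workspace ID from Agents management
$ShareKey   = "<primary-key>"    # placeholder: base64 Primary key from Agents management
$LogType    = "LocalAdminReport" # custom log name used in the post

function Get-LASignature {
    param(
        [string]$WorkspaceId,
        [string]$SharedKey,
        [string]$Date,           # RFC 1123 date, identical to the x-ms-date header
        [int]$ContentLength
    )
    # The string to sign is fixed by the Data Collector API:
    # METHOD \n content-length \n content-type \n x-ms-date:<date> \n resource
    $stringToHash = "POST`n$ContentLength`napplication/json`nx-ms-date:$Date`n/api/logs"
    $bytesToHash  = [Text.Encoding]::UTF8.GetBytes($stringToHash)
    $hmac         = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key     = [Convert]::FromBase64String($SharedKey)
    $encodedHash  = [Convert]::ToBase64String($hmac.ComputeHash($bytesToHash))
    return "SharedKey ${WorkspaceId}:${encodedHash}"
}

function Send-LAData {
    param(
        [string]$WorkspaceId,
        [string]$SharedKey,
        [string]$LogType,
        [string]$JsonBody
    )
    $body      = [Text.Encoding]::UTF8.GetBytes($JsonBody)
    $rfcDate   = [DateTime]::UtcNow.ToString("r")   # RFC 1123 format, e.g. "Tue, 02 May 2023 09:14:00 GMT"
    $signature = Get-LASignature -WorkspaceId $WorkspaceId -SharedKey $SharedKey `
                                 -Date $rfcDate -ContentLength $body.Length
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    $headers = @{
        "Authorization"        = $signature
        "Log-Type"             = $LogType   # becomes the <LogType>_CL table
        "x-ms-date"            = $rfcDate
        "time-generated-field" = ""         # empty: ingestion time is used as TimeGenerated
    }
    $response = Invoke-WebRequest -Uri $uri -Method Post -ContentType "application/json" `
                                  -Headers $headers -Body $body -UseBasicParsing
    return $response.StatusCode             # 200 means the record was accepted
}

# Constructed sample record; a detection script would build one per local admin account found.
$record = [pscustomobject]@{
    DeviceName   = $env:COMPUTERNAME
    AccountName  = "CONTOSO\jdoe"
    AddedBy      = "CONTOSO\helpdesk01"
    AddedOn      = "2023-05-02T09:14:00Z"
    SerialNumber = "SN-EXAMPLE-001"
}
# -InputObject with an array keeps the JSON as an array even for a single record
$json = ConvertTo-Json -InputObject @($record) -Depth 3
Send-LAData -WorkspaceId $CustomerID -SharedKey $ShareKey -LogType $LogType -JsonBody $json
```

Each property of the record becomes a column with a type suffix in the custom table (string fields end in _s, numbers in _d, dates in _t), which is why workbook queries reference names such as PasswordLastSet_t: a query fails to resolve such a column until at least one record carrying that field has been ingested.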
Authorized account
The detection script will check if there are local admin accounts on your devices.
You may have configured some local admin groups or accounts on your devices on purpose.
For instance, we can imagine the needs below:
- A local admin group allowing your help desk to do tasks with privileges
- The local admin account Administrator
- Azure AD roles for
You can configure the script to bypass those accounts so they are not displayed in the report.
This allows you to list only the unwanted local admin accounts.
To add authorized account(s), proceed as below:
1. Search for the variable $Authorized_Accounts
2. Add the accounts, groups or SIDs there
3. Separate each one with a ";"
4. See the example below:
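To make the detection logic from the solution overview and the authorized-accounts filtering concrete, here is an added example of my own (not the author's Detection_script.ps1). It enumerates the local Administrators group by its well-known SID, drops every member listed in the ";"-separated $Authorized_Accounts variable (matching on full name, short name or SID), and for each remaining account searches the Security log for the 4732 event that added it. The allow-list values and the domain names are constructed; the helper names Get-UnauthorizedLocalAdmins and Get-LocalAdminAddedEvent are my own.

```powershell
# Added example, not the post's Detection_script.ps1: list local admins, drop
# the ones in $Authorized_Accounts, and look up who added each remaining one
# from Security event 4732 when the log still holds it.
# Assumptions: ";"-separated $Authorized_Accounts as in the post; entries may be
# names (with or without domain) or SIDs. The values below are constructed.

$Authorized_Accounts = "Administrator;CONTOSO\Helpdesk-LocalAdmins;S-1-12-1-111111111-2222222222-3333333333-4444444444"

function Get-UnauthorizedLocalAdmins {
    param([string]$Authorized)
    # Split the post's ";" list and trim each entry for comparison
    $allowList = $Authorized -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    # Well-known SID of the local Administrators group: its display name differs per OS language
    $adminsGroup = Get-LocalGroup -SID "S-1-5-32-544"
    # Note: on some builds Get-LocalGroupMember throws when the group holds orphaned SIDs
    $members = Get-LocalGroupMember -Group $adminsGroup

    foreach ($m in $members) {
        $shortName = ($m.Name -split '\\')[-1]
        $isAuthorized = $allowList | Where-Object {
            $_ -ieq $m.Name -or $_ -ieq $shortName -or $_ -eq $m.SID.Value
        }
        if ($isAuthorized) { continue }
        [pscustomobject]@{
            Name            = $m.Name
            SID             = $m.SID.Value
            PrincipalSource = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            ObjectClass     = $m.ObjectClass       # User or Group
        }
    }
}

function Get-LocalAdminAddedEvent {
    param([string]$MemberSid)
    # Event 4732: member added to a security-enabled local group. In its event
    # data MemberSid is the added member and TargetSid the group it was added to.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['MemberSid'] -eq $MemberSid -and $data['TargetSid'] -eq 'S-1-5-32-544') {
            return [pscustomobject]@{
                AddedOn = $e.TimeCreated
                AddedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
    # Nothing found: the Security log was purged or rotated past the add
    return $null
}

$report = foreach ($acct in Get-UnauthorizedLocalAdmins -Authorized $Authorized_Accounts) {
    $added = Get-LocalAdminAddedEvent -MemberSid $acct.SID
    [pscustomobject]@{
        DeviceName = $env:COMPUTERNAME
        Account    = $acct.Name
        SID        = $acct.SID
        Source     = $acct.PrincipalSource
        AddedBy    = if ($added) { $added.AddedBy } else { 'unknown (no 4732 event)' }
        AddedOn    = if ($added) { $added.AddedOn } else { $null }
    }
}
$report | Format-Table -AutoSize
```

Matching Azure AD principals by SID rather than by name is what makes the allow list reliable for them: on an Azure AD joined device the member name can show up as AzureAD\DisplayName or only as the S-1-12-1-... SID, so an allow-list entry written as a display name may never match, which is the situation one of the comments below describes. The script needs to run elevated to read the Security log, which the Intune remediation context provides.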
Creating remediation script
1. Go to the Microsoft Endpoint Manager admin center
2. Go to Devices
3. Go to Remediations
4. Click on Create script package
5. Type a name
6. Click on Next
7. Click on Detection script file
8. Browse to the script Detection_script.ps1
9. Select to run the script in 64-bit PowerShell
10. Click on Next
11. Select the group
12. In the Schedule part, choose when the package should be run.
13. Click on Apply
14. Click on Next
15. Click on Create
Log Analytics workbook
In this part we will create the report.
1. Go to the Azure portal
2. Go to Log Analytics workspace
3. Go to Workbooks
4. Click on New
5. Go to Advanced editor
6. Search for the line "fallbackResourceIds": [
7. Above this part, add the content of LocalAdmin_Workbook.json
8. If you have changed the name of the local admin report, replace it in the JSON with yours
Comments
Thanks. Is it correct that even if I authorize the AAD SIDs I still see them in the report?
On the Workbook:
"Local Admin details" error: "'project' operator: Failed to resolve scalar expression named 'PasswordLastSet_t'..."
"Account Creation details": what is the meaning of the error "'project' operator: Failed to resolve scalar expression named 'PasswordLastSet_t'..."?