
Admin Roles, Windows Hello, Windows LAPS, and Local Groups

Key Takeaways

  • Intune RBAC combines permissions, admin member groups, scope groups, and scope tags; roles define what admins can do, while scope tags affect which Intune objects they can see.
  • Windows Hello for Business can be configured tenant-wide during Windows enrollment or after enrollment with endpoint security Account protection, security baselines, or the settings catalog.
  • Windows Hello for Business replaces passwords with strong device-bound authentication using a PIN or biometric gesture tied to the device.
  • Windows LAPS managed through Intune can back up a local administrator password to Microsoft Entra ID for Microsoft Entra joined or hybrid joined devices, or to Windows Server Active Directory for domain-supported scenarios, but not both at the same time.
  • The Local user group membership profile can add, remove, or replace built-in local group members on Windows devices; Replace wins over Update and should be used carefully for Administrators.
Last updated: May 2026

Least privilege is part of endpoint infrastructure

The current MD-102 objectives include managing Intune roles, configuring Windows Hello for Business, implementing Windows Local Administrator Password Solution (Windows LAPS), and managing local group membership with Intune. These are all infrastructure topics because they define who can administer the endpoint platform and how users or admins authenticate to Windows.

Intune RBAC and scope tags

Microsoft's Intune RBAC and scope tags guidance is clear: roles determine what access admins have, and scope tags determine which objects admins can see. A complete role assignment includes the administrators who receive permissions, the users/devices they can manage, and the scope tags that control object visibility.

RBAC piece, meaning, and example:

  • Role: the permissions granted. Examples: Policy and Profile Manager, Help Desk Operator, or a custom least-privilege role.
  • Admin groups or members: who receives the role. Example: the Seattle IT admins security group.
  • Scope groups: which users or devices they can manage. Example: Seattle users or Seattle devices.
  • Scope tags: which Intune objects they can see. Example: policies, profiles, and devices tagged Seattle.

Two exam traps matter. First, Intune RBAC does not constrain Microsoft Entra roles: Global Administrator and Intune Administrator hold full Intune permissions regardless of any Intune role assignment, so least privilege starts with limiting who holds those directory roles. Second, scope tags are visibility controls for supported Intune objects, not assignment filters; an object with no custom tag carries the Default scope tag, and every assignment that includes Default can see it. If a regional admin must manage only regional policies and devices, use a role assignment with the proper role, scope groups, and matching scope tags, and apply that regional tag to the objects themselves.
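The four pieces above map directly onto a Graph role assignment. The PowerShell below is an added example, not code from this page or from Microsoft's documentation: it creates one scoped assignment with the Microsoft Graph PowerShell SDK (Invoke-MgGraphRequest from Microsoft.Graph.Authentication) and refuses the two shortcuts that defeat least privilege, the Default scope tag and a tenant-wide scope. The property names follow the beta deviceAndAppManagementRoleAssignment resource as I recall it and should be checked against the Graph reference; the group IDs, tag ID and names in the usage line are placeholders.

```powershell
# Added example (not from the page or Microsoft docs). Requires Microsoft.Graph.Authentication and
#   Connect-MgGraph -Scopes "DeviceManagementRBAC.ReadWrite.All"
# Assumption: beta deviceAndAppManagementRoleAssignment properties members / resourceScopes /
# roleScopeTagIds / scopeType, as in the Graph reference; verify against the current reference.

function New-IntuneScopedRoleAssignment {
    param(
        [Parameter(Mandatory)][string]   $RoleDisplayName,   # built-in or custom role, e.g. "Policy and Profile Manager"
        [Parameter(Mandatory)][string]   $AssignmentName,
        [Parameter(Mandatory)][string[]] $AdminGroupIds,     # Entra security groups that RECEIVE the role
        [Parameter(Mandatory)][string[]] $ScopeGroupIds,     # users/devices they may act on (scope groups)
        [Parameter(Mandatory)][string[]] $ScopeTagIds        # Intune objects they may SEE (scope tag IDs)
    )
    $base = 'https://graph.microsoft.com/beta/deviceManagement'

    # Least-privilege guard rails before anything is created.
    if ($ScopeTagIds -contains '0') {
        throw 'Scope tag 0 is Default: every untagged object would be visible. Use a region-specific tag.'
    }
    if ($RoleDisplayName -eq 'Intune Role Administrator') {
        Write-Warning 'Intune Role Administrator can hand out roles; prefer a custom role with only the needed permissions.'
    }

    # Resolve the role definition client-side rather than relying on $filter support for this endpoint.
    $roles = (Invoke-MgGraphRequest -Method GET -Uri "$base/roleDefinitions").value
    $role  = $roles | Where-Object { $_.displayName -eq $RoleDisplayName } | Select-Object -First 1
    if (-not $role) { throw "Role definition '$RoleDisplayName' not found." }

    $body = @{
        '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
        displayName                 = $AssignmentName
        description                 = 'Scoped assignment created by New-IntuneScopedRoleAssignment'
        'roleDefinition@odata.bind' = "$base/roleDefinitions('$($role.id)')"
        members                     = $AdminGroupIds      # admin groups
        scopeType                   = 'resourceScope'     # never allDevices / allLicensedUsers here
        resourceScopes              = $ScopeGroupIds      # scope groups
        roleScopeTagIds             = $ScopeTagIds        # scope tags
    } | ConvertTo-Json -Depth 5

    Invoke-MgGraphRequest -Method POST -Uri "$base/roleAssignments" -Body $body -ContentType 'application/json'
}

# Usage (placeholder IDs): the Seattle help desk manages only Seattle devices and sees only Seattle-tagged objects.
# New-IntuneScopedRoleAssignment -RoleDisplayName 'Help Desk Operator' -AssignmentName 'Help Desk - Seattle' `
#     -AdminGroupIds '11111111-1111-1111-1111-111111111111' -ScopeGroupIds '22222222-2222-2222-2222-222222222222' -ScopeTagIds '5'
```

Passing the hashtable through ConvertTo-Json keeps single-element arrays as JSON arrays, which matters because each of the three collections is often exactly one group or tag.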

Windows Hello for Business

Windows Hello for Business with Intune can be configured in two common ways. The tenant-wide Windows enrollment policy applies when Windows devices enroll, including Autopilot out-of-box experience. After devices are enrolled, use Endpoint security > Account protection, security baselines, or the settings catalog to target discrete groups.

Windows Hello for Business replaces password sign-in with strong two-factor authentication tied to the device. The user proves possession of the device (a private key that never leaves it) plus knowledge or presence through a PIN or biometric gesture. A PIN is not a reusable password: it is never sent to Microsoft Entra ID or Active Directory, it only unlocks the key held on that device, preferably in a Trusted Platform Module (TPM), and sign-in is a signature with that key, so a PIN captured from one device is useless anywhere else.

Common settings include:

  • Configure Windows Hello for Business as enabled, disabled, or not configured.
  • Require or prefer TPM use.
  • Set minimum and maximum PIN length.
  • Allow, require, or block uppercase, lowercase, and special characters in the PIN.
  • Configure PIN expiration and PIN history.
  • Allow biometrics and enhanced anti-spoofing when available.
  • Enable security keys for sign-in where appropriate.

MD-102 often asks where to configure the policy. Use the tenant-wide enrollment policy when every newly enrolled Windows device should receive the same Windows Hello behavior during enrollment; it applies to all enrolling devices and cannot be scoped to a group. Use Account protection or the settings catalog when the requirement targets selected groups after enrollment.
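Configuring the policy is only half the job; the practical check is whether it reached the device and whether the user has actually provisioned a key. Admins read that from dsregcmd /status, which ships with Windows. The function below is an added example, not code from this page or from Microsoft: it parses the Name : Value lines dsregcmd prints and turns the Hello-related fields into a verdict. The field names are the ones I have seen in current dsregcmd output (assumed stable, check your own output), and the sample block is constructed so the function runs without a device.

```powershell
# Added example (not from the page or Microsoft). Parses `dsregcmd /status` for Windows Hello for Business state.
# Assumption: field names below match current dsregcmd builds; the sample output is constructed.

function Get-HelloState {
    param(
        # Default runs the real tool; pass captured text to analyze a user's output offline.
        [string[]]$StatusLines = (& "$env:SystemRoot\System32\dsregcmd.exe" /status)
    )
    # Informative lines look like "   FieldName : Value". First occurrence wins; the fields used here
    # have distinct names in the Device, User and Ngc Prerequisite Check sections.
    $f = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$' -and -not $f.ContainsKey($Matches[1])) {
            $f[$Matches[1]] = $Matches[2]
        }
    }

    $verdict =
        if     ($f['NgcSet'] -eq 'YES')                { 'Provisioned: this user already has a Hello key on this device' }
        elseif ($f['AzureAdJoined'] -ne 'YES' -and $f['DomainJoined'] -ne 'YES') { 'Not eligible: device is not Entra joined or domain joined' }
        elseif ($f['PolicyEnabled'] -eq 'NO')           { 'Policy missing: the enrollment policy or Account protection profile has not reached this device' }
        elseif ($f['TpmProtected'] -eq 'NO')            { 'No TPM protection: a policy that requires TPM will block provisioning' }
        elseif ($f['PreReqResult'] -eq 'WillProvision') { 'Ready: the user will be prompted to set up Hello at next sign-in' }
        else                                            { "Blocked: PreReqResult=$($f['PreReqResult']); read the Ngc Prerequisite Check section" }

    [pscustomobject]@{
        AzureAdJoined  = $f['AzureAdJoined']
        DomainJoined   = $f['DomainJoined']
        TpmProtected   = $f['TpmProtected']
        PolicyEnabled  = $f['PolicyEnabled']   # Hello policy applied to this device/user
        DeviceEligible = $f['DeviceEligible']
        PreReqResult   = $f['PreReqResult']
        NgcSet         = $f['NgcSet']          # YES once the user has provisioned a key
        NgcKeyId       = $f['NgcKeyId']
        Verdict        = $verdict
    }
}

# Constructed sample: Entra joined, TPM-backed device where the policy arrived but the user has not enrolled yet.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
              TpmProtected : YES
            KeyProvisioned : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
            IsDeviceJoined : YES
             IsUserAzureAD : YES
             PolicyEnabled : YES
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
              PreReqResult : WillProvision
'@ -split "`r?`n"

Get-HelloState -StatusLines $sample | Format-List
```

For the constructed sample the verdict is "Ready"; a device where PolicyEnabled reads NO is the usual outcome of a Hello profile assigned to the wrong group or of the tenant-wide enrollment policy being left at Not configured.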

Windows LAPS with Intune

Windows LAPS manages the password of a local administrator account on Windows devices. Intune exposes this through Endpoint security > Account protection > Local admin password solution (Windows LAPS). Windows LAPS is different from Windows Hello: Hello hardens user sign-in, while LAPS manages local admin password rotation and retrieval.

Important Windows LAPS facts for MD-102:

Requirement or decision, and what to know:

  • Backup directory: Intune policy can configure backup to Microsoft Entra ID or to Windows Server Active Directory, but a device uses one directory type, not both.
  • Join state: Microsoft Entra joined devices back up to Microsoft Entra ID. Hybrid joined devices are supported and back up to whichever directory the policy selects. Microsoft Entra registered (workplace joined) devices are not supported by Intune for LAPS.
  • Entra enablement: for backup to Microsoft Entra ID, first turn on Enable Microsoft Entra Local Administrator Password Solution (LAPS) under Entra device settings; without it, the policy applies but no password is escrowed.
  • Retrieval permissions: by default Global Administrator, Cloud Device Administrator, and Intune Administrator can read passwords stored in Microsoft Entra ID, as can a custom Entra role that holds microsoft.directory/deviceLocalCredentials/password/read. Retrievals are audited, and a retrieved password should be rotated afterward (the Intune device action Rotate local admin password, or the policy's post-authentication actions).
  • Account scope: Intune Windows LAPS manages a single local administrator account per device. If no account name is specified, it manages the built-in Administrator account (well-known RID 500) even if that account has been renamed; a custom account name must already exist, because LAPS does not create accounts.

A common exam distinction: if the requirement is to rotate and escrow local administrator passwords, choose Windows LAPS. If the requirement is passwordless or stronger user sign-in, choose Windows Hello for Business. If the requirement is local Administrators membership, choose Local user group membership.
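The join-state rules above are exactly what a retrieval script should check before it asks for a password. The function below is an added example, not code from this page or from Microsoft: it looks the device up with the Graph PowerShell SDK, applies the join-state rules, and then reads the escrowed credential with Get-LapsAADPassword from the LAPS module that ships with Windows 11 and Windows Server 2022 and later. The assumption that Get-LapsAADPassword -DeviceIds accepts the Entra device ID (deviceId, not the directory object id) and the output property names in the usage comment follow the cmdlet documentation as I recall it; the device name is a placeholder.

```powershell
# Added example (not from the page or Microsoft). Requires:
#   Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement (Get-MgDevice)
#   the LAPS PowerShell module built into Windows 11 / Windows Server 2022+ (Get-LapsAADPassword)
#   Connect-MgGraph -Scopes 'Device.Read.All','DeviceLocalCredential.Read.All'
# Assumption: -DeviceIds takes the Entra device ID; output properties Account / Password / PasswordExpirationTime.

function Get-IntuneLapsPassword {
    param([Parameter(Mandatory)][string]$DeviceName)

    # 1. Look the device up and apply the join-state rules before touching the credential.
    $filter = "displayName eq '$($DeviceName.Replace("'", "''"))'"
    $device = Get-MgDevice -Filter $filter -Property Id,DeviceId,DisplayName,TrustType | Select-Object -First 1
    if (-not $device) { throw "No Entra device named '$DeviceName'." }

    switch ($device.TrustType) {
        'Workplace' { throw "'$DeviceName' is Entra registered (workplace joined): Intune LAPS does not support it." }
        'ServerAd'  { Write-Warning "'$DeviceName' is hybrid joined. If the policy's BackupDirectory is 2 (Active Directory) the password is in AD, not Entra; use Get-LapsADPassword there." }
        'AzureAd'   { }   # Entra joined: BackupDirectory must be 1 (Entra ID) and LAPS must be enabled in Entra device settings
    }

    # 2. Retrieve the escrowed credential. The read is audited in Entra; treat the password as burned once shown.
    $cred = Get-LapsAADPassword -DeviceIds $device.DeviceId -IncludePasswords -AsPlainText
    if (-not $cred) {
        throw "No LAPS password escrowed for '$DeviceName'. Check Entra LAPS enablement and that the Account protection policy applied."
    }
    $cred
}

# Usage (placeholder device name):
#   $c = Get-IntuneLapsPassword -DeviceName 'SEA-LT-042'
#   $c.Account; $c.Password; $c.PasswordExpirationTime
# After the support session, rotate rather than waiting for expiry:
#   portal: Devices > SEA-LT-042 > Rotate local admin password
#   on the device, elevated: Reset-LapsPassword     (new password, fresh backup to the configured directory)
```

The BackupDirectory values in the comments are the LAPS CSP's own encoding (0 disabled, 1 Entra ID, 2 Active Directory), which is why the hybrid-joined branch can only warn: the script cannot tell from the directory object which of the two a given policy selected.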

Local user group membership

Microsoft's Account protection policy includes a Local user group membership profile for Windows. It uses the LocalUsersAndGroups policy CSP (Windows 10 version 20H2 and later, and Windows 11) to manage built-in groups such as Administrators, Users, Guests, Power Users, Remote Desktop Users, and Remote Management Users.

The policy can apply these actions:

Action in Intune, and its effect:

  • Add (Update): adds the specified members and leaves other existing members in place.
  • Remove (Update): removes the specified members and leaves other existing members in place.
  • Add (Replace): replaces the group membership with exactly the specified members, similar to restricted groups.

Use Add (Replace) carefully. If Replace and Update target the same local group, Replace wins. Replace drops every member not in the list, including members Windows added on its own, such as the user who joined the device and the Entra admin role SIDs added at join time. For the built-in Administrators group, include the built-in Administrator account plus the intended admin members to avoid breaking required local membership. For hybrid joined devices, manual member selection can use domain accounts or SIDs; for Microsoft Entra joined devices, Microsoft Entra users or groups are supported, but Microsoft notes that Entra groups deployed through this policy do not apply to Remote Desktop connections, so a group added to Remote Desktop Users will not grant RDP access.
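Because Replace discards everything not listed, it pays to compute the outcome before the policy reaches a device. The PowerShell below is an added example, not code from this page or from Microsoft: the XML is the LocalUsersAndGroups CSP payload shape that the Intune profile generates (action U for Update, R for Replace), and the function applies the documented rules, Replace wins over Update and Update only adds or removes the listed members, to a constructed current membership. SIDs, account names and the current membership are made-up sample data.

```powershell
# Added example (not from the page or Microsoft). The XML is the LocalUsersAndGroups Policy CSP
# payload shape that Intune's Local user group membership profile generates (action "U" = Update,
# "R" = Replace). SIDs, account names and the current membership below are constructed sample data.

$policyXml = @'
<GroupConfiguration>
  <accessgroup desc="Administrators">
    <group action="R" />
    <add member="S-1-5-21-1111111111-2222222222-3333333333-500" />
    <add member="S-1-12-1-4444444444-5555555555-6666666666-7777777777" />
  </accessgroup>
  <accessgroup desc="Remote Desktop Users">
    <group action="U" />
    <add member="AzureAD\bob@contoso.com" />
  </accessgroup>
</GroupConfiguration>
'@

# Constructed current membership (what Get-LocalGroupMember might show today).
$currentAdmins = @(
    'S-1-5-21-1111111111-2222222222-3333333333-500',   # built-in Administrator, RID 500
    'AzureAD\alice@contoso.com',                       # joined the device, so added at Entra join
    'SEA-LT-042\helpdesk-local'                        # stray local admin nobody approved
)

function Get-ExpectedLocalGroupMembers {
    param(
        [Parameter(Mandatory)][string]   $GroupName,
        [Parameter(Mandatory)][string[]] $CurrentMembers,
        [Parameter(Mandatory)][xml[]]    $Policies        # every payload that targets the device
    )
    $adds = @(); $removes = @(); $replace = $null
    foreach ($policy in $Policies) {
        foreach ($ag in $policy.SelectNodes('/GroupConfiguration/accessgroup')) {
            if ($ag.GetAttribute('desc') -ne $GroupName) { continue }
            $members = @($ag.SelectNodes('add')    | ForEach-Object { $_.GetAttribute('member') })
            $drops   = @($ag.SelectNodes('remove') | ForEach-Object { $_.GetAttribute('member') })
            if ($ag.SelectSingleNode('group').GetAttribute('action') -eq 'R') {
                $replace = $members                     # Replace wins over any Update for the same group
            } else {
                $adds += $members; $removes += $drops
            }
        }
    }
    $result = if ($null -ne $replace) { $replace }
              else { @(($CurrentMembers + $adds) | Select-Object -Unique | Where-Object { $_ -notin $removes }) }

    if ($GroupName -eq 'Administrators' -and -not ($result | Where-Object { $_ -like '*-500' })) {
        Write-Warning 'Replace list omits the built-in Administrator (RID 500): the device would lose its break-glass local admin.'
    }
    $result
}

$expected = Get-ExpectedLocalGroupMembers -GroupName 'Administrators' -CurrentMembers $currentAdmins -Policies ([xml]$policyXml)
# Only the two listed SIDs survive: alice and helpdesk-local are both removed, because Replace
# discards every member not in the list, including the user who joined the device.
$expected

# Dry run on a real device (LocalAccounts module): compare today's members with the computed result.
# Normalize both sides to SIDs first, since policy entries may mix names and SIDs.
# $live = (Get-LocalGroupMember -Group 'Administrators').SID.Value
# Compare-Object -ReferenceObject $live -DifferenceObject $expected
```

Drop the RID 500 line from the XML and the function warns; that is the mistake the page's advice about including the built-in Administrator is guarding against.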

Exam checklist

  • For delegated Intune administration, identify role, admin group, scope groups, and scope tags.
  • For stronger Windows user sign-in, choose Windows Hello for Business.
  • For rotating local admin passwords, choose Windows LAPS.
  • For controlling local Administrators, Remote Desktop Users, or similar groups, choose Local user group membership.
  • For least privilege, prefer scoped custom roles and targeted assignments over broad tenant-wide administrators.
Test Your Knowledge

A regional support team should manage only configuration profiles and compliance policies for devices in the Chicago office. They should not see or edit policies for other regions. Which Intune design best meets the requirement?


All newly enrolled corporate Windows devices should prompt users to set up Windows Hello for Business during the enrollment experience. Which Intune location is the best fit?


You need Microsoft Entra joined Windows 11 devices to rotate the local administrator account password and store the recoverable password in Microsoft Entra ID. What should you configure?


Security wants the local Administrators group on Windows devices to contain only the built-in Administrator account and a specific Entra security group. Existing extra local admins should be removed. Which Intune profile/action should you use?
