Forum Discussion

Kavindu Asanga Dayananda's avatar
Kavindu Asanga Dayananda
MCT
Nov 16, 2020

Can device administrator install local software/applications on a device

    Hi,   We have some PCs deployed via a "Standard User" autopilot profile (Hybrid Azure AD). However we have created a policy to get a elevated prompt when a user wants to install a software an...
Intune
Mobile Application Management (MAM)
Oliver Kieselbach's avatar
Oliver Kieselbach
MVP
Nov 16, 2020

Hey Kavindu Asanga Dayananda,

 

there are a few options, a good summary of the native MS functionality is found here: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

You don't need to use the Global Admins, you can assign Device Admins, but they can't be scoped they are admins on all your devices. With 2004 we got an option via a config profile (OMA-URI) to control membership in local Administrators group on Windows 10. That's all build in. If that is not sufficient, you need to use a LAPS solution out there. 

Here is a good blog about various LAPS community solutions: Challenges while managing administrative privileges on your Azure AD joined Windows 10 devices | Modern Workplace Blog (vansurksum.com)

and finally there are official products providing LAPS functionality, to mention a few, RealmJoin | Companion to Intune (it has also a LPAS component) or Admin By Request.

 

best,

Oliver

Resources