Hi Basically, I am referring to the following article:https://docs.microsoft.com/en-us/troubleshoot/mem/intune/no-permission-to-enroll-windows-devicesI have devices here that use Office 365 but are not synchronized with Azure AD Connect. This is also not possible (different AD). In order to be able to simplify a few points (conditional access, office installation), I would like to bring the devices into Intune.The easiest way seems to me to be via the Company Portal App. And here's the point: isn't there a way to do this reasonably on existing devices without requiring the user to be a local admin?How do you do this? Or is there a way to "take away" the user's admin rights after the Intune enrollment?I hope I was able to adequately describe my concern. Otherwise just ask please.

What you're trying to do is (user-)enroll the device as BYOD, if I understand your description correctly, and that requires local admin-privileges.For more information on your options, see:https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods#user-self-enrollment-in-intune

It will be assigned to the user you join it with to intune. For example, Local admin user is Xyz and you join it abc@dmain.com, primary user in Intune will be abc@dmain.comMoe

I'm with Moe_Kinani on this one. Both choices or good. Option 2 is the easiest.

RomanK7 in your previous reply you say;2. Login on Device with their on-premise account.3. AD Joined Device with no local Admin rights.4. Right, only MDM enrolled Just checking to make sure if I understand you correctly. You don't want these devices to be Azure AD joined right? If that is the case, you can go for MDM only enrollment like Moe explains. (option 2) Yes, you will have to use a local admin account to do this, and if I'm right, your devices are already domain joined right? If that's true, by default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain. This means you can sign in with a domain admin to the device and then MDM enroll the device using MDM only enrollment. If you don't want to sign-in with a domain admin account. You can create a GPO to update the local administrators group on your devices and add a domain user to this group. Later on, you can update the local administrators group again, and remove the account. Now for the MDM only enrollment part. The best thing you can do issign-in to the device with a domain admin accounthave the user him/herself MDM enroll the device using MDM only enrollmentsign-out the domain admin accountHere's what the https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods#user-self-enrollment-in-intune:This enrollment method isn't recommended because:It doesn't register the device into Azure Active Directory (AD). Users might not get access to organization resources, such as email.It prevents using some Azure AD features, such as Conditional Access. (however... you could use some conditional access policies and target devices using Filter for devices - device.trustType -ne "AzureAD" -and device.trustType -ne "Workplace") The next step could be for the user to actually Azure AD register the device. This will make it easier and more convenient for the users to use the Office apps. Users do not have to be a local admin to register the device. If for what ever reason, the user himself cannot MDM enroll the device, then you could go for a https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll#enrollment-methods-supported-by-dem-accounts. However, normally, you would not use a DEM account to enroll devices using MDM only enrollment. I know it works, but I'm not sure if it's supported. Here's what the docs tell:You can use the following methods to enroll devices using DEM accounts:Windows AutopilotWindows devices bulk enrollmentDEM initiated via Company PortalDEM initiated via Azure AD joinIn the end I have to say... just (hybrid)Azure AD joining the devices, will make life a lot easier. Hope this helpsOktay

RomanK7 Not quite clear what the situation is so I have a few questions: Do your users have 2 accounts to deal with? One for on-premises and one for Office 365?Do your users log-in with their on-premise AD account on AD joined devices?Or are we talking about unmanaged devices with local accounts and no admin rights?You don't want the devices to be Azure AD joined but only MDM enrolled. Is that right?Why is Azure AD Connect not possible? Can you clarify?How do users work with Office 365 sources? Browser only?What licenses do your users have?By the way, It's not a requirement to have Intune managed devices to use conditional access. Conditional access can allow or restrict access to Microsoft 365 resources when users sign-in (identity-driven signals) using a managed or unmanaged devices, local apps or the browser. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Enroll a Windows device in Intune with a non-administrator account

11 Replies

Moe_Kinani
Bronze Contributor
May 10, 2022
RomanK7,

You have two ways to do this:

1. Sync the other AD with ADConnect, make them Hybrid Joined and apply gpo to auto enroll them to intune.

https://cloudbymoe.com/f/enrolling-workstations-to-intune-using-gpo

2. Sign in to each PC as a local admin and enroll them to Intune.

Hope this helps!
Moe
- RomanK7
  Brass Contributor
  May 10, 2022
  On point 2: How is the device then assigned to the user in Azure AD / Intune? Enrollment manager?
  - Moe_Kinani
    Bronze Contributor
    May 11, 2022
    It will be assigned to the user you join it with to intune. For example, Local admin user is Xyz and you join it abc@dmain.com, primary user in Intune will be abc@dmain.com
    
    Moe
Oktay Sari
Iron Contributor
May 09, 2022
RomanK7
Not quite clear what the situation is so I have a few questions:

Do your users have 2 accounts to deal with? One for on-premises and one for Office 365?
Do your users log-in with their on-premise AD account on AD joined devices?
Or are we talking about unmanaged devices with local accounts and no admin rights?
You don't want the devices to be Azure AD joined but only MDM enrolled. Is that right?
Why is Azure AD Connect not possible? Can you clarify?
How do users work with Office 365 sources? Browser only?
What licenses do your users have?
By the way, It's not a requirement to have Intune managed devices to use conditional access. Conditional access can allow or restrict access to Microsoft 365 resources when users sign-in (identity-driven signals) using a managed or unmanaged devices, local apps or the browser. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
- RomanK7
  Brass Contributor
  May 10, 2022
  I'm sorry I didn't write everything clearly. I try to answer.
  1. No, only one Account is synced with Azure AD Cloud Sync, not Cloud Connect.
  2. Login on Device with their on-premise account.
  3. AD Joined Device with no local Admin rights.
  4. Right, only MDM enrolled
  5. Other AD (subsidiary)
  6. Apps and Web
  7. Microsoft 365 E3
NielsScheffers
Iron Contributor
May 09, 2022
What you're trying to do is (user-)enroll the device as BYOD, if I understand your description correctly, and that requires local admin-privileges.

For more information on your options, see:
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods#user-self-enrollment-in-intune
- RomanK7
  Brass Contributor
  May 10, 2022
  That's how I (unfortunately) see too

Forum Discussion

Enroll a Windows device in Intune with a non-administrator account