Forum Discussion
Enroll a Windows device in Intune with a non-administrator account
Moe
- RomanK7, May 11, 2022, Brass Contributor
That's all well and good.
However, I have to somehow get rid of the admin rights.
The local admin user Xyz should no longer be a local admin after enrollment with abc@dmain.com.
- Oktay Sari, May 16, 2022, Iron Contributor
RomanK7, in your previous reply you say:
2. Login on Device with their on-premise account.
3. AD Joined Device with no local Admin rights.
4. Right, only MDM enrolled
Just checking to make sure I understand you correctly. You don't want these devices to be Azure AD joined, right? If that is the case, you can go for MDM-only enrollment like Moe explains (option 2).
Yes, you will have to use a local admin account to do this, and if I'm right, your devices are already domain joined, right? If that's true, by default the Domain Admins group is a member of the Administrators group on all computers that have joined a domain.
This means you can sign in to the device with a domain admin and then MDM enroll the device using MDM-only enrollment. If you don't want to sign in with a domain admin account, you can create a GPO to update the local Administrators group on your devices and add a domain user to this group. Later on, you can update the local Administrators group again and remove the account.
Now for the MDM only enrollment part. The best thing you can do is
- sign-in to the device with a domain admin account
- have the user him/herself MDM enroll the device using MDM only enrollment
- sign-out the domain admin account
Here's what the docs say (https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods#user-self-enrollment-in-intune):
This enrollment method isn't recommended because:
It doesn't register the device into Azure Active Directory (AD). Users might not get access to organization resources, such as email.
It prevents using some Azure AD features, such as Conditional Access.(however... you could use some conditional access policies and target devices using Filter for devices - device.trustType -ne "AzureAD" -and device.trustType -ne "Workplace")

The next step could be for the user to actually Azure AD register the device. This will make it easier and more convenient for the users to use the Office apps. Users do not have to be a local admin to register the device.
If for whatever reason the user himself cannot MDM enroll the device, then you could go for a DEM account (https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll#enrollment-methods-supported-by-dem-accounts). However, normally you would not use a DEM account to enroll devices using MDM-only enrollment. I know it works, but I'm not sure if it's supported.
Here's what the docs tell:
You can use the following methods to enroll devices using DEM accounts:
- Windows Autopilot
- Windows devices bulk enrollment
- DEM initiated via Company Portal
- DEM initiated via Azure AD join
In the end I have to say... just (hybrid) Azure AD joining the devices will make life a lot easier.

Hope this helps
Oktay
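The steps Oktay describes (temporarily put a domain user in the local Administrators group, let that user do the MDM-only enrollment, then take the account out again and confirm the device is MDM enrolled but not Azure AD joined) as one PowerShell script. This is an added example for the thread, not something Oktay or Microsoft published; it assumes the built-in LocalAccounts cmdlets (Windows PowerShell 5.1 on the client), that `dsregcmd /status` prints its fields as `Name : Value` lines, that Intune enrollments appear under HKLM:\SOFTWARE\Microsoft\Enrollments with ProviderID `MS DM Server`, and that the account name (`CONTOSO\xyz`) is a placeholder for your own.

```powershell
# Added example (not from the original thread). Run in an elevated session on the
# domain-joined client. Assumptions are marked in comments.
param(
    [Parameter(Mandatory)] [string] $Account,                      # e.g. 'CONTOSO\xyz' (placeholder)
    [ValidateSet('Grant', 'Revoke', 'Audit')] [string] $Action = 'Audit'
)

function Get-LocalAdmins {
    # Current members of the built-in Administrators group, as 'DOMAIN\name' strings.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
}

function Get-JoinState {
    # Parse the join-related fields from dsregcmd /status into a hashtable.
    # Assumption: output lines look like 'AzureAdJoined : NO'.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|EnterpriseJoined)\s*:\s*(\S+)') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-IntuneEnrollments {
    # Assumption: each MDM enrollment is a GUID subkey under this path and the Intune
    # enrollment carries ProviderID 'MS DM Server'.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object -Property PSChildName, EnrollmentState, UPN
}

switch ($Action) {
    'Grant' {
        # Step 1: give the enrolling user local admin for the duration of the enrollment.
        if ((Get-LocalAdmins) -contains $Account) {
            Write-Host "$Account is already in Administrators"
        } else {
            Add-LocalGroupMember -Group 'Administrators' -Member $Account
            Write-Host "Added $Account to Administrators; have the user run the MDM-only enrollment now"
        }
    }
    'Revoke' {
        # Step 3: remove the rights again, then prove the removal took effect.
        if ((Get-LocalAdmins) -contains $Account) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $Account
        }
        if ((Get-LocalAdmins) -contains $Account) {
            throw "$Account is still a member of Administrators"
        }
        Write-Host "$Account is no longer a local admin"
    }
    'Audit' {
        # Step 2 check: MDM-only enrollment should show DomainJoined=YES, AzureAdJoined=NO
        # and exactly one Intune enrollment record.
        Write-Host 'Local Administrators:'
        Get-LocalAdmins | ForEach-Object { Write-Host "  $_" }

        $join = Get-JoinState
        Write-Host ('DomainJoined={0} AzureAdJoined={1} WorkplaceJoined={2}' -f `
            $join['DomainJoined'], $join['AzureAdJoined'], $join['WorkplaceJoined'])

        $enrollments = @(Get-IntuneEnrollments)
        if ($enrollments.Count -eq 0) {
            Write-Warning 'No Intune (MS DM Server) enrollment found'
        } else {
            $enrollments | Format-Table -AutoSize
        }
    }
}
```

Typical sequence: `.\Enroll-Admin.ps1 -Account 'CONTOSO\xyz' -Action Grant`, let the user enroll via Settings > Accounts > Access work or school > "Enroll only in device management", then `-Action Revoke` followed by `-Action Audit`. If you deploy the group change through a GPO instead, as Oktay suggests, the Audit branch is still the useful part: it shows whether the GPO has been withdrawn on that machine and whether the enrollment record exists without the device having become Azure AD joined.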
- RomanK7, Jun 07, 2022, Brass Contributor
I try to explain better.
We have connected companies with "Azure Active Directory Connect cloud sync". (NOT Azure Active Directory Connect sync)
https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync
The identity can be synchronized. But unfortunately not the devices.
In order to be able to manage these now (in a limited way), the idea is to bring them into Intune via the Company Portal.
Some of these devices are in the domain of the other company and the users do not have local admin rights. Now my question is what is the best way to do it?
- Oktay Sari, May 11, 2022, Iron Contributor
I'm with Moe_Kinani on this one. Both choices are good. Option 2 is the easiest.