Forum Discussion
Enroll existing Azure AD Joined W10 Devices into Intune
Thijs Lecomte, I totally understand what you have said. If your Intune is set up to auto-enroll All Users and you joined AAD with a user, the device will automatically be enrolled in Intune.
But if you didn't configure Intune, devices will only be joined to AAD, as shown below.
Now you mentioned I can enroll into Intune without unjoining/rejoining AAD; looking at the picture below, I'd like to know how?
In the Access work/school account you can enroll into MDM only.
I just tested this in my lab and it works great
- TG, May 23, 2022, Copper Contributor
Thijs Lecomte this is NOT the solution.
If the device is already JOINED to Azure AD, and then if you select "Enroll only in device management", the device will join Intune as a personal device. This is bad. Don't do it.
The only real solution to this, is to do one of the following:
- Reset the device
- Create a local user account with admin privileges, log into it, disconnect the Azure AD joined account in "Access work or school" settings, run this MS deep link "ms-device-enrollment:?mode=aadj&ownership=3" which will join it to AAD and Intune as a corporate device, log back into Windows via the AAD account, and remove the local account.
So in reality, the easiest way is to reset the device. But if that's not possible, you'll have to drag the end user through option #2 to fix it.
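As an added example (not code from this thread or from Microsoft), a check an admin can run before choosing between the reset and the local-admin/deep-link path above: it classifies the device into the join/enrollment states discussed in this thread. It assumes an elevated Windows PowerShell session, that dsregcmd.exe is present, and that Intune enrollments are recorded under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID 'MS DM Server'; the sample dsregcmd lines at the bottom are constructed.

```powershell
# Added example, not from the thread. Assumptions: elevated Windows PowerShell,
# dsregcmd.exe present, and MDM enrollments stored under
# HKLM\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID 'MS DM Server'.

function Get-DsregState {
    # Parse "Key : Value" lines from dsregcmd /status into an object.
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $kv = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $kv[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined   = ($kv['AzureAdJoined']   -eq 'YES')
        DomainJoined    = ($kv['DomainJoined']    -eq 'YES')
        WorkplaceJoined = ($kv['WorkplaceJoined'] -eq 'YES')  # "AAD registered"
        TenantName      = $kv['TenantName']
    }
}

function Get-MdmEnrollment {
    # Return the first Intune enrollment record, or $null when not enrolled.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $root)) { return $null }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($p.ProviderID -eq 'MS DM Server') {
            return [pscustomobject]@{ EnrollmentId = $key.PSChildName; State = $p.EnrollmentState; UPN = $p.UPN }
        }
    }
    return $null
}

function Get-DeviceScenario {
    param($Dsreg = (Get-DsregState), $Mdm = (Get-MdmEnrollment))
    $enrolled = $null -ne $Mdm
    if ($Dsreg.AzureAdJoined -and $enrolled)   { return 'AAD joined + Intune enrolled (corporate owned)' }
    if ($Dsreg.AzureAdJoined)                  { return 'AAD joined only: use the reset or local-admin/deep-link path, not "Enroll only in device management"' }
    if ($Dsreg.WorkplaceJoined -and $enrolled) { return 'AAD registered + Intune enrolled (personal / BYOD)' }
    if ($Dsreg.WorkplaceJoined)                { return 'AAD registered only' }
    return 'Not joined or registered'
}

# Constructed sample output (not a real device) to show the classification offline.
$sample = @('AzureAdJoined : YES', 'DomainJoined : NO', 'WorkplaceJoined : NO', 'TenantName : Contoso')
Get-DeviceScenario -Dsreg (Get-DsregState -Lines $sample) -Mdm $null
Get-DeviceScenario   # classify the live device
```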
- labandlearn, Jan 27, 2023, Copper Contributor
Hi
Could you please give me some advice?
In our company we have a bunch of local users, at least 10 users / devices with local accounts (no admin rights), and now we need to move them to AAD / Intune for management purposes. We don't have any on-prem domain or infrastructure; users only have the O365 license set up on their Windows 10 devices (Outlook, OneDrive, Excel files, etc.).
I was planning to "Join this device to Azure Active Directory" from Set up a work or school account, but my question is, once this is done, do I need to copy the local profile? Is there another way to manage my scenario smoothly, as resetting the PC is not an option?
Thank you in advance.
Luis Loreiro
- TG, Jan 27, 2023, Copper Contributor
AAD joining and enrolling in Intune as you mentioned will require local admin privileges. If end users do not have local admin rights, an IT admin will need to help with it. Someone with local admin rights can run the command to AAD join the device. If an end user without admin rights runs it, it will not work. The end user then uses their AAD credentials to enroll. After enrollment, reboot and log in to Windows with the AAD email/password. Then the IT admin needs to help the end user migrate over their old user profile. Ensure the end user is Intune licensed before enrolling. Auto-enrollment is nice to have set up as well.
There are two supported scenarios in your case:
- AAD Joined + Intune enrolled device: you must log in to Windows using your AAD email/password. This is considered corporate joined / corporate owned.
- AAD Registered + Intune enrolled: you continue logging in to Windows with your local user account, the device is AAD registered and is considered a personal / BYOD in AAD and personal owned in Intune.
- Orion-Skol, Jun 04, 2020, Brass Contributor
Thijs Lecomte, do users need to be local admin? Or can a user without admin permissions execute this? I have over 5k computers; is there an automatic way, like PowerShell, that I can enroll with?
- Thijs Lecomte, Jun 04, 2020, Bronze Contributor
The user has to be local admin.
Which makes sense, as you wouldn't want regular users to enroll into every MDM system they like.
Every way of enrolling into MDM, will require some kind of admin access to a device.
I don't think there is a way to automate this.
- Orion-Skol, Jun 04, 2020, Brass Contributor
Thijs Lecomte, we can't give every user admin permissions. My auditor will yell at me, and I don't think any corporation will be able to give local admin rights to users. So enrollment would fail here.
Can a separate user account with local admin (not the login user) enroll this while the (non-admin) user is logged in?