Forum Discussion
Enroll existing Azure AD Joined W10 Devices into Intune
In the Access work/school account you can enroll into MDM only.
I just tested this in my lab and it works great.
Thijs Lecomte Do users need to be local admin? Or can a user without admin permissions execute this? I have over 5k computers; is there an automated way, like PowerShell, that I can use to enroll them?
- Oct 06, 2021
There are a lot of options (ehh, not that many, but 🙂) to join your existing devices to Azure.. but are you sure there aren't any weird leftovers on the device? If not, you could create a bulk enrollment package and join them to Azure... And your local admin problem can be solved with a nice PowerShell script... And... there are scripts which look at the logged-on user to change the primary user, if I am not mistaken.
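As an added example (it is not code from this thread, nor Microsoft's tooling beyond the two built-in commands it calls), the following PowerShell script shows the inventory-then-enroll approach discussed above: parse `dsregcmd /status` to find devices that are Azure AD joined but have no MDM URL, then trigger the same auto-enrollment the "Enable automatic MDM enrollment using default Azure AD credentials" policy uses, via `deviceenroller.exe /c /AutoEnrollMDM`. It assumes it runs as SYSTEM or a local administrator through an existing channel (RMM, startup script, scheduled task), so no end user needs local admin rights. The sample `dsregcmd` output is constructed for offline testing, the function names are my own, and whether the auto-enrollment trigger completes on an already-joined device is an assumption to verify in a lab before touching thousands of machines.

```powershell
# Added example, not from the original thread. Requires Windows 10 1607+ (dsregcmd.exe)
# and elevation (SYSTEM or local admin) for the registry write and enrollment trigger.

function ConvertFrom-DsregStatus {
    # Turn the "   Key : Value" lines dsregcmd prints into a small status object.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($fields['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($fields['DomainJoined']  -eq 'YES')
        TenantId      = $fields['TenantId']
        DeviceId      = $fields['DeviceId']
        # dsregcmd leaves MdmUrl empty when the device is AAD joined but not MDM enrolled.
        MdmEnrolled   = -not [string]::IsNullOrWhiteSpace($fields['MdmUrl'])
        MdmUrl        = $fields['MdmUrl']
    }
}

function Get-DeviceEnrollmentState {
    # Live query of the local machine (name of this helper is my own).
    $lines = & "$env:SystemRoot\System32\dsregcmd.exe" /status
    ConvertFrom-DsregStatus -Lines $lines
}

function Invoke-MdmAutoEnroll {
    # Writes the same values the auto-enrollment GPO sets (AutoEnrollMDM=1,
    # UseAADCredentialType 1=User credential, 2=Device credential) and starts the
    # enrollment client. Assumption: this also completes on a pure AAD-joined device.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet('User','Device')][string]$CredentialType = 'User')
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if ($PSCmdlet.ShouldProcess($key, 'Set MDM auto-enrollment policy and trigger enrollment')) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name AutoEnrollMDM -Type DWord -Value 1
        $credType = if ($CredentialType -eq 'Device') { 2 } else { 1 }
        Set-ItemProperty -Path $key -Name UseAADCredentialType -Type DWord -Value $credType
        & "$env:SystemRoot\System32\deviceenroller.exe" /c /AutoEnrollMDM
    }
}

# --- Constructed sample dsregcmd output (not from any real tenant) for an offline run ---
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                  TenantId : 00000000-0000-0000-0000-000000000000
                    MdmUrl :
'@ -split "`r?`n"

$state = ConvertFrom-DsregStatus -Lines $sample
if ($state.AzureAdJoined -and -not $state.MdmEnrolled) {
    Write-Host "AAD joined but not MDM enrolled: candidate for auto-enrollment."
    # On a lab device running as SYSTEM, replace the sample with Get-DeviceEnrollmentState
    # and drop -WhatIf to actually trigger enrollment.
    Invoke-MdmAutoEnroll -WhatIf
}
```

Running the inventory part first across the fleet tells you which of the 5k devices still need enrollment and which already have an MDM URL, so the trigger only runs where it is needed; `-WhatIf` keeps the registry write and enrollment call from happening until you have confirmed the behaviour on a test device.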
- Swarupa_D, Oct 06, 2021, Copper Contributor
Thijs Lecomte Hi! I have some 500 working corporate laptops in a company. By auto-enrolling, I can join all of them to Intune while joining them to AAD. But is there a way to join all those devices to AAD in bulk while satisfying the following conditions:
1. No wiping or loss of data or present configuration of the device.
2. No local admin rights for the user
3. A primary user associated with each managed device.
Please advise, and thanks in advance.
- Thijs Lecomte, Jun 04, 2020, Bronze Contributor
Every MDM will have this problem if you don't have a current management system in place to automate the enrollment.
- Orion-Skol, Jun 04, 2020, Brass Contributor
Thijs Lecomte I see a big failure here if MS won't change this. This would be a lack of security and compliance for many companies, especially financial companies. I think I would suggest my company look for a 3rd-party MDM solution... good luck everyone.
- Thijs Lecomte, Jun 04, 2020, Bronze Contributor
Auto-enrollment enrolls into Intune when you join to AAD.
This is the solution that Microsoft recommends.
For your case, there is no solution, and probably no solution will come.
- Orion-Skol, Jun 04, 2020, Brass Contributor
Thijs Lecomte How??
Microsoft came out and we moved all computers to AAD (there is no on-premises or SCCM left)..
Now we want to enroll all devices into Intune.... how? Without giving the user local admin.
- Thijs Lecomte, Jun 04, 2020, Bronze Contributor
Well, Microsoft's solution is auto-enrollment, which doesn't actually require local admin.
- Orion-Skol, Jun 04, 2020, Brass Contributor
Thijs Lecomte This is the reason I mentioned above that Intune enrollment is unprofessional and not acceptable. How many corporates will give users local admin rights to enroll in Intune? If your corporate does, good luck with compliance and auditors.
Why not create a right-click option on endpoint.microsoft.com for devices to select and enroll the MDM device? Or with PowerShell?
Otherwise it is a total failure...
- Thijs Lecomte, Jun 04, 2020, Bronze Contributor
I totally hear you.... You don't want to give out local admin.
I think it's the currently logged-on user who needs to execute these tasks, but I am not sure. It's something you would have to test.
- Orion-Skol, Jun 04, 2020, Brass Contributor
Thijs Lecomte We can't give every user admin permissions; my auditor will yell at me, and I don't think any corporation will be able to give local admin rights to users. So enrollment would fail here..
Can a separate user account with local admin (not the login user) enroll this while the user (non-admin) is logged in?
- Thijs Lecomte, Jun 04, 2020, Bronze Contributor
The user has to be local admin.
Which makes sense, as you wouldn't want regular users to enroll into every MDM system they like.
Every way of enrolling into MDM, will require some kind of admin access to a device.
I don't think there is a way to automate this.