Forum Discussion
Intune + OOBE without local Admin permission on Device
Hi,
I have a question about the enrollment method because something is unclear. Now I try to describe it.
In Intune, I created a new profile under Windows Enrollment > Windows Autopilot Deployment Program > Windows Autopilot deployment profiles > Under Assignments a group where my user is in it.
Now I reset a VM and log in with the account. The device then shows up in Azure AD and Intune.
However, I notice that the setting regarding "User account type: Standard" has not been adopted and my user is admin.
Is the device joined to Azure via the "normal" enrollment and brought to Intune?
Do I have to register the device in Intune to have the OOBE experience?
What is my goal:
Bring devices that are not synchronized from on-prem into Azure AD without the users being admins on the devices.
Hi... Are you 10000% sure the device went through the Autopilot enrollment? Seeing the ESP is something else than the Autopilot enrollment (even when it's a part of it). 99,9% of the time when a device ends up with the user being a local admin or with the old device name, the device didn't go through the Autopilot enrollment.
Besides the Autopilot standard user setting, you could also deploy some additional configuration to make sure the user isn't becoming a local admin:
Manage your local administrator with Intune / MDM (call4cloud.nl)
RomanK7 (Brass Contributor): Thank you for your reply. No, I'm just not sure.
I reset Windows 10 from the OS via Settings.
Does the device for Autopilot have to be registered under "Windows Autopilot Deployment Program" > "Devices"?
If I reset the device in the OS and then log in to the OOBE (without Autopilot) with the business e-mail address, is this a "normal" AAD join, and is the device then enrolled in Intune (if I have that activated)?

Hi.. Yes, the device needs to be shown in Intune in that section... if not, the device's hash isn't uploaded or registered in your tenant.
If you don't use Autopilot, the device would prompt you for your email address (depends on Win 10 or 11) and, after entering your credentials, the device will be Azure AD joined and Intune enrolled if you have the proper license and are not blocking personal devices from being enrolled.
So if you want to be sure that only Autopilot devices can be enrolled into Azure, configure Intune restrictions to block personal devices.
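As an added example (not code posted in this thread), a small PowerShell check a practitioner can run on the freshly reset VM to answer the question raised in the replies: whether the device actually went through Autopilot, whether it is Azure AD joined and MDM enrolled, and whether the signed-in user landed in the local Administrators group. The Autopilot registry path is an assumption (it is where the downloaded deployment profile is cached during OOBE), as is the way the user name forms are compared.

```powershell
# Added example, not from the thread. Post-OOBE sanity check on Windows 10/11:
# did the device go through Autopilot, is it Azure AD joined + MDM enrolled,
# and is the current user a local administrator (which the Autopilot profile
# with "User account type: Standard" should have prevented)?

# Assumption: Autopilot caches the assigned profile under this key during OOBE.
# If the key is missing, the device most likely did a plain Azure AD join.
$autopilotKey = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
$autopilot = Get-ItemProperty -Path $autopilotKey -ErrorAction SilentlyContinue

# dsregcmd /status prints lines such as "AzureAdJoined : YES" and, when the
# device is MDM enrolled, "MdmUrl : https://...". Parse them into a hashtable.
$dsreg = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([^:\s][^:]*?)\s*:\s*(.+?)\s*$') {
        $dsreg[$matches[1]] = $matches[2]
    }
}

# Local Administrators membership for the signed-in account.
# Assumption: both names use the same "AzureAD\User" or "HOST\user" form;
# adjust the comparison if your tenant shows a different naming style.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty Name

[pscustomobject]@{
    AzureAdJoined         = $dsreg['AzureAdJoined']
    MdmEnrolled           = [bool]$dsreg['MdmUrl']
    AutopilotProfileFound = [bool]$autopilot
    AutopilotTenantDomain = $autopilot.CloudAssignedTenantDomain
    CurrentUser           = $me
    IsLocalAdmin          = ($admins -contains $me)
}
```

If `AutopilotProfileFound` is false while `AzureAdJoined` is YES, the device took the ordinary Azure AD join path described in the last reply, which explains why the Standard user setting was never applied.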