Forum Discussion
Spirali
May 27, 2021, Copper Contributor
Intune Enrollment for Remote Users - No VPN - No Local Admin
Trying to find a way to get devices enrolled with Endpoint Manager without the need for local admin or VPN. Does anyone have suggestions on how to get devices enrolled during this time of remote work? Everything I have checked on either requires connection to the local network or local admin.
Help is greatly appreciated.
What I have done:
- Setup AutoPilot profile
- Imported test device
- Connected work account through Store App
- Installed Company Portal
- Attempted enrollment (fail, no local admin)
I tested this yesterday and it seemed to work by adding the Autopilot profile, but today I can't get it to work at all. Do any of you have suggestions on how to handle enrollment of
Unsure if Autopilot profile assignment will force devices to enroll or not.
I tested the above yesterday and it seemed to work, but today when I tried to reverse engineer what I did, nothing seems to work.
Thanks
8 Replies
- Spirali (Copper Contributor): Chatted with one of my buddies that works at MS and he confirmed that local admin is required to manually enroll a device with Endpoint Manager. Thanks for the replies.
- Hi,
  Now you know why I was a little bit hammering on the question about local admins 🙂 .. Nice to hear you have the final answer now.
- Spirali (Copper Contributor): Oh, I get it. I was basically trying to see if anyone in the community had found a way around this requirement. It's really a pain with Covid and all the people that are working remote. Appreciate the replies though.
- Hi,
  Could you explain it a little bit better?
  Are the devices already Azure AD joined, domain joined, or standalone devices? Can't tell for sure when I am reading your question.
  Do you only want the devices to be Azure AD joined and enrolled into Intune? Or only registered and enrolled into Intune?
  Autopilot is only used/triggered when you reset/wipe a device before the OOBE screen.
  Local admin permissions are needed when you manually want to enroll your device into Intune by using the company app:
  https://docs.microsoft.com/en-us/troubleshoot/mem/intune/no-permission-to-enroll-windows-devices
  You can use this option as it uses the local system account:
  https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-join-device-on-network
- Spirali (Copper Contributor): Devices are remote domain joined devices. They do not have VPN, are not in the office, and are not AAD joined. Hybrid Join is something we are rolling out, but again that requires direct LoS to the Domain Controllers for the SCP.
  What I need is a way to get the devices that are remote and not connected to the network enrolled in Intune. This is to be able to push out the SCCM client to them with the CMG configuration. I know there are ways to get the SCCM agent installed (primarily by directly contacting the users or by having the devices on the network).
  The issue we have is that the devices will not have VPN and will not have local admin access. I am trying to find options to get them enrolled without the VPN or local admin.
- Hi,
  - Is there any important data on the devices? Is it okay to reset/wipe the devices?
  - You are telling you want to enroll the devices into Intune and not in Azure AD? You are also talking about Autopilot.
  So if you only want to enroll them into Intune:
  https://www.ntweekly.com/2018/12/14/enroll-windows-10-devices-to-intune-without-azure-ad/
  - Do the devices have a local admin account that can be used?