Forum Discussion
Is there any way of using non-admin users on compliant devices?
What do you mean that you need to use an admin user to make it compliant?
Are you auto-registering and auto-enrolling the devices in Intune?
I have Windows 10 clients here with non-admin users, and they're marked as compliant in Intune. No extra steps by an admin user were needed to get to that state.
- Ion Zubia, May 14, 2018, Brass Contributor
Hi,
I believe a hybrid environment is needed to accomplish this scenario. At the moment our premise infrastructure has 0 connection to our 365 and Azure AD.
I'm forcing compliance to a few users, however, even if their Windows 10 machines are marked as compliant, these users will only be able to access their data if they're logged in with a local admin account. Otherwise access is denied and the device is detected as non-compliant.
And no, I'm enrolling the devices manually.
- Paul Cunningham, May 15, 2018, Steel Contributor
I'm confused why they are logging in with local admin accounts and then accessing Office 365 services. Can you explain why they are doing that?
- Ion Zubia, May 15, 2018, Brass Contributor
Hi,
They don't, we make the computers compliant manually and then hand them to the users (this hasn't been deployed yet, so we are still testing it).
To make the device compliant you need to use an administrator account; a regular user will not be able to go through the enrolment process to make the PC compliant. However, I do not want the end user to use a device with local admin rights. I can manually make a Windows 10 machine compliant with the Intune policies (making the machine Azure registered and Intune compliant). To do this you need a user with local admin rights.
Once the device is compliant, if I switch to a regular user's account with no local admin rights, it then fails to access data (e.g., logging into Office 365). If I, however, access the device with a user with local admin rights, I'll be able to access the data successfully. We need to do this manually because our on-premises 2012 AD has absolutely no connection to our Azure AD.
If I may ask, do you work on a hybrid environment, on premise or cloud solution (Azure)?
Thank you.