Forum Discussion

  • Adir_Moshe
    Brass Contributor
    Hi,

    If you need to assist someone on site you could "run as admin" and use admin credentials.
    The admin would be an Azure AD user who has the Global Administrator role or the Azure AD Joined Device Local Administrator role.
    You could read more about that role in the following link:
    https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#azure-ad-joined-device-local-administrator

    For remote assistance you could use the new Remote Help from Intune (that product has a cost).
    Adding a link about that new product:
    https://docs.microsoft.com/en-us/mem/intune/remote-actions/remote-help

    Best regards,
  • Hi mmchx,

    Adding to Adir_Moshe, for more granular configuration you can leverage the Policy CSP - LocalUsersAndGroups - Windows Client Management | Microsoft Docs; this will allow you to add specific user accounts to specific local groups on specific managed devices.

    Managing a local admin account, although it has its benefits, has a lot of security and management disadvantages and I would not recommend that.

    For remote control, the new tool from Microsoft does sound promising but is still in preview with no cost estimation in sight, so you can fall back to a third party such as TeamViewer, which in my opinion provides good integration, until Remote Help is GA.

    Best regards,

    Michael Moshkovich

  • Hi,

    I would go for the additional local admin like I mention in this blog, because in my opinion using one Azure AD account to manage each workstation ... mmm, not my cup of tea. I would rather use a local admin and add LAPS to it.

    (even while this blog is more about the remediation error it could give you 🙂 )

    https://call4cloud.nl/2021/12/i-kill-remediation-errors/

    • gerardoamadeus
      Brass Contributor
      Hi,
      Your best option is either to add admins to the Device Administrators group (which is added to Administrators on all devices) or, if you want to be more specific because you have several countries or groups of administrators, you can use the following CSP to add Azure users or groups:
      https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups
      You can add and remove users from the local Administrator group.
      To add Azure groups you will need the Azure SID, which can be found using Graph Explorer.
      Regards,
      • Mr_Helaas
        Steel Contributor

        Hi gerardoamadeus

        From a security perspective, adding admins to a device administrator group is not safe. If one of your admins is hacked, they have local admin rights on all your Azure AD Joined machines.

        So, I agree with Rudy_Ooms_MVP. My advice is to always use a local admin account for the specific device with LAPS, so none of your devices will have the same admin password.

        Kind regards,

        Rene

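As an added example (not code from any of the posters or from Microsoft's docs), the PowerShell below shows the two pieces gerardoamadeus's suggestion needs in practice: deriving the S-1-12-1-... SID that the LocalUsersAndGroups CSP expects from an Azure AD group's object ID, and building the XML payload for the Configure node of that CSP. The object ID is a constructed placeholder and the group name in the comment is invented; the `U` versus `R` distinction is the one the linked CSP doc defines. Scoping the group per country or team, as the post suggests, is also what limits the blast radius Mr_Helaas describes: a compromised member of a narrowly scoped group only reaches the devices that group is assigned to.

```powershell
# Added example, not from the thread. Converts an Azure AD group object ID into the
# S-1-12-1-... SID that the LocalUsersAndGroups CSP expects, then builds the XML payload
# for the OMA-URI ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure.
function Convert-AzureAdObjectIdToSid {
    param([Parameter(Mandatory)][string]$ObjectId)
    # The Azure AD SID is the well-known prefix S-1-12-1 followed by the GUID's
    # 16 bytes read as four little-endian 32-bit unsigned integers.
    $bytes = [guid]::Parse($ObjectId).ToByteArray()
    $parts = 0, 4, 8, 12 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_) }
    return 'S-1-12-1-' + ($parts -join '-')
}

function New-LocalAdminGroupPayload {
    param(
        [Parameter(Mandatory)][string]$GroupSid,
        # "U" (update) only adds/removes the listed members; "R" (restrict) replaces the
        # whole membership with exactly what is listed: tighter, but it removes every
        # other member, including the break-glass local admin, if you forget to list it.
        [ValidateSet('U', 'R')][string]$Action = 'U'
    )
    @"
<GroupConfiguration>
  <accessgroup desc="Administrators">
    <group action="$Action" />
    <add member="$GroupSid" />
  </accessgroup>
</GroupConfiguration>
"@
}

# Constructed placeholder object ID. Replace it with the real group's id from Graph
# Explorer (e.g. GET /v1.0/groups?$filter=displayName eq 'WS-LocalAdmins-NL', an
# invented group name) before pasting the payload into a custom Intune profile.
$placeholderObjectId = '00000000-1111-2222-3333-444444444444'
$sid = Convert-AzureAdObjectIdToSid -ObjectId $placeholderObjectId
Write-Host "Group SID: $sid"
New-LocalAdminGroupPayload -GroupSid $sid -Action 'U'
```

The payload goes into a custom configuration profile as a String value on the OMA-URI named in the comment; assign that profile only to the device group the admins should actually reach, and keep a LAPS-managed local account on the device as the fallback the other replies recommend.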
  • Mr_Helaas
    Steel Contributor

    Hi mmchx

    I think you have enabled the Microsoft Security Baseline or you have set it up in an Endpoint Protection policy and now you are not able to Run as Administrator, right?

    If so, you can change the following setting in the security baseline: "Standard user elevation prompt behavior" to Prompt for credentials on the secure desktop, or change the setting "Elevation prompt for standard users" in your Endpoint Protection policy to Prompt for credentials on the secure desktop.

    Kind regards,

    Rene

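As an added example (not from Mr_Helaas or from Microsoft), the PowerShell below reads the UAC value that the "Standard user elevation prompt behavior" baseline setting (CSP policy LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers) writes on the device, so you can confirm on a managed machine whether that setting is what is blocking Run as administrator before changing the baseline. The registry path and value meanings are the documented ones; the assumption is that the value is read on the affected Azure AD joined client.

```powershell
# Added example, not from the thread. Reads the UAC value behind the baseline setting
# "Standard user elevation prompt behavior" and explains what it means for a standard
# user who right-clicks "Run as administrator".
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented values of ConsentPromptBehaviorUser.
$StandardUserPromptMeaning = @{
    0 = 'Automatically deny elevation requests (standard users cannot elevate at all)'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-StandardUserElevationBehavior {
    $entry = Get-ItemProperty -Path $UacPolicyKey -Name ConsentPromptBehaviorUser -ErrorAction SilentlyContinue
    # Windows client default when no policy has written the value is 3 (prompt for credentials).
    $value = if ($null -eq $entry) { 3 } else { [int]$entry.ConsentPromptBehaviorUser }
    [pscustomobject]@{
        ConsentPromptBehaviorUser = $value
        Meaning                   = $StandardUserPromptMeaning[$value]
        RunAsAdminPossible        = ($value -ne 0)
        Source                    = if ($null -eq $entry) { 'OS default (no policy value present)' } else { 'Policy value present' }
    }
}

Get-StandardUserElevationBehavior | Format-List
```

If the value reads 0, the device is enforcing the baseline's deny and the fix is the one Rene describes: set the baseline (or the Endpoint Protection policy) to Prompt for credentials on the secure desktop, which corresponds to value 1, rather than editing the registry directly, since Intune will reapply the policy value at the next sync.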