Apr 13 2020 08:18 PM
Hi Guys,
There's a requirement from one of our clients to grant Admin privilege to all users who log into their devices. I understand this is achievable via Autopilot.
My question is what would be the best solution for the users who have already logged into the devices? How can the requirement be achieved via Autopilot or any other method? Would appreciate any help.
Cheers!
Apr 14 2020 02:35 AM
The solution I described in the article you're referencing only works for Hybrid AAD joined devices.
I haven't been successful with the same on AAD joined devices. Don't know what situation you have @sheiksaad ?
Apr 14 2020 02:37 AM - edited Apr 14 2020 03:47 AM
It's almost the same for hybrid or AAD => https://www.scconfigmgr.com/2018/08/30/configure-restricted-groups-with-intune-policy-csp/
EDIT: Only for individual users
Apr 14 2020 03:22 AM
@Thijs Lecomte Yes, with user accounts.
With AAD Groups, it doesn't work.
Apr 14 2020 04:48 AM - edited Apr 14 2020 04:51 AM
I have used the screenshot attached for a small-size company in the past. Not an ideal solution because it hits all the devices, but it achieves your objective until adding a group to Local Admin is supported in Intune.
Moe
Apr 15 2020 12:48 AM
@sheiksaad If I read the documentation; https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-restrictedgroups#restricte...
"The member SID can be a user account or a group in AD, Azure AD, or on the local machine."
A group in AAD. But it doesn't work for me. I opened a support call for this; I want it to work with an AAD group as well.
Apr 16 2020 04:51 AM
@Peter Klapwijk Hey Peter, Thanks for the link.
In that case, do you reckon a PowerShell script can be used to add, let's say, a Dynamic Security group where all the students reside in under additional local administrators for Azure AD joined devices?
Appreciate the response.
Cheers!
Apr 18 2020 11:29 AM
@sheiksaad seems to work fine on the new Windows 10 2004 release. During my first testing on that OS I thought the results were varying, but didn't realise one of the machines had failed the upgrade and was running 1909.
On 2004 version it does work in my environment on multiple devices!
Have a look at this article https://www.inthecloud247.com/add-an-azure-ad-group-to-the-local-administrators-group-with-microsoft...
Let me know if it does work in your environment.
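As an added example (not posted by anyone in this thread and not taken from the linked articles), the script below ties together the two routes discussed above: the RestrictedGroups policy CSP value that Thijs and Peter refer to, and the PowerShell route sheiksaad asks about for devices that are already enrolled. It assumes a placeholder Azure AD group object ID (replace it with your own group's ID; a dynamic group works the same as an assigned one) and that the direct-add part runs as SYSTEM on an Azure AD joined device. The SID derivation uses the S-1-12-1 mapping Windows applies to Azure AD objects.

```powershell
# Added example, not code from the thread. Replace the placeholder object ID.

function ConvertTo-AzureAdGroupSid {
    [CmdletBinding()]
    param([Parameter(Mandatory)][guid]$ObjectId)
    # Windows represents an Azure AD object as S-1-12-1-<a>-<b>-<c>-<d>, where
    # a..d are the four little-endian UInt32 values of the object ID's 16 bytes.
    $bytes = $ObjectId.ToByteArray()
    $parts = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    return 'S-1-12-1-' + ($parts -join '-')
}

function New-RestrictedGroupsXml {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$MemberSid)
    # Value for the OMA-URI
    #   ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
    # RestrictedGroups REPLACES the group's membership rather than appending to it,
    # so keep the built-in Administrator in the list or you lock yourself out.
    $members = ($MemberSid | ForEach-Object { "    <member name=`"$_`" />" }) -join "`n"
    return @"
<groupmembership>
  <accessgroup desc="Administrators">
    <member name="Administrator" />
$members
  </accessgroup>
</groupmembership>
"@
}

function Add-AzureAdGroupToLocalAdmins {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Sid)
    # Direct route for already-enrolled devices, e.g. deployed as an Intune
    # PowerShell script running as SYSTEM. The member is added by SID; Windows
    # resolves the Azure AD group when a member signs in.
    # Caveat: Get-LocalGroupMember can fail on groups that contain unresolvable
    # SIDs, so treat a failed lookup as "unknown" and let Add-LocalGroupMember
    # report if the SID is already present.
    $alreadyMember = $false
    try {
        $alreadyMember = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                                Where-Object { $_.SID.Value -eq $Sid })
    } catch {
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
    }
    if (-not $alreadyMember) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Sid
    }
}

# Placeholder (hypothetical) Azure AD group object ID; substitute your own.
$groupObjectId = '00000000-0000-0000-0000-000000000000'
$sid = ConvertTo-AzureAdGroupSid -ObjectId $groupObjectId
Write-Output "Azure AD group SID: $sid"

# Option 1: the value to paste into a custom Intune OMA-URI setting.
New-RestrictedGroupsXml -MemberSid $sid

# Option 2: add the group locally on an enrolled device (run as SYSTEM).
# Add-AzureAdGroupToLocalAdmins -Sid $sid
```

Two points worth keeping in mind when using either option: the RestrictedGroups value is authoritative, so any account not listed is removed from Administrators on the next policy sync, and the membership check above is deliberately tolerant because enumerating a local group that already holds a SID the device cannot resolve can throw before it returns anything.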