Can device administrator install local software/applications on a device

Hi,

 

We have some PCs deployed via a "Standard User" autopilot profile (Hybrid Azure AD). However, we have created a policy to get an elevated prompt when a user wants to install software, and if we enter global administrator credentials, it will install the application. But we don't want to give helpdesk users these GA permissions and want to know whether "Device Administrator" in Azure AD can perform this?

 

Regards,

Kavindu


Hey @Kavindu Asanga Dayananda,

 

there are a few options, a good summary of the native MS functionality is found here: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

You don't need to use the Global Admins, you can assign Device Admins, but they can't be scoped; they are admins on all your devices. With 2004 we got an option via a config profile (OMA-URI) to control membership in the local Administrators group on Windows 10. That's all built in. If that is not sufficient, you need to use a LAPS solution out there.

Here is a good blog about various LAPS community solutions: Challenges while managing administrative privileges on your Azure AD joined Windows 10 devices | Mod...

and finally there are official products providing LAPS functionality, to mention a few, RealmJoin | Companion to Intune (it also has a LAPS component) or Admin By Request.

 

best,

Oliver

Re: Can device administrator install local software/applications on a device

You are correct! Check out this article for more info: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin#manage-the-device-administrator-role
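As an added example (not part of the thread above and not Microsoft's or Oliver's code), here is what the OMA-URI approach Oliver mentions looks like in practice: an Intune custom profile targeting `./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure` with an XML value that adds an Azure AD helpdesk group to the local Administrators group on each device, so the helpdesk can answer the UAC prompt without holding Global Administrator. Azure AD groups have to be referenced in that XML by their SID, which Windows derives from the group's object ID (the `S-1-12-1-` form), so the script converts the object ID first. The group object ID is a placeholder; the `Test-LocalAdminMember` check is meant to be run on a device after the policy has applied. This assumes a Windows 10 build that supports the LocalUsersAndGroups policy CSP.

```powershell
# Added example, not from the original thread. Builds the LocalUsersAndGroups
# policy payload for the OMA-URI discussed above and checks the result on a device.

function Convert-AzureAdObjectIdToSid {
    # Azure AD users/groups show up in the local SAM as S-1-12-1-<a>-<b>-<c>-<d>,
    # where a..d are the object ID's GUID bytes read as four little-endian UInt32s.
    param([Parameter(Mandatory)][string]$ObjectId)
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $ints  = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $ints, 0, 16)
    return 'S-1-12-1-' + ($ints -join '-')
}

function New-LocalAdminPolicyXml {
    param(
        [Parameter(Mandatory)][string[]]$AddMembers,
        [string[]]$RemoveMembers = @(),
        [ValidateSet('U', 'R')][string]$Action = 'U'
    )
    # action "U" (update) only adds/removes the listed members and leaves other
    # existing members alone; action "R" (restrict) replaces the membership with
    # exactly the listed members, which is the stricter choice once you trust the list.
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<GroupConfiguration>')
    [void]$sb.AppendLine('  <accessgroup desc="Administrators">')
    [void]$sb.AppendLine("    <group action=`"$Action`" />")
    foreach ($m in $AddMembers)    { [void]$sb.AppendLine("    <add member=`"$m`" />") }
    foreach ($m in $RemoveMembers) { [void]$sb.AppendLine("    <remove member=`"$m`" />") }
    [void]$sb.AppendLine('  </accessgroup>')
    [void]$sb.AppendLine('</GroupConfiguration>')
    return $sb.ToString()
}

function Test-LocalAdminMember {
    # Run on a managed device after sync: is the given SID in local Administrators?
    param([Parameter(Mandatory)][string]$Sid)
    $members = Get-LocalGroupMember -Group 'Administrators'
    return [bool]($members | Where-Object { $_.SID.Value -eq $Sid })
}

# --- build the profile values ---
$omaUri = './Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure'

# Placeholder object ID of an Azure AD group such as "Helpdesk - Local Admins";
# replace with the real group's object ID from the Azure AD portal.
$helpdeskGroupObjectId = '00000000-0000-0000-0000-000000000000'
$helpdeskSid = Convert-AzureAdObjectIdToSid -ObjectId $helpdeskGroupObjectId

# Individual users can be listed as AzureAD\<UPN> instead of a SID.
$xml = New-LocalAdminPolicyXml -AddMembers @($helpdeskSid) -Action 'U'

Write-Host "OMA-URI  : $omaUri"
Write-Host "Data type: String"
Write-Host "Value    :`n$xml"

# --- on a device, after the policy has been applied ---
# Test-LocalAdminMember -Sid $helpdeskSid   # $true once membership is in place
```

In Intune this goes into Devices > Configuration profiles > Windows 10 > Custom, with the data type set to String and the XML pasted as the value. Scoping then comes from the profile assignment rather than from a directory role: assign the profile to the device group that should accept helpdesk elevation, and only those devices get the extra local admins, which is exactly what the unscoped Device Administrator role cannot give you. If `Get-LocalGroupMember` errors out on an Azure AD joined device (it can choke on orphaned Azure AD SIDs in the group), `net localgroup Administrators` lists the same members.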