Enroll a Windows device in Intune with a non-administrator account


Hi

Basically, I am referring to the following article:

You don't have permissions to enroll a Windows device in Intune - Intune | Microsoft Docs

I have devices here that use Office 365 but are not synchronized with Azure AD Connect. This is also not possible (different AD). In order to be able to simplify a few points (conditional access, office installation), I would like to bring the devices into Intune.
The easiest way seems to me to be via the Company Portal App. And here's the point: isn't there a way to do this reasonably on existing devices without requiring the user to be a local admin?

How do you do this? Or is there a way to "take away" the user's admin rights after the Intune enrollment?

I hope I was able to adequately describe my concern. Otherwise just ask please.


What you're trying to do is (user-)enroll the device as BYOD, if I understand your description correctly, and that requires local admin privileges.

For more information on your options, see:
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods#user-self-enrollme...


@RomanK7 

Not quite clear what the situation is, so I have a few questions:

  1. Do your users have 2 accounts to deal with? One for on-premises and one for Office 365?
  2. Do your users log in with their on-premises AD account on AD-joined devices?
  3. Or are we talking about unmanaged devices with local accounts and no admin rights?
  4. You don't want the devices to be Azure AD joined but only MDM enrolled. Is that right?
  5. Why is Azure AD Connect not possible? Can you clarify?
  6. How do users work with Office 365 resources? Browser only?
  7. What licenses do your users have?

By the way, it's not a requirement to have Intune-managed devices to use Conditional Access. Conditional Access can allow or restrict access to Microsoft 365 resources when users sign in (identity-driven signals) using managed or unmanaged devices, local apps or the browser. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

RomanK7,

You have two ways to do this:

1. Sync the other AD with AD Connect, make them Hybrid Joined and apply a GPO to auto-enroll them to Intune.

https://cloudbymoe.com/f/enrolling-workstations-to-intune-using-gpo

2. Sign in to each PC as a local admin and enroll them in Intune.

Hope this helps!
Moe
That's how I (unfortunately) see it too.
I'm sorry I didn't write everything clearly. I'll try to answer.
1. No, only one account is synced with Azure AD Cloud Sync, not Cloud Connect.
2. Login on Device with their on-premise account.
3. AD Joined Device with no local Admin rights.
4. Right, only MDM enrolled.
5. Other AD (subsidiary)
6. Apps and Web
7. Microsoft 365 E3
On point 2: How is the device then assigned to the user in Azure AD / Intune? Enrollment manager?
It will be assigned to the user you join it to Intune with. For example, if the local admin user is Xyz and you join it with abc@dmain.com, the primary user in Intune will be abc@dmain.com.

Moe

I'm with @Moe_Kinani on this one. Both choices are good. Option 2 is the easiest.

That's all well and good.
However, I somehow have to get rid of the admin rights.
The local admin user Xyz should no longer be a local admin after enrollment with abc@dmain.com.

@RomanK7 in your previous reply you say:

2. Login on Device with their on-premise account.
3. AD Joined Device with no local Admin rights.
4. Right, only MDM enrolled

Just checking to make sure I understand you correctly. You don't want these devices to be Azure AD joined, right? If that is the case, you can go for MDM-only enrollment like Moe explains (option 2).

Yes, you will have to use a local admin account to do this, and if I'm right, your devices are already domain joined, right? If that's true, by default the Domain Admins group is a member of the Administrators group on all computers that have joined a domain.

This means you can sign in to the device with a domain admin and then MDM enroll the device using MDM-only enrollment. If you don't want to sign in with a domain admin account, you can create a GPO to update the local Administrators group on your devices and add a domain user to this group. Later on, you can update the local Administrators group again and remove the account.

Now for the MDM-only enrollment part. The best thing you can do is:

  1. sign in to the device with a domain admin account
  2. have the user him/herself MDM enroll the device using MDM-only enrollment
  3. sign out the domain admin account

Here's what the docs tell:

This enrollment method isn't recommended because:

It doesn't register the device into Azure Active Directory (AD). Users might not get access to organization resources, such as email.
It prevents using some Azure AD features, such as Conditional Access.

(however... you could use some Conditional Access policies and target devices using Filter for devices - device.trustType -ne "AzureAD" -and device.trustType -ne "Workplace") :xd:

The next step could be for the user to actually Azure AD register the device. This will make it easier and more convenient for the users to use the Office apps. Users do not have to be a local admin to register the device.

If for whatever reason the user himself cannot MDM enroll the device, then you could go for a DEM account. However, normally you would not use a DEM account to enroll devices using MDM-only enrollment. I know it works, but I'm not sure if it's supported.

 

Here's what the docs tell:

You can use the following methods to enroll devices using DEM accounts:

  • Windows Autopilot
  • Windows devices bulk enrollment
  • DEM initiated via Company Portal
  • DEM initiated via Azure AD join

In the end I have to say... just (hybrid) Azure AD joining the devices will make life a lot easier. :smile:

Hope this helps

Oktay
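The cleanup step that RomanK7 asked about (removing the temporary admin once the device is enrolled) can be scripted. This is an added example, not code from the thread or from Microsoft: run it elevated on the device after the user has completed MDM-only enrollment. It assumes the temporary admin is passed in as $TempAdmin (a placeholder), and treats an enrollment subkey with ProviderID "MS DM Server" and EnrollmentState 1 as a completed Intune enrollment.

```powershell
# Added example (not from the thread). Run elevated on the device after the
# user has finished MDM-only enrollment: verify an Intune (MDM) enrollment
# exists, then drop the temporary local admin from the Administrators group
# so the device is back to least privilege.
# $TempAdmin is an assumed placeholder, e.g. 'CONTOSO\tempadmin' or a local name.
param(
    [Parameter(Mandatory)][string]$TempAdmin
)

function Test-IntuneEnrollment {
    # Each enrollment gets its own subkey here. Assumption: ProviderID
    # 'MS DM Server' identifies Intune and EnrollmentState 1 means enrolled.
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($p.ProviderID -eq 'MS DM Server' -and $p.EnrollmentState -eq 1) {
            return $true
        }
    }
    return $false
}

function Remove-TempAdmin {
    param([string]$Member)
    $group = 'Administrators'
    $current = Get-LocalGroupMember -Group $group -ErrorAction Stop
    if ($current.Name -notcontains $Member) {
        Write-Output "$Member is not in $group; nothing to do."
        return
    }
    Remove-LocalGroupMember -Group $group -Member $Member -ErrorAction Stop
    Write-Output "Removed $Member from $group."
    # Print the remaining members so the result can be checked or logged
    Get-LocalGroupMember -Group $group | Select-Object Name, PrincipalSource
}

# Refuse to touch the group until the enrollment is actually in place,
# otherwise the user would lose the rights needed to finish enrolling.
if (-not (Test-IntuneEnrollment)) {
    Write-Warning 'No Intune MDM enrollment found; leaving the Administrators group unchanged.'
    exit 1
}
Remove-TempAdmin -Member $TempAdmin
```

The same removal can be pushed through the GPO mentioned above instead; the script is useful when you want the removal tied to a successful enrollment rather than to a Group Policy refresh.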

I'll try to explain better.
We have connected companies with "Azure Active Directory Connect cloud sync" (NOT Azure Active Directory Connect sync).
https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync


The identity can be synchronized, but unfortunately not the devices.
In order to be able to manage these now (to a limited extent), the idea is to bring them into Intune via the Company Portal.

Some of these devices are in the domain of the other company and the users do not have local admin rights. Now my question is what is the best way to do it?