Intune MDM auto-enrollment question


Hi Everyone,

I'm not sure if this is by design or somewhere in the process there was an error. When I use an on-prem AD account with admin rights to log in to a Windows 10 PC and register to Azure AD using my Azure AD account (with Intune, Azure AD P2, Office 365 licenses), I can correctly register the PC as personal and it is auto-enrolled in Intune MDM.


When I used a regular, non-admin on-prem AD account on a Windows 10 PC with the same Azure AD credentials, I can only get as far as registering the PC in Azure AD. The MDM auto-enrollment fails because the device does not show up in Intune "All Devices".


By the way, all users are allowed to register to Azure AD as configured in Device Settings. Do you really need an admin account for auto-enroll to work? Has anyone had this scenario where an ordinary user registers his/her Windows 10 PC, regardless of whether it's domain joined or not?

3 Replies

You need to be a (local) admin of the Windows 10 device to do Azure AD Join.
When you're not a local admin of the device your only option is Azure AD register, but you need Azure AD join for auto MDM enrolment in Intune.
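An added diagnostic script, not from this thread or from Microsoft, that shows how to tell the two states apart on a device: it parses the `AzureAdJoined` / `WorkplaceJoined` rows of `dsregcmd /status` and combines them with local Administrators membership to report which path (join vs. register only) the signed-in user can get. It assumes Windows 10 with `dsregcmd.exe` and the LocalAccounts module (PowerShell 5.1+); the sample output below is constructed.

```powershell
# Added example (not from the thread): classify a Windows 10 device's Azure AD state
# from dsregcmd /status and explain why auto MDM enrollment may not happen.
# Assumes: Windows 10 with dsregcmd.exe and the LocalAccounts module (PowerShell 5.1+).

function Get-DsregState {
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : VALUE" rows; keep the first occurrence of each key
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and -not $state.ContainsKey($Matches[1])) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-AutoEnrollmentPath {
    param([hashtable]$State, [bool]$IsLocalAdmin)
    if ($State['AzureAdJoined'] -eq 'YES') {
        return 'Azure AD joined: auto MDM enrollment can apply (check MDM scope/GPO next).'
    }
    if ($State['WorkplaceJoined'] -eq 'YES') {
        return 'Azure AD registered only (workplace join): the device will not auto-enroll in Intune.'
    }
    if (-not $IsLocalAdmin) {
        return 'Not joined; the current user is not a local admin, so only Azure AD register is available.'
    }
    return 'Not joined; the current user is a local admin, so Azure AD Join is possible.'
}

# Constructed sample resembling dsregcmd /status on a domain-joined, Azure AD registered-only PC
$sample = @(
    '| Device State |',
    '     AzureAdJoined : NO',
    '  EnterpriseJoined : NO',
    '      DomainJoined : YES',
    '| User State |',
    '   WorkplaceJoined : YES'
)

# Local admin check: is the signed-in user a direct member of the local Administrators group?
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq "$env:USERDOMAIN\$env:USERNAME" })

Test-AutoEnrollmentPath -State (Get-DsregState -Lines $sample) -IsLocalAdmin $isAdmin
```

Run it without `-Lines $sample` to read the live `dsregcmd /status` output; the sample above reports the "registered only" case described in this answer.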


FYI - with AutoPilot you can have a non-admin user set up the computer.


https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot#windows-a...



Hi Christopher, did you manage to find an answer to this issue? I have the same problem.