Intune + OOBE without local Admin permission on Device


Hi,


I have a question about the enrollment method because something is unclear. Let me try to describe it.
In Intune, I created a new profile under Windows Enrollment > Windows Autopilot Deployment Program > Windows Autopilot deployment profiles > Under Assignments a group that my user is in.
Now I reset a VM and log in with the account. The device then ends up in Azure AD and Intune.

However, I notice that the setting regarding "User account type: Standard" has not been adopted and my user is admin.
Is the device joined to Azure via the "normal" enrollment and brought to Intune?


Do I have to register the device in Intune to have the OOBE experience?

What is my goal:
Bring devices that are not synchronized from on-prem to Azure AD without the users being admins on the devices.


Hi... are you 10000% sure the device went through the Autopilot enrollment? Seeing the ESP is something else than the Autopilot enrollment (even when it's a part of it). 99,9% of the time when a device ends up with the user being a local admin or with the old device name, the device didn't go through the Autopilot enrollment.


Besides the Autopilot standard user setting, you could also deploy some additional configuration to make sure the user isn't becoming a local admin:

Manage your local administrator with Intune / MDM (call4cloud.nl)

Thank you for your reply. No, I'm just not sure.
I reset Windows 10 from the OS via Settings.

Does the device for Autopilot have to be registered under "Windows Autopilot Deployment Program" > "Devices"?

If I reset the device in the OS and then log in to the OOBE (without Autopilot) with the business e-mail address, is this a "normal" AD join, and is the device then enrolled to Intune (if I have that activated)?

Hi.. yes, the device needs to be shown in Intune in that section... if not... the device's hash isn't uploaded or registered in your tenant.

If you don't use Autopilot, the device would prompt you for your email address (depends on Win 10 or 11), and after entering your credentials the device will be Azure AD joined and Intune enrolled if you have the proper license and are not blocking personal devices from being enrolled.

So if you want to be sure that only Autopilot devices can be enrolled into Azure, configure Intune restrictions to block personal devices.

Hi
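To tell the two cases apart on a device that is already set up (did it actually go through Autopilot, is it Azure AD joined, and who ended up in the local Administrators group), here is a small added check script. It is not from the thread or from the linked article; it assumes the `dsregcmd /status` output format ("AzureAdJoined : YES", "MdmUrl : https://...") and the Autopilot profile cache key under `HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot`, which is written when an Autopilot profile was applied during OOBE.

```powershell
# Added example (not part of the original thread). Run as the logged-on user
# on the enrolled Windows 10/11 device; no elevation needed for the reads.
# Assumptions: dsregcmd line format and the Autopilot diagnostics key below.

function Test-DeviceEnrollmentState {
    $result = [ordered]@{}

    # 1. Azure AD join and MDM enrollment state as reported by dsregcmd.
    $dsreg = dsregcmd /status
    $result.AzureAdJoined = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
    $result.MdmUrlPresent = [bool]($dsreg -match '^\s*MdmUrl\s*:\s*https://')

    # 2. Was an Autopilot profile applied during OOBE? If this key is missing,
    #    the device most likely took the plain "enter your work e-mail" path,
    #    so the profile's "User account type: Standard" setting never applied.
    $apKey = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
    if (Test-Path $apKey) {
        $ap = Get-ItemProperty -Path $apKey
        $result.AutopilotProfileCached = $true
        $result.AutopilotTenantDomain  = $ap.CloudAssignedTenantDomain
    } else {
        $result.AutopilotProfileCached = $false
        $result.AutopilotTenantDomain  = $null
    }

    # 3. Members of the local Administrators group (well-known SID S-1-5-32-544)
    #    and whether the current user is one of them (name match, case-insensitive;
    #    membership granted only via an unresolved Azure AD role SID is not caught).
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
              Select-Object -ExpandProperty Name
    $me = (whoami).Trim()
    $result.LocalAdmins             = $admins
    $result.CurrentUserIsLocalAdmin = [bool]($admins | Where-Object { $_ -ieq $me })

    [pscustomobject]$result
}

# Example run: AzureAdJoined=True, AutopilotProfileCached=False and
# CurrentUserIsLocalAdmin=True together point at a non-Autopilot enrollment.
Test-DeviceEnrollmentState | Format-List
```

The combination the reply describes (user is local admin, old device name) shows up here as AutopilotProfileCached = False with CurrentUserIsLocalAdmin = True; in that case the device hash should be checked under Windows Autopilot Deployment Program > Devices before resetting again.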

Thanks for the information. I think I understand it better now.
Autopilot requires device registration in Intune in any case.

The other method (Reset or Reinstall) is an Azure AD Join and is enabled via normal enrollment.

My biggest concern is the thing with the admins on the devices. With autopilot (with device registration in Intune) the switch should work which I mentioned in the start post.

Do you have a note just now on what is recommended for devices that are added via Azure AD and come to Intune? Or are those the clues from the link you posted above?

Hi..

Jep.... in the link I posted, there are multiple options to make sure the user is not a local admin in every situation.. ;).. so with Autopilot and also when you enroll a device without Autopilot to Azure AD and Intune.