May 11 2018 06:52 AM
When working with Intune and Conditional Access you need to use an administrator account to make any device compliant. However, is there any way to use a standard user once the device is registered in Azure and marked as compliant? I can only make it work with admin users.
May 13 2018 07:59 PM
What do you mean that you need to use an admin user to make it compliant?
Are you auto-registering and auto-enrolling the devices in Intune?
I have Windows 10 clients here with non-admin users, and they're marked as compliant in Intune. No extra steps by an admin user were needed to get to that state.
May 14 2018 12:06 AM - edited May 14 2018 02:46 AM
I believe a hybrid environment is needed to accomplish this scenario. At the moment our on-premises infrastructure has 0 connection to our 365 and Azure AD.
I'm forcing compliance to a few users; however, even if their Windows 10 machines are marked as compliant, these users will only be able to access their data if they're logged in with a local admin account. Otherwise access is denied and the device is detected as non-compliant.
And no, I'm enrolling the devices manually.
May 14 2018 09:09 PM
I'm confused why they are logging in with local admin accounts and then accessing Office 365 services. Can you explain why they are doing that?
May 15 2018 12:08 AM - edited May 15 2018 12:09 AM
They don't, we make the computers compliant manually and then hand it to the users (this hasn't been deployed yet, so we are still testing it).
To make the device compliant you need to use an administrator account; a regular user will not be able to go through the enrollment process to make the PC compliant. However, I do not want the end user to use a device with local admin rights. I can manually make a Windows 10 machine compliant with the Intune policies (making the machine Azure registered and Intune compliant). To do this you need a user with local admin rights.
Once the device is compliant, if I switch to a regular user's account with no local admin rights, it then fails to access data (e.g., logging into Office 365). If I, however, access the device with a user with local admin rights, I'll be able to access the data successfully.
We need to do this manually because our on-premises 2012 AD has absolutely no connection to our Azure AD.
If I may ask, do you work on a hybrid environment, on-premises or cloud solution (Azure)?
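One diagnostic that helps separate "the device is registered" from "this user's sign-in is tied to the registered device" is `dsregcmd /status`. The script below is an added example, not code from the thread or from Microsoft; it parses that command's output into a hashtable and reports the device-level join flags next to the user-level ones. The field names (`AzureAdJoined`, `DomainJoined`, `WorkplaceJoined`, `AzureAdPrt`, `MdmUrl`) are real `dsregcmd` output keys; which of them matters for the poster's scenario is my assumption, namely that a standard user who has no Primary Refresh Token will not present the device identity to Conditional Access even when an admin registered the device earlier.

```powershell
# Added example: parse "dsregcmd /status" and summarise the device-level vs
# user-level Azure AD state that device-based Conditional Access depends on.
# Run it in the standard user's own (non-elevated) session: the "User State"
# and "SSO State" sections describe the account that runs the command.

function Get-DsregState {
    param(
        # Optional pre-captured output; when omitted the command is executed.
        [string[]]$Lines = (& dsregcmd /status)
    )
    $state = @{}
    foreach ($line in $Lines) {
        # Output lines look like "   AzureAdJoined : YES"; keep key and value.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-ConditionalAccessReadiness {
    param([hashtable]$State)
    [pscustomobject]@{
        AzureAdJoined   = $State['AzureAdJoined']    # device-level Azure AD join
        DomainJoined    = $State['DomainJoined']     # on-premises AD join (hybrid)
        WorkplaceJoined = $State['WorkplaceJoined']  # per-user Azure AD registration
        AzureAdPrt      = $State['AzureAdPrt']       # PRT held by the current user
        MdmUrl          = $State['MdmUrl']           # MDM (Intune) enrollment URL
    }
}

$report = Get-ConditionalAccessReadiness -State (Get-DsregState)
$report | Format-List

# Assumption: without a PRT for the signed-in user, Conditional Access cannot
# attribute the sign-in to the registered, compliant device.
if ($report.AzureAdPrt -ne 'YES') {
    Write-Warning 'No Primary Refresh Token for this user; device-based Conditional Access will not see this sign-in as coming from the compliant device.'
}
if ($report.AzureAdJoined -ne 'YES' -and $report.WorkplaceJoined -ne 'YES') {
    Write-Warning 'Neither device-level join nor per-user registration is present for this account.'
}
```

Compare the output from the admin session that performed the enrollment with the output from the standard user's session: if `AzureAdJoined` is `NO` but `WorkplaceJoined` is `YES` only for the admin, the registration was per-user rather than per-device, which would explain why only that account satisfies the compliance check.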