Jul 31 2019 08:54 AM
We are in the midst of a cloud migration project for our managed desktop infrastructure, and one thing that we used to be able to do is manage machines remotely, and perform management tasks such as the following:
1) invoke compmgmt.msc against a remote computer, view event logs remotely, manage local users and groups
2) access c$, copy files to and from the computer
3) start / stop processes and services remotely
4) make WMI queries
We did these things via the "allow inbound remote administration exception" and "allow file and printer sharing" GPOs, but since we are migrating into a cloud-only, AAD + EMS environment, we no longer have the ability to leverage the traditional identity management stack. I find that I am able to set the requisite firewall exceptions using an Intune configuration policy, but I get an access denied error when I try to view events or do computer management remotely. The account I'm using is an Azure AD "cloud device administrator" account. This account gives me the ability to manage a computer if I am logged on to it interactively. If I create a local admin account, I am able to use that to do remote management. But since LAPS in Azure is still "in planning", we don't want to create local admin accounts on machines without some central way to administer them.
Does anyone know if there is a way to leverage Azure AD identities to manage client endpoints remotely? I know there is TeamViewer, and Intune has some features that allow remote assistance. This is not what I am looking for. What I am looking for is a way to manage a computer non-intrusively, without the user getting involved. Sometimes you just want to get in, do your thing, and get out, but you want to do this while keeping the bad guys out, too.