Home

Remotely manage Windows 10 Devices without On-Prem AD

%3CLINGO-SUB%20id%3D%22lingo-sub-781748%22%20slang%3D%22en-US%22%3ERemotely%20manage%20Windows%2010%20Devices%20without%20On-Prem%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-781748%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20in%20the%20midst%20of%20a%20cloud%20migration%20project%20for%20our%20managed%20desktop%20infrastructure%2C%20and%20one%20thing%20that%20we%20used%20to%20be%20able%20to%20do%20is%20manage%20machines%20remotely%2C%20and%20perform%20management%20tasks%20such%20as%20the%20following%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20invoke%20compmgmt.msc%20against%20a%20remote%20computer%2C%20view%20event%20logs%20remotely%2C%20manage%20local%20users%20and%20groups%3C%2FP%3E%3CP%3E2)%20access%20c%24%2C%20copy%20files%20to%20and%20from%20the%20computer%3C%2FP%3E%3CP%3E3)%20start%20%2F%20stop%20processes%20and%20services%20remotely%3C%2FP%3E%3CP%3E4)%20make%20WMI%20queries%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20did%20these%20things%20via%20the%20%22allow%20inbound%20remote%20administration%20exception%22%20and%20%22allow%20file%20and%20printer%20sharing%22%20GPOs%2C%20but%20since%20we%20are%20migrating%20into%20a%20cloud-only%2C%20AAD%20%2B%20EMS%20environment%2C%20we%20no%20longer%20have%20the%20ability%20to%20leverage%20the%20traditional%20identity%20management%20stack.%20I%20find%20that%20I%20am%20able%20to%20set%20the%20requisite%20firewall%20exceptions%20using%20a%20Intune%20configuration%20policy%2C%20but%20I%20get%20an%20access%20denied%20error%20when%20I%20try%20to%20view%20events%20or%20do%20computer%20management%20remotely.%20The%20account%20I'm%20using%20is%20an%20Azure%20AD%20%22cloud%20device%20administrator%22%20account.%20This%20account%20gives%20me%20the%20ability%20to%20manage%20a%20computer%20if%20I%20am%20logged%20on%20to%20it%20interactively.%20If%20I%20create%20a%20local%20admin%20account%2C%20I%20am%20able%20to%20use%20that%20to%20do%20remote%20management.%20But%20since%20LAPS%20in%20Azure%20is%20still%20%22in%20planning%22%2C%20we%20don't%20want%20to%20create%20local%20admin%20accounts%20on%20machines%20without%20some%20central%20way%20to%20administer%20them.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20know%20if%20there%20is%20a%20way%20to%20leverage%20Azure%20AD%20identities%20to%20manage%20client%20endpoints%20remotely%3F%20I%20know%20there%20is%20teamviewer%2C%20and%20Intune%20has%20some%20features%20that%20allows%20remote%20assistance.%20This%20is%20not%20what%20I%20am%20looking%20for.%20What%20I%20am%20looking%20for%20is%20a%20way%20to%20manage%20a%20computer%20non-intrusively%2C%20without%20the%20user%20getting%20involved.%20Sometimes%20you%20just%20want%20to%20get%20in%2C%20do%20your%20thing%2C%20and%20get%20out%2C%20but%20you%20want%20to%20do%20this%20while%20keeping%20the%20bad%20guys%20out%2C%20too.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-781748%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
derekliu
Occasional Contributor

We are in the midst of a cloud migration project for our managed desktop infrastructure, and one thing that we used to be able to do is manage machines remotely, and perform management tasks such as the following:

 

1) invoke compmgmt.msc against a remote computer, view event logs remotely, manage local users and groups

2) access c$, copy files to and from the computer

3) start / stop processes and services remotely

4) make WMI queries

 

We did these things via the "allow inbound remote administration exception" and "allow file and printer sharing" GPOs, but since we are migrating into a cloud-only, AAD + EMS environment, we no longer have the ability to leverage the traditional identity management stack. I find that I am able to set the requisite firewall exceptions using a Intune configuration policy, but I get an access denied error when I try to view events or do computer management remotely. The account I'm using is an Azure AD "cloud device administrator" account. This account gives me the ability to manage a computer if I am logged on to it interactively. If I create a local admin account, I am able to use that to do remote management. But since LAPS in Azure is still "in planning", we don't want to create local admin accounts on machines without some central way to administer them.

 

Does anyone know if there is a way to leverage Azure AD identities to manage client endpoints remotely? I know there is teamviewer, and Intune has some features that allows remote assistance. This is not what I am looking for. What I am looking for is a way to manage a computer non-intrusively, without the user getting involved. Sometimes you just want to get in, do your thing, and get out, but you want to do this while keeping the bad guys out, too.

Related Conversations
Yealink t55 skype config
BenRooke in Skype for Business IT Pro on
0 Replies
New Feature: Edge | Phone and other devices
HotCakeX in Discussions on
4 Replies
S4B integration door phone
PioRock in Skype for Business Users on
2 Replies
Iphone + Strange Number 266669987
niklasdavidsson in Skype for Business Users on
0 Replies
Calendar not available for older AD accounts
_jancis in Microsoft Teams on
0 Replies