Troubleshooting for standard user in Windows Autopilot

Hi experts,

It's very straightforward. If we set the Windows Autopilot profile and set the account type to "Standard User", how can we assist them when we need to do something on their device, since we cannot run as administrators?

7 Replies
Hi,

If you need to assist someone on site, you could "run as admin" and use admin credentials.
The admin would be an Azure AD user who has the Global Administrator role or the Azure AD Joined Device Local Administrator role.
You can read more about that role at the following link:
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#azure-ad-joined-...

For remote assistance you could use the new Remote Help from Intune (that product has a cost).
Adding a link about that new product:
https://docs.microsoft.com/en-us/mem/intune/remote-actions/remote-help

Best regards,

Hi,

I would go for the additional local admin like I am mentioning in this blog, because in my opinion using one Azure AD account to manage each workstation ... mmm, not my cup of tea. I would rather use a local admin and add LAPS to it.

(even though this blog is more about the remediation error it could give you :) )

https://call4cloud.nl/2021/12/i-kill-remediation-errors/

Hi,
Your best option is either to add admins to the Device Administrators group (which is added to Administrators on all devices) or, if you want to be more specific because you have several countries or groups of administrators, you can use the following CSP to add Azure users or groups:
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups
You can add and remove users from the local Administrators group.
To add Azure groups you will need the Azure SID, which can be found using Graph Explorer.
Regards,
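As an added example (not code from this thread or from Microsoft), the following builds the GroupConfiguration payload that the LocalUsersAndGroups CSP expects, and derives the S-1-12-1 SID from a group's Azure AD object ID rather than looking it up in Graph Explorer. The object ID and the removed member are constructed placeholders; the `restrict` flag maps to group action "R", which replaces the whole membership and is therefore the one to double-check before assignment.

```python
import struct
import uuid
import xml.etree.ElementTree as ET

# Hypothetical Azure AD group object ID (constructed placeholder, not a real tenant value).
EXAMPLE_GROUP_OBJECT_ID = "12345678-9abc-def0-1234-56789abcdef0"


def azuread_object_id_to_sid(object_id: str) -> str:
    """Map an Azure AD object ID (GUID) to the S-1-12-1-... SID Windows uses for it.

    Windows derives the SID from the GUID's .NET byte layout (first three fields
    little-endian, last eight bytes as-is), read as four little-endian 32-bit words.
    """
    raw = uuid.UUID(object_id).bytes_le  # same layout as .NET Guid.ToByteArray()
    words = struct.unpack("<4I", raw)
    return "S-1-12-1-" + "-".join(str(w) for w in words)


def build_local_admins_policy(add_members, remove_members=(), restrict=False) -> str:
    """Build the GroupConfiguration XML for Policy CSP LocalUsersAndGroups/Configure.

    action "U" updates the group and keeps existing members; "R" restricts membership
    to exactly the listed members, which can strip a break-glass local admin.
    Members may be SIDs or "AzureAD\\user@domain" names.
    """
    root = ET.Element("GroupConfiguration")
    grp = ET.SubElement(root, "accessgroup", desc="Administrators")
    ET.SubElement(grp, "group", action="R" if restrict else "U")
    for member in add_members:
        ET.SubElement(grp, "add", member=member)
    for member in remove_members:
        ET.SubElement(grp, "remove", member=member)
    return ET.tostring(root, encoding="unicode")


def members_in_policy(xml_text: str):
    """Parse a GroupConfiguration payload back into (action, added, removed) for review."""
    grp = ET.fromstring(xml_text).find("accessgroup")
    action = grp.find("group").get("action")
    added = [e.get("member") for e in grp.findall("add")]
    removed = [e.get("member") for e in grp.findall("remove")]
    return action, added, removed


if __name__ == "__main__":
    sid = azuread_object_id_to_sid(EXAMPLE_GROUP_OBJECT_ID)
    print(build_local_admins_policy([sid], remove_members=["AzureAD\\old.admin@contoso.com"]))
```

Assign the resulting string to `./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure` via a custom OMA-URI profile, and keep the "U" action unless you have verified every member the device still needs.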

Hi @mmchx,

Adding to @Adir_Moshe, for more granular configuration you can leverage the Policy CSP - LocalUsersAndGroups - Windows Client Management | Microsoft Docs. This will allow you to add specific user accounts to specific local groups on specific managed devices.

Managing a local admin account, although it has its benefits, has a lot of security and management disadvantages, and I would not recommend that.

For remote control, the new tool from Microsoft does sound promising, but it is still in preview with no cost estimation in sight, so you can fall back to a third party such as TeamViewer, which in my opinion provides good integration, until Remote Help is GA.

Best regards,

Michael Moshkovich

Hi @gerardoamadeus

From a security perspective, adding admins to a device administrator group is not safe. If one of your admins is hacked, they have local admin rights on all your Azure AD joined machines.

So, I agree with @Rudy_Ooms_MVP. My advice is to always use a local admin account specific to the device with LAPS, so none of your devices will have the same admin password.

Kind regards,

Rene

Hi @mmchx

I think you have enabled the Microsoft Security Baseline or you have set it up in an Endpoint Protection policy, and now you are not able to Run as Administrator, right?

If so, you can change the following setting in the security baseline: "Standard user elevation prompt behavior" to "Prompt for credentials on the secure desktop", or change the setting "Elevation prompt for standard users" in your Endpoint Protection policy to "Prompt for credentials on the secure desktop".

Kind regards,

Rene

Hi @mmchx

Did you already take a look at the following blog post:

Quick Assist - UAC Black Screen resolution via Intune - Let's ConfigMgr! (letsconfigmgr.com)

Kind regards,

Rene