troubleshooting for standard user in windows autopilot

Contributor

Hi experts,

it's very straightforward. if we set the windows autopilot's profile and set the account type to "Standard User". How can we assist them when we need to do something on their device? since we cannot run as administrators. 

7 Replies
Hi,

If you need to assist someone on site you could "run as admin" and use admin credential.
admin would be Azure AD user who has the Global Administrator role or the Azure AD Joined Device Local Administrator Role.
You could read more about that role in the following link :
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#azure-ad-joined-...

For remote assistant you could use the new Remote Help from intune (that product have a cost)
adding a link about that new product.
https://docs.microsoft.com/en-us/mem/intune/remote-actions/remote-help

Best regards,

Hi,

I would go for the additional local admin like I am mentioning in this blog. because in my opinion using one azure ad account to manage each workstation ... mmm not my cup of tea. I would rather use a local admin and add LAPS to it..

 

(even while this blog is more about the remediation error it could give you :) )

https://call4cloud.nl/2021/12/i-kill-remediation-errors/

Hi,
Your best optionis either add admins to device administrators group (which is added to Administrators on all devices) or if you want to be more specific if you have several countries or groups of administrators you can use the following CSP to add azure users or groups:
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups
You can add and remove users from the local Administrator group.
To add azure groups you will need the azure SID which can be found using graph explorer.
Regards,

Hi @mmchx,

 

Adding to @Adir_Moshe, for more granular configuration you can leverage the Policy CSP - LocalUsersAndGroups - Windows Client Management | Microsoft Docsthis will allow you to add specific user account to specific Local groups an specific managed devices.

 

Managing Local Admin account, although have it's benefits, has a lot of security and management disadvantages and I would not recommend that.

 

For remote control, the new tool from Microsoft does sound promising but still in preview and no cost estimation in sight, so you can fallback to a third party such as TeamViewer which in my opinion provides good integration, until Remote Help is GA.

 

Best regards,

Michael Moshkovich

 

Hi @gerardoamadeus

 

From a security perspective add admin to a device administrator group is not save. If one of your admins are hacked they have local admin rights on al your Azure Ad Joined machines. 

 

So, I agree with @Rudy_Ooms_MVP. My advice is to use always a Local admin account to the specific device with LAPS and none of your device will have the same admin password. 

 

Kind regards,

 

Rene

Hi @mmchx

 

I think you have enabled the Microsoft Security Baseline or you have set it up in Endpoint Protection policy and now you are not able to Run as Administrator, right? 

 

If so, you can change the following setting in the security baseline: "Standard user elevation prompt behavior" to Prompt for credentials on the secure desktop or change the setting "Elevation prompt for standard users" in your Endpoind Protection policy to Prompt for credentials on the secure desktop. 

 

Kind regards,

 

Rene

Hi @mmchx

 

Did you already take a look at the following blog post:

 

Quick Assist - UAC Black Screen resolution via Intune - Let's ConfigMgr! (letsconfigmgr.com)

 

Kind regards,

 

Rene