Forum Discussion
Why our users are getting local admin access on devices when the device runs through Autopilot profi
It's not a personal device, it's a corporate device, and when it does not work with Autopilot we don't have any other option to join the device to Intune/Autopilot. Then we ask the user to join the device this way, and even while enrolling via Autopilot the user also gets admin access on their device.
Where is Rudy's response saying: disable the possibility of users joining Personal Devices. If the device is deployed using Autopilot and the profile is set to User and not Administrator, they are just users on the device.
Can you point it out or share in the reply here?
- VinodS2020 | Nov 08, 2023 | Brass Contributor
Yes, it's the standard All Devices group in Intune. I can try that by adding the Autopilot group to the Autopilot profile; will check.
- Nov 07, 2023
Not sure what AllWindowsDevices is. Is that the standard All Devices group? You can add your Autopilot group to it as well.
- VinodS2020 | Nov 07, 2023 | Brass Contributor
Yes, we have this group created and assigned to the Autopilot dynamic group.
We have an Autopilot group with Dynamic device membership in Entra ID and have assigned these kinds of expressions for the Autopilot device groups.
But in our case we have assigned "AllWindowsDevices" group to autopilot profile.
See below
Do you recommend that we assign the Autopilot group to the profile that we have created, or what do you say?
- Nov 06, 2023
Any update?
- Nov 05, 2023
You probably have a dynamic group that automatically puts all registered Autopilot devices in that group by using a ZTDID query (https://learn.microsoft.com/en-us/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune). You assign that group to a deployment profile. Is the device a member of that group when it fails?
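One way to answer the membership question in the reply above, as an added example that is not part of the original thread: it uses the Microsoft Graph PowerShell SDK to report whether a device object carries a ZTDID physical ID and whether it is currently a member of the Autopilot group. The default group and device names are hypothetical placeholders, and the account running it is assumed to be able to consent to the two read scopes.

```powershell
# Added example (not from the thread). Requires the Microsoft Graph PowerShell SDK.
# The default group and device names below are hypothetical placeholders.
param(
    [string]$GroupName  = 'Autopilot-Devices',
    [string]$DeviceName = 'DESKTOP-EXAMPLE'
)

Connect-MgGraph -Scopes 'Group.Read.All', 'Device.Read.All'

# Look up the group, including the fields that show whether it is dynamic
# and which membership rule drives it.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" `
    -Property Id, DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState |
    Select-Object -First 1
if (-not $group) { throw "Group '$GroupName' not found." }

# Object IDs of the current direct members of the group.
$memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id

# A display name can match more than one device object (for example stale
# records left by a re-enrollment), so report on each one.
$devices = Get-MgDevice -Filter "displayName eq '$DeviceName'" `
    -Property Id, DisplayName, PhysicalIds, TrustType
if (-not $devices) { throw "No Entra ID device object named '$DeviceName'." }

foreach ($device in $devices) {
    [pscustomobject]@{
        Device         = $device.DisplayName
        ObjectId       = $device.Id
        TrustType      = $device.TrustType
        # Autopilot-registered devices carry a [ZTDID] entry in physicalIds;
        # that entry is what a ZTDID-based dynamic rule matches on.
        HasZtdId       = [bool]($device.PhysicalIds -match '^\[ZTDID\]')
        InGroup        = $memberIds -contains $device.Id
        GroupIsDynamic = $group.GroupTypes -contains 'DynamicMembership'
        RuleState      = $group.MembershipRuleProcessingState
        MembershipRule = $group.MembershipRule
    }
}
```

A row with `HasZtdId` false means the device object is not registered with Autopilot, and a row with `HasZtdId` true but `InGroup` false means the dynamic rule has not picked the device up; in either case a deployment profile assigned only to this group does not target the device.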
- VinodS2020 | Nov 05, 2023 | Brass Contributor
We are uploading the hardware hash in Intune/Autopilot. Those are taken care of by the device provider, and devices are going to the Autopilot profile as expected, but sometimes it does not work as expected, so in that case we guide users to enroll the device via the Entra ID join method. We have seen that in both ways the user gets admin access on the device.
Could you elaborate more on what we need to check/see in Autopilot to resolve this issue?
You mentioned the below in your last reply:
"Autopilot not working. You upload the hardware hash to Intune, assign the devices to a group, and give that group to a deployment profile set to User enrollment."