Jul 25 2017 09:26 AM
Half of my users are joined to my local domain, and the other half (who don't come in the office) I've joined to Azure Active Directory instead. I would like to eliminate the local AD completely if possible for PCs (not servers). I have a series of questions related to this scenario. Also, if there is a document that provides a summary overview of how to accomplish the items below, please send me a link.
Jul 25 2017 09:35 AM
Hi Thomas, Great to hear that you are joining some of your devices to Azure AD. Answers to your questions below:
1. Yes, what you say is possible. However, you can use Windows 10 Autopilot to AAD join your devices and also designate that the first user should be a standard user. So you can now make sure the user is a standard user. You are right that all AAD tenant admins are added as local admins to the PC. But this is a configurable setting in Azure AD. You could change the users that are added as admins.
2. Intune is the management tool from Microsoft that uses MDM to manage devices from the cloud. Azure AD Premium is the premium version of the Microsoft identity offering. Intune depends on Azure AD for identity. So think of Azure AD as the identity plane on which Intune is built. You will need Azure AD Premium if you would like to auto enroll into Intune as part of AAD join and use Autopilot.
3. Microsoft doesn't yet have a product exactly for this E2E, but Remote Desktop and Skype are tools that many of our customers use. Also SCCM has remote control support, and we are working with many ISVs by providing the right APIs to help them build a remote assistance tool.
Feel free to post back a clarification or question if there are further questions.
Jul 25 2017 09:46 AM
Here are Microsoft Intune's remote assistance solutions: https://docs.microsoft.com/en-us/intune-classic/deploy-use/request-and-provide-remote-assistance-for...
Jul 25 2017 09:52 AM
Okay, great. I just want to confirm a specific point pertaining to item #1 in my previous message. If I take a new Windows 10 device and select the option "the PC belongs to my organization," and log into that machine for the first time with my Azure AD admin account, am I now the local admin on that machine? Also, can any other Azure AD admin log into that machine and be the admin? And, finally, any other user who is on the domain will now be able to login to the machine, but they won't be an admin, correct?
Jul 25 2017 10:00 AM
Yes, you are right on all counts.
1. First user will be an admin without Autopilot
2. Any Azure AD admin can logon and be an admin
3. Any AAD user can login to the machine but will not be an admin
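The three points above can be verified on the device itself. The following script is an added example and is not code from the thread or from Microsoft: it confirms that the PC is Azure AD joined, lists every member of the local Administrators group with its principal source, and flags individual Azure AD user accounts sitting in that group (the "first user became admin" case that Autopilot is meant to avoid). It assumes an elevated Windows PowerShell 5.1 session with the inbox Microsoft.PowerShell.LocalAccounts module.

```powershell
# Added example (not from the thread): audit local admin rights on an Azure AD-joined
# Windows 10 PC. Assumes an elevated Windows PowerShell 5.1 session; Get-LocalGroupMember
# comes from the inbox Microsoft.PowerShell.LocalAccounts module.

function Get-AadJoinState {
    # dsregcmd /status prints a line "AzureAdJoined : YES" on an AAD-joined device.
    $output = & dsregcmd.exe /status
    foreach ($line in $output) {
        if ($line -match '^\s*AzureAdJoined\s*:\s*(\S+)') { return $Matches[1] }
    }
    return 'UNKNOWN'
}

function Get-LocalAdminReport {
    # One object per member of the built-in Administrators group, tagged with where the
    # principal comes from. PrincipalSource is Local, ActiveDirectory, AzureAD or
    # MicrosoftAccount; Azure AD users, groups and directory roles carry S-1-12-1-* SIDs.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name               = $_.Name
            SID                = $_.SID.Value
            Source             = $_.PrincipalSource
            Class              = $_.ObjectClass
            IsAzureAdPrincipal = ($_.SID.Value -like 'S-1-12-1-*')
        }
    }
}

function Get-UnexpectedAzureAdAdmins {
    # Individual Azure AD user accounts (as opposed to Azure AD role or group SIDs) in the
    # local Administrators group: this is what a non-Autopilot first sign-in produces.
    param([Parameter(Mandatory)] $Report)
    $Report | Where-Object { $_.Source -eq 'AzureAD' -and $_.Class -eq 'User' }
}

$joined = Get-AadJoinState
Write-Host "AzureAdJoined: $joined"

$admins = Get-LocalAdminReport
$admins | Format-Table Name, Source, Class, SID -AutoSize

$flagged = Get-UnexpectedAzureAdAdmins -Report $admins
if ($flagged) {
    Write-Warning "Azure AD user accounts with local admin rights:"
    $flagged | ForEach-Object { Write-Warning "  $($_.Name) ($($_.SID))" }
} else {
    Write-Host "No individual Azure AD user accounts hold local admin rights."
}
```

On an AAD-joined device the group normally holds the built-in Administrator account plus unresolved S-1-12-1-* entries that represent Azure AD directory roles rather than named users, which is how "any Azure AD admin can logon and be an admin" is implemented. Get-LocalGroupMember can fail outright when the group contains a SID the machine cannot resolve; if that happens, the same membership can be read through the WinNT ADSI provider instead.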
Jul 25 2017 10:19 AM
If you have a link for more info on Autopilot, I'll take it.
Thanks for the answers, and have a great day!
Aug 11 2017 03:50 AM
More info on Windows Autopilot..