question

LeeTina-3888 asked Crystal-MSFT commented

I went and retired these Windows 10 devices from the old/legacy Intune portal. Now I am having problems registering the MDM on them. I found out that the users have to be local admins of the workstation, which we don't have at present.

Question:
1. Is there a way to register the MDM without giving local admin rights to the end users?
2. In the old/legacy Intune portal, these devices are company owned. However, when I tried to register them with the new MDM client, it tried to register them as BYOD devices. Yet these devices are already on our domain.

Thanks,



Tags: mem-intune-device-configurations, mem-intune-enrollment

NickHogarth-MVP answered

If they are domain joined, you can use a GPO to enroll the devices into Intune. They will be marked as corporate and not BYOD. https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy


Crystal-MSFT answered Crystal-MSFT commented

@LeeTina-3888, As far as I know, local administrative privileges are required for Bring Your Own Device (BYOD) enrollment in Intune. We can see more details in the following link:
https://docs.microsoft.com/en-us/troubleshoot/mem/intune/no-permission-to-enroll-windows-devices

For devices in an on-premises AD domain, we can consider Nick's suggestion to automatically enroll Windows 10 devices using GPO. The following article is for reference:
https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

In general, for Windows enrollment, Intune automatically assigns corporate-owned status to devices that are:

  • Enrolled with a device enrollment manager account

  • Joined to Azure Active Directory with work or school credentials.

  • Autopilot enrollment

  • Windows 10 enrollment with GPO

  • Set as corporate in the device's properties list

Hope it can help.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



@LeeTina-3888, How's everything going? If there's anything else we can help, feel free to let us know.

LeeTina-3888 answered Crystal-MSFT commented

Hi Crystal-MSFT.

Thanks for following up with me. We did follow this suggestion:
For devices in an on-premises AD domain, we can consider Nick's suggestion to automatically enroll Windows 10 devices using GPO. The following article is for reference:
https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

However, we are still having some problems with it. There's a part in the documentation where it talks about this:
Additionally, verify that the SSO State section displays AzureAdPrt as YES.
And the text is showing SSO = NO.

I am not sure if maybe our Azure tenant is not joined correctly or we are missing something in the configuration setup.

If you can point me in the right direction, I would appreciate it.

I also have Microsoft technical support open on this too.

Thanks again,


@LeeTina-3888, From your description, it seems the device failed to obtain an Azure AD PRT. We can try to rejoin the device to Azure AD with the following steps.
1. Open cmd as an administrator and run dsregcmd /leave /debug
2. Delete the device in the Azure portal
3. Restart the device
4. Open cmd as an administrator and run dsregcmd /join /debug

However, if the issue still persists, we suggest submitting it on Azure AD Q&A to check the issue, or opening a case with Azure AD support to fix it:
https://docs.microsoft.com/en-us/answers/topics/azure-active-directory.html

Hope it can help.

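Before rejoining a device, it helps to see exactly which prerequisite for GPO-based enrollment is missing: the on-premises domain join, the hybrid Azure AD join, the PRT that the "SSO State" section reports as AzureAdPrt, or the auto-enrollment policy itself. The PowerShell below is an added, read-only example and is not code from this thread or from Microsoft; it parses the `Key : Value` lines that `dsregcmd /status` prints, reads the MDM policy key, and lists what is missing. It assumes it runs elevated on the device and that the registry values `AutoEnrollMDM` and `UseAADCredentialType` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM` are the ones the "Enable automatic MDM enrollment using default Azure AD credentials" GPO writes; the sample `dsregcmd` lines are constructed to demonstrate the parser offline.

```powershell
# Added example (not from the thread): read-only readiness check for
# GPO-based Intune auto-enrollment on a domain-joined Windows 10 device.
# Assumptions: elevated PowerShell on the device; the MDM policy values
# below are those written by the auto-enrollment GPO.

function Get-DsregStatus {
    param([string[]]$Lines = (& dsregcmd.exe /status))
    # dsregcmd /status prints one "Key : Value" pair per line; section
    # banners such as "| Device State |" do not match and are skipped.
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-MdmAutoEnrollPolicy {
    # Policy key populated by the auto-enrollment GPO (assumed location).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    return @{
        AutoEnrollMDM        = $p.AutoEnrollMDM
        UseAADCredentialType = $p.UseAADCredentialType
    }
}

function Test-EnrollmentReadiness {
    param([hashtable]$Status, [hashtable]$Policy)
    # Returns one finding per missing prerequisite; empty means ready.
    $findings = @()
    if ($Status['DomainJoined'] -ne 'YES') {
        $findings += 'Device is not joined to the on-premises AD domain.'
    }
    if ($Status['AzureAdJoined'] -ne 'YES') {
        $findings += 'Device is not Azure AD joined; hybrid join has not completed.'
    }
    if ($Status['AzureAdPrt'] -ne 'YES') {
        $findings += 'No Azure AD PRT (SSO State shows AzureAdPrt = NO); the user must sign in on a hybrid-joined device to obtain one.'
    }
    if ($null -eq $Policy) {
        $findings += 'MDM auto-enrollment policy key is absent; the GPO has not applied.'
    } elseif ($Policy.AutoEnrollMDM -ne 1 -or $Policy.UseAADCredentialType -ne 1) {
        $findings += 'AutoEnrollMDM and UseAADCredentialType are not both set to 1.'
    }
    return $findings
}

# Constructed sample of the relevant dsregcmd /status lines (not output
# captured from the thread); it reproduces the state the poster described.
$sample = @(
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CORP',
    '                AzureAdPrt : NO'
)
$findings = Test-EnrollmentReadiness -Status (Get-DsregStatus -Lines $sample) `
                                     -Policy @{ AutoEnrollMDM = 1; UseAADCredentialType = 1 }
$findings | ForEach-Object { Write-Output "FINDING: $_" }

# On a live device, drop the -Lines argument and read the real policy key:
# Test-EnrollmentReadiness -Status (Get-DsregStatus) -Policy (Get-MdmAutoEnrollPolicy)
```

With the constructed sample the only finding is the missing PRT, which matches the `SSO = NO` symptom in the thread; on a live device the same check tells you whether the problem is the join state, the PRT, or a GPO that never reached the machine, before you go through the leave/rejoin steps.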
sganesamoorthy-0877 answered

It seems the device has not connected to Azure for a long time; the PRT is valid for 14 days and is renewed when the user is using the device.
