LiamFermoyle-7788 asked, ZollnerD edited

Disabling admin privileges for work account users on assigned devices - intune / Microsoft Endpoint Manager

We are working towards our Cyber Essentials Plus.

One part is to make sure Administrator privilege on endpoint devices is not used on a day to day basis. All users need to be set to a "standard" type account.

Currently it seems that Azure forces the admin privilege automatically due to the device being associated to the users account.

In AzureAD I am unable to Manage the devices due to them not being set up in Endpoint Manager (Intune).

We are currently testing Intune (limited 5 device licence), however I am unable to add any of our existing devices which are currently AzureAD joined - even though they are included in the group specified in the deployment policy. I have even tried to import a device using the CSV import feature - it errors due to the device already being AAD joined (see image attached).

Of course I can un-join the device from AAD, but that may mean forcing users to reconnect to the devices as if it were the first time using the laptop.

Is it possible to force the join?

AAD version: Azure AD for o365 - EDIT: we are now trialing 365 business premium 1 (AAD premium1)


mem-intune-enrollment azure-ad-device-management

In case someone comes across this thread via googling, there's a new way of managing these settings in Endpoint Manager as described here: https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207


1 Answer

2 Votes
vipulsparsh-MSFT answered

@LiamFermoyle-7788 Thanks for reaching out.

The concern regarding a normal user being the admin after connecting to Intune can be solved in two ways with Endpoint Manager.

Windows Autopilot - Windows Autopilot provides you with an option to prevent the primary user performing the join from becoming a local administrator. You can accomplish this by creating an Autopilot profile.

Bulk enrollment - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an auto-created user. Users signing in after a device has been joined are not added to the Administrators group.


Coming to your next issue with forcing the join: as long as AAD detects that the device is already AAD joined, it will continue to throw that error. You can delete the device from the Devices list in AAD and try again. If not, then you must remove the device from AAD and re-join.
This device seems to have followed the Autopilot path before as well and somehow not properly completed the process.

A support case with the Intune team will help you investigate further.


If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" the answer that helped you, for the benefit of the community.
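Whichever enrollment path is used, the outcome can be verified on the device itself. The following is an added example, not part of this thread or of any Microsoft tool: a PowerShell audit of the local Administrators group using the built-in LocalAccounts cmdlets, which flags Azure AD users who still hold local admin. The break-glass account name is a placeholder you would replace with your own documented exception.

```powershell
# Added example: audit the local Administrators group on an Azure AD joined device
# and report members that would fail a "no day-to-day admin" requirement.
# Requires an elevated session; uses Get-LocalGroupMember from Microsoft.PowerShell.LocalAccounts.

function Get-NonCompliantLocalAdmins {
    param(
        # Accounts allowed to keep membership (assumption: a documented break-glass account).
        [string[]] $AllowedNames = @()
    )

    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    } catch {
        # Unresolvable SIDs in the group (for example Azure AD role SIDs added at join time)
        # can make the cmdlet fail; treat that as a finding rather than a pass.
        return [pscustomobject]@{ Name = '(unresolved)'; Type = 'Unknown'; Source = 'Unknown';
                                  SID = ''; Reason = "Group could not be enumerated: $($_.Exception.Message)" }
    }

    foreach ($m in $members) {
        # The built-in Administrator account always has RID 500; skip it regardless of its name.
        if ($m.SID.Value -like '*-500') { continue }
        if ($AllowedNames -contains $m.Name) { continue }

        # PrincipalSource is one of Local, ActiveDirectory, AzureAD or MicrosoftAccount.
        if ($m.PrincipalSource -eq 'AzureAD' -and $m.ObjectClass -eq 'User') {
            $reason = 'Azure AD user holds local admin (typically the user who joined the device)'
        } elseif ($m.ObjectClass -eq 'User') {
            $reason = 'Interactive user account holds local admin'
        } else {
            $reason = 'Group grants local admin; review its membership'
        }

        [pscustomobject]@{
            Name   = $m.Name
            Type   = $m.ObjectClass
            Source = $m.PrincipalSource
            SID    = $m.SID.Value
            Reason = $reason
        }
    }
}

$results = Get-NonCompliantLocalAdmins -AllowedNames @("$env:COMPUTERNAME\BREAKGLASS-PLACEHOLDER")
if ($results) {
    $results | Format-Table -AutoSize
    exit 1   # non-zero exit lets an Intune detection script record the device as non-compliant
}
'Administrators group contains only allowed accounts.'
exit 0
```

Running this as an Intune detection script across the estate gives a per-device record of who still holds local admin, which is the evidence an assessor will ask for.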


