DanielMonks-0112 asked (0 votes)

Convert from Azure AD registered to Azure AD Joined without local admin rights

Hello,

We have an issue with a large number of machines our client has inherited. Our client has absorbed a couple of companies and the machines that were associated with those users.

The issue is we can't get Intune to deploy to these machines since the users are signed into local accounts that do NOT have local admin rights to the machine. These machines are Azure AD Registered, but we need to get them to an Azure AD Joined or Hybrid state. We do not have the passwords for the local users that do have local admin rights on the machines, so we can't get any new software installed or provision our RMM tools.

Is there any way to get the devices moved to Azure AD Joined or grant local admin rights without resetting the device to factory and running through AutoPilot?

Tags: mem-intune-general, mem-intune-enrollment

Jason-MSFT answered (2 votes)

Is there any way to get the devices moved to Azure AD Joined or grant local admin rights without resetting the device to factory and running through AutoPilot?

No. Local admin permissions are required to join a device to a domain (AD or AAD doesn't matter) or enroll it into MDM. If this were not required, any bad actor, even an unintelligent one, would already have taken over all of your users' systems.

AAD Registration is just that, a simple registration of a device by the user; it doesn't endow or grant any sort of control over that device in any way.


Yeah understood, I was just hoping to avoid resetting 300 devices.

RahulJindal-2267 answered (0 votes)

Have you considered using a provisioning package for joining into AAD and auto-enrollment?


@RahulJindal-2267

I have not. This is the first time I am coming across Provisioning Package. I will look into it and see if that can help resolve the issue.

LuDaiMSFT-0289 answered (0 votes)

@DanielMonks-0112 Thanks for posting in our Q&A.

To clarify this issue, could you please tell us if the devices are already managed by Intune? If yes, we can try to write a PowerShell script to create a local admin user and deploy this script via Intune.

I have done the test in my lab. I will share some screenshots with you:
Script: [screenshot 181273-image.png, not reproduced here]

Settings of script policy in Intune portal:
https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension#create-a-script-policy-and-assign-it
[screenshot 181186-image.png, not reproduced here]

Results:
I can see the new admin user in the Administrators group.
[screenshot 181068-image.png, not reproduced here]

Now we can disconnect the account in Settings > Accounts > Access work or school. Then we can follow the steps under "To join an already configured Windows 10 device" in the following link to make the device Azure AD joined.
https://support.microsoft.com/en-us/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973

Hope it will help.

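The answer above only shows the script as a screenshot. What follows is an added example written for this thread, not the script from the answer or from Microsoft: an Intune-deployable PowerShell script that creates a local account and makes it a member of the built-in Administrators group, which is only possible when the device is already enrolled (the script runs as SYSTEM through the Intune Management Extension). The account name `ContosoAdmin`, the log path and the password length are assumptions; the password is generated randomly and deliberately not written anywhere, on the assumption that Windows LAPS is configured to manage that account name so the password can be retrieved from the tenant rather than being embedded in the script.

```powershell
# Added example for this thread (not the script in the screenshot above).
# Assumes: deployed as an Intune PowerShell script, running as SYSTEM on a
# 64-bit PowerShell host, on a device that is already Intune-enrolled.
$AccountName    = 'ContosoAdmin'                      # assumption: naming standard
$LogPath        = "$env:ProgramData\IntuneScripts\create-local-admin.log"
$AdminGroupSid  = 'S-1-5-32-544'                      # well-known SID of Administrators, locale-independent
$PasswordLength = 24

function Write-Log {
    param([string]$Message)
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Add-Content -Path $LogPath -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

function New-RandomPassword {
    # Draws bytes from the OS CSPRNG and maps them onto the character set with
    # rejection sampling, so no character is favoured by modulo bias.
    param([int]$Length = 24)
    $chars = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-_=+')
    $limit = 256 - (256 % $chars.Length)
    $rng   = [System.Security.Cryptography.RNGCryptoServiceProvider]::new()
    $sb    = [System.Text.StringBuilder]::new()
    $buf   = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

try {
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user) {
        # Password is random and never logged; Windows LAPS is assumed to take
        # over this account and publish the rotated password to the tenant.
        $secure = ConvertTo-SecureString -String (New-RandomPassword -Length $PasswordLength) -AsPlainText -Force
        New-LocalUser -Name $AccountName -Password $secure `
            -Description 'Managed local administrator (Intune-created)' -ErrorAction Stop | Out-Null
        Write-Log "Created local account $AccountName"
    }
    elseif (-not $user.Enabled) {
        Enable-LocalUser -Name $AccountName -ErrorAction Stop
        Write-Log "Re-enabled existing account $AccountName"
    }
    else {
        Write-Log "Account $AccountName already exists"
    }

    # Membership check by name suffix so the result is independent of the hostname prefix.
    $members  = Get-LocalGroupMember -SID $AdminGroupSid -ErrorAction Stop
    $isMember = $members | Where-Object { $_.Name -like "*\$AccountName" }
    if (-not $isMember) {
        Add-LocalGroupMember -SID $AdminGroupSid -Member $AccountName -ErrorAction Stop
        Write-Log "Added $AccountName to Administrators"
    }
    else {
        Write-Log "$AccountName is already a member of Administrators"
    }
    exit 0
}
catch {
    # Non-zero exit makes the failure visible in the Intune script status report.
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

When assigning it in the portal, select the option to run the script in the 64-bit PowerShell host and leave the user-context option off: the `Microsoft.PowerShell.LocalAccounts` cmdlets used here are not available from a 32-bit host on 64-bit Windows, and adding a group member requires the SYSTEM context. The script is idempotent, so re-running it on a device that already has the account only logs and exits 0.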

@LuDaiMSFT-0289

No, the devices are not managed by Intune. I have a test machine spun up that has the same settings as the acquired companies' machines.

In my test setup, I can check Azure and see my test user; checking the devices, my test device shows as "Azure AD Registered", but the MDM column shows "None".

[screenshot 181450-image.png, not reproduced here]

I should note that Intune works perfectly if setting up a device "as new". The issue is primarily with machines that are set up with local users that don't have local admin rights.

@DanielMonks-0112 Thanks for your update. The above method is not available in this situation, where the device is not enrolled in Intune.

And thanks Jason for clearing some information about AAD Registration.
