This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 63%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKD%3C/text%3E%3C/svg%3E)
Hi,
We have some PCs deployed via a "Standard User" autopilot profile (Hybrid Azure AD). However we have created a policy to get a elevated prompt when a user wants to install a software and if we enter global administrator credentials, it will install the application. But we don't want to give helpdesk users this GA permissions and want to know whether "Device Administrator" in Azure AD can perform this?
Regards,
Kavindu
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Kavindu Dayananda , For the users with device administrators role, they become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. From your description, it seems the devices are Hybrid Azure AD device. Based on my research, it is not suitable for Hybrid Azure AD joining devices. We can see more details in the following link:
https://dirteam.com/sander/2020/08/31/knowledgebase-the-device-administrator-role-is-not-available-on-the-roles-and-administrators-pane-in-the-azure-portal/
Note: Non-microsoft link, just for the reference.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi Crystal,
Thanks for your reply.
I understand that "Device Administrator" will not work on "hybrid azure ad" joined PCs, but then what is the recommended way of having this? I couldn't find a proper MS article for this.
Regards,
Kavindu
@Kavindu Dayananda , To install application or software on computers, we need local administrator permission. For our situation, I have two suggestions in mind:
Suggestion 1: Create GPO and add related account with local administrator permission.
Suggestion 2: Or we can consider create a local user and add it to local administrators group:
https://social.technet.microsoft.com/Forums/en-US/95b1baba-d040-443c-8df1-a1d5b3cb5eb9/create-local-user-account-and-make-it-as-administrator-using-intune-policy?forum=microsoftintuneprod
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Suggestion 1 will not work on hybrid azure ad domain devices.
Same as you always have with on-prem domain joined devices: Group Policy.
@Jason Sandys , Thanks for the notification, I will modify my reply.
@Kavindu Dayananda , How's everything going? If there's anything else we can help, feel free to let us know.