Hello Marcelo,
From your description, it sounds like the device has been enrolled into Microsoft Intune or Azure AD Join, but the assigned user account lacks local administrator privileges. Even though you've granted full access roles in Microsoft Entra ID, those roles apply to cloud resources and don’t automatically elevate local permissions on the device.
To resolve this, I recommend checking the Intune Device Configuration Profile or Endpoint Manager settings. Specifically, ensure that the user is added to the Local Administrators group via a device configuration policy. You can do this by navigating to Endpoint Security > Account Protection > Local user group membership and assigning the correct group membership.
If you're completely locked out and unable to access CMD or install apps, you may need to perform a fresh reset using a recovery USB and reconfigure the device with proper admin provisioning during setup. Be sure to use an account that’s pre-assigned as a local admin via Autopilot or manual provisioning.
Once access is restored, you can re-enroll the device and apply the necessary policies to avoid future lockouts.
=====
I hope this helps you get back on track quickly. If this guidance proves useful, feel free to hit “Accept Answer”—it’s always great to know when the solution lands well 😊
T&B, Harry.
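An added example, not part of Harry's answer or any Microsoft documentation: a PowerShell check run on the enrolled device that confirms the Entra join state, tests whether the assigned user is already in the local Administrators group, and prints the LocalUsersAndGroups CSP payload that the "Local user group membership" setting described above delivers. The UPN `user@contoso.com` is a placeholder.

```powershell
# Added example (not from the original answer). Assumed placeholder UPN below.
param(
    [string]$Upn = 'user@contoso.com'   # placeholder; replace with the real assigned user
)

# 1. Confirm the device is Entra joined. Entra ID roles apply to cloud resources only,
#    so a cloud admin role never grants local admin rights by itself.
$status = dsregcmd /status
$joined = ($status | Select-String 'AzureAdJoined\s*:\s*YES').Count -gt 0
Write-Host "Entra joined: $joined"

# 2. Check local Administrators membership. Entra users appear as 'AzureAD\<upn>'.
#    Get-LocalGroupMember can fail on groups containing unresolvable SIDs; in that
#    case fall back to 'net localgroup Administrators' and inspect the output by eye.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
$isAdmin = $members | Where-Object { $_.Name -ieq "AzureAD\$Upn" }
if ($isAdmin) {
    Write-Host "$Upn is already a local administrator; the policy has applied."
} else {
    Write-Host "$Upn is NOT a local administrator. Current members:"
    $members | Select-Object Name, PrincipalSource, ObjectClass | Format-Table -AutoSize
}

# 3. The Policy CSP payload behind the Intune setting, for reference or a custom
#    OMA-URI profile: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
#    action="U" updates the group (adds the member, keeps existing admins);
#    action="R" replaces the membership and can lock out every other admin.
$cspXml = @"
<GroupConfiguration>
  <accessgroup desc="Administrators">
    <group action="U" />
    <add member="AzureAD\$Upn" />
  </accessgroup>
</GroupConfiguration>
"@
Write-Host "`nLocalUsersAndGroups CSP payload to assign via Intune:`n$cspXml"
```

Run it in an elevated session on the device after a policy sync (Settings > Accounts > Access work or school > Info > Sync) to confirm the membership change actually landed before relying on it.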