This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 15%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKD%3C/text%3E%3C/svg%3E)
Hello all
I'm pretty new to Intune. I'm running a elementary school as ICT coördinator and we will enroll about 100 devices to Intune.
Now i already enrolled 10 teacher devices ( Lenovo Thinkad E14) with config profiles and restricitons.
Everything works normal ( except a notification about bitlocker not configured, but strange enough it is ok, i can see the encryption key in the admin pane)
Now when i take a device, and log in with my account and credentials ( and i'm global admin) i have the same permissions and restrictions as a normal teacher.
What do i do wrong?
Do i need to make an separate configprofile for me?
Do i need i local admin account?
is there a way that i can put my account in the administrators group? like we did in the day with windows server ADDS? so i can log in with no restrictions?
I'm playing arround with a student device (asus W202 ( i really don't like chromebooks..)) The devices are in a group, config profile linked to that group but it doesn't work.. when i take a look to the admin pane -> devices, click on the student device, i can't see the config profile linked to that device. strange..
2 questions ( or even 3 :) ) but thanks in advance!
Being a global admin and thus a local admin on the device doesn't mean policies don't apply to you and your account. It means you have a higher level or permissions and privileges, but it in no way excludes you from policies applied to the device.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 45%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFA%3C/text%3E%3C/svg%3E)
Is being a global admin on Entra the only way you can be a local admin on a Entra added machine?
No. Any user added to the local admins group on the device will be a local admin. See https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin for lots detailed info. Note that you can also use account protection policies from Intune on managed Windows devices to control this: https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 66%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
Are these devices Azure AD Joined? If so, then you should have admin if you are global admin, see https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
How were they enrolled into Intune exactly?
Must you be a global admin to install programs and make computer changes?
No. Being a global admin actually has zero context on a local device. Global admins just get automatically added to the local admin group granting them elevated permissions and privileges. What's significant is having those elevated rights, permissions, and privileges because the account is a member of the local admins group. There are other ways to grant the necessary permissions, rights, or privileges for most activity on a local device. What that is though is dictated by that activity so there's no one specific answer for all activity except adding the account to the local admins group which is why this is the generally accepted path if this is what you are after. Of course, with great power comes great responsibility because now that account has the rights, permissions, and privileges to do change anything on the device which can lead to accidentally issues, malicious activity, or a bad actor influencing or infiltrating the device.
Yes all devices are Azure AD registered ( Azure AD joined).
I enrolled the first 10 devices without autopilot. ( restricted in time on that moment..)
So i registered the device as admin ( with my account) when i first started the devices ( "how would you like to set up?" -> set up as a organization)
Afterwards the teacher signed in.. worked with all the restricitons.
Only my account as well is restricted ( for example i can't change the network, or install software..) when i use a workarround, it askes for my admin credentials ( same as my account) and then it will work..
It seems to ignore my admin account, asks for admin credentials, and then accpets my admin account.. but not automaticaly
There is a way to make local admin account .. but i don't think thats the good way to do it...
For the 100 new devices ( 2 times 50 devices 2021-2023) i will test out autopilot and do it with the OOBE way..
I just chekced a device, my Azure accounts is addes to the administrators group, yet i can't install apps on the device...
so basicaly i have the same restrictions as a regular teacher...
how is this even possible?
when i drag the install file to my onedrive... i can run the application... and install it on the device.
yet i can't install apps on the device.
Can you please define what this means in technical terms? What exactly are you launching, how are you launching it, what happens when you launch it, are you getting an error, etc.
Also, how are you joining the devices to AAD?
Well when i log in to the computer, with my account i have the same restrictions ( i made some device restrictions for a teachers group) as the teachers. Despite that i'm a global admin.
So, when i want to install an app on the device itself ( so i dont push that app trough intune) it is not possible due to a app store restriction that i made. So when i want to launch the exe file it opens a box that says, install apps trough windows app store. Basically i made that restriction in the config profile, so teachers only can install apps confirmed by microsoft in the app store.
But i'm a global admin.. so why is that box shown to me? I cant bring in admin or account details to prove i'm an admin and i'm allowed to install apps.
When i go to the download folder, right click on the exe file that i want to install, then i see "run as administrator". when i do that i get the app box again...
So i seems that Intune is not recognize me as an admin..
The devices are registered under my admin account.
When i first started the laptop -> register for an organization -> logged in with my admin account. -> device shows "registered".
Is that the wrong way? Didn't had the time back then, to use autopilot.
Are you guys registering the devices an other way?
I tried it with different exe files. ( okay i can prep the exe to another format an push it trough intune...)
But the problem is not only installing apps, when i'm logged on, i can't see the settings like system time, update pane,... ( also a restriction that i made for the teachers group), can't change network settings... again, despite that i'm a admin...
Did you receive the correct procedures on this one, I am kind of dealing with the same issues. My admin account works to install things. We do not have Intune set up at all. While mine works there is another admin account who's log in does not work.