Share via

Convert from Azure AD registered to Azure AD Joined without local admin rights

Daniel Monks 26 Reputation points
2022-03-08T22:00:24.407+00:00

Hello,

We have an issue with a large number of machines our client has inherited. Our client has absorbed a couple of companies and the machines that were associated with those users.

The issue is we can't get Intune to deploy to these machines since the users are signed into local account that do NOT have local admin rights to the machine. These machines are Azure AD Registered, but we need to get them to a Azure AD Joined or Hybrid state. We do not have the passwords for the local users that do have local admin rights on the machines, so we can't get any new software installed or provision our RMM tools.

Is there any way to get the devices moved to Azure AD Joined or grant local admin rights without resetting the device to factory and running through AutoPilot?

Microsoft Security | Intune | Enrollment
Microsoft Security | Intune | Other
0 comments
Accepted answer
  1. Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
    2022-03-09T20:46:21.103+00:00

    Is there any way to get the devices moved to Azure AD Joined or grant local admin rights without resetting the device to factory and running through AutoPilot?

    No. Local admin permissions are required to join a device to a domain (AD or AAD doesn't matter) or enroll it into MDM. If this were not required, any bad actor, even unintelligent ones, would already have taken over all of your user's systems.

    AAD Registration is just that, a simple registration of a device by the user, it doesn't endow or grant any sort of control over that device in any way.

    2 people found this answer helpful.

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Rahul Jindal [MVP] 10,911 Reputation points MVP
    2022-03-08T23:19:10.817+00:00

    Have you considered using provisioning package for joining into AAD and auto-enrollment?

    1 person found this answer helpful.
  2. Lu Dai-MSFT 28,501 Reputation points
    2022-03-09T04:52:23.46+00:00

    @Daniel Monks Thanks for posting in our Q&A.

    To clarify this issue, could you please tell us if the devices are already manged by intune? If yes, we can try to write a Powershell script to create a local admin user and deploy this script via intune.

    I have done the test in my lab. I will share you some screen shots:
    Script:
    181273-image.png

    Settings of script policy in intune portal:
    https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension#create-a-script-policy-and-assign-it
    181186-image.png

    Results:
    I can see the new admin user in the Administrator group.
    181068-image.png

    Now we can disconnect the account in Settings > Accounts > Access work or school. Then we can follow the steps under "To join an already configured Windows 10 device" in the following link to make the device Azure AD joined.
    https://support.microsoft.com/en-us/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973

    Hope it will help.

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.