I went and retire these Windows 10 devices from the old/legacy Intune portal. Now having problems registering the MDM on them.

Lee, Tina 1 Reputation point
2020-10-15T21:05:52.387+00:00

I went and retired these Windows 10 devices from the old/legacy Intune portal. Now I am having problems registering the MDM on them. I found out that the users have to be a local admin of the workstation, which we don't have at the present time.

Question:

  1. Is there a way to register the MDM without giving local admin rights to the end users?
  2. In the old/legacy Intune portal, these devices are company owned. However, when I tried to register them with the new MDM client, it tries to register them as BYOD devices. Yet these devices are already on our domain.

Thanks,

Microsoft Security | Intune | Configuration
Microsoft Security | Intune | Enrollment

4 answers

  1. Nick Hogarth 3,521 Reputation points Volunteer Moderator
    2020-10-15T23:06:16.82+00:00

    If they are domain joined, you can use a GPO to enroll the devices into Intune. They will be marked as corporate and not BYOD. https://learn.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy


  2. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2020-10-16T02:22:04.737+00:00

    @Lee, Tina, as far as I know, local administrative privileges are required for Bring Your Own Device (BYOD) enrollment in Intune. We can see more details at the following link:
    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/no-permission-to-enroll-windows-devices

    For devices in an on-premises AD domain, we can consider Nick's suggestion to automatically enroll Windows 10 devices using GPO. The following article is for reference:
    https://learn.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

    In general, for Windows enrollment, Intune automatically assigns corporate-owned status to devices that are:

    • Enrolled with a device enrollment manager account
    • Joined to Azure Active Directory with work or school credentials.
    • Autopilot enrollment
    • Windows 10 enrollment with GPO
    • Set as corporate in the device's properties list

    Hope it can help.




  3. Lee, Tina 1 Reputation point
    2020-10-20T05:11:16.103+00:00

    Hi Crystal-MSFT.

    Thanks for following up with me. We did follow this suggestion:
    For devices in an on-premises AD domain, we can consider Nick's suggestion to automatically enroll Windows 10 devices using GPO. The following article is for reference:
    https://learn.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

    However, we are still having some problems with it. There's a part in the documentation that talks about this:
    Additionally, verify that the SSO State section displays AzureAdPrt as YES.
    And the text is showing SSO = NO.

    I am not sure if maybe our Azure tenant is not joined correctly or we are missing something in the configuration setup.

    If you can point me in the right direction, I would appreciate it.

    I also have Microsoft technical support open on this too.

    Thanks again,


  4. s ganesamoorthy 161 Reputation points
    2020-10-20T05:57:25.187+00:00

    It seems the device has not connected to Azure for a long time. The PRT is valid for 14 days and is renewed when the user uses the device.

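The checks discussed in this thread (hybrid join state, the SSO State / AzureAdPrt value from `dsregcmd /status`, and whether the auto-enrollment GPO has actually landed on the box) can be collected in one place. The script below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes that `dsregcmd /status` prints its fields as `Name : VALUE` lines, and that the GPO "Enable automatic MDM enrollment using default Azure AD credentials" writes `AutoEnrollMDM = 1` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM`. The sample `dsregcmd` output at the bottom is constructed to mirror the symptom reported above (hybrid joined, PRT missing) so the script runs without touching a real device; drop the `-StatusLines` argument to run it against the live machine.

```powershell
# Added diagnostic (not from the thread): why is GPO-based MDM auto-enrollment not happening?
# Assumptions (mine): dsregcmd prints "Name : VALUE" lines; the auto-enrollment GPO sets
# AutoEnrollMDM=1 under HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Matches lines such as "   AzureAdPrt : NO"; section banners (+---/| ...) do not match.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Test-MdmAutoEnrollReadiness {
    param(
        # Default: query the live device. Pass captured output to test offline.
        [string[]]$StatusLines = (& "$env:windir\System32\dsregcmd.exe" /status),
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    )
    $s = ConvertFrom-DsregcmdStatus -Lines $StatusLines
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if ($s['DomainJoined'] -ne 'YES') {
        $findings.Add('Device is not joined to the on-premises AD domain.')
    }
    if ($s['AzureAdJoined'] -ne 'YES') {
        $findings.Add('Device is not hybrid Azure AD joined; check the SCP / Azure AD Connect device sync before expecting enrollment.')
    }
    if ($s['AzureAdPrt'] -ne 'YES') {
        # The PRT is per user: it is issued at interactive sign-in with the AD account and
        # needs line of sight to a DC and Azure AD. An elevated session for a different
        # admin account shows that admin's SSO state, not the enrolling user's.
        $findings.Add('No Primary Refresh Token in this user session; have the user sign in interactively and re-check dsregcmd /status as that user.')
    }

    $policy = Get-ItemProperty -Path $PolicyKey -Name AutoEnrollMDM -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.AutoEnrollMDM -ne 1) {
        $findings.Add("AutoEnrollMDM is not 1 under $PolicyKey; the GPO has not applied (try gpupdate /force, then gpresult /r).")
    }

    [pscustomobject]@{
        DomainJoined  = $s['DomainJoined']
        AzureAdJoined = $s['AzureAdJoined']
        AzureAdPrt    = $s['AzureAdPrt']
        TenantName    = $s['TenantName']
        Ready         = ($findings.Count -eq 0)
        Findings      = $findings.ToArray()
    }
}

# Constructed sample (not real output) reproducing the thread's symptom: hybrid joined, no PRT.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

Test-MdmAutoEnrollReadiness -StatusLines $sample | Format-List
```

Run it in the enrolling user's own session (not an elevated prompt for a separate admin account), because `AzureAdPrt` reflects the token of the user who launched `dsregcmd`; a `NO` there is expected for an account that has never signed in interactively while the device could reach both a domain controller and Azure AD, and it is the first thing to clear before the GPO enrollment task can succeed.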
