This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 88%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
I went and retire these Windows 10 devices from the old/legacy Intune portal. Now having problems registering the MDM on them. Found out that the users have to be a local admin of the workstation which we don't have at the present time.
Question:
Thanks,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 66%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
If they are domain joined, you can use a GPO to enroll the devices into Intune. They will be marked as corporate and not BYOD. https://learn.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Lee, Tina , Based as I know, Local administrative privileges are required for Bring Your Own Device (BYOD) enrollment in Intune. we can see more details in the following link:
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/no-permission-to-enroll-windows-devices
For Device in on premise AD domain, we can consider Nick's suggestion to automatically enroll windows 10 device using GPO. The following article for the reference:
https://learn.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy
In General, for the windows enrollment, Intune automatically assigns corporate-owned status to devices that are:
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Lee, Tina , How's everything going? If there's anything else we can help, feel free to let us know.
Hi Crystal-MSFT.
Thanks for following up with me. We did follow this suggestion:
For Device in on premise AD domain, we can consider Nick's suggestion to automatically enroll windows 10 device using GPO. The following article for the reference:
https://learn.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy
However, we are still having some problems with it. There's a part in the documentation where it talks about th is part:
Additionally, verify that the SSO State section displays AzureAdPrt as YES.
And the text is showing SSO = NO.
I am not sure if maybe our Azure tenant is not joined correctly or we are missing something in the configuration setup.
If you can point me in the right direction, I would appreciate it.
I also have Microsoft technical support open on this too.
Thanks again,
@Lee, Tina , , From your description, it seems to be failed to obtain Azure AD PRT. We can try to rejoin the device into Azure AD with the following steps.
However, if the issue still persists, we suggest to submit on Azure AD Q&A to check the issue. Or open a case to Azure AD support to fix it:
https://learn.microsoft.com/en-us/answers/topics/azure-active-directory.html
Hope it can help.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 40%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Seems the device is not connected to Azure for a longer time, PRT is valid for 14 days and will be renewed when the user using the device