How get who is Device primary user on enrolled device without Azure AD request?

Mountain Pond 1,431 Reputation points
2023-05-20T15:24:24.8733333+00:00

Hi,

Is it possible get information on device that is enrolled to Intune, who is Primery user for this device, without conenction to Azure AD? Using commands like dsregcmd /status or somthing else.

Thank you.

Microsoft Intune Enrollment
Microsoft Intune Enrollment
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Enrollment: The process of requesting, receiving, and installing a certificate.
1,314 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,715 questions
{count} votes

4 answers

Sort by: Most helpful
  1. Lu Dai-MSFT 28,366 Reputation points
    2023-05-22T02:50:21.89+00:00

    @Denis Pasternak Thanks for posting in our Q&A.

    For this issue, if you want to get device primary user via Graph, it still needs to have an Azure AD account to sign in Microsoft graph explorer. And then run the request.

    We can use the following request to get the Primary User.

    https://graph.microsoft.com/beta/deviceManagement/managedDevices/{managedDeviceId}/users
    
    

    If you want to get device primary user via PowerShell script, please refer to the following link.

    https://github.com/microsoftgraph/powershell-intune-samples/blob/master/ManagedDevices/Win10_PrimaryUser_Get.ps1

    Hope it will give you some ideas.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Mountain Pond 1,431 Reputation points
    2023-05-22T10:15:06.2966667+00:00
    1. Create an application.
    2. Grant read device list privileges in Intune.
    3. Read the list of users (to get the SID).

     

    The script to execute the request will receive a list of devices and the current owner. Find out its SID and add it to the local administrators group.

    This will allows admin to change the local administrator by assigning the owner of the device from Intune admin center.

    msedge_nf6xBT9GqI

    IF ((Get-InstalledModule Microsoft.Graph -ErrorAction SilentlyContinue) -eq $null){
        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
        Install-Module Microsoft.Graph -Confirm:$false
        Import-Module Microsoft.Graph
    } ELSE {
        Import-Module Microsoft.Graph
    }
    
    
    # Populate with the App Registration details and Tenant ID
    $appid = '325fg34-2345-754r-436w-75634gfb34446bj566'
    $tenantid = '6434df35-23-231451-g4526-weqSe0r0932048'
    $secret = 'gWz8Q~slskdlaskwpuepioqwuiuiqwur'
     
    $body =  @{
        Grant_Type    = "client_credentials"
        Scope         = "https://graph.microsoft.com/.default"
        Client_Id     = $appid
        Client_Secret = $secret
    }
     
    $connection = Invoke-RestMethod `
        -Uri https://login.microsoftonline.com/$tenantid/oauth2/v2.0/token `
        -Method POST `
        -Body $body
     
    $token = $connection.access_token
     
    Connect-MgGraph -AccessToken $token
    
    #The Graph API URL
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices "
     
    $method = "GET"
     
    # Run the Graph API query to retrieve users
    $output = Invoke-WebRequest -Method $method -Uri $uri -ContentType "application/json" -Headers @{Authorization = "Bearer $token"} -ErrorAction Stop
    
    ($output.Content | ConvertFrom-Json).value
    
    0 comments No comments

  3. Mountain Pond 1,431 Reputation points
    2023-05-22T10:19:48.45+00:00

    This is other way, using registry.

    Start-Transcript -Path "$env:SystemRoot\Temp\elevate-first-logged-in-user-to-administrators.txt"
    $PATH = (Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments\*\FirstSync').Name -replace "\\FirstSync",'' -replace 'HKEY_LOCAL_MACHINE','HKLM:'
    $UPN = Get-ItemPropertyValue -Path $PATH -Name 'UPN'
    
    $LOGIN = $UPN -replace '@contoso.com'
    New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS
    FOREACH ($RootHKC in (Get-ChildItem "HKU:\" -ErrorAction SilentlyContinue).Name | Where-Object {$_ -like "HKEY_USERS\S-1-12-1*" -and $_ -notlike "*_Classes"}){
    
    $HKUPATH = $RootHKC -replace "HKEY_USERS", "HKU:"
    $UserId = Get-ItemPropertyValue -Path "$HKUPATH\Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin\AADNGC\*" -Name 'UserId' -ErrorAction SilentlyContinue
    $UserId
    IF ($UserId -ne $null -and $UserId -eq $UPN){
    $SID = $RootHKC -replace "HKEY_USERS\\"
    
    } ELSE {
        $false
    }
    }
    Remove-PSDrive -Name HKU
    
    $PATH
    $UPN
    $LOGIN
    Stop-Transcript
    
    0 comments No comments

  4. dridley 161 Reputation points
    2023-11-21T03:41:25.3733333+00:00
    0 comments No comments