How to get who the device primary user is on an enrolled device without an Azure AD request?

Mountain Pond 1,141 Reputation points
2023-05-20T15:24:24.8733333+00:00

Hi,

Is it possible to get information on a device that is enrolled in Intune about who the Primary user for this device is, without a connection to Azure AD? Using commands like dsregcmd /status or something else.

Thank you.

Microsoft Intune Enrollment
Microsoft Intune

4 answers

  1. Lu Dai-MSFT 28,346 Reputation points
    2023-05-22T02:50:21.89+00:00

    @Denis Pasternak Thanks for posting in our Q&A.

    For this issue, if you want to get the device primary user via Graph, it still needs an Azure AD account to sign in to Microsoft Graph Explorer. And then run the request.

    We can use the following request to get the Primary User.

    https://graph.microsoft.com/beta/deviceManagement/managedDevices/{managedDeviceId}/users
    
    

    If you want to get device primary user via PowerShell script, please refer to the following link.

    https://github.com/microsoftgraph/powershell-intune-samples/blob/master/ManagedDevices/Win10_PrimaryUser_Get.ps1

    Hope it will give you some ideas.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

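The request above, called from PowerShell with the Microsoft Graph SDK, as an added example that is not part of Lu Dai-MSFT's answer. It signs in with a read-only delegated scope rather than an app secret, looks the device up by name on v1.0, and then reads the beta `/users` relationship from the answer. The function name `Get-IntunePrimaryUser`, the sample device name, the `DeviceManagementManagedDevices.Read.All` scope and the use of the device's `userPrincipalName` property are assumptions of this example, not something the answer states.

```powershell
# Added example (not from the answer above): query the primary user of an
# Intune-managed device via Microsoft Graph from PowerShell.
# Assumptions: the Microsoft.Graph module is installed, the signed-in account
# has been granted DeviceManagementManagedDevices.Read.All (read-only), and
# 'DESKTOP-EXAMPLE' is a constructed device name.

function Get-IntunePrimaryUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$DeviceName
    )

    # Least-privilege, read-only delegated scope: enough to list devices and their users.
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

    # Find the managed device by name on v1.0. The managedDevice object already
    # carries userPrincipalName of the primary user, which is often all you need.
    $escaped = $DeviceName -replace "'", "''"   # escape single quotes for the OData filter
    $lookupUri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
                 "?`$filter=deviceName eq '$escaped'&`$select=id,deviceName,userPrincipalName"
    $lookup = Invoke-MgGraphRequest -Method GET -Uri $lookupUri
    $device = $lookup.value | Select-Object -First 1
    if (-not $device) {
        throw "No managed device named '$DeviceName' was found."
    }

    # The /users relationship (beta endpoint from the answer) returns the user
    # object(s) assigned as primary user of that device.
    $usersUri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($device.id)/users"
    $users = Invoke-MgGraphRequest -Method GET -Uri $usersUri

    foreach ($u in $users.value) {
        [pscustomobject]@{
            DeviceName      = $device.deviceName
            ManagedDeviceId = $device.id
            PrimaryUserUpn  = $u.userPrincipalName
            PrimaryUserId   = $u.id
        }
    }
}

# Usage with a constructed device name:
# Get-IntunePrimaryUser -DeviceName 'DESKTOP-EXAMPLE'
```

Invoke-MgGraphRequest returns hashtables by default, so `.value` and `.id` are plain key lookups. An empty result from `/users` means no primary user is assigned (for example, a device enrolled without user affinity), which the v1.0 `userPrincipalName` property would also show as blank.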

  2. Mountain Pond 1,141 Reputation points
    2023-05-22T10:15:06.2966667+00:00
    1. Create an application.
    2. Grant read device list privileges in Intune.
    3. Read the list of users (to get the SID).

     

    The script to execute the request will receive a list of devices and the current owner. Find out their SID and add it to the local administrators group.

    This will allow an admin to change the local administrator by assigning the owner of the device from the Intune admin center.


    # Make sure the Microsoft.Graph module is installed, then load it
    IF ((Get-InstalledModule Microsoft.Graph -ErrorAction SilentlyContinue) -eq $null){
        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
        Install-Module Microsoft.Graph -Confirm:$false
        Import-Module Microsoft.Graph
    } ELSE {
        Import-Module Microsoft.Graph
    }
    
    
    # Populate with the App Registration details and Tenant ID (placeholder values).
    # A client secret embedded in a script that runs on endpoints is readable by
    # anyone with access to the device; a certificate credential is the safer option.
    $appid = '325fg34-2345-754r-436w-75634gfb34446bj566'
    $tenantid = '6434df35-23-231451-g4526-weqSe0r0932048'
    $secret = 'gWz8Q~slskdlaskwpuepioqwuiuiqwur'
     
    # Client credentials grant: app-only token for Microsoft Graph
    $body =  @{
        grant_type    = "client_credentials"
        scope         = "https://graph.microsoft.com/.default"
        client_id     = $appid
        client_secret = $secret
    }
     
    $connection = Invoke-RestMethod `
        -Uri "https://login.microsoftonline.com/$tenantid/oauth2/v2.0/token" `
        -Method POST `
        -Body $body
     
    $token = $connection.access_token
     
    # Optional for the Invoke-WebRequest call below, which sends the token itself.
    # Microsoft.Graph SDK 2.x expects a SecureString here:
    # Connect-MgGraph -AccessToken (ConvertTo-SecureString $token -AsPlainText -Force)
    Connect-MgGraph -AccessToken $token
    
    # The Graph API URL
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
     
    $method = "GET"
     
    # Run the Graph API query to retrieve the managed devices; each device object
    # carries the primary user in its userPrincipalName property
    $output = Invoke-WebRequest -Method $method -Uri $uri -ContentType "application/json" -Headers @{Authorization = "Bearer $token"} -ErrorAction Stop
    
    ($output.Content | ConvertFrom-Json).value
    

  3. Mountain Pond 1,141 Reputation points
    2023-05-22T10:19:48.45+00:00

    This is another way, using the registry.

    Start-Transcript -Path "$env:SystemRoot\Temp\elevate-first-logged-in-user-to-administrators.txt"
    
    # The MDM enrollment key stores the UPN of the user who enrolled the device;
    # the FirstSync subkey only exists under the real enrollment GUID
    $PATH = (Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments\*\FirstSync').Name -replace "\\FirstSync",'' -replace 'HKEY_LOCAL_MACHINE','HKLM:'
    $UPN = Get-ItemPropertyValue -Path $PATH -Name 'UPN'
    
    # Strip the tenant domain (contoso.com is a placeholder) to get the bare login name
    $LOGIN = $UPN -replace '@contoso.com'
    
    # Walk the loaded user hives; S-1-12-1-* SIDs belong to Azure AD accounts.
    # Only users who have signed in (hive loaded) appear under HKEY_USERS.
    New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS | Out-Null
    $SID = $null
    FOREACH ($RootHKC in (Get-ChildItem "HKU:\" -ErrorAction SilentlyContinue).Name | Where-Object {$_ -like "HKEY_USERS\S-1-12-1*" -and $_ -notlike "*_Classes"}){
    
        $HKUPATH = $RootHKC -replace "HKEY_USERS", "HKU:"
        # WorkplaceJoin\AADNGC\<key> holds the UPN (UserId) of that hive's Azure AD user
        $UserId = Get-ItemPropertyValue -Path "$HKUPATH\Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin\AADNGC\*" -Name 'UserId' -ErrorAction SilentlyContinue
        $UserId
        IF ($UserId -ne $null -and $UserId -eq $UPN){
            # This hive belongs to the enrolling user: keep its SID
            $SID = $RootHKC -replace "HKEY_USERS\\"
        }
    }
    Remove-PSDrive -Name HKU
    
    $PATH
    $UPN
    $LOGIN
    $SID
    Stop-Transcript
    

  4. dridley 161 Reputation points
    2023-11-21T03:41:25.3733333+00:00