question

0 Votes
KavinduAsangaDayananda-1079 asked, Crystal-MSFT commented

Can device administrator install local software/applications on a device

Hi,

We have some PCs deployed via a "Standard User" autopilot profile (Hybrid Azure AD). However we have created a policy to get a elevated prompt when a user wants to install a software and if we enter global administrator credentials, it will install the application. But we don't want to give helpdesk users this GA permissions and want to know whether "Device Administrator" in Azure AD can perform this?

Regards,

Kavindu

Tags: mem-intune-general, mem-intune-device-configurations, mem-intune-enrollment

0 Votes
Crystal-MSFT answered

@KavinduAsangaDayananda-1079, for users with the Device Administrators role, they become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. From your description, it seems the devices are Hybrid Azure AD joined devices. Based on my research, it is not suitable for Hybrid Azure AD joined devices. We can see more details in the following link:
https://dirteam.com/sander/2020/08/31/knowledgebase-the-device-administrator-role-is-not-available-on-the-roles-and-administrators-pane-in-the-azure-portal/
Note: Non-Microsoft link, just for reference.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



0 Votes
KavinduAsangaDayananda-1079 answered, Crystal-MSFT commented

Hi Crystal,

Thanks for your reply.

I understand that "Device Administrator" will not work on "Hybrid Azure AD" joined PCs, but then what is the recommended way of having this? I couldn't find a proper MS article for this.

Regards,
Kavindu


@KavinduAsangaDayananda-1079, to install applications or software on computers, we need local administrator permission. For our situation, I have two suggestions in mind:

Suggestion 1: Create GPO and add related account with local administrator permission.

Suggestion 2: Or we can consider creating a local user and adding it to the local Administrators group:
https://social.technet.microsoft.com/Forums/en-US/95b1baba-d040-443c-8df1-a1d5b3cb5eb9/create-local-user-account-and-make-it-as-administrator-using-intune-policy?forum=microsoftintuneprod

Hope it can help.


If the response is helpful, please click "Accept Answer" and upvote it.

0 Votes 0 ·
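As an added illustration of the approach in the comment above (not code from the thread or from Microsoft), the script below grants local administrator rights on a Hybrid Azure AD joined device by adding an on-premises AD security group to the local Administrators group, which is the same thing the Restricted Groups / Group Policy Preferences route achieves declaratively. It is written to be deployed as an Intune PowerShell script or a GPO startup script running as SYSTEM. The group name `CONTOSO\Helpdesk-LocalAdmins` is an assumed placeholder; the built-in Administrators group is resolved by its well-known SID so the script is not tied to the English group name.

```powershell
# Added example, not from the original thread. Assumes it runs as SYSTEM via an
# Intune PowerShell script or a GPO startup script on a Hybrid Azure AD joined device.
# Adds a domain security group to the local Administrators group so that its members
# can satisfy the UAC elevation prompt without holding a tenant-wide Azure AD role.
# 'CONTOSO\Helpdesk-LocalAdmins' is an assumed placeholder group name.

param(
    [string]$GroupToAdd = 'CONTOSO\Helpdesk-LocalAdmins'
)

# Resolve the built-in Administrators group by well-known SID (S-1-5-32-544)
# so the script also works on non-English Windows installations.
$adminsSid   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$adminsGroup = Get-LocalGroup -SID $adminsSid

# Get-LocalGroupMember can throw when an orphaned SID (deleted account) is present
# in the group; treat that as "membership unknown" rather than aborting the script.
try {
    $members = Get-LocalGroupMember -Group $adminsGroup -ErrorAction Stop
} catch {
    Write-Warning "Could not enumerate $($adminsGroup.Name): $($_.Exception.Message)"
    $members = @()
}

# Idempotent: only add the group if it is not already a member, so repeated
# Intune/GPO runs do not error out.
$alreadyMember = $members | Where-Object { $_.Name -ieq $GroupToAdd }

if (-not $alreadyMember) {
    Add-LocalGroupMember -Group $adminsGroup -Member $GroupToAdd
    Write-Output "Added $GroupToAdd to $($adminsGroup.Name)"
} else {
    Write-Output "$GroupToAdd is already a member of $($adminsGroup.Name)"
}

# Report the resulting membership so the script output (visible in the Intune
# management extension log) records exactly who holds local admin on this device.
Get-LocalGroupMember -Group $adminsGroup |
    Select-Object Name, ObjectClass, PrincipalSource
```

Using a domain group rather than a shared local account keeps the credential entered at the elevation prompt tied to an individual helpdesk user, and the final membership listing gives the defender a per-device record of who can elevate.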

Suggestion 1 will not work on Hybrid Azure AD domain devices.

0 Votes 0 ·

@Jason-MSFT , Thanks for the notification, I will modify my reply.

0 Votes 0 ·

@KavinduAsangaDayananda-1079, How's everything going? If there's anything else we can help, feel free to let us know.

0 Votes 0 ·

Same as you always have with on-prem domain joined devices: Group Policy.

0 Votes 0 ·