Disabling admin privileges for work account users on assigned devices - Intune / Microsoft Endpoint Manager

Liam Fermoyle 41 Reputation points
2021-01-29T09:44:21.827+00:00

We are working towards our Cyber Essentials Plus.

One part is to make sure Administrator privilege on endpoint devices is not used on a day to day basis. All users need to be set to a "standard" type account.

Currently it seems that Azure forces the admin privilege automatically due to the device being associated to the users account.

In AzureAD I am unable to Manage the devices due to them not being set up in Endpoint Manager (Intune).

We are currently testing Intune (limited 5 device license); however, I am unable to add any of our existing devices which are currently AzureAD joined - even though they are included in the group specified in the deployment policy. I have even tried to import a device using the import feature using a CSV - erroring due to the device already being AAD joined (see image attached).

Of course I can un-join the device from AAD but that may mean forcing users to have to reconnect to the devices as if it was the first time using the laptop.

Is it possible to force the join?

AAD version: Azure AD for o365 - EDIT: we are now trialing 365 business premium 1 (AAD premium1)


1 answer

  1. VipulSparsh-MSFT 16,236 Reputation points Microsoft Employee
    2021-01-29T12:29:29.523+00:00

    @Liam Fermoyle Thanks for reaching out.

    The concern regarding a normal user being the admin after connecting to Intune can be solved in 2 ways with Endpoint Manager.

    Windows Autopilot - Windows Autopilot provides you with an option to prevent the primary user performing the join from becoming a local administrator. You can accomplish this by creating an Autopilot profile.
    Bulk enrollment - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an auto-created user. Users signing in after a device has been joined are not added to the Administrators group.

    Coming to your next issue with forcing the join: as long as AAD detects that the device is already AAD joined, it will continue to throw that error. You can delete the device from the Devices list in AAD and try again. If not, then you must remove the device from AAD and re-join.
    This device seems to have followed the Autopilot path before as well and somehow not properly completed the process.

    A support case with the Intune team will help you investigate further.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

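Whichever enrollment path is used, the Cyber Essentials control the question asks about can be verified on the device itself. The following audit script is an added example, not from the question, the answer or Microsoft; it assumes a Windows 10/11 device, an elevated session, and that Azure AD work accounts appear in the local Administrators group as `AzureAD\user@tenant` or with `PrincipalSource` of `AzureAD`.

```powershell
#Requires -Version 5.1
# Added audit example (not from the question or answer above): lists the members of the
# local Administrators group and flags Azure AD work accounts, i.e. the day-to-day admin
# membership that should be removed for Cyber Essentials. Run in an elevated session.

function Get-AzureJoinState {
    # dsregcmd /status prints an "AzureAdJoined : YES|NO" field among many others
    $status = & dsregcmd.exe /status 2>$null
    $line = $status | Where-Object { $_ -match '^\s*AzureAdJoined\s*:' } | Select-Object -First 1
    if ($line -match ':\s*(\w+)') { return $Matches[1] } else { return 'UNKNOWN' }
}

function Get-AdminMembership {
    try {
        # PrincipalSource distinguishes Local, ActiveDirectory, AzureAD and MicrosoftAccount members
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    } catch {
        # Get-LocalGroupMember can fail when the group holds an orphaned Azure AD SID;
        # fall back to the classic tool and parse its member list (source is then unknown)
        $raw = & net.exe localgroup Administrators
        $members = $raw |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command)' } |
            ForEach-Object { [pscustomobject]@{ Name = $_.Trim(); PrincipalSource = 'Unknown'; ObjectClass = 'Unknown' } }
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Name          = $m.Name
            Source        = $m.PrincipalSource
            Class         = $m.ObjectClass
            # AzureAD\user@tenant entries are the work accounts that should normally be standard users
            IsWorkAccount = ($m.Name -like 'AzureAD\*') -or ("$($m.PrincipalSource)" -eq 'AzureAD')
        }
    }
}

Write-Host "AzureAdJoined: $(Get-AzureJoinState)"
$report = Get-AdminMembership
$report | Format-Table -AutoSize
$flagged = @($report | Where-Object { $_.IsWorkAccount })
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) Azure AD work account(s) hold local admin rights on $env:COMPUTERNAME"
}
```

Running this before and after applying an Autopilot profile or bulk enrollment shows whether the signing-in user was actually kept out of the Administrators group.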