No Admin Access After SCCM Client Install

Question

No Admin Access After SCCM Client Install

bob ross 101

I finally got my SCCM Client install from Intune to an AAD Joined device working. Strangely enough my online admin account cannot elevate on the device any longer. This device has all workloads set to intune. My admin account is an intune admin, cloud device admin, and local aad device admin. Has anyone else seen or gone through this?

to clarify - the device went from aad joined to hybrid aad joined. it is not on the domain. it is showing in sccm and i went ahead and added it to the pilot intune group that i have set up for the configuration workloads

0 comments

2 answers

Your answer

Answer 1

Jason Sandys 31,421 Microsoft Employee Moderator

I am unable to try with my domain Admin account as it only asks for an email addresss

Right because that identity and its authority (your on-prem AD domain) are unknown to the device.

Any idea why the admin access no longer works?

What does this mean in technical terms? What are you trying to do exactly? WHat exactly is not working? What messages are displayed when you are attempting the action? Etc.?

bob ross 101 Reputation points

2021-07-06T21:17:31.633+00:00

anytime you perform an action that needs elevation (ex. open cmd as admin) and i put in my credentials that worked before the client was installed, and i get a message back saying "the requested action requires elevation".
bob ross 101 Reputation points

2021-07-06T21:19:02.223+00:00

I think the correct terminology for the state of the device went from "Aad joined" to "aad joined in a co-managed state"
Jason Sandys 31,421 Reputation points Microsoft Employee Moderator

2021-07-06T21:23:46.607+00:00

and i put in my credentials

What credentials exactly? From your AAD account in the format of ******@AADDomain.com?
bob ross 101 Reputation points

2021-07-07T13:44:34.557+00:00

exactly. aad account that is intune admin, intune service admin, and aad joined local admin
Jason Sandys 31,421 Reputation points Microsoft Employee Moderator

2021-07-07T15:02:49.843+00:00

None of those roles grant local admin permissions although I don't know what "aad joined local admin" refers to.

Answer 2

Jason Sandys 31,421 Microsoft Employee Moderator

the device went from aad joined to hybrid aad joined

This is not possible without manually unjoining the device from the AAD domain first. Co-management (by virtue of enrolling the device into Intune) is not the same as hybrid AAD domain join and is unrelated to the device's domain join state. Also, hybrid AAD join, by definition, is an on-prem domain join + AAD registration by the device.

However, if you did somehow change the domain join state of the device, then that explains why your AAD account no longer works as an HAADJ device has no concept or ability to authenticate an AAD account for local purposes (like local admin permissions).

bob ross 101 Reputation points

2021-07-01T18:54:32.25+00:00

Sorry I think I misunderstood what Hybrid AAD Joined means. So the device was just AAD Joined, but had the SCCM Client installed on it. Any idea why the admin access no longer works? I am unable to try with my domain Admin account as it only asks for an email addresss

Share via

No Admin Access After SCCM Client Install

2 answers

Your answer