This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 48%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I have users all over the world and need to get computers added to Azure AD with intune to manage the computers.
On the Set up a work or school account screen, select Join this device to Azure Active Directory.
only shows when login as a local admin account.
I don't want to users to Join with user type: Administrator
The users are not and should not be local Administrator.
How do i join computer to intune with mdm?
The computers are already OOBE so i can't use the
Company Portal and self enroll if they are allowed to.
Users must be a local admin to join a domain (any kind of domain including AAD) and must also be local admins to enroll in MDM management. If this were not the case, anyone could take over your devices, i.e., it would be really, really, really ... really bad security wise.
Are the devices currently joined to an on-prem AD domain? Are they currently managed in any way?
there in a workgroup and not join to a any on-prem.
i was hoping to have users enroll them self by entering in there own 365 info. But if they need local admin if there a way to not have the user type: Administrator when they enroll.
was thinking of getting the ID of each computer import in to Azure.
Then have the user enroll in to azure-ad and mdm and use the device ID+ there 365 info with 2fa to enroll.
That's possible using Access Work and School today. You'll have to use the policies in Intune to remove local admin from their AAD account after they join AAD and enroll in Intune. See https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-available-to-configure-local-user-group-membership/ba-p/3093207
Keep in mind though that this will be a new user profile on the local device (there's no supported way to migrate the data from the local account to an AAD account). Also, the local account will still exist and have local admin permissions unless you do something to disable or remove it (like run a PowerShell script from Intune). This will of course delete the local profile though so could cause data loss.
This is all manageable if you are prepared for it, but none of it is handled automatically so you need to test and validate and adjust accordingly. Brining in an experienced third party may be advisable as well.
I know about the new profile and i am good with that part. I have done the disable all local profile and create a new local admin account for back up.
Does intune powershell command run at admin level when trigger from intune?
Moving from GPO computer/user level to only intune i have not gotten the full scope of the Pro/Cons yet.
O one more thing is there a way to turn off the requiring to make a pin number when joining azure ad.
When i join azure ad with the users 365 info it ask to create a MS Pin# for password. Need to turn this off as the users will only use there 365 info to login to the computer.
Does intune powershell command run at admin level when trigger from intune?
If you want it to, yes.
Moving from GPO computer/user level to only intune i have not gotten the full scope of the Pro/Cons yet.
Not exactly sure what this means. There are still user-based and computer-based policies in Intune. They are just assigned differently than the method used with GPOs.
one more thing is there a way to turn off the requiring to make a pin number when joining azure ad.
Why do you want to? Windows Hello for Business is the first step to eliminating the largest security weakness in every org: passwords.
we are enforcing 2fa for all windows login adding PIN will confuse people
Not possible to the best of my knowledge. Windows Hello for Business requires a PIN in case biometrics fail (for whatever reason).
ok if it must be made what about making the password as the default option when the user log in. It goes to Pin when the user reboots after joining Azure AD.