Autopilot Reset via Intune – Cannot Delegate to Custom RBAC Role Without Intune Administrator

Pablo Gil 20 Reputation points
2026-03-12T16:48:50.6733333+00:00

Summary

We are trying to allow helpdesk agents to perform Autopilot Reset on Windows devices through Intune without granting them the full Intune Administrator M365 role. The button appears available in the portal for our agents but clicking it results in a failure. We as Intune Admins can perform the action without issue, confirming it is a permissions problem.


Environment

  • Tenant: Microsoft Entra ID / Intune (cloud-only)
  • Devices: Windows, Entra ID joined, Intune enrolled, Autopilot registered
  • Agent role: Custom Intune RBAC role

What We Have Tried

We created a custom Intune RBAC role for our helpdesk agents with the following relevant permissions assigned:

Remote Tasks:

  • Wipe ✅
  • Clean PC (Fresh Start) ✅
  • Reboot Now ✅
  • Sync Device ✅
  • Shut Down ✅
  • Remote Lock ✅
  • Set Device Name ✅

Managed Devices:

  • Read ✅
  • Update ✅
  • Delete ✅
  • Set Primary User ✅
  • View Reports ✅

Enrollment Program Tokens:

  • Read ✅

Despite having Wipe and ManagedDevices - Update permissions (which we believed were the requirements for Autopilot Reset), the action fails for agents while succeeding for accounts with the full Intune Administrator M365 role.


What We Checked

  • The device is online and recently synced with Intune
  • The device is correctly Autopilot registered and Entra ID joined
  • An Intune Administrator account can successfully perform Autopilot Reset on the same device
  • We reviewed all available Enrollment Programs permissions in the custom role — these appear to be Apple/ADE-related only and do not contain any Autopilot-specific permission
  • We reviewed all Remote Tasks permissions — there is no explicit "Autopilot Reset" permission listed
  • We reviewed available built-in roles and none fit our use case without giving broader access than needed

Our Questions

  1. Is Autopilot Reset exclusively available to the Intune Service Administrator M365 role and not delegable through custom Intune RBAC roles?
  2. If it can be delegated, which specific RBAC permissions are required?
  3. Is there a dedicated "Autopilot Reset" permission that is not visible in the current Intune portal role editor?
  4. Is this a known limitation and if so, is there a roadmap item to add granular Autopilot Reset delegation?
  5. As a workaround, would assigning the built-in Help Desk Operator role alongside a custom role expose this capability?
Microsoft Security | Intune | Other

Answer accepted by question author

  Q&A Assist
    2026-03-12T16:49:23.4+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.
    1. Remote Windows Autopilot Reset is documented as requiring the Intune Service Administrator role when initiated from Intune. The requirement is expressed as an Intune/Microsoft Entra admin role, not as an Intune custom RBAC permission. From the documentation:

      “To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed and joined to Microsoft Entra ID. Additionally, for Intune, the Intune Service Administrator role is required for remote Windows Autopilot Reset.”

      This means Autopilot Reset is effectively tied to the Intune Service Administrator role and not exposed as a granular, delegable Intune RBAC permission.
    2. The specific requirement for remote Autopilot Reset is membership in the Intune Service Administrator role. The context does not list any additional Intune RBAC permissions beyond that role requirement. Your custom role with Remote tasks/Wipe and Managed devices/Update aligns with the generic “wipe” action, but remote Autopilot Reset has an explicit prerequisite of Intune Service Administrator.
    3. There is no dedicated, visible “Autopilot Reset” permission in the Intune RBAC role editor in the provided documentation. Autopilot Reset is described as a remote action that can be triggered from Intune, but the only permission requirement called out is the Intune Service Administrator role.
    4. The documentation frames this as a requirement rather than a configurable option:
      • Remote Autopilot Reset: “Admins initiating a remote Windows Autopilot Reset must be a member of the Intune Service Administrator role.”
      No mention is made of delegating this via custom RBAC or of a roadmap for more granular delegation. The context does not provide any statement about future roadmap items or known limitations beyond this requirement.
    5. The built-in Help Desk Operator role is explicitly documented as being able to run the Autopilot Reset remote action:
      • For the Autopilot Reset remote action in Intune, the following roles are listed as sufficient:
        • Help Desk Operator
        • School Administrator
        • Custom role that includes:
          • Remote tasks/Wipe
          • Permissions that provide visibility into and access to managed devices (for example, Organization/Read, Managed devices/Read).
      So, as a workaround, assigning the built-in Help Desk Operator role should allow helpdesk agents to perform Autopilot Reset, provided the device meets the Autopilot Reset requirements (Microsoft Entra join, Intune enrollment, WinRE enabled, etc.). In contrast, for remote Windows Autopilot Reset as described in the Autopilot tutorial and overview, the requirement is still that the admin be a member of the Intune Service Administrator role. The context does not reconcile this difference beyond stating both:
      • Intune remote action page: Help Desk Operator / School Administrator / custom role with Wipe.
      • Autopilot Reset overview/tutorial: Intune Service Administrator required for remote Autopilot Reset.

    Given the provided information:

    • Autopilot Reset from the Intune admin center is allowed for Help Desk Operator, School Administrator, or a custom role with Remote tasks/Wipe plus device visibility.
    • Remote Windows Autopilot Reset (as a Windows Autopilot feature) additionally documents a requirement for Intune Service Administrator.
    • No separate, hidden “Autopilot Reset” RBAC permission is documented.

    The most supportable workaround in the context is to assign the Help Desk Operator role (and ensure the custom role includes Remote tasks/Wipe and the necessary read permissions) and verify that WinRE is enabled on the devices (reagentc.exe /enable) and that the devices meet all Autopilot Reset requirements.

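The accepted answer lists the permission set a custom role needs (Remote tasks/Wipe plus device visibility such as Managed devices/Read and Organization/Read) and the WinRE prerequisite. The PowerShell below is an added example, not code from the thread or from Microsoft: it reads the tenant's Intune role definitions through Microsoft Graph, reports which of those permissions a named custom role is missing, and parses `reagentc /info` on a device to confirm WinRE is enabled. The Graph resource-action identifiers are assumed to be the names behind the portal checkboxes, and the role name in the usage lines is hypothetical.

```powershell
# Added example (not from the Q&A thread). Requires the Microsoft.Graph PowerShell SDK.
# Assumption: the resource-action names in $Required are the Graph identifiers for the
# portal checkboxes "Remote tasks/Wipe", "Managed devices/Read" and "Organization/Read".
#Requires -Modules Microsoft.Graph.Authentication

function Get-IntuneRoleGap {
    param(
        [Parameter(Mandatory)] [string] $RoleDisplayName,
        [string[]] $Required = @(
            'Microsoft.Intune_RemoteTasks_Wipe',
            'Microsoft.Intune_ManagedDevices_Read',
            'Microsoft.Intune_Organization_Read'
        )
    )
    # Intune RBAC roles (built-in and custom) live under deviceManagement/roleDefinitions.
    # The list is small, so filter client-side rather than relying on $filter support.
    $uri   = 'https://graph.microsoft.com/beta/deviceManagement/roleDefinitions'
    $roles = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value
    $role  = $roles | Where-Object { $_.displayName -eq $RoleDisplayName } | Select-Object -First 1
    if (-not $role) { throw "Intune role '$RoleDisplayName' not found in this tenant" }

    # Flatten every allowedResourceActions entry across the role's permission blocks.
    $granted = @($role.rolePermissions.resourceActions.allowedResourceActions | Sort-Object -Unique)
    $missing = @($Required | Where-Object { $_ -notin $granted })

    [pscustomobject]@{
        Role     = $role.displayName
        BuiltIn  = [bool]$role.isBuiltIn
        Granted  = $granted
        Missing  = $missing
        Eligible = ($missing.Count -eq 0)   # true when every required action is present
    }
}

function Test-WinREEnabled {
    # reagentc /info prints a "Windows RE status: Enabled|Disabled" line; run elevated on the device.
    $info  = & reagentc.exe /info 2>&1
    $match = $info | Select-String -Pattern 'Windows RE status\s*:\s*(\w+)' | Select-Object -First 1
    if (-not $match) { throw 'Could not find "Windows RE status" in reagentc /info output' }
    return ($match.Matches[0].Groups[1].Value -eq 'Enabled')
}

# Usage. The role audit runs from an admin workstation; the WinRE check runs on the target device.
# Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All'
# Get-IntuneRoleGap -RoleDisplayName 'Helpdesk - Autopilot Reset'   # hypothetical role name
# if (-not (Test-WinREEnabled)) { & reagentc.exe /enable }
```

A role that reports `Eligible = True` but still fails the action points at something other than the custom role, such as a scope tag or assignment group that does not cover the device, or the device-side WinRE state the second function checks. Read-only Graph scope is enough for the audit; nothing here triggers the reset itself.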
