Question
Monday, June 5, 2017 11:29 AM
Hi all,
I am logged onto the system having Windows 10 1607 build with a standard local domain user account. But when I go to 'Start --> Settings --> Accounts --> Access work or school', the 'Enroll only in device management' option isn't shown at the bottom. Also, when I try to add a Azure AD account by clicking on 'Connect' and enter my email address, then click on 'Next', the following message is shown in red letters 'You don't have the right privileges to perform this operation. Please talk to your admin'. Also, above the 'Connect' option, a message in red is shown 'Sign in as an administrator to change device management settings'. The particular standard AD user account has been granted Intune and O365 license. Also, it is a 'DEM' account, i.e., Device Enrollment Manager. Please help resolve this issue by letting this standard user account allow to enroll in device management. Kindly suggest what rights and privileges need to be granted to this user account for it to be able to enroll itself in MDM.
All replies (12)
Tuesday, June 6, 2017 10:07 AM ✅ Answered
Is there a way around this such that a normal standard domain user can also have the privilege to enroll in device management? What privileges should it hold for this purpose?
Hi,
Firstly, it is not supported to enroll on-premises domain-joined devices into MDM. So the "Enroll only in device management" option will not appear; that's by design.
Additionally, enrolling your devices into MDM needs a user with local admin rights signed in, but adding a work or school account doesn't.
Regards,
Jimmy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Monday, June 5, 2017 1:59 PM
As indicated by the message you clearly typed in, the account needs to be a local administrator -- currently, there is no way around this.
Jason | http://blog.configmgrftw.com | @jasonsandys
Tuesday, June 6, 2017 7:24 AM
Is there a way around this such that a normal standard domain user can also have the privilege to enroll in device management? What privileges should it hold for this purpose?
Wednesday, June 7, 2017 5:45 AM
Thank you for your help... but I have a query regarding it. Can I create a provisioning package and deploy it to normal domain users so that they just have to add it and apply it? Thus, the system will be enrolled in MDM.
Wednesday, June 7, 2017 1:43 PM
I don't think provisioning packages include MDM enrollment. Even if they do though, applying a provisioning package requires local admin permissions.
Making privileged changes to a system requires local admin permissions; if it didn't, hackers would really have an easy time.
Jason | http://blog.configmgrftw.com | @jasonsandys
Thursday, June 8, 2017 6:21 AM
Thank you for your help... but I have a query regarding it. Can I create a provisioning package and deploy it to normal domain users so that they just have to add it and apply it? Thus, the system will be enrolled in MDM.
Hi,
No, as noted above, on-premises domain-joined computers cannot be enrolled and managed via Intune MDM; they should be managed via GP or SCCM. You can only configure automatic registration of these domain-joined devices with Azure AD. Please see this doc for more details:
/en-us/azure/active-directory/active-directory-azureadjoin-devices-group-policy
Regards,
Jimmy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, August 24, 2017 11:17 PM
Thank you for your help... but I have a query regarding it. Can I create a provisioning package and deploy it to normal domain users so that they just have to add it and apply it? Thus, the system will be enrolled in MDM.
Hi,
No, as noted above, on-premises domain-joined computers cannot be enrolled and managed via Intune MDM; they should be managed via GP or SCCM. You can only configure automatic registration of these domain-joined devices with Azure AD. Please see this doc for more details:
/en-us/azure/active-directory/active-directory-azureadjoin-devices-group-policy
Regards,
Jimmy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Hi Jimmy. Is there any official wording around corporate domain-joined machines managed via Intune MDM being unsupported? There seems to be a lot of confusion around this.
There is a growing use case to keep laptops domain-joined (for GPO, access to applications, etc.), yet leverage MDM capabilities, e.g. remote wipe.
Friday, August 25, 2017 1:58 AM | 1 vote
Hi nerdfinger,
I'm sorry for the confusion I caused you; the reply I posted is actually not true. The truth is that you can enroll on-premises domain-joined devices into MDM, but if the device has the ConfigMgr agent installed at the same time, the "Enroll only into Device Management" option will not appear.
In other words, devices with the ConfigMgr agent installed cannot be enrolled into MDM; simply domain-joined devices are supported to enroll into Intune MDM.
Regards,
Jimmy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Monday, August 28, 2017 12:31 AM
Hi Jimmy,
I appreciate your response as it has been difficult finding clarity around this scenario. I have another question on this topic.
Regarding the link here:
https://docs.microsoft.com/en-us/sccm/core/clients/deploy/deploy-clients-to-windows-computers
The section "How to install clients to Intune MDM-managed Windows devices" suggests you can have an MDM enrolled device with the ConfigMgr agent installed at the same time.
Is this scenario only valid for WORKGROUP devices? And does the ConfigMgr agent need to be installed after MDM enrolment (and not the other way round)?
Thanks!
Monday, August 28, 2017 8:58 AM
Hi,
The devices are managed via MDM first, then switched to being managed via ConfigMgr; they are not managed by both at the same time. When the ConfigMgr client is installed, the device will be unenrolled from Intune.
Regards,
Jimmy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
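The thread turns on four facts about the client that are easy to get wrong by eye: whether the signed-in user is actually a member of local Administrators (Jason's June 5 reply and Jimmy's June 6 reply), whether the device is domain-joined or Azure AD joined, whether the ConfigMgr client is present (Jimmy's August 25 correction), and whether an MDM enrollment already exists (Jimmy's August 28 note that installing the ConfigMgr client unenrolls the device). The following read-only PowerShell diagnostic is an added example, not code from the thread or from Microsoft; it gathers those facts on a Windows 10 client so an admin can see which one is blocking enrollment before changing any rights. It assumes the "Key : Value" line format of dsregcmd /status and the HKLM\SOFTWARE\Microsoft\Enrollments layout (per-enrollment UPN and ProviderID values) as commonly seen on Windows 10; both are assumptions, not a documented contract.

```powershell
# Added diagnostic (not from the thread). Run as the standard user in a normal,
# non-elevated PowerShell 5.1 session on the Windows 10 client. Changes nothing.
function Get-MdmEnrollmentReadiness {
    [CmdletBinding()]
    param()

    # 1. Local Administrators membership: the requirement the replies state.
    #    The group SID is checked in the logon token rather than via
    #    IsInRole(Administrator), because under UAC a non-elevated admin still
    #    carries S-1-5-32-544 (deny-only) in the token. So IsLocalAdmin reflects
    #    membership, IsElevated reflects whether this session is elevated.
    $identity     = [Security.Principal.WindowsIdentity]::GetCurrent()
    $adminsSid    = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $isLocalAdmin = [bool]($identity.Groups -contains $adminsSid)
    $isElevated   = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. Join state from dsregcmd /status. Assumption: lines look like
    #    "   DomainJoined : YES"; anything that does not match is ignored.
    $ds = @{}
    foreach ($line in (& "$env:SystemRoot\System32\dsregcmd.exe" /status 2>$null)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $ds[$Matches[1]] = $Matches[2] }
    }

    # 3. ConfigMgr client presence (service CcmExec). Per the thread, installing
    #    it moves the device out of Intune MDM management.
    $ccm       = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $ccmStatus = if ($ccm) { [string]$ccm.Status } else { 'not installed' }

    # 4. Existing MDM enrollments. Assumption: each real enrollment is a GUID
    #    subkey carrying a UPN value; keys without a UPN are internal and skipped.
    $enrollments = @()
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (Test-Path -Path $base) {
        foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($props.UPN) {
                $enrollments += [pscustomobject]@{
                    Id         = $key.PSChildName
                    UPN        = $props.UPN
                    ProviderID = $props.ProviderID
                }
            }
        }
    }

    # Summarise: state the blocker, if any, in the same terms the thread uses.
    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $isLocalAdmin) {
        $findings.Add("User '$($identity.Name)' is not in local Administrators: 'Enroll only in device management' will be hidden and Connect will be refused.")
    } elseif (-not $isElevated) {
        $findings.Add("User is a local admin but this session is not elevated; Settings will prompt for consent when enrolling.")
    }
    if ($ccm) {
        $findings.Add("ConfigMgr client is installed ($ccmStatus): the device is expected to be managed by ConfigMgr, not Intune MDM.")
    }
    if ($enrollments.Count -gt 0) {
        $findings.Add("Device already has $($enrollments.Count) MDM enrollment(s) recorded; check the UPN before enrolling again.")
    }
    if ($findings.Count -eq 0) { $findings.Add('No blocker detected for MDM enrollment by this user.') }

    [pscustomobject]@{
        User            = $identity.Name
        IsLocalAdmin    = $isLocalAdmin
        IsElevated      = $isElevated
        DomainJoined    = $ds['DomainJoined']
        AzureAdJoined   = $ds['AzureAdJoined']
        WorkplaceJoined = $ds['WorkplaceJoined']
        MdmUrl          = $ds['MdmUrl']
        ConfigMgrClient = $ccmStatus
        Enrollments     = $enrollments
        Findings        = $findings
    }
}

Get-MdmEnrollmentReadiness | Format-List
```

Run it once as the standard user who sees the red "Sign in as an administrator" message and once as the admin account that can enroll; the difference in IsLocalAdmin and Findings is the whole story of the original question, and the ConfigMgrClient and Enrollments fields show the state Jimmy describes in his August replies without touching the device.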
Wednesday, August 30, 2017 12:39 AM
Hi,
The devices are managed via MDM first, then switched to being managed via ConfigMgr; they are not managed by both at the same time. When the ConfigMgr client is installed, the device will be unenrolled from Intune.
Regards,
Jimmy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Ok thank you Jimmy!
Thursday, October 4, 2018 12:57 AM
Hello,
I agree I can enrol a computer in Intune using a domain account when the account has administrative privileges. But when this is a standard user, the message 'You don't have the right privileges to perform this operation. Please talk to your admin' forbids it.
Is there a way to overcome this when there is no sync (AD Connect) between on-premises AD and Azure AD?
Thank you