Windows 10 1809 Intune Auto Enroll (GPO) without local admin

All replies

  • Hello,

    Based on my experience, even if the Azure AD user account doesn't have local administrator privileges, the device can still be enrolled successfully by using GPO.

    Firstly, could you please view the log at the following location in the Event Viewer: Applications and Services Logs->Microsoft->Windows->DeviceManagement-Enterprise-Diagnostics-Provider->Admin

    In addition, please also check the device in the Azure AD portal, and make sure the join type is Hybrid Azure AD joined. If there are duplicate device items with different join types, just remove the duplicate one.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 17, 2019 4:17 AM
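
Added example, not part of the original thread: a PowerShell sketch that gathers on the affected device the evidence the reply above asks for (the Admin log and the join type), plus the current user's local Administrators membership. The event channel name, event ID 75 as the success counterpart of 76, and the `AutoEnrollMDM` policy value are taken from Microsoft's enrollment documentation rather than from this thread; `Get-JoinState` is a hypothetical helper name.

```powershell
# Added example (not from the thread): gather enrollment evidence on the affected PC.
# Run it in the session of the user who fails to auto-enroll.
$logName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

function Get-JoinState {
    # Hypothetical helper: parse the "Name : Value" lines printed by dsregcmd /status.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

$join   = Get-JoinState
# Policy value written by the auto-enrollment GPO (absent if the GPO did not apply).
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
# 76 = auto MDM enroll failed (the event seen in this thread), 75 = succeeded.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 75, 76 } `
                -MaxEvents 20 -ErrorAction SilentlyContinue)

[pscustomobject]@{
    User                = "$env:USERDOMAIN\$env:USERNAME"
    # S-1-5-32-544 is BUILTIN\Administrators; it is listed even when not elevated.
    MemberOfLocalAdmins = [bool]((whoami.exe /groups) -match 'S-1-5-32-544')
    AzureAdJoined       = $join['AzureAdJoined']
    DomainJoined        = $join['DomainJoined']
    # Hybrid Azure AD joined means both values are YES.
    HybridJoined        = ($join['AzureAdJoined'] -eq 'YES') -and ($join['DomainJoined'] -eq 'YES')
    AutoEnrollMDM       = $policy.AutoEnrollMDM
    Event76Failures     = @($events | Where-Object Id -eq 76).Count
    Event75Successes    = @($events | Where-Object Id -eq 75).Count
} | Format-List

# Full text of the recent enrollment events, oldest first, for posting to a thread.
$events | Sort-Object TimeCreated | Select-Object TimeCreated, Id, Message | Format-List
```

Comparing the output from a standard user and from a local administrator on the same device shows whether the only difference between the failing and working cases is group membership.
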
  • Hi Andy,

    Thanks for your reply.

    The log is just giving a 76 event ID:

    Auto MDM Enroll: Failed (0x0)

    The device is in the portal and showing as Hybrid, with only one entry.


    MCSE Messaging, Productivity & Mobile MCSA Windows 8, 10, 2012 & Office 365 MCTS SCCM 2007 & 2012

    Friday, May 17, 2019 4:32 AM
  • Hello,

    Please check the AD account used to sign in, and make sure the account has already been synced in the Azure AD, and you have assigned the Intune license to this account. 

    You should check it in the Azure AD portal.

    Best regards,
    Andy Liu



    Friday, May 17, 2019 5:29 AM
  • Interestingly enough, I gave local admin to the user in question, and as soon as I logged in it registered.

    It would be great to have a confirmation of official documentation that this is a requirement, otherwise it will be hard to justify to the business that I temporarily need to give local admin permission to all users for them to be able to auto enroll in Intune (going desk by desk to manually enable is definitely a NO-GO).


    MCSE Messaging, Productivity & Mobile MCSA Windows 8, 10, 2012 & Office 365 MCTS SCCM 2007 & 2012

    Friday, May 17, 2019 5:33 AM
  • Hello,

    Interesting.

    I can enroll without local admin permissions.

    By the way, the OS is Windows 10 1809 Enterprise.

    Best regards,

    Andy Liu



    Friday, May 17, 2019 5:49 AM
  • Mine is Pro, but I don't think that should change anything, right?


    MCSE Messaging, Productivity & Mobile MCSA Windows 8, 10, 2012 & Office 365 MCTS SCCM 2007 & 2012

    Friday, May 17, 2019 6:01 AM
  • I'm not quite sure, but I think it should not.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 17, 2019 6:13 AM
  • Let's wait and see if someone can bring their experience of troubleshooting, or even if it worked for someone else without local admin.


    MCSE Messaging, Productivity & Mobile MCSA Windows 8, 10, 2012 & Office 365 MCTS SCCM 2007 & 2012

    Friday, May 17, 2019 6:38 AM
  • It worked fine for me on Windows 10 Pro 1809 using a standard user and the GPO to auto-enroll in Intune (the device was Hybrid Azure AD joined).

    Can you post more of the logs in Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics > Admin?

    Friday, May 17, 2019 7:25 AM
  • Hey Nick, was that a brand new image or an upgraded one? The case I was testing is a 1607 upgraded to 1803 then 1809 (I think a lot of people will have a lot of scenarios that involve older versions being upgraded). As I mentioned, the device mgmt log was only giving event 76 repeatedly with failed to enroll 0x0. I'll try to get another one with the client next week to test. Thanks

    MCSE Messaging, Productivity & Mobile MCSA Windows 8, 10, 2012 & Office 365 MCTS SCCM 2007 & 2012

    Friday, May 17, 2019 7:51 AM
  • It was a fresh 1809 Pro. Have you tried any of the troubleshooting steps here? https://support.microsoft.com/en-au/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune
    Friday, May 17, 2019 8:50 AM
  • Hey Nick, yeah, I did check all of those. I tried to manually enroll before adding the user as admin and got the error on the GUI saying the user didn't have permission to enroll (which I believe is expected not to work, correct?). Or should 1809 also allow standard accounts to manually enroll hybrid devices to Intune?

    MCSE Messaging, Productivity & Mobile MCSA Windows 8, 10, 2012 & Office 365 MCTS SCCM 2007 & 2012

    Friday, May 17, 2019 9:01 AM