Device Enrollment

Question

Recently we found multiple scenarios in one of our production environment.

X user has administrator privileges on a Windows 10 device it is successfully getting enrolled to intune for two different organizations simultaneously.

If we remove administrator privileges of X user from the same Windows 10 device it throws an error while enrolling second organization intune which is expected normal scenario.

 

Question is why does it successfully get enrolled with X user having administrator privileges.

Have anybody experienced similar problems or is it Microsoft bug?

 

 

Answers ( 2 )

    2
    2020-07-02T22:15:19+05:30

    What you mean by getting enrolled in two environments, please?

    You might have more details in the event logs to understand the issue of the problem with non-admin users…

    Are you checking about

    Azure AD registration or MDM enrollment process

    I’m sure Azure AD join is not possible twice for sure …

    I have seen this scenario (Azure AD registration) when you install RD client for WVD etc… but that is by design …

    Best answer
      0
      2020-07-03T12:30:47+05:30

      Hi Anoop – Thanks for your response.
      I am also from Abhi team.
      We have enabled Auto MDM and WIP (Silent – With enrollment) policy for all users to protect data on BYOD devices.

      The scenario is, The vendor device is local AD domain joined and AAD registered with vendor domain. The vendor managed device is enrolling automatically when the user is using Customer ID to signing in Outlook or Excel app with admin (Vendor account) access on the device, when they try to enroll in Settings – Account – Access work or school account – connect , with this option they are getting “the device is already managed by other organization” error, even with admin access same error.

      Without admin access, it is just registering the device into Customer AAD (This is what we are expecting in all scenario). The question is, why it is enrolling the device into customer Intune with admin access, is this expected behavior? Our understanding and expectation is, since the device is already vendor domain joined it should not enroll into customer Intune , even with Admin access. Is there any way we can stop this. The expected outcome is only BYOD and non-domain or MDM managed devices should enroll into Intune. Thanks for your time!!

Leave an answer

Sorry, you do not have permission to answer to this question .