Windows 10: Entra ID logon issues. Setting up company device

Hi, I am currently setting up a device via 'join this device to Microsoft entra ID' When I follow the prompts it keeps putting the user type as 'Administrator' Is this just because I am doing this on the local admin accountAs documentation references Then once the user signs in should the administrative permissions be revoked? I want the user to be treated as a member with limited permissions. Am I missing a step on the backend or is this hypothesis correct? Kind regards

:)

 

Some windows 11 devices shows as Entra ID registered in Intune

Some devices onboarded to Intune with self deploying Autopilot mode, and now they shows as Entra ID registered in Intune and not Entra ID joined. Why these shows Entra ID registered and how to make them appear Entra ID joined.

 

How to get non-domain joined in use systems to be entra joined without having to touch the system?

Hello, this is Emily.

What do you mean exactly by without having to touch each one??

To joine the device to entra AD, first of all, you need to make sure your computer is running Windows Pro edition, If it is Home edition, then you won't be able to add a work account.

If you have Pro, to do so, go to Settings > Accounts > Access Work or School, click on Connect.

Don't sign into your work email yet. Instead, click on "Join this device to Microsoft Entra ID". On the next step, you will be prompted to sign in, then you can sign in.

Once done, restart the computer and you can use "switch user" to sign in using the company email.

 

Allow only company-issued USB devices to be used

I'm trying to do some customization to our Windows 10 Enterprise installation image that is being deployed to multiple endpoints. Specifically, I'm trying to impose limitations to USB device connectivity in order to improve security:

• Prevent installation and use of any USB peripheral device (keyboards, etc)
  
• Prevent installation and use of any USB storage device that is not company-issued
  
• Use company-issued USB storage device that, once inserted, "unlocks" the use of peripheral devices
  
• Once that company-issued USB storage device is removed, again prevent use of any USB peripheral device
  

Is something like this in any way possible?

Here are a couple of things that I've tried doing:

• I've tried configuring GP to prevent installation of any device, but that's not actually going to work for us since there's going to be need for us to actually connect to those endpoints;
  
• I've tried to whitelist some of the devices, which works fine, however I'm stuck with Device ID whitelisting, which won't work since I would like to be able to issue multiple of those USB drives that act as a key for "unlocking" USB device use;
  
• I've tried creating an app that listens to USB connect/disconnect and trying to do something there, but with little success.
  

Just as a proof of concept, I whitelisted one USB device and created an autorun for that device in order to invoke GP changes and that works on connect, however not really sure how to tackle disconnects in those situations. But then again, that's not what we want to do. Is there a way to modify or enrich device information of a USB drive, to include some additional info, like a custom ID that we would generate and then automatically to whitelist all the devices that have that value?

In the end, there's actually two questions here:

• is the scenario listed at the beginning even possible to implement and
  
• is it possible to modify/enrich USB device information in order to be able to whitelist multiple devices easily through group policy?
  

Any help here would be appreciated!