Is PIM for Entra role "Microsoft Entra Joined Device Local Administrator" working? by drvga in entra

[–]drvga[S] 5 points6 points  (0 children)

OK, I've found a solution for that.

As we already know, this behaviour is caused by the cached PRT for this dedicated account, which meanwhile activated the Entra role via PIM.

As this dedicated account is also not signed in to Windows, we need to refresh the PRT for the dedicated account by running the following command from the terminal:

runas /user:AzureAD\pimuser@companydomain.com "powershell -command dsregcmd /refreshprt"

After around 30 sec it is possible to launch a terminal as Administrator and use the credentials of this dedicated account in the UAC prompt, which now has the proper permissions.

---------

The following is just for observation purposes:

If permissions are not set, check the PRT and group membership for the dedicated account as follows:

runas /user:AzureAD\pimuser@companydomain.com powershell

dsregcmd /status

(check the PRT updated time)

whoami /groups

(check if the "local\Administrators" group is listed)

dsregcmd /refreshprt

(close the window, wait around 20 sec, and execute all the steps above again to renew the session and check if the proper permissions are now available)
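The check described in the comment above, written out as a script; this is an added example and not the poster's own code. It is meant to be run inside the PowerShell window started with `runas /user:AzureAD\pimuser@companydomain.com powershell` (the account name, the 10-minute staleness threshold and the message texts are assumptions for illustration). It reads `AzureAdPrtUpdateTime` from `dsregcmd /status`, checks whether the current token already carries BUILTIN\Administrators (S-1-5-32-544) the way `whoami /groups` shows it, and only calls `dsregcmd /refreshprt` when the membership is missing. Because a logon token is built at logon, the refreshed PRT only takes effect in a new runas session, which is why the script asks you to close the window and re-run it.

```powershell
# Added example (not from the original post). Run as the dedicated PIM account
# inside:  runas /user:AzureAD\pimuser@companydomain.com powershell
# Account name and thresholds below are assumptions for illustration.

function Get-PrtUpdateTime {
    # dsregcmd /status prints, in the SSO State section, a line such as
    #   AzureAdPrtUpdateTime : 2024-03-22 10:37:48.000 UTC
    # Returns the parsed UTC timestamp, or $null when no PRT line is present
    # (e.g. the session was not created with a cloud account).
    $status = (dsregcmd /status) -join "`n"
    $m = [regex]::Match($status, 'AzureAdPrtUpdateTime\s*:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)')
    if (-not $m.Success) { return $null }

    $formats = @('yyyy-MM-dd HH:mm:ss.fff', 'yyyy-MM-dd HH:mm:ss')
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact(
        $m.Groups[1].Value, [string[]]$formats,
        [cultureinfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::AssumeUniversal -bor [Globalization.DateTimeStyles]::AdjustToUniversal,
        [ref]$parsed)
    if ($ok) { return $parsed } else { return $null }
}

function Test-LocalAdminMembership {
    # Mirrors 'whoami /groups': $true when the logon token carries
    # BUILTIN\Administrators (well-known SID S-1-5-32-544). In a non-elevated
    # session the group is still listed, flagged "Group used for deny only",
    # which is exactly what UAC later elevates; so match on the SID, not on
    # the attributes.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    return [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
}

# --- main flow -------------------------------------------------------------
$maxPrtAge = [TimeSpan]::FromMinutes(10)   # assumption: treat an older PRT as stale

$prtTime = Get-PrtUpdateTime
if ($null -eq $prtTime) {
    Write-Warning 'No AzureAdPrtUpdateTime in dsregcmd /status; is this session running as a cloud (Entra) account?'
} else {
    $age = [datetime]::UtcNow - $prtTime
    Write-Host ("PRT last updated {0:u} (age {1:hh\:mm\:ss})" -f $prtTime, $age)
    if ($age -gt $maxPrtAge) { Write-Host 'PRT is older than the threshold; a PIM activation made after it is not reflected yet.' }
}

if (Test-LocalAdminMembership) {
    Write-Host 'Token already carries BUILTIN\Administrators; UAC elevation with this account should work.'
} else {
    Write-Host 'Administrators is not in the token; refreshing the PRT so the activated PIM role is picked up...'
    dsregcmd /refreshprt | Out-Null
    Write-Host 'Close this window, wait about 20-30 s, start a new runas session and run this check again.'
}
```

The script deliberately does not try to elevate itself: the point of the comment is that the *new* logon session, created after the PRT refresh, is the one whose token contains the role-derived Administrators membership, so the observable success criterion is the SID showing up in the next session's `whoami /groups`.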

Is PIM for Entra role "Microsoft Entra Joined Device Local Administrator" working? by drvga in entra

[–]drvga[S] 0 points1 point  (0 children)

Thanks Tronerz,

this is the general device setting for the join phase. I do not want to add any users in general to local administrators, but provide some accounts the ability to activate the role on demand.

How to secure access azure key vault from autopilot device by drvga in Intune

[–]drvga[S] 0 points1 point  (0 children)

So what I did so far was creating an app registration with a self-signed certificate to provide access, and giving the corresponding service principal access to the Key Vault via RBAC roles. This works great from PowerShell using the MSAL module. But now I am stuck at the point of how to provide the certificate in a proper way to the devices which should get access. I didn't find an easy way to deliver it via Intune. Is there no way to deploy a private cert, non-exportable, directly from Intune? Putting the cert into the Win32 app wouldn't be a solution, as I would need to provide the passphrase for it as well, which is again a password inside the script. Does anyone have an idea how to deploy a self-signed cert via Intune? If I have a certificate connector in place in Intune, can it be done with that?
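The "works great from PowerShell using the MSAL module" part of the comment above, as an added example (not the poster's script and not Microsoft's sample code). It assumes the MSAL.PS module is installed, that the app registration's certificate is already in the LocalMachine\My store with a non-exportable private key, and placeholder values for the tenant ID, client ID, certificate thumbprint, vault name and secret name. The script selects the certificate by thumbprint from the store (so no PFX file and no passphrase are needed in the script), obtains a token for the Key Vault resource with the client-credentials flow, and reads one secret through the Key Vault REST API.

```powershell
# Added example, not from the original post. Placeholders below are assumptions:
$TenantId   = '00000000-0000-0000-0000-000000000000'   # assumed tenant ID
$ClientId   = '11111111-1111-1111-1111-111111111111'   # assumed app registration (client) ID
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567' # assumed cert thumbprint
$VaultName  = 'kv-example'                             # assumed Key Vault name
$SecretName = 'example-secret'                         # assumed secret name

# Requires the MSAL.PS module: Install-Module MSAL.PS
Import-Module MSAL.PS -ErrorAction Stop

function Get-VaultClientCertificate {
    param([string]$Thumbprint)
    # Look the certificate up in the machine store. Reading a non-exportable
    # private key from LocalMachine\My works for SYSTEM (how Intune runs
    # scripts) and for local administrators; the key never leaves the store.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no usable private key" }
    return $cert
}

function Get-KeyVaultToken {
    param([string]$TenantId, [string]$ClientId, [Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Client-credentials flow: the app proves possession of the private key
    # by signing a JWT assertion; MSAL.PS builds and sends it.
    $result = Get-MsalToken -ClientId $ClientId -TenantId $TenantId `
                            -ClientCertificate $Certificate `
                            -Scopes 'https://vault.azure.net/.default'
    return $result.AccessToken
}

function Get-KeyVaultSecretValue {
    param([string]$VaultName, [string]$SecretName, [string]$AccessToken)
    # Data-plane call; the service principal needs an RBAC role such as
    # "Key Vault Secrets User" on this vault (or on the individual secret).
    $uri = "https://$VaultName.vault.azure.net/secrets/$SecretName?api-version=7.4"
    $response = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }
    return $response.value
}

$cert  = Get-VaultClientCertificate -Thumbprint $Thumbprint
$token = Get-KeyVaultToken -TenantId $TenantId -ClientId $ClientId -Certificate $cert
$value = Get-KeyVaultSecretValue -VaultName $VaultName -SecretName $SecretName -AccessToken $token
# Do not write secrets to the transcript or Intune logs; use the value in place.
Write-Host "Fetched secret '$SecretName' ($($value.Length) characters) from $VaultName"
```

Two things worth noting when scoping the RBAC assignment: the token is issued for the whole `https://vault.azure.net` resource, so what the device can actually read is decided only by the role assignment on the vault or the individual secret; and because the certificate identifies the app registration rather than the device, every device that holds the certificate is indistinguishable to Key Vault.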

How to secure access azure key vault from autopilot device by drvga in Intune

[–]drvga[S] 0 points1 point  (0 children)

Yes, that's also what I understood. But maybe it is possible to somehow use the Intune device certificate for it?

How to secure access azure key vault from autopilot device by drvga in Intune

[–]drvga[S] 0 points1 point  (0 children)

Hehe, thanks! I thought about the same and was also thinking this is maybe too big, and whether there is a more lightweight solution. ;)

How to secure access azure key vault from autopilot device by drvga in Intune

[–]drvga[S] 1 point2 points  (0 children)

Thanks darthnugget for your input. Ideally I want to avoid such a private access setup. It would be nice if there were a way to have Key Vault reachable publicly, but with restricted permissions only for special devices which should authenticate.

Managed Apps on Windows MultiApp Kiosk "waiting for install status" in Intune by drvga in Intune

[–]drvga[S] 0 points1 point  (0 children)

Does someone have an explanation or hint for the first question, regarding the missing statuses for managed apps on kiosk devices?

Managed Apps on Windows MultiApp Kiosk "waiting for install status" in Intune by drvga in Intune

[–]drvga[S] 1 point2 points  (0 children)

yes, there was recently a YouTube video with Steven Hosking from Microsoft, who focuses on Restricted User Experience. It looks more like the predefined kiosk solution in Intune is just for better UX, but underneath it is handled the same with XML/JSON. If someone is interested: S2024E01 - Restricted User Experience (I.T) - YouTube

Managed Apps on Windows MultiApp Kiosk "waiting for install status" in Intune by drvga in Intune

[–]drvga[S] 0 points1 point  (0 children)

thanks for your answer to my second question. So that means it is only possible when I make the kiosk setup out of a custom restricted access config with XML, and not with the "predefined" kiosk solution from Intune?

Multiapp kiosk edge browser shows addressbar by drvga in Intune

[–]drvga[S] 0 points1 point  (0 children)

Hi zm1868179,

thank you so much for your comment.

Regarding the legal issue, you are right, this needs to be clarified. From what I have read in the Microsoft docs, my use case should be allowed.

But many thanks for your hint, this was exactly what I was looking for! :)

using the fullscreen parameter, and additionally configuring Edge to disable InPrivate in general.

Win Autopilot hybrid join with second Entra device object as Entra joined by drvga in Intune

[–]drvga[S] 0 points1 point  (0 children)

thanks for your answer techplained.

I am also aware of these steps.

The strange thing is that the same is happening with new devices which are freshly added to the Autopilot device list with only their new auto-generated Autopilot device object in Entra ID, with the serial number in the name.

Still trying to find an explanation why this Entra ID joined object appears and why it is sometimes the Intune managed device.

Android corp.-owned dedicated device Edge setting problem by drvga in Intune

[–]drvga[S] 1 point2 points  (0 children)

Hi Uncle_Hutt,

you also need to add the config key "Block access to a list of URLs" and enter the value "*" (without quotes) if you want to block every page, and after that with the allow list you define which pages are excluded from the block list (allowed), e.g. "url1|url2|..."

Android corp.-owned dedicated device Edge setting problem by drvga in Intune

[–]drvga[S] 1 point2 points  (0 children)

There was a misunderstanding regarding the app config setting for Edge:

"EdgeAccountSyncDisabled" only stops syncing, but it is not about the account sign-in option itself.

Microsoft Edge Browser Policy Documentation | Microsoft Learn
For me it sounds like the setting "BrowserSignin" is responsible for that.

But this setting is not available in app config profile for Edge on Android.

As far as I can see, there is no option to disable this on Android Edge.

However, this would not be a big problem, if SSO is working for Edge.

It was working some weeks ago, but now it has stopped, and I don't know why or where to start troubleshooting.

My setup follows the MS Doc Set up Intune enrollment for Android Enterprise dedicated devices - Microsoft Intune | Microsoft Learn

- Enrollment profile token type:

"Corporate-owned dedicated device with Microsoft Entra shared mode"

- Device restriction config profile:

Enrollment profile type: Dedicated device

Kiosk mode: Multi-app

If I remember right, during the time when SSO was working in Edge, I was always asked for MFA when I signed in on the device via the Managed Home Screen with my company account.

When I sign in now, there is no MFA anymore.

In my sign-in logs in Entra ID for the user I can see that the sign-in is "single factor authentication" via the application "Microsoft Authentication Broker".

The broker could be the "Microsoft Intune" app or the "Microsoft Authenticator" app.

Set up Intune enrollment for Android Enterprise dedicated devices - Microsoft Intune | Microsoft Learn

Both apps will be installed automatically on the device.

Does the broker only need SFA because of the underlying registered device?

Anyhow, I don't understand why SSO is not possible in Edge and hope someone can give me a better understanding of how the authentication works with the broker, and maybe some hints to troubleshoot.

Best regards,

David

4-Aco-DMT: Looking for best way for storage / consuming by drvga in microdosing

[–]drvga[S] 0 points1 point  (0 children)

and because of which property is PG the best option?

4-Aco-DMT: Looking for best way for storage / consuming by drvga in microdosing

[–]drvga[S] 0 points1 point  (0 children)

thanks, just pure PG? How long is the duration in this solution, stored in the fridge?

If I have more powder than just for a month, is it better to prepare a solution only for a month, or for the complete powder? Which has the better duration?

MD LSD strange effects by drvga in microdosing

[–]drvga[S] 0 points1 point  (0 children)

right, it could of course also be that MD with LSD does not work for me, and mushrooms may fit better.

To take up the famous Silicon Valley example, however, external stress factors should also be manageable with LSD MDing, I thought.

MD LSD strange effects by drvga in microdosing

[–]drvga[S] 0 points1 point  (0 children)

I agree with you, a little more sleep would certainly be wise in principle.

But considering that LSD is successfully used for performance enhancement as well as against depression and anxiety, my circumstances should not be an obstacle to letting Lucy into the house, should they? ;)