Here are the key points from the video transcript:
• A Device Enrollment Manager (DEM) is a non-admin user that can enroll and manage up to 1000 devices in Intune. Regular non-admin users can only enroll 15 devices.
• You don't create a DEM account, you promote an existing Intune user with a license to be a DEM.
• Global admins or Intune service admins can add, manage, and delete DEM accounts in the Endpoint Manager admin center.
• To add a DEM, get the user's UPN, confirm they have an Intune license, and promote them in the admin center.
• DEM enrolled devices have some limitations, like DEM users can't wipe devices and Windows devices enroll in shared mode.
• Demo of enrolling a Windows 10 device with a DEM account and signing in as another user. The other user can't disconnect the device or access admin settings.
• The DEM account is added to the local Administrators group, so it has admin access while other users don't.
In summary, DEMs allow scalable Intune enrollment without giving full admin access to users. The devices have some restrictions compared to standard enrollment.
Very nice. Keep up the good work.😊
Great, very nice video. It's so helpful.
Thanks for the video... nice explanation... could you please share any video regarding email domain migrations?
Once a device is onboarded using a DEM account, what are some key considerations for managing and maintaining the device within Intune?
You're the best!!!!!
I know this is a year old, but can you also autopilot a device using a DEM account as well, automate that and then have another user sign in?
Thank you for this video. I have three questions, if you don't mind, as I cannot find the answer anywhere on the web. 1. Is it possible to have the DEM users be the only ones assigned the Auto-Enrolment in Intune, or would this break something? 2. What if the DEM user used to enrol devices gets disabled or deleted? 3. What is the relevance of the "Enrolled By:" attribute in this case? Thank you very much.
Answer 1: You can do that; till now I haven't seen or noticed anything which can create a problem or break anything. But I have used it only once for testing purposes, so I need more time to test it.
Answer 2: If the DEM user is deleted or disabled and you do not have any other local administrator on that device, you can sign in to that device using any admin-equivalent user from Intune. In the video, check the timestamp 11:43 (the group is already added to the built-in Administrators group). There is also another method to add an administrator account to an Intune-managed device if no admin account is found on it.
Answer 3: Whoever enrolls the device to Intune will become an administrator on that device. It might be possible that someone else is currently using the device with standard user permissions. So in the Intune portal you will see Primary user (the one who is currently using the device) and Enrolled by (who has enrolled the device). If you are using DEM, then the DEM user will be listed as Enrolled by.
Thank you very much for your prompt and detailed response. Much appreciated. @MSFTWebCast
At 7:30, I want the user type to be Standard. How can I do this?
Does user2 have to have an Intune license as well?
Yes, the user must have an Intune license assigned to him. Every user that uses a device that is managed by Intune should have an active Intune license.
@MSFTWebCast Thanks!
Question: What if we are blocking non IT users from joining AAD? We only have our helpdesk people who can join devices to AAD\Intune. If I assign Joe Smith as DEM, but he is just a regular user, he won't be able to join to AAD, but will be able to enroll the device in Intune? How would that work in terms of showing up as enrolled as a personal vs company owned device?