Introduction
As almost every company adopts modern device management solutions like Windows Autopilot, Service Desks and Support personnel often face challenges when trying to perform administrative tasks on these devices remotely. If you use local administrator password solutions (LAPS) that stores the password in Entra ID, you can authenticate on those managed devices like in the “good old days” with .\. If you haven’t configured LAPS, check out our friends, Oliver Müller, blog post about Windows LAPS in Microsoft Intune
One common question that always arises when I work with support personnel is whether it’s possible to authenticate as an admin on a remote Autopilot device using Entra ID credentials, especially when using tools like TeamViewer.
The Solution
Here’s how you can authenticate as an administrator on a remote Autopilot device using Entra ID credentials with TeamViewer:
- Make sure you use a dedicated administrator that is only used for local device administrative tasks. It should be a personalized administrator account and the Entra ID Role: Microsoft Entra Joined Device Local Administrator should be eligible via PIM.
- Ensure TeamViewer is installed and running.
- Obtain TeamViewer ID from the device.
- Before typing in the password, select the “Advanced” features.
- Select the Windows authentication.
- Instead of using the traditional domain\username format, use the format AzureAd\[email protected].
- If your Entra ID account has administrative privileges, this will elevate the remote machine’s TeamViewer session, allowing you to see and interact with UAC prompts. The TeamViewer will reboot and connect automatically.
- Once authenticated, you can perform the necessary administrative tasks on the Entra ID joined device.
Conclusion
Transitioning to modern device management solutions like Windows Autopilot can present new challenges, but with the right approach and tools, these can be effectively managed.