Forum Discussion

neeldaya's avatar
neeldaya
Copper Contributor
Oct 23, 2019

Issue with Surface Hub 2s device configuration profiles Intune

Hi Experts,

 

I have enrolled a new Surface Hub 2S into AAD but all my device config profiles like distributing the Trusted root certs, SCEP certificate is shows as "Pending". All my previous Surface Hub were on Prem and they just worked fine.  But I am unable to get these new surface hubs on cloud only which shows up as 'non compliant' and 'Not Evaluated' status. Any idea what could have possibly gone wrong here?

 

Apparently, I have started this conversation in the wrong group. Can this be moved to the Surface Hub group please?

Cezar Cretu 

 

  • Hello neeldaya,

     

    For the Surface Hub to be compliant, it will need to be joined to Azure AD when MDM autoenrollment is enabled on the tenant. Check the hyperlinks here and note that if this was not set up, you will need to reset the devices and join them again to AAD after you enabled autoenrollment.

     

    Thank you,

    Cezar 

    • neeldaya's avatar
      neeldaya
      Copper Contributor

      cezarcretu +

       

      We have autoenrollment enabled in Intune and we have lot of Win 10 clients getting enrolled without any issues. This issue is specific only to Surface Hub 2S devices. 

      • cezarcretu's avatar
        cezarcretu
        Icon for Microsoft rankMicrosoft

        neeldaya 

         

        Officially Conditional Access is no longer supported on the Surface Hub due to the OS version running on it (RS2). 

        I know from experience that this should work (limited) as long as the process I mentioned is followed. Can you check the scope of MAM to confirm that the Surface Hubs are also autoenrolled? If so, please open a case to investigate further

         

        Thank you,

        Cezar

  • CloudHal's avatar
    CloudHal
    Iron Contributor

    neeldaya Hi, I just set one up and it enrolled without any issues. I created a local account, then enrolled using a room mailbox with a meeting room license. What kind of license did you give the account?

    The only odd issue I had is that the hub was showing twice when I created an AAD group for assignment - I had to add both in before it got the profile. Now only one device is listed.

    • neeldaya's avatar
      neeldaya
      Copper Contributor

      CloudHal  Thank you for your response. 

      The device gets enrolled into AAD but until any configuration profiles that I have created like my Trusted Root CAs, User and device SCEP certificates are not getting deployed.

      My steps:

      -Created an on prem device account with E5 license assigned. Followed all the steps provided here https://docs.microsoft.com/en-us/surface-hub/surface-hub-2s-onprem-powershell.

      -Created a user group in Intune and added this device account into it.

      -Assigned my config profiles(Root CA and SCEP certificates) to this user group.

      -During First Time setup I selected AAD for configuration.

      https://docs.microsoft.com/en-us/surface-hub/surface-hub-2s-setup#azure-active-directory

      -The devices gets enrolled in AAD and I have created a dynamic device group in intune for Surface Hub 2S device model to which this new device gets into. 

      -Now if I check the status of these device configuration profiles then all of them show up as "Pending"

      -On the device I click on Skype then there is just a rotating ball and no sign in happens.

       

       

       

       

      • odm_asb's avatar
        odm_asb
        Copper Contributor

        Hi,

         

        We have seen similar issues with devices, we have tried a few things and notice that if you apply the policies to the device instead of user the policies apply.

         

        However we have had issues with the Teams Mode policy when we do that... it applies but then shortly after the device seems to revert back to original settings on the device... and we cant get the setting to reapply either via Intune or a Provisioning Package.

         

        Have you had any further luck with User assigned policies against the Hubs?

         

        Owen

Resources