Forum Discussion

Ion Zubia
Brass Contributor
Nov 13, 2019

Hybrid Azure AD join devices MDM set to "none"?

Good afternoon,

We have recently upgraded all of our servers and as part of that I'm re-configuring Azure AD Connect for the hybrid environment.

Users are syncing properly. Devices, however, seem to fail to be picked up by Intune and thus MDM. It is set to "none" and, on top of that, it is not replacing the existing record for the device, so currently there's a Hybrid Azure AD joined device and an Azure AD registered record assigned to the user that uses it (myself).

I'm trying to use auto-enrollment via GPO; the specific GPO is "Enable Automatic MDM enrollment using default Azure AD credentials". Something I've noticed (if memory serves me well) is the fact that the generated task in Task Scheduler is named differently. If I remember correctly, the name should match or be similar to that of the GPO, but it is now called "Schedule created by enrollment client for automatically enrolling in MDM from AAD". So I'm not too sure if the policy is, for whatever reason, generating the wrong task?

At any rate, below is the information of one of the devices:

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : DOMAIN

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
       AzureAdPrtAuthority :
             EnterprisePrt : NO
    EnterprisePrtAuthority :

I'm aware that AzureAdPrt is set to NO, but I understand that isn't an issue if you are trying to enroll via default user credentials? (Correct me if I'm wrong.)

As for Intune, auto-enrollment is activated for everyone and anyone with the correct license. It has been a while since I last worked with this and perhaps I'm missing something obvious, but having looked at Microsoft's docs and followed some of the troubleshooting advice, I cannot see anything wrong with my setup.

Please, if you need any more information, do let me know.

Thank you
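Added by the editor, not part of the original post or of any reply: a PowerShell script that gathers on one Windows 10 client the facts this thread keeps circling around. It parses the dsregcmd /status join and PRT lines shown above, reads the registry values that the "Enable automatic MDM enrollment using default Azure AD credentials" GPO writes (AutoEnrollMDM, and UseAADCredentialType on the newer ADMX), looks up the enrollment client's scheduled task under \Microsoft\Windows\EnterpriseMgmt\ (the task name quoted in the post is the name the enrollment client gives that task; its last result is the useful part), and pulls the last auto-enrollment events (75 = Auto MDM Enroll: Succeeded, 76 = Auto MDM Enroll: Failed) from the DeviceManagement-Enterprise-Diagnostics-Provider Admin log. Run it in the session of the user who is expected to enroll, because dsregcmd reports that user's PRT; the task and event queries may need an elevated prompt. The warning thresholds at the end are the editor's reading of the documented requirements, not something the thread states.

```powershell
# Added example (editor's, not from the thread): collect hybrid Azure AD join and
# automatic MDM enrollment state on one Windows 10 client.
# Run in the session of the user expected to enroll; elevate if task/event reads are denied.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; fold them into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*)$') {
            $status[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $status
}

function Get-MdmEnrollmentReport {
    $ds = Get-DsregStatus
    $report = [ordered]@{
        AzureAdJoined = $ds['AzureAdJoined']
        DomainJoined  = $ds['DomainJoined']
        AzureAdPrt    = $ds['AzureAdPrt']
        # MdmUrl is empty until the device has actually enrolled.
        MdmUrl        = $ds['MdmUrl']
    }

    # 1. Registry values written by the auto-enrollment GPO. AutoEnrollMDM = 1 means
    #    the policy reached the machine. UseAADCredentialType (1 = User Credential)
    #    exists only with the newer ADMX and may be empty on an older template.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    $report.AutoEnrollMDM        = $policy.AutoEnrollMDM
    $report.UseAADCredentialType = $policy.UseAADCredentialType

    # 2. The scheduled task the enrollment client creates from that policy.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -like 'Schedule created by enrollment client*' }
    if ($task) {
        $info = $task | Get-ScheduledTaskInfo
        $report.TaskName       = $task.TaskName
        $report.TaskState      = $task.State
        $report.TaskLastRun    = $info.LastRunTime
        $report.TaskLastResult = '0x{0:X8}' -f $info.LastTaskResult
    } else {
        $report.TaskName = 'not found (policy not applied, or task not created yet)'
    }

    # 3. Outcome logged by the enrollment client:
    #    event 75 = Auto MDM Enroll: Succeeded, 76 = Auto MDM Enroll: Failed (message carries the HRESULT).
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } -MaxEvents 5 -ErrorAction SilentlyContinue
    $report.EnrollEvents = @($events | ForEach-Object {
        '{0:u} id={1}: {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`r?`n")[0]
    })

    return $report
}

$r = Get-MdmEnrollmentReport
[pscustomobject]$r | Format-List

# Warnings for the conditions the post's own dsregcmd output already exposes.
if ($r.AzureAdJoined -ne 'YES' -or $r.DomainJoined -ne 'YES') {
    Write-Warning 'Device is not hybrid Azure AD joined; auto-enrollment cannot start.'
}
if ($r.AzureAdPrt -ne 'YES') {
    Write-Warning 'No Azure AD PRT for this user; the enrollment client needs it to obtain a token silently.'
}
if ($r.AutoEnrollMDM -ne 1) {
    Write-Warning 'AutoEnrollMDM is not 1; the GPO has not applied to this machine.'
}
if ($r.TaskLastResult -and $r.TaskLastResult -ne '0x00000000') {
    Write-Warning ("Enrollment task last returned {0}; check the event 76 message for the HRESULT." -f $r.TaskLastResult)
}
```

The script only reads state; it does not trigger enrollment. If the task exists and its last result is non-zero, the event 76 message is where the actual failure reason (proxy, Conditional Access, licensing, missing PRT) shows up, which is what most of the replies below are asking about.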

21 Replies

  • EugenePetzer
    Copper Contributor
    Did you get a resolution to this or has anyone resolved this? I have checked all settings and KBs and all looks good, but my Hybrid Azure device MDM is still set to None. In this environment, devices were built and domain joined AND have SCCM on them. Could this be interfering? AD Connect is set up, GPO applies correctly (verified by running rsop) and devices are hybrid joined.
  • Hello Ion Zubia

    What are your current Conditional Access and MFA settings? Note that MFA could very easily interfere with the Intune enrollment if not set up correctly.

    //Nicklas Ahlberg

    https://www.nicklasahlberg.se/

  • Moe_Kinani
    Bronze Contributor
    Hi Ion,

    Did you configure Hybrid AD join for devices in Azure AD Connect? Please check the blog below about Hybrid Enrollment with GPO.

    https://cloudbymoe.com/f/enrolling-workstations-to-intune-using-gpo

    Moe
    • Ion Zubia
      Brass Contributor

      Hi Moe_Kinani,

      Yes, that's configured correctly and working. The group policy is pushed successfully to the devices and does in fact generate the task to enroll the device. However, its name is different from the one that used to be generated in our previous setup on the client machine (although I cannot see any difference in the GPO management service on the server). We used to run Windows Server 2012 R2 servers, while we run Windows Server 2016 now. Unfortunately, control over them has been delegated to a third party, so I was not the one to update the ADMX files for GPOs this time. But I cannot see any difference between them; the difference can only be found on the Windows 10 client machine.

      I'm confident the machine is attempting to enroll. It should be using Azure AD credentials, so the issue is either in it not attempting to enroll with them or in something along the way (like a firewall) interfering with the process.

      Thanks!

      • Christian_Hemken
        Copper Contributor

        Ion Zubia

        Do you use a proxy with user authentication in your environment? If yes, the system is probably failing there. Have you asked your network colleagues if they see

        Kind Regards,

        Chris

  • Hi Ion,

    Could you please give me some additional information?
    Which Windows 10 version are you working with?
    Do you also sync the OU where your devices belong to?
    Could you please share a screenshot of two devices with the same name which registration states they are having?
    Thanks,
    Michael
    • Ion Zubia
      Brass Contributor

      Hi Michael Obernberger,

      Of course, please find the answers below:

      • Which Windows 10 version are you working with? Windows 10 Pro 1809 Build 17763.864
      • Do you also sync the OU where your devices belong to? Yes, it syncs every 30 minutes.
      • Could you please share a screenshot of two devices with the same name which registration states they are having?

      Do let me know if you need anything else, please.

      Thank you.
