Forum Discussion
Hybrid Azure AD join devices MDM set to "none"?
Did you configure Hybrid AD join for devices in Azure AD Connect? Please check the blog below about Hybrid Enrollment with GPO.
https://cloudbymoe.com/f/enrolling-workstations-to-intune-using-gpo
Moe
Hi Moe_Kinani ,
Yes, that's configured correctly and working. The group policy is pushed successfully to the devices and does in fact generate the task to enroll the device. However, the naming of it is different to the one that used to be generated in our previous setup in the client machine (although I cannot see any difference on the GPO management service in the server). We used to run Windows Server 2012 R2 servers while we run Windows Server 2016 now. Unfortunately, the control over them has been delegated to a third party so I was not the one to update the ADMX files for GPOs this time. But I cannot see any difference between them, the difference can only be found in the Windows 10 client machine.
I'm confident the machine is attempting to enroll. It should be using Azure's AD Credentials so the issue either is in it not attempting to enroll with them or something along the way (like a Firewall) interfering with the process.
Thanks!
- Christian_Hemken, Jan 30, 2020, Copper Contributor
Do you use a proxy with user authentication in your environment? If yes, the system is probably failing there. Have you asked your network colleagues if they see
Kind Regards,
Chris
- Ion Zubia, Jan 30, 2020, Brass Contributor
We do not! Whatever is interfering with the enrollment request cuts it off before it gets to Intune, as Intune does not even register an unsuccessful enrollment attempt.
- Christian_Hemken, Jan 31, 2020, Copper Contributor
Can you manually enroll devices to Intune and join them to AzureAD? No hybrid from your environment? Is this working flawlessly?
Additionally, can you see something in the event viewer?
Microsoft --> Windows --> AAD and
is the log of windows aad join.
Kind Regards,
Christian
- Moe_Kinani, Jan 29, 2020, Bronze Contributor
Strange.
Could you run GPEDIT.MSC in the local PC and check the setting if applied? If not, could you enable it and do gpupdate? It could be the policy is not applied to the local machine?
Moe
- Ion Zubia, Jan 30, 2020, Brass Contributor
Hi Moe_Kinani,
If I run GPEDIT.MSC and look at the policy in the Local Group Policy Editor the state of the policy is "Not configured". If I run RSOP.MSC and view it in Resultant Set of Policy it shows as enabled. Not too sure on this but I don't think domain pushed policies show in RSOP?
At any rate, the schedule is created and is visible in Task Scheduler:
Thanks