Forum Discussion
Hybrid Azure AD join devices MDM set to "none"?
Hi Moe_Kinani,
Yes, that's configured correctly and working. The group policy is pushed successfully to the devices and does in fact generate the task to enroll the device. However, the naming of it is different to the one that used to be generated in our previous setup in the client machine (although I cannot see any difference on the GPO management service in the server). We used to run Windows Server 2012 R2 servers while we run Windows Server 2016 now. Unfortunately, the control over them has been delegated to a third party so I was not the one to update the ADMX files for GPOs this time. But I cannot see any difference between them, the difference can only be found in the Windows 10 client machine.
I'm confident the machine is attempting to enroll. It should be using Azure AD credentials, so the issue is either that it is not attempting to enroll with them or that something along the way (like a firewall) is interfering with the process.
Thanks!
Do you use a proxy with user authentication in your environment? If yes, the system is probably failing there. Have you asked your network colleagues if they see
Kind Regards,
Chris
- Ion Zubia, Jan 30, 2020, Brass Contributor
We do not! Whatever is interfering with the enrollment request cuts it off before it gets to Intune, as Intune does not even register an unsuccessful enrollment attempt.
- Christian_Hemken, Jan 31, 2020, Copper Contributor
Can you manually enroll devices to Intune and join them to AzureAD? No hybrid from your environment? Is this working flawlessly?
Additionally, can you see anything in the Event Viewer?
Microsoft --> Windows --> AAD
is the log of the Windows AAD join.
Kind Regards,
Christian
- Ion Zubia, Jan 31, 2020, Brass Contributor
Thanks for that, Christian_Hemken.
I wasn't aware of this being logged by Windows events. There are some error logs stating "Error validating credentials due to invalid username or password", and there's also a request error log with a link that leads to this:
Furthermore, there's a third type of error:
"Error description: AADSTS50126: Error validating credentials due to invalid username or password"
Quite a clear error. We do not use password hash sync and, as far as I understand, it isn't required with the way we are trying to auto-enroll the devices. But could that be the source of this error? I thought that since on-prem accounts are synced to Azure AD with Azure AD Connect, it would have access to the right credentials.
Manual enrollment with company portal works, but of course then a local admin account is required.
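The checks Christian suggested (the AAD join log in Event Viewer) and the AADSTS error Ion found there can be collected in one pass from the client. The script below is an added example for this thread, not code from either poster or from Microsoft. It runs from an elevated PowerShell session on the Windows 10 device and reads the built-in dsregcmd state, the AAD operational log, the MDM enrollment client's diagnostics log, and the EnterpriseMgmt scheduled tasks the GPO creates; the three-day look-back window and the AADSTS regex are assumptions chosen for the example.

```powershell
# Added example (not from the thread): gather Azure AD join / MDM auto-enrollment
# evidence from a Windows 10 client. Run as administrator on the device.
# Log names and the task path are the standard Windows ones; the 3-day window
# and the AADSTS pattern are assumptions made for this example.

$Since = (Get-Date).AddDays(-3)

# 1. Registration state as the client sees it (dsregcmd ships with Windows 10).
$dsreg = dsregcmd /status
$dsreg | Select-String -Pattern '^\s*(AzureAdJoined|DomainJoined|TenantName|MdmUrl|AzureAdPrt)\s*:' |
    ForEach-Object { $_.Line.Trim() }

# 2. Error-level events from the AAD join log Christian pointed to
#    (Event Viewer: Microsoft > Windows > AAD > Operational).
$aadErrors = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AAD/Operational'
    Level     = 2           # 2 = Error
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Extract every AADSTS code from the messages and count occurrences, so a
# recurring credential problem such as AADSTS50126 stands out from one-off noise.
$aadErrors |
    ForEach-Object { [regex]::Matches($_.Message, 'AADSTS\d+') | ForEach-Object { $_.Value } } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Name, Count

# 3. The MDM enrollment client's own log, which shows whether an enrollment
#    request was built and sent at all (useful when Intune records no attempt).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Level     = 2
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`n") | Select-Object -First 1 } }

# 4. The scheduled task the GPO creates to trigger auto-enrollment, whatever
#    display name this Windows build gives it.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
    Select-Object TaskName, State,
        @{ n = 'LastRun';    e = { ($_ | Get-ScheduledTaskInfo).LastRunTime } },
        @{ n = 'LastResult'; e = { ($_ | Get-ScheduledTaskInfo).LastTaskResult } }
```

Reading the four outputs together separates the cases the thread is debating: a task that exists and ran but the enrollment log shows no request points at something on the path (proxy, firewall), while a request that was sent and answered with an AADSTS code points at the credential or sync side, and the code itself can then be looked up in Microsoft's AADSTS error reference.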