Forum Discussion

Scott Paterson's avatar
Scott Paterson
Copper Contributor
Jan 07, 2018

Intune Management Extension not installing

I am testing Intune/EMS on Windows 10 (1709) PCs and trying to get Powershell scripts to run without success. I think the issue is with the Intune Management Extension not installing but cant find mu...
Intune
Oliver Kieselbach's avatar
Oliver Kieselbach
MVP
Apr 25, 2019

Okay your issue is that you have technically a WorkPlace Joined (WPJ) device and not hybrid AADJ. Because of the use of manually add work/school acount the device is treated as WPJ. The WPJ scenario is not supported by MS for the Intune Management Extension (IME) and I'm not sure it will in near future. As WPJ is more targeted to BYOD and MS don't want to mess with BYOD devices by installing agents on personal devices.

To make the agent work you would need to WPJ un-enroll them and hybrid AADJ them via:

 

How To: Plan your hybrid Azure Active Directory join implementation
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

 

I'm sorry if this introduces efforts on your side.

 

The documentation is telling the fact only implicit by not telling that the IME is supported on WPJ devices:

 

The Intune management extension supports Azure AD joined, hybrid Azure AD domain joined, and co-managed enrolled Windows devices.

 

This is a bit confusing.

 

best,

Oliver

WalterPrem's avatar
WalterPrem
Brass Contributor
Jun 12, 2019

Oliver Kieselbach 


So today, surprisingly, I got the Intune Management Extension working on a WorkplaceJoined PC by removing the work account, and then choosing Enroll only in device management instead (almost hidden on the right...).

For some reason, MDMdiag XML now reports MDMFull instead of MDMFullWithAAD, and to my surprise, after installing the IME, I'm receiving powershell scripts.

 

Again I have a lot of trouble finding documentation on the difference between the above, and why it's working if I use the Enroll only button rather than the CONNECT button.

 

The problem is still that, all our devices are joined to Intune with the CONNECT button either via the add school/work account menu or via the company portal.

This means I would still need to un-enroll and re-enroll all our "WorkplaceJoined" devices.

 

Maybe you know of a way to get "MDMFullWithAAD" devices to be "MDMFull"?

  • Ryan_Frazier's avatar
    Ryan_Frazier
    Copper Contributor
    Jun 12, 2020

    Just stumbling across this issue now after manually enrolling 50 or so devices and not realizing that PowerShell will not work on these devices.  Will using the local security policy editor "gpedit.msc" to set this attribute work for 100% remote devices?  I'll be trying this on a few but for the sake of time per device, it'd be nice to be able to disjoin from Work or School and then just set this bit and leave.

     

    Computer Configuration > Administrative Templates > Windows Components > MDM

     

    Microsoft also has provisions in the portal to change a device from "Personal" to "Corporate" owned... why would they not flip that device to Hybrid Joined then instead of making admins jump on all these machines physically... makes no sense.

  • WalterPrem's avatar
    WalterPrem
    Brass Contributor
    Jan 22, 2020

    AlexanderKarls 

    Well, the conclusion is that it's simply not supported for devices that are "manually" joined to Intune, e.g. when using add/remove account or the company portal.

    You need to use Windows Autopilot or Azure AD join during setup, or setup Hybrid environment (syncing computers) and rolling out Intune using GPO.

  • AlexanderKarls's avatar
    AlexanderKarls
    Copper Contributor
    Jan 21, 2020

    WalterPrem: Did you ever solved this? I got exactly the same problem 😞 

Resources