Forum Discussion
AutoPilot Hybrid Join with White Glove - Issue at first login (MFA we think)
I am in a similar configuration, so to speak: hybrid join/MFA and CA, and using AnyConnect - but MFA has never been an issue. And we have "devices require MFA" set to yes, and this is something you want as well.
I am struggling as well with applying policies 🙂 So far I am unsuccessful at having them applied at first logon - always requiring a reboot to see them applied, whether policies are coming from MDM or GPO.
Do you have the privilege to run Start-ADSyncSyncCycle -PolicyType delta on your AD Connect box?
Do you have ESP user disabled?
You could run a user-driven AutoPilot install - run a delta sync after the machine rebooted after ODJ (to expedite the HAADJ) - and observe the behavior you have.
I don't see much activity on the AutoPilot subject either, or I am looking on the wrong forums ...
Maya
Hi Maya,
Thanks for your response - I too think maybe AutoPilot is being asked in other forums too, as Cibavision says - no one posts in here 🙂
However, to answer your question - we now have this working. We had to create an explicit CA rule that targets AutoPilot devices and grants access to the apps "Intune Enrollment" and "Intune" for Hybrid AD Joined devices.
Now when we do AutoPilot hybrid AD Join enrolment (outside of the corporate network, i.e. from home) we don't have a problem with MFA for the device. Users still require MFA to log into Teams etc. for the first time, but the device joins OK.
We still have the issue (but I think this can't be avoided) where you need to reboot the laptop some time after joining it (usually around 30 mins); after we reboot it, it gets all the policies from MDM and GPO.
This is the rule we used:
Assignment - Specific user or group
Cloud App - Include: Intune & Intune Enrolment. Exclude: None
Condition - Device Platform: Windows
Access Controls - Grant & Require Hybrid Azure AD Joined device
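The rule listed above, recreated with the Microsoft Graph PowerShell SDK as an added example (not code from the thread). It assumes the Microsoft.Graph module is installed, `$AutopilotGroupId` is a placeholder for your own group's object ID, and the two first-party application IDs are the ones Microsoft publishes for Intune and Intune Enrollment (verify them in your tenant before relying on them).

```powershell
# Added example: build the Conditional Access rule from the post above via Graph.
# Scope is deliberately narrow: one assigned group, Windows only, two cloud apps.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object ID of the group assigned to the AutoPilot rule.
$AutopilotGroupId = "00000000-0000-0000-0000-000000000000"

# First-party app IDs as documented by Microsoft (assumption; confirm with
# Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'").
$IntuneAppId           = "0000000a-0000-0000-c000-000000000000"  # Microsoft Intune
$IntuneEnrollmentAppId = "d4ebce55-015a-49b5-a083-c84d1797ae8c"  # Microsoft Intune Enrollment

$policy = @{
    displayName = "AutoPilot HAADJ - Intune and Intune Enrollment require hybrid joined device"
    # Start in report-only so sign-in logs show who the rule would affect;
    # switch to "enabled" once the AutoPilot test devices enrol cleanly.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Assignment - Specific user or group
        users        = @{ includeGroups = @($AutopilotGroupId) }
        # Cloud App - Include: Intune & Intune Enrolment. Exclude: None
        applications = @{
            includeApplications = @($IntuneAppId, $IntuneEnrollmentAppId)
            excludeApplications = @()
        }
        # Condition - Device Platform: Windows
        platforms    = @{ includePlatforms = @("windows"); excludePlatforms = @() }
    }
    # Access Controls - Grant & Require Hybrid Azure AD Joined device
    grantControls = @{
        operator        = "OR"
        builtInControls = @("domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what the tenant actually stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "Apps";   e = { $_.Conditions.Applications.IncludeApplications -join "," } },
        @{ n = "Grant";  e = { $_.GrantControls.BuiltInControls -join "," } }
```

Leaving the policy in report-only mode first lets you check the sign-in logs for the AutoPilot devices before it can block an enrolment.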