Naveen_Murugan44
Copper Contributor
Feb 24, 2024

MECM devices getting synced back in the Intune portal after Co pilot enablement

Urgent! Need suggestions.

We have a hybrid environment with MECM and Intune devices.

We tried to co-manage 10k PCs and planned to do a pilot deployment; unfortunately, we selected the "Automatic Enrollment" setting for all devices in the Co-management settings.

This made MECM devices show the ESP page at first login, which we didn't expect, and it also removed the device-based license for the group it had been assigned to; now we have lost licenses for more than 2k devices.

We deleted those devices from the Intune portal immediately, but they are slowly getting synced back to the Intune portal.

Now we need to know why these devices are being synced back to the Intune portal.

 

  • kyazaferr
    Iron Contributor

    1. Automatic Enrollment Settings in Co-Management

    When you select Automatic Enrollment for all devices under co-management settings, it applies the Intune enrollment policy to all devices in the MECM environment. The Co-Management Setup Wizard typically allows you to specify which workloads are managed by MECM and which are handled by Intune. However, setting Automatic Enrollment for all devices without filtering could lead to unexpected behaviors like devices being enrolled in Intune when they shouldn't be.

    Solution:

    • Review the Co-management settings in the MECM console:
      • In MECM, go to Administration > Overview > Cloud Services > Co-management.
      • Check the workloads that are set to be managed by Intune, especially for Compliance policies, Device configuration, and Application management.
    • Ensure that only the pilot devices (e.g., 10K PCs) are set to Automatic Enrollment, and exclude the rest. You can limit automatic enrollment by using device collections.

    2. ESP Page and Re-enrollment

    When devices first log in and hit the ESP page unexpectedly, it may have triggered re-enrollment into Intune because the ESP page is a key part of the enrollment process, and your MECM device might have been inadvertently re-enrolled.

    Solution:

    • To prevent the ESP page from appearing, disable automatic enrollment or ensure that it's only applied to your pilot group.
    • In MECM, you can manage Automatic Enrollment settings in the Co-management Configuration and modify which collections should be targeted for automatic enrollment to avoid re-enrollment of unintended devices.

    3. Device Cleanup in Intune

    Even though you've deleted the devices from the Intune portal, MECM can still sync them back based on its enrollment settings. This may happen because:

    • MECM is still trying to manage these devices, and due to synchronization policies, it re-adds them to Intune.
    • There might be a sync delay or pending sync task in MECM that re-initiates the enrollment process after deletion.

    Solution:

    • Perform a manual sync from MECM to Intune for the affected devices:
      • In the MECM console, go to Administration > Overview > Cloud Services > Co-management and trigger a sync to refresh the enrollment status.
    • Ensure that the device is no longer in any collections targeted for Intune enrollment.

    4. Licensing Issues (Device-Based Licenses)

    The device-based license removal could be caused by the automatic enrollment triggering re-enrollment of the devices into Intune and causing them to be ineligible for the previously assigned device-based licenses. This could also explain the loss of licenses for the 2k devices.

    Solution:

    • Ensure that device-based licenses are reassigned to the devices after they have been removed from Intune. You may need to manually reassign the licenses in the Microsoft 365 Admin Center.
    • Also, review the licensing assignments for device-based licensing in both MECM and Intune to ensure consistency.

    5. Prevent Future Syncing of Devices

    To prevent devices from syncing back to Intune after deletion:

    • Update Automatic Enrollment settings to restrict only your pilot or specific collections for Intune enrollment.
    • Use Intune Device Enrollment Restrictions to block unwanted devices from automatically enrolling.
    • Ensure that Device Cleanup Rules are properly configured in MECM to prevent synchronization of removed devices.

    6. Intune Device Cleanup Policies

    Intune has a feature to automatically clean up unlicensed or inactive devices. However, the sync may cause issues where the device is re-synced back even after it was deleted.

    Solution:

    • Review device cleanup policies in the Intune portal:
      • Go to Devices > Device cleanup and review the settings for auto-delete of unlicensed or inactive devices.
    • Make sure the devices are indeed removed from all Azure AD groups that might be syncing with Intune.

    7. Azure AD Sync

    Devices enrolled through MECM might be getting synced back to Azure AD (which is linked to Intune) after deletion. If Azure AD sync is enabled, the devices might be getting re-enrolled into Intune automatically.

    Solution:

    • Check the Azure AD sync settings to ensure that devices deleted from Intune are also deleted from Azure AD.
    • Use Azure AD Connect settings to ensure proper device removal or exclusion.
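The reply above argues that the devices come back because the Configuration Manager client is still under the co-management auto-enrollment policy, so deleting the Intune object alone does not stop re-registration. A quick way to confirm that on a single endpoint is to read the client's own state. The script below is an added example, not code from the thread or from Microsoft: it reads the `CoManagementFlags` value the ConfigMgr client writes under `HKLM:\SOFTWARE\Microsoft\CCM`, lists MDM enrollments under `HKLM:\SOFTWARE\Microsoft\Enrollments` (an Intune enrollment carries `ProviderID` = `MS DM Server`), and checks join state with `dsregcmd /status`. The function name `Get-CoManagementState` and the interpretation "any non-zero flag value means co-management is enabled" are this example's assumptions; the raw values are reported so they can be compared against the `CoManagementHandler.log` on the device.

```powershell
# Added example (not from the thread): report, on one Windows client, whether the
# Configuration Manager client has co-management enabled and whether an Intune
# (MDM) enrollment is present. Run in an elevated PowerShell session on the device.
# Function name and the "non-zero flags = enabled" reading are assumptions.

function Get-CoManagementState {
    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        CoManagementFlags = $null
        CoManaged         = $false
        MdmEnrollments    = @()
        AzureAdJoined     = $null
        DomainJoined      = $null
    }

    # The ConfigMgr client records its co-management state in CoManagementFlags.
    # A value of 0 means co-management is off; the individual bits of a non-zero
    # value encode which workloads have been moved to Intune.
    $ccm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -ErrorAction SilentlyContinue
    if ($null -ne $ccm -and $null -ne $ccm.CoManagementFlags) {
        $result.CoManagementFlags = [int]$ccm.CoManagementFlags
        $result.CoManaged = ($result.CoManagementFlags -ne 0)
    }

    # Each MDM enrollment is a GUID-named subkey under Enrollments. Subkeys that
    # have no ProviderID (Context, Status, ...) are bookkeeping and are skipped.
    $enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $enrollRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ProviderID) {
            $result.MdmEnrollments += [pscustomobject]@{
                EnrollmentId    = $_.PSChildName
                ProviderID      = $p.ProviderID      # 'MS DM Server' = Intune
                EnrollmentState = $p.EnrollmentState
                EnrollmentType  = $p.EnrollmentType
                UPN             = $p.UPN
            }
        }
    }

    # Join state: a hybrid Azure AD joined device reports YES for both lines.
    $ds = dsregcmd /status 2>$null
    if ($ds) {
        $result.AzureAdJoined = @($ds -match 'AzureAdJoined\s*:\s*YES').Count -gt 0
        $result.DomainJoined  = @($ds -match 'DomainJoined\s*:\s*YES').Count -gt 0
    }

    [pscustomobject]$result
}

$state = Get-CoManagementState
$state | Format-List

# The co-management handler log shows the policy the client last evaluated.
$log = Join-Path $env:windir 'CCM\Logs\CoManagementHandler.log'
if (Test-Path $log) {
    Get-Content -Path $log -Tail 20
}

if ($state.CoManaged -and $state.MdmEnrollments.Count -gt 0) {
    Write-Host 'Client is co-managed and holds an MDM enrollment: while the auto-enrollment policy still targets it, removing the Intune object alone will not keep it out.'
}
```

If `CoManaged` is `$true` on a device you already deleted from Intune, that device is still in a collection the co-management auto-enrollment setting targets; fixing the collection membership, as the reply describes, is what stops the re-registration.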
  • kyazaferr
    Iron Contributor

    Next Steps:

    1. Review Co-Management settings and Automatic Enrollment settings to ensure only the correct devices are enrolled.
    2. Re-sync the devices in MECM to reflect the correct enrollment status.
    3. Ensure license reassignment in Intune for the 2k affected devices.
    4. Monitor the devices in both MECM and Intune to confirm that devices no longer sync back unexpectedly.
