Windows. Cloud. Management. Your questions answered.
Wednesday, Nov 29, 2023, 07:30 AM PST
If you are stuck in your journey to the cloud -- or have questions about the ins and outs of Windows Autopilot, Microsoft Entra Join (formerly Azure AD Join), policy management -- come ask the expert...
Char_Cheesman
Updated Dec 27, 2024
Dylangould | Nov 29, 2023 | Brass Contributor
When testing using Autopilot for Hybrid devices I am seeing two device entries get created in Entra ID for the one device. How do we properly maintain those? Only one of them is managed by Intune and the other one is not, but the entries are linked together in a backend way. So if you have any device-based groups it's hard to know which entry to add to the group, since you can't see which one is managed on the Member Add screen inside Intune.
Also it seems to make some features like wiping a device more complicated, as you have to do other steps than just click wipe in Intune and it re-enrolls itself with no issues...
- DaneaGalbraith | Nov 29, 2023 | Iron Contributor
  We have hybrid devices coming in from AD connect and were initially imaged with SCCM. We show multiple entries but there is an entry that is an empty Join type. Then there is another entry that is Hybrid Join without a user account attached. What is the empty Join type entry?
- Char_Cheesman | Nov 29, 2023 | Bronze Contributor
Thanks for participating in today's Windows. Cloud. Management. Your questions answered! For reference, the panel covered this topic at around 39:15.
- Hung_Dang | Nov 29, 2023 | Microsoft
  That's correct that there are two Entra ID device objects at the end of Autopilot into Hybrid. The first object is the one for device registration into Autopilot in the first place. The intent is that that device object is joined to specific groups before the device is deployed, and then the policies assigned to the group are applied during deployment. The second object is created that reflects the device object in AD (primarily for authentication purposes). That second object should be joined to the same groups as the first object, and so the policies still apply. In general, if you change groups for the device AFTER deployment, the best practice is to move BOTH device objects, since that device could be reset at any time, at which time the first object takes effect (and this assumes you want the new group's policies to apply even after reset). Hope this helps, Dylan! -- Hung
- SkipToTheEndpoint | Nov 29, 2023 | Brass Contributor
  The painful yet honest answer to this is "Don't Hybrid Autopilot". Aim for your new devices to be cloud native, you'll be thankful you did.
- Dylangould | Nov 29, 2023 | Brass Contributor
  That is unfortunately what I expected.
- SkipToTheEndpoint | Nov 29, 2023 | Brass Contributor
  What do you believe your blockers to having cloud native devices are, out of curiosity?