Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Issue with Surface Hub 2s device configuration profiles Intune

Copper Contributor

Hi Experts,

 

I have enrolled a new Surface Hub 2S into AAD but all my device config profiles like distributing the Trusted root certs, SCEP certificate is shows as "Pending". All my previous Surface Hub were on Prem and they just worked fine.  But I am unable to get these new surface hubs on cloud only which shows up as 'non compliant' and 'Not Evaluated' status. Any idea what could have possibly gone wrong here?

 

clipboard_image_0.png

Apparently, I have started this conversation in the wrong group. Can this be moved to the Surface Hub group please?

@Cezar Cretu 

 

8 Replies

@neeldaya 

Hi,

it's okay, I'll notify the moderators to move it to the proper forum,

 

Azure Active Directory forum

 

Azure Forum

 

You can see the list of all available communities and forums if you click on the "Communities" on top of every web page. :)

Hello @neeldaya,

 

For the Surface Hub to be compliant, it will need to be joined to Azure AD when MDM autoenrollment is enabled on the tenant. Check the hyperlinks here and note that if this was not set up, you will need to reset the devices and join them again to AAD after you enabled autoenrollment.

 

Thank you,

Cezar 

@Cezar Cretu +

 

We have autoenrollment enabled in Intune and we have lot of Win 10 clients getting enrolled without any issues. This issue is specific only to Surface Hub 2S devices. 

@neeldaya 

 

Officially Conditional Access is no longer supported on the Surface Hub due to the OS version running on it (RS2). 

I know from experience that this should work (limited) as long as the process I mentioned is followed. Can you check the scope of MAM to confirm that the Surface Hubs are also autoenrolled? If so, please open a case to investigate further

 

Thank you,

Cezar

@neeldaya Hi, I just set one up and it enrolled without any issues. I created a local account, then enrolled using a room mailbox with a meeting room license. What kind of license did you give the account?

The only odd issue I had is that the hub was showing twice when I created an AAD group for assignment - I had to add both in before it got the profile. Now only one device is listed.

@CloudHal  Thank you for your response. 

The device gets enrolled into AAD but until any configuration profiles that I have created like my Trusted Root CAs, User and device SCEP certificates are not getting deployed.

My steps:

-Created an on prem device account with E5 license assigned. Followed all the steps provided here https://docs.microsoft.com/en-us/surface-hub/surface-hub-2s-onprem-powershell.

-Created a user group in Intune and added this device account into it.

-Assigned my config profiles(Root CA and SCEP certificates) to this user group.

-During First Time setup I selected AAD for configuration.

https://docs.microsoft.com/en-us/surface-hub/surface-hub-2s-setup#azure-active-directory

-The devices gets enrolled in AAD and I have created a dynamic device group in intune for Surface Hub 2S device model to which this new device gets into. 

-Now if I check the status of these device configuration profiles then all of them show up as "Pending"

-On the device I click on Skype then there is just a rotating ball and no sign in happens.

 

clipboard_image_0.png

 

 

 

Hi,

 

We have seen similar issues with devices, we have tried a few things and notice that if you apply the policies to the device instead of user the policies apply.

 

However we have had issues with the Teams Mode policy when we do that... it applies but then shortly after the device seems to revert back to original settings on the device... and we cant get the setting to reapply either via Intune or a Provisioning Package.

 

Have you had any further luck with User assigned policies against the Hubs?

 

Owen

No, we never got this to work. We have an hybrid skype and Exchange environment and we tried to create users online in O365 as per MS documentation and the skype login is not possible as well.