
We’ve discovered an issue with a new feature that was recently released in the console. If you manage Windows 10 devices, you may have seen a new “Rename device” setting in the console to rename an enrolled Windows 10 device. We’ve found that the renaming flow using this setting might not complete on Windows devices that are joined to on-premises Active Directory, including Hybrid Azure AD joined devices. This setting has now been temporarily disabled for Hybrid Azure AD joined devices.

Here’s the current experience in the Intune console. When you go to Devices > All Devices and choose a Windows device, you will see an option to rename the device. On renaming the device, the new name is reflected in the Intune console and in Azure AD. However, we’ve seen some cases where the new device name is not reflected in the on-premises Active Directory.

This can result in login errors where a user may be able to log on to their device initially but may experience single sign-on (SSO) errors when they try to log in again after a password change.

Engineering is still working to understand the cause and remediation. We've temporarily disabled this setting in the console for Hybrid Azure AD joined devices and Azure AD joined co-managed devices until we have a fix for this issue. Stay tuned for more information as we look into this!
NOTE: This post previously shared that the impact was limited to Hybrid Azure AD joined devices. We've since updated the post to include Azure AD co-managed devices.

Updated - 5/17/19
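While the fix is pending, an admin can look for devices already affected by comparing the Azure AD device name with on-premises AD. The following PowerShell is an added example, not Microsoft's or Intune's own code; it assumes the AzureAD and ActiveDirectory modules are installed, that Connect-AzureAD has already been run with an account allowed to read devices, and that the function name Get-RenameMismatch is our own.

```powershell
# Added example (not Microsoft's code): list Hybrid Azure AD joined devices whose
# Azure AD display name has no matching computer object in on-premises AD, which
# is the symptom of a rename that reached Intune/Azure AD but not on-prem AD.
# Assumes Connect-AzureAD was already run and the AD module can reach a DC.
Import-Module ActiveDirectory
Import-Module AzureAD

function Get-RenameMismatch {
    # Hybrid Azure AD joined devices report DeviceTrustType 'ServerAd';
    # pure Azure AD joined devices are skipped because they have no AD object.
    $cloudDevices = Get-AzureADDevice -All $true |
        Where-Object { $_.DeviceTrustType -eq 'ServerAd' }

    # Build a case-insensitive lookup of on-prem computer names (the CN).
    $onPremNames = @{}
    Get-ADComputer -Filter * | ForEach-Object {
        $onPremNames[$_.Name.ToUpperInvariant()] = $true
    }

    foreach ($d in $cloudDevices) {
        $name = $d.DisplayName.ToUpperInvariant()
        if (-not $onPremNames.ContainsKey($name)) {
            [PSCustomObject]@{
                DeviceId    = $d.DeviceId
                AzureADName = $d.DisplayName
                LastLogon   = $d.ApproximateLastLogonTimeStamp
            }
        }
    }
}

Get-RenameMismatch | Format-Table -AutoSize
```

A device in this list is a candidate for the SSO failures described above; note that it will also surface devices whose AD object was deleted or never synced, so confirm each hit against the rename history in the Intune console.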
1 Comment
Visitor

Hello Intune,
We are having a very serious issue with Hybrid AAD Joined Windows 10 machines and our MDM users.

They are able to see their Windows 10 Corporate-Owned Hybrid AAD Joined machines in the Company Portal and from there, issue a Refresh (Wipe) command! This is very dangerous as it allows end users to reset their assigned company machines through their mobile.
I have already been informed by Intune Support that this is a known issue and should be resolved.
The logic here should be that if a Windows 10 Domain Joined / Hybrid AAD joined machine is Corporate owned (GPO or SCCM used for automatic enrollment), the "Enrollment user" shouldn't be able to act against those systems. Only designated entities should.
Please raise this case's impact as it could really cause issues where users unknowingly do such actions (rename should also be blocked for them) as these devices are not under their ownership, rather they are company resources.
Thanks