Connection of already Hybrid Azure AD joined Win10 Devices to Intune Management


Hi folks,

I'm trying to implement Intune.

My first steps were iOS & Android, which I finished just now.

Now it's time for Win10 devices:

BYOD devices with a work or school account are no problem; they appear as expected in the Intune console.

At the moment I'm trying to connect our Windows 10 devices, which are already Hybrid Azure AD joined (joined to our on-prem domain).

I don't know how to achieve this. Would you please help me out with this?

I already tried to set the GPO (Auto MDM Enrollment with AAD Token) on a local Win10 client, but this doesn't do anything.

Is that the right approach? (Or what should I do? Do I need the Intune connector? Do I need Autopilot for this first step, when deployment of the OS is done manually, not by Autopilot?)

Thank you very much :)

Patrick.

Are you certain that Hybrid Azure AD join is configured correctly? Configuring Hybrid Azure AD join in Azure AD Connect and setting the GPO are all that you need (plus assigning EMS / Intune licenses). Once these are configured, you should see devices register pretty quickly.

Docs here:

https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatica...
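The reply above lists the three ingredients (hybrid join, the GPO, a license). The following PowerShell is an added example, not part of the thread or of any Microsoft tool, that checks each of them on the client itself so you can see which one is missing before waiting for the device to appear. It parses `dsregcmd /status`, reads the registry values the GPO writes (value names `AutoEnrollMDM` and `UseAADCredentialType` under the `MDM` policy key), looks for the auto-enrollment scheduled task, and lists existing enrollments; the task name pattern and the `ProviderID` value `MS DM Server` for Intune are assumptions based on what those components write on current Windows 10 builds.

```powershell
# Added example (not from the thread): readiness check for GPO-driven automatic MDM
# enrollment of a hybrid Azure AD joined Windows 10 client. Run in an elevated
# PowerShell session on the client, logged on as the user who is expected to enroll.

# 1. Join and token state from dsregcmd /status, parsed into a hashtable of "Key : Value" lines.
$ds = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') { $ds[$Matches[1]] = $Matches[2] }
}

$checks = [ordered]@{
    'DomainJoined = YES'  = $ds['DomainJoined']  -eq 'YES'
    'AzureAdJoined = YES' = $ds['AzureAdJoined'] -eq 'YES'   # both YES = hybrid joined
    'AzureAdPrt = YES'    = $ds['AzureAdPrt']    -eq 'YES'   # user PRT; needed for the user-credential enrollment path
    'MdmUrl present'      = -not [string]::IsNullOrEmpty($ds['MdmUrl'])  # only populated when the user is in the Azure AD MDM user scope
}

# 2. Registry values written by the "Enable automatic MDM enrollment using default Azure AD credentials"
#    GPO (the "Auto MDM Enrollment with AAD Token" policy). Value names assumed from the policy ADMX.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
$checks['GPO AutoEnrollMDM = 1']        = ($pol.AutoEnrollMDM -eq 1)
$checks['GPO UseAADCredentialType set'] = ($pol.UseAADCredentialType -in 1, 2)   # 1 = user credential, 2 = device credential

# 3. The scheduled task the policy creates; it retries enrollment on a schedule until it succeeds.
#    Task name pattern assumed.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object TaskName -like '*automatically enrolling in MDM from AAD*'
$checks['Auto-enrollment task present'] = [bool]$task

# 4. Existing enrollments: one subkey per enrollment; ProviderID "MS DM Server" is assumed to denote Intune.
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' }
$checks['Intune enrollment present'] = [bool]$enrollments

# Report: the first FAIL, in the order listed, is usually the thing to fix next.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($enrollments) {
    $enrollments | Select-Object UPN, DiscoveryServiceFullURL | Format-List
}
```

If `AzureAdJoined` is NO the problem is upstream in Azure AD Connect (the device object was never synced or the SCP is missing); if the join checks pass but `MdmUrl` is empty, the user is outside the MDM user scope or unlicensed and the task will keep failing silently, which matches the "GPO doesn't do anything" symptom in the question.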

Hi Aaron,

I've already read this MS doc. Yesterday I found out a few things with dsregcmd and got the first machines working.

My current problem seems to be an SCCM topic.

Let me describe the current situation and the goal:

Currently:

1. We don't manage mobile devices (iOS & Android) yet.

2. We manage Win10 devices (okay, most of them are mobile, too ;) with SCCM (installing the operating system, installing a few software products).

Objective:

1. We want to manage our clients (iOS, Android & Win10) with Intune in AAD.

2. We want to keep using SCCM in the future for the "first enrollment". (An on-site SCCM training for my colleague is pending; it starts at the end of February.)

What I've done so far:

1. I learned quite a few interesting things about Intune in combination with iOS & Android, so we are able to manage them. (Currently we're in a test phase and want to go into a pilot phase with a few more users/devices.)

2. I enrolled some Win10 test clients in the Intune console with the GPO setting.

When these clients already had the SCCM agent installed when they got enrolled in Intune, they appear in Intune as "managed by: MDM/ConfigMgr".

The problem is that they won't get the policies and configurations I configured in Intune.

Because I'm not experienced in using SCCM yet, I don't know how to go on.

Do I need the feature "co-management" within SCCM to achieve this objective?

(The devices already appear in Intune, as I mentioned before.)

The goal should be:

- Managing all mobile devices (iOS, Android & Win10) in Intune

- Installing the basics of our desktop devices with on-prem SCCM (installing the OS on workstations, installing some basic software packages).

I hope my English is understandable so far :D

I would be happy if you (or anyone else) can help me a little bit.

Thank you very much!

Patrick

Hi,

If you want to get the policies and configurations from Intune, you need to enable co-management and adjust the slider to set the authority. GPO will take precedence over MDM policy from Intune.

Thank you for your answer! That was good advice for me.
When setting up co-management in SCCM, the wizard asks me to give the credentials for an "Intune organizational account". It is not possible for me to connect with my "normal" O365 admin account. Is the organizational account something different?

Yes. You need to provide a Global Admin account.

I have a similar situation, although we do not have SCCM on premises. Devices have been Hybrid AD joined and auto MDM enrolled through GPO but show up as "Managed by MDM/ConfigMgr Agent". We do not have Configuration Manager on premises. How do I force MDM only?

Device Action status

Co-management

USERNAME Windows PC is being co-managed between Intune and Configuration Manager. Configuration Manager agent state is shown below; if the state is anything other than "Healthy" there are a few steps that help with this.

Configuration Manager agent state
Could not connect
Details
The Configuration Manager client is currently unable to reach the Configuration Manager management point. Make sure the client can communicate with the server. For more information on client communication issues, see the CcmMessaging.log, LocationServices.log, or ClientLocation.log files on the Configuration Manager client.
Last Configuration Manager agent check in time
2/1/1900, 12:00:00 AM

@Nathan Hart

Hi,

I have this same problem.

But I have the SCCM co-management configuration set.

Co-management

The configuration is set to device collections.
I removed my test device from this collection and tried to register it in Intune as being only managed by MDM.

Unfortunately, it still appears as MDM / ConfigMgr.

The MDM policy is set.
How do I change the device's management authority to MDM, leaving the other devices managed by co-management?

Because of a new Tech Community account, this is just a short response to follow up the thread. :)

I successfully set up Hybrid AD join and co-management for some pilot devices. Management is still controlled by ConfigMgr.

In the Azure console I see, however, that the ConfigMgr agent state reports as "could not connect" (see attached screenshot). Remote restart does work (with some delay), so there seems to be a connection. Can anyone point me in the right direction on how to troubleshoot this?

@nielsvd It seems to me that the communication with the portal is done through the extension (Intune Management Extension, I don't remember the exact name) installed when connecting the device to Intune MDM.
I would check if the SCCM agent on the device is working correctly, possibly reinstalling the agent. In addition, I would check the SCCM version and the Windows 10 version. Not all versions work together.
Sometimes, after uninstalling the SCCM agent, garbage remains in the registry. Intune then marks the device as co-managed, but in reality the device does not have the SCCM agent.

@Nathan Hart We are having the same issue. I will be happy to hear if you were able to sort this out.
I have been working with Premier on this issue for almost a week now.

@Nathan Hart and everyone..

I'm seeing the same issues. Devices come up as managed by ConfigMgr.

I set all workloads to Intune in Configuration Manager co-management; it still reads the same.

I am having the same issue with the 20H2 version. I created the image via MDT. The computer gets registered in Azure AD but with compliance status "No" and shows as SCCM managed. In Intune it registers with the username rather than the computer name. We do not use SCCM in our environment. I guess since the image was created using MDT it's showing as SCCM co-managed. I did remove all SCCM task-sequence related keys and folders and still no luck. @gfridman Please share if you were able to get something from support.

@Mohammed_Aqeel Finally, after a lot of research and head banging, I was able to get it working.

My issue was that I was deleting the services dmwappushservice and DiagTrack during image creation to disable the telemetry service. It looks like Intune uses this service (dmwappushservice) frequently to do various tasks. Once that service was restored, everything started working.

I was able to nail it down via Event Viewer --> Applications and Services Logs --> Microsoft --> DeviceManagement-Enterprise-Diagnostics-Provider.

Now everything is working as it should. All devices are registering as hybrid, showing compliant and also registering with Intune as MDM authority.
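The root cause found above (a service removed by image hardening) is worth checking before any of the co-management work, because a missing `dmwappushservice` breaks the MDM sync channel itself. The PowerShell below is an added example, not from the thread, that reports the state of the services involved, re-enables one that is merely disabled, pulls the critical/error/warning events from the `DeviceManagement-Enterprise-Diagnostics-Provider` Admin log the poster used, and triggers a sync. Inclusion of `DiagTrack` and `DmEnrollmentSvc` in the check is an assumption that the same hardening scripts touch them; the `PushLaunch` task name used for the sync trigger is also an assumption and may differ between builds.

```powershell
# Added example (not from the thread): verify the Windows services MDM enrollment and sync depend on,
# and pull recent errors from the DeviceManagement-Enterprise-Diagnostics-Provider log. Run elevated.

# dmwappushservice is the service the thread identified as required; the other two are assumed to be
# hit by the same "disable telemetry" scripts and are reported for completeness.
$required = [ordered]@{
    dmwappushservice = 'Device Management WAP Push message Routing Service (MDM push / sync triggers)'
    DiagTrack        = 'Connected User Experiences and Telemetry'
    DmEnrollmentSvc  = 'Device Management Enrollment Service'
}

function Get-MdmServiceState {
    foreach ($name in $required.Keys) {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Purpose   = $required[$name]
            Status    = $(if ($s) { $s.Status }    else { 'MISSING (service definition deleted)' })
            StartType = $(if ($s) { $s.StartType } else { 'n/a' })
        }
    }
}

# Only a disabled service can be fixed here. A deleted service (the case in the reply above) needs its
# definition restored from a healthy image or a repair install; this function reports it and stops.
function Enable-MdmService {
    param([Parameter(Mandatory)][string]$Name)
    $s = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $s) { Write-Warning "$Name is missing on this machine; restore it from a healthy image"; return }
    if ($s.StartType -eq 'Disabled') { Set-Service -Name $Name -StartupType Automatic }
    if ($s.Status -ne 'Running')     { Start-Service -Name $Name }
}

# Critical (1), error (2) and warning (3) events from the enrollment/sync log, newest first.
function Get-MdmDiagnosticEvents {
    param([int]$Hours = 24, [int]$Max = 25)
    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 1, 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-MdmServiceState | Format-Table -AutoSize -Wrap
Enable-MdmService -Name dmwappushservice
Get-MdmDiagnosticEvents | Format-Table -AutoSize -Wrap

# Trigger an MDM sync now rather than waiting for the schedule. PushLaunch (name assumed) lives in the
# per-enrollment folder under EnterpriseMgmt; nothing happens if the device is not enrolled yet.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -TaskName PushLaunch -ErrorAction SilentlyContinue |
    Start-ScheduledTask
```

Run it once before and once after restoring the service: the event list should change from repeated enrollment or sync failures to a clean run, and the device's management agent and compliance state in the Intune console follow on the next check-in.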