CA not recognizing hybrid device

Running CA with the following settings:

Cloud apps: Office 365
Conditions: any device
Location: any
Client apps: mobile apps/desktop clients

Grant access:
Require device to be compliant
or
Require hybrid Azure AD joined device.

The policy works just fine on Win 10 workstations (hybrid joined).
However, on RDS 2016, I can SSO into OneDrive only.
Office 365 apps (Word, Excel) do not work. I have to manually sign in.

If I check the logs under

Basic info:
Device is not in required device state: {state}. Conditional Access policy requires a compliant device, and the device is not compliant.

Device info:
Device ID: BLANK
Browser: Rich Client v3.4.1.35249
Join type: BLANK

The RDS server is hybrid joined, no errors, user has PRT.
I tried leaving and joining again, but no good.

If I turn off CA, shared activation and SSO work just fine, nothing for the end user to do.

Thank you!

Labels: Access Management, Azure AD, Identity Management, Office 365

Re: CA not recognizing hybrid device

@KleoNunket can you filter out the RDS server from the CA policy?

You might be able to filter it out based on its device ID using the "Filters for Devices (preview)" condition.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices

If it's working with the CA policy off, you can just exclude it from the policy as a workaround.

As for the non-compliance status in Intune for RDS, I'm wondering if Windows Server OSes are supported here. Perhaps only the Windows client OSes are supported.

However, if you go into Intune to the compliance policy, it should show why that device is failing compliance. Might give you a clue where to look. Go to the Device in Intune and then select Device Compliance.

Re: CA not recognizing hybrid device

@AntR07

Hi,

I can filter it via that solution, but it still doesn't work because 365 apps are not reporting DEVICE ID, it's just blank...
No, the non-compliance is for Intune devices, server can't be joined.
There's a way to make it compliant without enrolling it, more "tricking" Azure to think it's compliant, but it still acts the same.

This part should be different, and because it's empty, it's not working. Really weird issue, see example how it is when accessing via OneDrive:

Device info: should say name of RDS
Device ID: ID of device
Browser: Rich Client v3.4.1.35249
Join type: Hybrid Azure
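
An added example, not part of any post in this thread: it separates Conditional Access failures where the client presented no device identity (the blank Device ID and Join type reported above) from failures where a device was identified but did not meet the grant control, and lists which other apps for the same user did present a device identity. The records are constructed, the field names are assumed to follow the shape of a Microsoft Graph signIn export, and `classify_ca_failures` is a hypothetical helper name.

```python
from collections import defaultdict

# Constructed sample records (not from the thread), shaped like entries of a
# Microsoft Graph signIn export; only the fields used below are present.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "user1@example.com", "appDisplayName": "OneDrive",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "00000000-0000-0000-0000-0000000000aa",
                      "displayName": "RDS01", "trustType": "Hybrid Azure AD joined"}},
    {"userPrincipalName": "user1@example.com", "appDisplayName": "Microsoft Office",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "", "displayName": "", "trustType": ""}},
    {"userPrincipalName": "user2@example.com", "appDisplayName": "Microsoft Office",
     "conditionalAccessStatus": "failure",
     "deviceDetail": {"deviceId": "00000000-0000-0000-0000-0000000000bb",
                      "displayName": "LAPTOP7", "trustType": "Azure AD registered"}},
]


def classify_ca_failures(signins):
    """Label each CA failure as 'no_device_identity' or 'device_state' and, for
    the former, list the user's other apps that did present a device identity."""
    identified = defaultdict(set)  # user -> apps whose sign-ins carried a device ID
    failures = []
    for rec in signins:
        dev = rec.get("deviceDetail") or {}
        user, app = rec["userPrincipalName"], rec["appDisplayName"]
        if dev.get("deviceId"):
            identified[user].add(app)
        if rec.get("conditionalAccessStatus") == "failure":
            failures.append((user, app, dev))
    findings = []
    for user, app, dev in failures:
        if dev.get("deviceId"):
            # Device identity was sent: look at compliance / join state next.
            kind, seen = "device_state", []
        else:
            # No device ID in the sign-in: a filter keyed on the device ID has
            # nothing to compare against, as the follow-up post reports.
            kind = "no_device_identity"
            seen = sorted(a for a in identified[user] if a != app)
        findings.append({"user": user, "app": app, "kind": kind,
                         "apps_with_device_identity": seen})
    return findings


if __name__ == "__main__":
    for finding in classify_ca_failures(SAMPLE_SIGNINS):
        print(finding)
```

A `no_device_identity` finding with a non-empty `apps_with_device_identity` list matches the pattern in the thread: the host is identified for one client but not for another, which points at the client's sign-in path rather than at the device's registration or compliance record.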