- last edited on
I have enrolled a new Surface Hub 2S into AAD but all my device config profiles like distributing the Trusted root certs, SCEP certificate is shows as "Pending". All my previous Surface Hub were on Prem and they just worked fine. But I am unable to get these new surface hubs on cloud only which shows up as 'non compliant' and 'Not Evaluated' status. Any idea what could have possibly gone wrong here?
Apparently, I have started this conversation in the wrong group. Can this be moved to the Surface Hub group please?
10-23-2019 04:29 AM
10-24-2019 01:43 AM
For the Surface Hub to be compliant, it will need to be joined to Azure AD when MDM autoenrollment is enabled on the tenant. Check the hyperlinks here and note that if this was not set up, you will need to reset the devices and join them again to AAD after you enabled autoenrollment.
10-25-2019 02:22 AM
We have autoenrollment enabled in Intune and we have lot of Win 10 clients getting enrolled without any issues. This issue is specific only to Surface Hub 2S devices.
10-25-2019 02:27 AM
Officially Conditional Access is no longer supported on the Surface Hub due to the OS version running on it (RS2).
I know from experience that this should work (limited) as long as the process I mentioned is followed. Can you check the scope of MAM to confirm that the Surface Hubs are also autoenrolled? If so, please open a case to investigate further
10-29-2019 06:01 AM
@neeldaya Hi, I just set one up and it enrolled without any issues. I created a local account, then enrolled using a room mailbox with a meeting room license. What kind of license did you give the account?
The only odd issue I had is that the hub was showing twice when I created an AAD group for assignment - I had to add both in before it got the profile. Now only one device is listed.
11-04-2019 03:18 AM
@CloudHal Thank you for your response.
The device gets enrolled into AAD but until any configuration profiles that I have created like my Trusted Root CAs, User and device SCEP certificates are not getting deployed.
-Created an on prem device account with E5 license assigned. Followed all the steps provided here https://docs.microsoft.com/en-us/surface-hub/surface-hub-2s-onprem-powershell.
-Created a user group in Intune and added this device account into it.
-Assigned my config profiles(Root CA and SCEP certificates) to this user group.
-During First Time setup I selected AAD for configuration.
-The devices gets enrolled in AAD and I have created a dynamic device group in intune for Surface Hub 2S device model to which this new device gets into.
-Now if I check the status of these device configuration profiles then all of them show up as "Pending"
-On the device I click on Skype then there is just a rotating ball and no sign in happens.
12-11-2019 05:00 PM
We have seen similar issues with devices, we have tried a few things and notice that if you apply the policies to the device instead of user the policies apply.
However we have had issues with the Teams Mode policy when we do that... it applies but then shortly after the device seems to revert back to original settings on the device... and we cant get the setting to reapply either via Intune or a Provisioning Package.
Have you had any further luck with User assigned policies against the Hubs?
12-12-2019 07:17 AM
12-12-2019 07:17 AM