Jul 05 2023 01:49 AM - edited Jul 05 2023 01:55 AM
Hi,
we have ~150 devices that are on-premise domain joined and Azure AD registered through the Access work or school option.
We would like to lift those devices to a hybrid AAD join and also enroll them in intune.
I set up a SCP GPO and the MDM enroll GPO and tested with a few devices.
If the device is only domain joined and the computer is not yet synced through Azure Connect: As soon as I put the computer in an AAD-synced OU and deploy the GPOs, everything goes smoothly into hybrid AAD join + compliant Intune MDM enroll.
However, if the device is already AD registered, it switches to hybrid join but the MDM enroll does not work. dsregcmd /status shows "WillNotProvision" but with no error message.
Event log shows a lot of warnings that Windows Hello for Business could not be started. Also it says Precheck for automatic deployment completed, device is already joined.
Is there any other way I can debug this? Is there a way to reset the mdm enroll?
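As an added example (not part of the original post), the script below parses `dsregcmd /status` output into a lookup table so the join state, the leftover workplace registration, the MDM URL and the Windows Hello prerequisite result can be read side by side, and on a Windows device it also pulls the latest MDM enrollment diagnostic events. The sample output embedded in it is constructed, not captured from a real machine; the log name used for the live query is the standard MDM enrollment diagnostics log.

```powershell
# Added diagnostic example; not from the original post or from Microsoft.
# Turn the "Key : Value" rows of dsregcmd /status into a hashtable.
# Section headers (+---+ / | Device State |) contain no colon and are skipped.
function ConvertFrom-DsregcmdStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Lazy key match so values containing ':' (e.g. URLs) are kept whole.
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

# Summarise the fields that matter for a hybrid join + MDM enrollment check.
function Get-JoinSummary {
    param([hashtable]$State)
    $azure  = $State['AzureAdJoined']   -eq 'YES'
    $domain = $State['DomainJoined']    -eq 'YES'
    $kind = if ($azure -and $domain) { 'Hybrid Azure AD joined' }
            elseif ($azure)          { 'Azure AD joined' }
            elseif ($domain)         { 'Domain joined only' }
            else                     { 'Not joined' }
    [pscustomobject]@{
        JoinType        = $kind
        WorkplaceJoined = $State['WorkplaceJoined']   # old "Access work or school" registration
        MdmUrl          = $State['MdmUrl']            # empty when no MDM enrollment is present
        NgcPreReqResult = $State['PreReqResult']      # Windows Hello for Business prerequisite check
    }
}

# Constructed sample (not real device output) so the script runs offline.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
           WorkplaceJoined : YES
                    MdmUrl :
              PreReqResult : WillNotProvision
'@ -split "`r?`n"

Get-JoinSummary (ConvertFrom-DsregcmdStatus $sample) | Format-List

# On a Windows device, read the live state and the last MDM enrollment events.
if ($env:OS -eq 'Windows_NT') {
    Get-JoinSummary (ConvertFrom-DsregcmdStatus (dsregcmd /status)) | Format-List
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}
```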