Jul 27 2021 06:12 AM
We just recently started moving our environment into Intune for a ~2500+ device deployment for teachers/admin/students. We have a Hybrid AD Domain Join step that starts it and joins it to our on-premises AD. We have AD sync / Azure Connect going where it syncs with on-prem.
Our goal is to have the users turn a computer on, log in through OOBE, and as immediately as possible have OneDrive / all O365 apps linked up and, most importantly, have it automatically sync the known folders (Documents/Pictures/Videos/etc.) to the OneDrive location.
The Hybrid AD Domain Join step works like a charm. Then the user logs in and, after it loads the profile, it gives the "Select here to fix your credentials. Or, go to Settings > Accounts > Access work or school settings, and select Sign in again to fix your work or school account." message.
If I reboot the computer, sometimes this goes away completely. Sometimes it takes 2-3 reboots. If the user clicks it and logs in, usually OneDrive will then kick in via the configuration profile we have set up to 1) log in / start syncing OneDrive and 2) silently redirect folders to OneDrive locations. Unfortunately, neither of these work immediately... some take 3-4 reboots.
In our on-premises group policy, we have the Intune Device Enrollment group policy applied to "Enable automatic MDM enrollment using default Azure AD credentials". The option for "Select Credential Type to Use" is set to "User Credential", not "Device Credential".
I don't have anything in the MDM Application ID. I'm guessing this is correct?
I'm grasping at straws to get this as seamless as possible, so any help to get this streamlined would be greatly appreciated.
Is there anything I'm missing? I feel like this is something that should be an easy fix that I'm just overlooking.
Thank you!
Jul 27 2021 09:25 AM - edited Jul 27 2021 09:26 AM
Hi,
When looking at your question, it looks like you are enrolling existing devices?
Just a few questions:
* Did you monitor what happens at each step/reboot using dsregcmd /status?
* Were the devices already registered? (existing devices --> Teams --> allow to manage this device)
* Before enrolling, did you check out this reg setting for already existing enrollments:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments
* Did you configure:
Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration.
* Maybe configure the SCP with a GPO yourself?
* Maybe configure the mdmwinsovergpo scp setting to make sure MDM policies win.
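As an added illustration of the two checks suggested above (this is example code written for this thread, not something posted by either participant or shipped by Microsoft), the following PowerShell snapshot can be run in an elevated prompt after each reboot and its output compared across reboots. It pulls the key fields out of `dsregcmd /status` (AzureAdJoined, DomainJoined, AzureAdPrt and so on) and lists every enrollment GUID under HKLM\SOFTWARE\Microsoft\Enrollments. The registry value names ProviderID, EnrollmentType, EnrollmentState and UPN are assumed to be present under each GUID key; if a given enrollment lacks one, the column simply shows blank.

```powershell
# Added diagnostic script (example for this thread, not from the original posters).
# Run elevated on the device being enrolled; rerun after each reboot and compare.
# Assumption: each GUID key under HKLM\SOFTWARE\Microsoft\Enrollments carries
# ProviderID, EnrollmentType, EnrollmentState and UPN values.

function Get-DsregState {
    # Capture dsregcmd output as one string and pull the fields that matter
    # for a hybrid join: device join state and whether a PRT was obtained.
    $raw = & dsregcmd.exe /status 2>&1 | Out-String
    $fields = 'AzureAdJoined', 'EnterpriseJoined', 'DomainJoined',
              'AzureAdPrt', 'WamDefaultSet', 'MdmUrl'
    $state = [ordered]@{}
    foreach ($name in $fields) {
        # Lines look like "   AzureAdJoined : YES"; match one per field.
        if ($raw -match "(?m)^\s*$name\s*:\s*(.+?)\s*$") {
            $state[$name] = $Matches[1]
        } else {
            $state[$name] = '<not reported>'
        }
    }
    [pscustomobject]$state
}

function Get-ExistingEnrollments {
    # Enumerate only GUID-named subkeys; the other subkeys under Enrollments
    # (Status, Ownership, ...) are not individual enrollments.
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                EnrollmentId    = $_.PSChildName
                ProviderID      = $p.ProviderID
                EnrollmentType  = $p.EnrollmentType
                EnrollmentState = $p.EnrollmentState
                UPN             = $p.UPN
            }
        }
}

function Write-EnrollmentSnapshot {
    param(
        # Optional log file so snapshots from successive reboots can be diffed.
        [string]$LogPath
    )
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $lines = @()
    $lines += "=== $stamp : dsregcmd /status summary ==="
    $lines += (Get-DsregState | Format-List | Out-String).TrimEnd()
    $lines += "=== Existing MDM enrollments under HKLM\SOFTWARE\Microsoft\Enrollments ==="
    $enrollments = @(Get-ExistingEnrollments)
    if ($enrollments.Count -eq 0) {
        $lines += 'No enrollment GUID keys found.'
    } else {
        $lines += ($enrollments | Format-Table -AutoSize | Out-String).TrimEnd()
    }
    $lines | ForEach-Object { Write-Output $_ }
    if ($LogPath) { $lines | Out-File -FilePath $LogPath -Append -Encoding utf8 }
}

# Usage: print to the console and append to a log for the next comparison.
Write-EnrollmentSnapshot -LogPath "$env:ProgramData\enrollment-snapshots.log"
```

When reading the output, the join fields tell you whether the hybrid join itself completed on that boot, and a stale GUID entry that predates the Intune rollout is the kind of leftover the reply above suggests checking for before enrolling.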
Jul 27 2021 10:02 AM
Jul 27 2021 10:13 AM