SOLVED

Hybrid AAD devices have stopped auto-enrolling with Intune

We have been using a Hybrid AAD scenario for a few years, and then a couple of years ago we began using Intune. Everything has been working, but in the last month or so we noticed systems were not enrolling in Intune. They are appearing in AAD. Checked that MDM was still enabled in AAD, Group Policy is still in place, CNAME entries are still valid. We are at a loss and manually enrolling does not appear to be working well either. Devices already in Intune are taking policy and working correctly.

The only change anyone can think of is the Azure AD Connect sync service had to be rebuilt a while back, and that possibly there is something in the Azure AD Connect set configuration that was missed. However, the Hybrid connector is still there, and I am not seeing anything related to MDM configuration in the Azure AD Connect configuration.

Anyone have any ideas of what can be checked?

Thank you

3 Replies
Are the devices successfully Entra ID hybrid joined? Have you checked the user registration event log and/or run the dsregcmd status/debug mode to see where the process is failing?
They are joining Entra with no issues. We can find all of them. Checked the enrollment errors in Intune but it is not showing any except for those we expect from BYOD devices we are blocking. What am I looking for in the DSREG output? I am seeing that it is AzureADJoined, and it shows the MDM URL.
best response confirmed by CSCTool (Copper Contributor)
Solution

Found a response on another forum about Group Policy needing to be replaced with the same rule, just rebuilt. Our Group Policy had always been User Credential, but to test I switched to Device Credential and then any machine that was rebound to the domain would then go through the full process of joining Entra ID and then eventually Intune. Am going to experiment with a separate GPO that goes back to User Credentials but is all new and see if that works. No idea why a GPO would suddenly stop working that is so basic, but it appears that "refreshing" it solves the issue.
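
For the question in this thread about what to look for in the dsregcmd output, and for confirming that the auto-enrollment GPO from the solution has actually applied, a triage script along these lines can be run on an affected device. It is an added example, not part of the original thread; the registry path, scheduled task folder and event IDs 75/76 are assumed to be the standard Windows locations and do not come from the posts above.

```powershell
# Added example: run in an elevated PowerShell session on an affected device.

function Get-DsregField {
    param([string[]]$Status, [string]$Name)
    # dsregcmd /status prints "Name : Value" lines; return the first matching value.
    foreach ($line in $Status) {
        if ($line -match "^\s*$([regex]::Escape($Name))\s*:\s*(.*)$") { return $Matches[1].Trim() }
    }
}

$status = dsregcmd /status
$report = [ordered]@{
    AzureAdJoined = Get-DsregField $status 'AzureAdJoined'
    DomainJoined  = Get-DsregField $status 'DomainJoined'
    AzureAdPrt    = Get-DsregField $status 'AzureAdPrt'   # only listed when run as a signed-in user
    MdmUrl        = Get-DsregField $status 'MdmUrl'
}

# Registry values written by the MDM auto-enrollment GPO (assumed standard location).
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
$report.AutoEnrollMDM  = if ($policy) { $policy.AutoEnrollMDM } else { 'policy key missing' }
$report.CredentialType = switch ($policy.UseAADCredentialType) {
    1       { 'User Credential' }
    2       { 'Device Credential' }
    default { 'not set' }
}

# The enrollment client registers a scheduled task once the policy has applied.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
    Where-Object TaskName -like '*enrolling in MDM*'
$report.EnrollmentTask = if ($task) { "$($task.State)" } else { 'not found' }

[pscustomobject]$report | Format-List

# Event 75 = auto-enrollment succeeded, 76 = failed (the message carries the error code).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Id      = 75, 76
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

A device that shows AzureAdJoined and an MdmUrl but has a missing policy key or no enrollment task has not received the GPO, which matches the symptom resolved here by rebuilding the policy.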