Forum Discussion

Ion Zubia's avatar
Ion Zubia
Brass Contributor
Nov 13, 2019

Hybrid Azure AD join devices MDM set to "none"?

Good afternoon,   We have recently upgraded all of our servers and as part of that I'm re-configuring Azure AD Connect for the hybrid environment.   Users are syncing properly. Devices, however, ...
Conditional Access
Intune
mobile device management (mdm)
Ion Zubia's avatar
Ion Zubia
Brass Contributor
Jan 31, 2020

Thanks for that Christian_Hemken

 

I wasn't aware of this being logged by Window's events. There are some error logs stating "Error validating credentials due to invalid username or password" , there's also a request error log with a link that leads to this:

Further more, there's a 3rd type of error:

"Error description: AADSTS50126: Error validating credentials due to invalid username or password"

 

Quite a clear error,  we do not use password hash sync and as far as I understand it isn't required with the way we are trying to auto-enroll the devices. But could that be the source of this error? I thought that since on prem accounts are synced to Azure AD's with Azure AD connect, it would have access to the right credentials.

 

Manual enrollment with company portal works, but of course then a local admin account is required.

Moe_Kinani's avatar
Moe_Kinani
Bronze Contributor
Jan 31, 2020
Do you get this error when you try to manual enroll it from Access or work school Acounds-> Enroll in Device management?

If yes, could you insert the reg below and give it another try?

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"DisableADALatopWAMOverride"=dword:00000001

Moe
  • mlister's avatar
    mlister
    Copper Contributor
    Feb 10, 2021

    Nilesh_M_Patel 

     

    you can delete both machines in azure ad because the aad connect will sync them again. Users can register machines in azure ad 

    https://www.youtube.com/watch?v=WhywVF8tqfs&t=131s is worth a watch to explain how to prevent them from registering through modern apps then only hybrid joined machines will be there.

  • Nilesh_M_Patel's avatar
    Nilesh_M_Patel
    Copper Contributor
    Feb 10, 2021

    Pa_D 

     

    No SCCM and no Federation.  I would my issue set my MAM to None and it apparently worked.

    Why not sure but now I have duplicate one being Azure Hybrid and other Azure registered so need to remove one of them now.. 

     

    Not sure how to do that but will get there.

     

  • Pa_D's avatar
    Pa_D
    Brass Contributor
    Feb 10, 2021

    Nilesh_M_Patel 

    1) Does the PC have SCCM client on it?

    2) Do you have the domain federated, if so what is federation provider?

  • mlister's avatar
    mlister
    Copper Contributor
    Feb 10, 2021
    Are you using sccm as well in your environment?
  • Nilesh_M_Patel's avatar
    Nilesh_M_Patel
    Copper Contributor
    Feb 09, 2021

    mlister 

    I am having the same issue with Intune.  Can see as hybrid-joined.

    But no Intune.  setup GPO.. but not sure what is missing.

     

    Nilesh

  • mlister's avatar
    mlister
    Copper Contributor
    Sep 04, 2020

    Moe_Kinani 

    Did you find an answer to this one? It works fine in my lab but in our environment we have just reconfigured AAD Connect and the machines are appearing in Azure AD as Hybrid.

    We are also seeing duplicate machines where they were AD Registered beforehand by the user, but the version of Windows we are on i've read will resolve the duplicate ID issue. 

     

    Mine just aren't enrolling in to intune at the moment and i'm not sure why.