Intune Management Extension not installing

Just stumbling across this issue now after manually enrolling 50 or so devices and not realizing that PowerShell will not work on these devices.  Will using the local security policy editor "gpedit.msc" to set this attribute work for 100% remote devices?  I'll be trying this on a few but for the sake of time per device, it'd be nice to be able to disjoin from Work or School and then just set this bit and leave.

Computer Configuration > Administrative Templates > Windows Components > MDM

Microsoft also has provisions in the portal to change a device from "Personal" to "Corporate" owned... why would they not flip that device to Hybrid Joined then instead of making admins jump on all these machines physically... makes no sense.

AlexanderKarls 

Well, the conclusion is that it's simply not supported for devices that are "manually" joined to Intune, e.g. when using add/remove account or the company portal.

You need to use Windows Autopilot or Azure AD join during setup, or setup Hybrid environment (syncing computers) and rolling out Intune using GPO.

WalterPrem: Did you ever solved this? I got exactly the same problem 😞 

Oliver Kieselbach 

So today, surprisingly, I got the Intune Management Extension working on a WorkplaceJoined PC by removing the work account, and then choosing Enroll only in device management instead (almost hidden on the right...).

For some reason, MDMdiag XML now reports MDMFull instead of MDMFullWithAAD, and to my surprise, after installing the IME, I'm receiving powershell scripts.

Again I have a lot of trouble finding documentation on the difference between the above, and why it's working if I use the Enroll only button rather than the CONNECT button.

The problem is still that, all our devices are joined to Intune with the CONNECT button either via the add school/work account menu or via the company portal.

This means I would still need to un-enroll and re-enroll all our "WorkplaceJoined" devices.

Maybe you know of a way to get "MDMFullWithAAD" devices to be "MDMFull"?

Oliver Kieselbach 

Thanks Oliver,

Yes, the confusion also comes from me thinking that "hybrid Azure AD domain joined" simply means being in a hybrid situation. Since, if you add a local-AD machine to Intune, it's also added to Azure AD and becomes Hybrid. We have AD connect set up (for password sync) and when people login to Outlook, the devices shows in Azure AD devices (even before add school/work account).

The other confusing part is that I would think MAM exists for BYOD scenarios (instead of WPJ), and I can use MDM if I decide to use all intune features on every devices I have (including local AD joined laptops). From my end, the devices don't look WPJ at all. They show as fully managed by intune MDM.

I will go over the hybrid AD join methods you linked and see if this can fix our issues. 
I still believe it would be beneficial for all if every MDM intune (not MAM) would support the IME.
Thanks for you time.

Okay your issue is that you have technically a WorkPlace Joined (WPJ) device and not hybrid AADJ. Because of the use of manually add work/school acount the device is treated as WPJ. The WPJ scenario is not supported by MS for the Intune Management Extension (IME) and I'm not sure it will in near future. As WPJ is more targeted to BYOD and MS don't want to mess with BYOD devices by installing agents on personal devices.

To make the agent work you would need to WPJ un-enroll them and hybrid AADJ them via:

How To: Plan your hybrid Azure Active Directory join implementation
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

I'm sorry if this introduces efforts on your side.

The documentation is telling the fact only implicit by not telling that the IME is supported on WPJ devices:

The Intune management extension supports Azure AD joined, hybrid Azure AD domain joined, and co-managed enrolled Windows devices.

This is a bit confusing.

best,

Oliver

WalterPrem Oliver Kieselbach 

I had Azure AD joined device and autenrolled in Intune. Management extension was installed properly. I retire the device from Intune ( WIndows 10 1809) and device get disconnected from Azure AD (from documentation this should not happen)

I logged on with local admin and joined the device again to Azure AD.  Device is enrolled in Intune but management extension is not installed. I tried to deploy one script but nothing happen, management extension is not installed. Did some of you had similar scenario? 

Oliver Kieselbach 

Well, the update you mentioned is now under "What's new" for this week:

"You can assign your Win32 apps to be installed on Intune enrolled Azure AD joined devices."

At the same time, win32 apps are no longer in preview (coincidence..?).

Unfortunately, my hybrid AD, add work/school joined device, still doesn't receive the intune management extention. I tried removing them from intune and re-enrolling. I re-added them to the software distribution group. Regular apps get installed, but the win32 hangs on "waiting for install status". The Win32 apps don't appear in portal on the client, and the Intune management extension doesn't get installed.

I'm guessing that - unfortunately - this only applies to Azure AD joined machines who are not yet enrolled into Intune.

I hope the same will be done for Hybrid machines; Hybrid is listed as supported by Microsoft, and I don't see why it would matter whether a device is hybrid or azure joined, when both use the same method to enroll.

If you could pass this feedback in any way that would be great.

Thanks,

Walter

Oliver Kieselbach 

Well, the update you mentioned is now under "What's new" for this week:

https://docs.microsoft.com/en-us/intune/whats-new

"You can assign your Win32 apps to be installed on Intune enrolled Azure AD joined devices."

At the same time, win32 apps are no longer in preview (coincidence..?).

Unfortunately, my hybrid AD,  add work/school joined device, still doesn't receive the intune management extention. I tried removing them from intune and re-enrolling. I re-added them to the software distribution group. Regular apps get installed, but the win32 hangs on "waiting for install status". The Win32 apps don't appear in portal on the client, and the Intune management extension doesn't get installed.

I'm guessing that - unfortunately - this only applies to Azure AD joined machines who are not yet enrolled into Intune.

I hope the same will be done for Hybrid machines; Hybrid is listed as supported by Microsoft, and I don't see why it would matter whether a device is hybrid or azure joined, when both use the same method to enroll.

If you could pass this feedback in any way that would be great.

Thanks,

Walter

Oliver Kieselbach 

Oliver Kieselbach 

Well, the update you mentioned is now under "What's new" for last week:

https://docs.microsoft.com/en-us/intune/whats-new

"You can assign your Win32 apps to be installed on Intune enrolled Azure AD joined devices."

At the same time, win32 apps are no longer in preview (coincidence..?).

Unfortunately, my hybrid AD,  add work/school joined device, still doesn't receive the intune management extention. I tried removing them from intune and re-enrolling. I re-added them to the software distribution group. Regular apps get installed, but the win32 hangs on "waiting for install status". The Win32 apps don't appear in portal on the client, and the Intune management extension doesn't get installed.

I'm guessing that - unfortunately - this only applies to Azure AD joined machines who are not yet enrolled into Intune.

I hope the same will be done for Hybrid machines; Hybrid is listed as supported by Microsoft, and I don't see why it would matter whether a device is hybrid or azure joined, when both use the same method to enroll.

If you could pass this feedback in any way that would be great.

Thanks,

Walter