Microsoft Tech Community

Issues with AAD Registered endpoint when switching to AAD Joined, Solved but never reached Intune


Hello community,


I am having an issue with a device that used to belong to an AD, but the department split and now that sector has a full cloud environment on AAD (a completely dedicated, different tenant). The plan is to enroll the devices to Intune and later on to Defender 365.

While trying to enroll the first one, we came across an issue (error 80180026) in which the former AD connection prevents the "Join to AAD" option from being displayed, even when you delete the device from AAD and disconnect it from the endpoint in question.


The solution is to log in with a local account, disconnect from the former AD and then connect to AAD through Settings / Connect work or school account.

So far everything works fine, until you input the UPN and it throws an error that you can solve by disabling auto enrollment from the Intune enrollment settings. So we did, and we could successfully enroll the device as AAD Joined... only the device never showed up in Intune.


Here's the workaround:

[Image: OpsecGuy_4-1659021020631.png]

According to the picture above, it is still part of the error 80180026.


So the question is: is it okay to disable auto enrollment? My main concern (aside from the device not showing up at all) is the fact that the info says it is used for scenarios such as BYOD... so... is the cure the disease? Maybe I am getting something wrong here; the info does tend to be confusing sometimes.


The info:

[Image: OpsecGuy_5-1659021047708.png]

By default, these options show like this:

[Image: OpsecGuy_6-1659021064777.png]

And according to the above workaround we set it to this:

[Image: OpsecGuy_7-1659021082731.png]

NOTICE: That is not the actual tenant, it is used for reference purposes only.


Thank you very much!!

3 Replies
If you set the MDM scope to NONE, no Windows device will be able to auto-enroll. You covered that part fine 🙂
That means you can join AAD without it automatically getting enrolled.
What is your goal?
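As an added example (not part of this thread, and not Microsoft's own tooling): a PowerShell snippet that parses the output of `dsregcmd /status` and reports whether a device is in the state the reply describes, Azure AD joined but never MDM-enrolled. The sample status text is constructed to mirror this case; on a real device you would feed it the live command output instead.

```powershell
# Added example: classify a device's join/MDM state from `dsregcmd /status` text.
# The block below is CONSTRUCTED sample output (only the relevant fields are shown).
$SampleStatus = @"
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso (constructed)
                    MdmUrl :
                 MdmTouUrl :
          MdmComplianceUrl :
"@

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string]$Text)
    $fields = @{}
    foreach ($line in $Text -split "`r?`n") {
        # Only "Key : Value" lines carry data; the box-drawing lines are skipped.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-EnrollmentAssessment {
    param([Parameter(Mandatory)][hashtable]$Fields)
    $aadJoined    = $Fields['AzureAdJoined'] -eq 'YES'
    $domainJoined = $Fields['DomainJoined']  -eq 'YES'
    # An empty MdmUrl is consistent with no MDM enrollment having taken place.
    $hasMdm       = -not [string]::IsNullOrWhiteSpace($Fields['MdmUrl'])

    if ($domainJoined)  { return 'Still domain joined: disconnect from the on-prem AD before joining Azure AD.' }
    if (-not $aadJoined) { return 'Not Azure AD joined.' }
    if (-not $hasMdm)   { return 'Azure AD joined but no MDM URL: auto-enrollment did not run; check the MDM user scope (None/Some/All) and the assigned group.' }
    return 'Azure AD joined and MDM enrolled.'
}

# Offline run against the constructed sample. On a real device use:
#   Get-EnrollmentAssessment (ConvertFrom-DsregStatus (dsregcmd /status | Out-String))
Get-EnrollmentAssessment (ConvertFrom-DsregStatus $SampleStatus)
```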

@MMelkersen_MVP, oh I get it! Well, my goal was actually to get the device enrolled. So according to what you say, I should be able to see "Enroll only as device management" from the user's account settings, right?


Thanks!

To be sure I understand the question: so the devices were already enrolled into AAD but not in Intune because the MDM scope was configured to Some instead of All (I assume those users weren't part of that "Some" group)?
And now you want to enroll them into Intune? So you need to change the MDM scope so users can now enroll the device automatically in Intune... but that doesn't happen automatically? Or did I misread the question a bit 😉?