Issues with MDM enrollment of AAD joined devices

We have Windows 10 devices already AAD joined prior to configuring Intune.

When enrolling those devices into MDM, we get the following issues in MEM:

  • Discovered apps: No installed applications found on this device
  • BitLocker recovery keys: No BitLocker recovery key found for this device
  • While the devices have an Autopilot policy assigned, Autopilot reset is greyed out

Registering a new device to the tenant works as expected, without the above issues.

How do we get our AAD joined devices to play along nicely with Intune MDM?

2 Replies

@roelheymans I think the best practice will be to enable the same user group to be able to join devices to Azure AD and also enroll them into Intune...

I am not sure how you have done the setup: is everyone allowed to join their devices to Azure AD, and then what is the enrollment rule...

What I have done to make it easy is create a static security group where I manually add users when they come on board... the same group is allowed on Azure so that only this group can join devices to Azure, and in the Intune enrollment section the same group is allowed to enroll the devices into Intune...

So this way, once someone clicks on Add the device to Azure Active Directory, in the same process the device is joined to Azure AD and then enrolled into Intune...

Please let me know if you have anything else specific....

That is indeed the way we have set it up and it works for new devices.

However, devices already AAD joined before MDM was configured end up partially configured with no apparent way to correct it.
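Added example, not from any of the posts in this thread: a PowerShell check that reports, per device, whether it is Azure AD joined and whether it actually holds an Intune MDM enrollment, which is how the "joined before Intune was configured" devices described above can be told apart from ones that enrolled in the same process as the join. It assumes `dsregcmd /status` prints `AzureAdJoined : YES|NO` and `MdmUrl : ...`, and that Intune enrollments appear as `HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>` keys with `ProviderID` set to `MS DM Server`.

```powershell
# Added example (not from this thread). Assumptions: dsregcmd /status prints
# "AzureAdJoined : YES|NO" and "MdmUrl : ...", and Intune enrollments live under
# HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID = "MS DM Server".
# Run from an elevated PowerShell session on the Windows 10 device.

function Get-DsregValue {
    param([string[]]$Lines, [string]$Name)
    # Pull "Name : value" out of dsregcmd output; $null when the field is blank.
    $pattern = '^\s*{0}\s*:\s*(\S.*?)\s*$' -f [regex]::Escape($Name)
    $hit = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { $null }
}

function Get-IntuneEnrollment {
    # One object per enrollment key whose provider is Intune (MS DM Server).
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props.ProviderID -eq 'MS DM Server') {
            [pscustomobject]@{
                EnrollmentId   = $_.PSChildName
                UPN            = $props.UPN
                EnrollmentType = $props.EnrollmentType
            }
        }
    }
}

function Test-IntuneEnrollmentState {
    $lines       = dsregcmd /status
    $aadJoined   = (Get-DsregValue -Lines $lines -Name 'AzureAdJoined') -eq 'YES'
    $mdmUrl      = Get-DsregValue -Lines $lines -Name 'MdmUrl'
    $enrollments = @(Get-IntuneEnrollment)
    # Assumption: a device joined before MDM auto-enrollment existed shows
    # AzureAdJoined = YES with no MdmUrl and no Intune enrollment key.
    $state = if (-not $aadJoined)              { 'NotAzureAdJoined' }
             elseif ($enrollments.Count -gt 0) { 'AzureAdJoinedAndIntuneEnrolled' }
             elseif ($mdmUrl)                  { 'AzureAdJoinedMdmDiscoveredNotEnrolled' }
             else                              { 'AzureAdJoinedNoMdmEnrollment' }
    [pscustomobject]@{
        AzureAdJoined     = $aadJoined
        MdmUrl            = $mdmUrl
        IntuneEnrollments = $enrollments.Count
        State             = $state
    }
}

Test-IntuneEnrollmentState | Format-List
```

Devices reporting `AzureAdJoinedNoMdmEnrollment` are the ones that show up in MEM with the partial state described in the question; running the check across the fleet gives the list to work through.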