Mar 01 2021 04:48 AM
Hello,
Project: Configure Auto-Pilot Hybrid Join for new users and laptops (with White Glove from Dell)
Process works and pre-provisioning is successful, a VPN (Cisco AnyConnect) that auto-starts at the login screen via a certificate.
At this stage the user is being targeted with Azure MFA via Conditional Access
Once the user logs in, non of the Microsoft Endpoint Manager policies get picked up, Teams does not Automatically sign in (But prompts the user to sign in)
If we leave it 30 mins (Waiting for Azure AD Connect to Sync the device. We reboot and we get the same, none of the policies get picked up, bit locker does not encrypt, teams doesn't auto sign in etc.
If we do a dsregcmd /status on a CMD window, it shows as Domain Joined but not Azure AD joined.
Then we look inside of "Work and School Account" we see the info button, we click this, and under "Sync" button has an error, with something on the lines of "Cannot authenticate your credentials" etc etc. - I then click sync and it pops up with the Microsoft Loin Box, I select my account (connected to windows) and sign in - it then throws an MFA prompt to MS Authenticator. If I approve, it syncs and the device starts to get all the policies it requires.
=============
So, I decided to do another test, this time excluding the user from Azure MFA (CA Policy) and ran a new deployment.
- Pre-provisions OK
- Can login with AD credentials at login
- Teams automatically signs in
- dsregcmd /status shows everything is correct, it is Azure AD Joined and Local AD Joined
- wait 30 min for Hybrid AD Join to happen from the DC through AD Connect sync
- Reboot the machine, at next login, everything works, bit locker encrypts, oneDrive auto-signs in.
- The world is a good place.
It would therefore lead me to believe that with MFA enabled on the user that is signing into the machine, it blocks the initial Azure AD join process tied to that user and stops policies from pulling down to the machine.
However, I cannot find any reference material surrounding MFA being the catalyst as to why the Hybrid Azure AD Join over VPN just does not work properly. Or how we can bypass it on AutoPilot deployments 'Hybrid' deployments.
Note: In Azure AD > Devices > Device Settings - the option for "Devices to be Azure AD joined or Azure AD registered require Multi-Factor Authentication" is set to NO (Thought worth a mention, even though I think it does not apply to Hybrid AD join devices)
Another note, is if the user is enabled for MFA and we then deploy inside the corp network (which is bypassing/excluded from MFA) then this works without a problem too.
The CA Policy for MFA targets All Cloud Apps. We even tried to exclude "Intune Enrollment / Intune / Azure Management" - without success.
So we're super stumped as what to do - Does anyone have any info on MFA being a problem with AutoPilot Hybrid Join over VPN?
Mar 01 2021 06:35 AM
Mar 01 2021 07:51 AM
@Cibavision No - It has every thing to do with Windows 10 deployment.
Mar 01 2021 09:37 AM
Mar 15 2021 01:28 AM
Mar 18 2021 06:48 AM
Hi Maya,
Thanks for your response - I too think maybe AutoPilot is being asked in other forums too, as Cibavision says - no one posts in here :)
However, to answer your question - we now have this working, we had to create a explicit CA rule that targets AutoPilot devices that granted access to the App "Intune Enrollment" and "Intune" for Hybrid AD Joined Devices.
Now when we do AutoPilot hybrid AD Join enrolment (outside of the corporate network, i.e. from home) we don't have a problem with MFA for the device. Users still require MFA to log into Teams etc for the first time but the device joins OK.
We still have the issue (but I think this can't be avoided) where you need to reboot the laptop after some time of joining it (usually around 30mins) and after we reboot it, it gets all the policies from MDM and GPO.
This is the rule we used:
Assignment - Specific user or group
Cloud App - Include: Intune & Intune Enrolment. Exclude: None
Condition - Device Platform: Windows
Access Controls - Grant & Require Hybrid Azure AD Joined device