AutoPilot Hybrid Join with White Glove - Issue at first login (MFA we think)

%3CLINGO-SUB%20id%3D%22lingo-sub-2174212%22%20slang%3D%22en-US%22%3EAutoPilot%20Hybrid%20Join%20with%20White%20Glove%20-%20Issue%20at%20first%20login%20(MFA%20we%20think)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2174212%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CSTRONG%3EProject%3C%2FSTRONG%3E%3A%26nbsp%3BConfigure%20Auto-Pilot%20Hybrid%20Join%20for%20new%20users%20and%20laptops%20(with%20White%20Glove%20from%20Dell)%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EProcess%20works%20and%20pre-provisioning%20is%20successful%2C%20a%20VPN%20(Cisco%20AnyConnect)%20that%20auto-starts%20at%20the%20login%20screen%20via%20a%20certificate.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EAt%20this%20stage%20the%20user%20is%20being%20targeted%20with%20%3CSTRONG%3EAzure%20MFA%20via%20Conditional%20Access%26nbsp%3B%26nbsp%3B%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CBR%20%2F%3EOnce%20the%20user%20logs%20in%2C%20non%20of%20the%20Microsoft%20Endpoint%20Manager%20policies%20get%20picked%20up%2C%20Teams%20does%20not%20Automatically%20sign%20in%20(But%20prompts%20the%20user%20to%20sign%20in)%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20we%20leave%20it%2030%20mins%20(Waiting%20for%20Azure%20AD%20Connect%20to%20Sync%20the%20device.%20We%20reboot%20and%20we%20get%20the%20same%2C%20none%20of%20the%20policies%20get%20picked%20up%2C%20bit%20locker%20does%20not%20encrypt%2C%20teams%20doesn't%20auto%20sign%20in%20etc.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20we%20do%20a%26nbsp%3B%3CSTRONG%3Edsregcmd%20%2Fstatus%26nbsp%3B%3C%2FSTRONG%3Eon%20a%20CMD%20window%2C%20it%20shows%20as%20Domain%20Joined%20but%20not%20Azure%20AD%20joined.%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3EThen%20we%20look%20inside%20of%20%22%3CSTRONG%3EWork%20and%20School%20Account%3C%2FSTRONG%3E%22%20we%20see%20the%20info%20button%2C%20we%20click%20this%2C%20and%20under%20%22Sync%22%20button%20has%20an%20error%2C%20with%20something%20on%20the%20lines%20of%20%22Cannot%20authenticate%20your%20credentials%22%20etc%20etc.%26nbsp%3B%20-%20I%20then%20click%20sync%20and%20it%20pops%20up%20with%20the%20Microsoft%20Loin%20Box%2C%20I%20select%20my%20account%20(connected%20to%20windows)%20and%20sign%20in%20-%20it%20then%20throws%20an%20MFA%20prompt%20to%20MS%20Authenticator.%26nbsp%3B%20If%20I%20approve%2C%20it%20syncs%20and%20the%20device%20starts%20to%20get%20all%20the%20policies%20it%20requires.%26nbsp%3B%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20I%20decided%20to%20do%20another%20test%2C%20this%20time%20excluding%20the%20user%20from%20Azure%20MFA%20(CA%20Policy)%20and%20ran%20a%20new%20deployment.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Pre-provisions%20OK%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Can%20login%20with%20AD%20credentials%20at%20login%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Teams%20automatically%20signs%20in%26nbsp%3B%3C%2FP%3E%3CP%3E-%20%3CSTRONG%3Edsregcmd%20%2Fstatus%26nbsp%3B%3C%2FSTRONG%3Eshows%20everything%20is%20correct%2C%20it%20is%20Azure%20AD%20Joined%20and%20Local%20AD%20Joined%3C%2FP%3E%3CP%3E-%20wait%2030%20min%20for%20Hybrid%20AD%20Join%20to%20happen%20from%20the%20DC%20through%20AD%20Connect%20sync%3C%2FP%3E%3CP%3E-%20Reboot%20the%20machine%2C%20at%20next%20login%2C%20everything%20works%2C%20bit%20locker%20encrypts%2C%20oneDrive%20auto-signs%20in.%26nbsp%3B%3C%2FP%3E%3CP%3E-%20The%20world%20is%20a%20good%20place.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20would%20therefore%20lead%20me%20to%20believe%20that%20with%20MFA%20enabled%20on%20the%20user%20that%20is%20signing%20into%20the%20machine%2C%20it%20blocks%20the%20initial%20Azure%20AD%20join%20process%20tied%20to%20that%20user%20and%20stops%20policies%20from%20pulling%20down%20to%20the%20machine.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20I%20cannot%20find%20any%20reference%20material%20surrounding%20MFA%20being%20the%20catalyst%20as%20to%20why%20the%20Hybrid%20Azure%20AD%20Join%20over%20VPN%20just%20does%20not%20work%20properly.%20Or%20how%20we%20can%20bypass%20it%20on%20AutoPilot%20deployments%20'Hybrid'%20deployments.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3CU%3ENote%3C%2FU%3E%3A%20In%20Azure%20AD%20%26gt%3B%20Devices%20%26gt%3B%20Device%20Settings%20-%20the%20option%20for%20%22%3CSPAN%3E%3CSTRONG%3EDevices%20to%20be%20Azure%20AD%20joined%20or%20Azure%20AD%20registered%20require%20Multi-Factor%20Authentication%3C%2FSTRONG%3E%22%26nbsp%3Bis%20set%20to%20%3CSTRONG%3ENO%26nbsp%3B%3C%2FSTRONG%3E(Thought%26nbsp%3Bworth%20a%20mention%2C%20even%20though%20I%20think%20it%20does%20not%20apply%20to%20Hybrid%20AD%20join%20devices)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CU%3EAnother%20note%3C%2FU%3E%2C%20is%20if%20the%20user%20is%20enabled%20for%20MFA%20and%20we%20then%20deploy%20inside%20the%20corp%20network%20(which%20is%20bypassing%2Fexcluded%20from%20MFA)%20then%20this%20works%20without%20a%20problem%20too.%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20CA%20Policy%20for%20MFA%20targets%20All%20Cloud%20Apps.%26nbsp%3B%20We%20even%20tried%20to%20exclude%20%22Intune%20Enrollment%20%2F%20Intune%20%2F%20Azure%20Management%22%20-%20without%20success.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20we're%20super%20stumped%20as%20what%20to%20do%20-%20Does%20anyone%20have%20any%20info%20on%20MFA%20being%20a%20problem%20with%20AutoPilot%20Hybrid%20Join%20%3CSTRONG%3Eover%20VPN%3C%2FSTRONG%3E%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2174212%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAutopilot%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHybrid%20Azure%20AD%20Join%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Endpoint%20Manager%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2174426%22%20slang%3D%22en-US%22%3ERe%3A%20AutoPilot%20Hybrid%20Join%20with%20White%20Glove%20-%20Issue%20at%20first%20login%20(MFA%20we%20think)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2174426%22%20slang%3D%22en-US%22%3EIsn't%20this%20an%20Azure%20Community%20discussion%3F%3CBR%20%2F%3ENot%20that%20I'm%20having%20great%20vibes%20from%20this%20techcommunity%20thing%20anyway%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2174591%22%20slang%3D%22en-US%22%3ERe%3A%20AutoPilot%20Hybrid%20Join%20with%20White%20Glove%20-%20Issue%20at%20first%20login%20(MFA%20we%20think)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2174591%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F980794%22%20target%3D%22_blank%22%3E%40Cibavision%3C%2FA%3E%26nbsp%3BNo%20-%20It%20has%20every%20thing%20to%20do%20with%20Windows%2010%20deployment.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hello, 


Project: Configure Auto-Pilot Hybrid Join for new users and laptops (with White Glove from Dell)

Process works and pre-provisioning is successful, a VPN (Cisco AnyConnect) that auto-starts at the login screen via a certificate.


At this stage the user is being targeted with Azure MFA via Conditional Access  

Once the user logs in, non of the Microsoft Endpoint Manager policies get picked up, Teams does not Automatically sign in (But prompts the user to sign in) 

 

If we leave it 30 mins (Waiting for Azure AD Connect to Sync the device. We reboot and we get the same, none of the policies get picked up, bit locker does not encrypt, teams doesn't auto sign in etc. 

 

If we do a dsregcmd /status on a CMD window, it shows as Domain Joined but not Azure AD joined. 

 
 

Then we look inside of "Work and School Account" we see the info button, we click this, and under "Sync" button has an error, with something on the lines of "Cannot authenticate your credentials" etc etc.  - I then click sync and it pops up with the Microsoft Loin Box, I select my account (connected to windows) and sign in - it then throws an MFA prompt to MS Authenticator.  If I approve, it syncs and the device starts to get all the policies it requires.  

=============

 

So, I decided to do another test, this time excluding the user from Azure MFA (CA Policy) and ran a new deployment.  

 

- Pre-provisions OK 

- Can login with AD credentials at login 

- Teams automatically signs in 

- dsregcmd /status shows everything is correct, it is Azure AD Joined and Local AD Joined

- wait 30 min for Hybrid AD Join to happen from the DC through AD Connect sync

- Reboot the machine, at next login, everything works, bit locker encrypts, oneDrive auto-signs in. 

- The world is a good place. 

 

It would therefore lead me to believe that with MFA enabled on the user that is signing into the machine, it blocks the initial Azure AD join process tied to that user and stops policies from pulling down to the machine. 

 

However, I cannot find any reference material surrounding MFA being the catalyst as to why the Hybrid Azure AD Join over VPN just does not work properly. Or how we can bypass it on AutoPilot deployments 'Hybrid' deployments. 

Note: In Azure AD > Devices > Device Settings - the option for "Devices to be Azure AD joined or Azure AD registered require Multi-Factor Authentication" is set to NO (Thought worth a mention, even though I think it does not apply to Hybrid AD join devices)

 

Another note, is if the user is enabled for MFA and we then deploy inside the corp network (which is bypassing/excluded from MFA) then this works without a problem too.   

 

The CA Policy for MFA targets All Cloud Apps.  We even tried to exclude "Intune Enrollment / Intune / Azure Management" - without success. 

 

So we're super stumped as what to do - Does anyone have any info on MFA being a problem with AutoPilot Hybrid Join over VPN?

 

5 Replies
Isn't this an Azure Community discussion?
Not that I'm having great vibes from this techcommunity thing anyway :)

@Cibavision No - It has every thing to do with Windows 10 deployment. 

Well, as I said I mostly wanted to check if anybody actually check these forums and who is actually active.
Hard to tell if you should have post here or on a more specific Azure section. I don't see a lot of feedback or participation considering this should be the official Microsoft Techcommunity :)

Morning Adam,

I am in a similar configuration so to speak hybrid join/MFA and CA and using anyconnect - but MFA has never been an issue. and we have devices require MFA set to yes and this is something you want as well.
I am struggling as well with applying policies :) so far i am unsuccesfull at having them applied at first logon - always requiring a reboot to see them applied whether policies are coming from MDM or GPO.

Do you have the privilege to run Start-ADSyncSyncCycle -PolicyType delta on your AD connect box ?
Do you have ESP user disabled ?
You could run a user-driven autopilot install - run a delta sync after the machine rebooted after ODJ ( expedite the HAADJ ) - and observe behavior you have .

I dont see as well much activity on autopilot subject or i am looking on wrong forums ...

Maya

@MayaK06 

 

Hi Maya,

 

Thanks for your response - I too think maybe AutoPilot is being asked in other forums too, as Cibavision says - no one posts in here :)

 

However, to answer your question - we now have this working, we had to create a explicit CA rule that targets AutoPilot devices that granted access to the App "Intune Enrollment" and "Intune" for Hybrid AD Joined Devices.

 

Now when we do AutoPilot hybrid AD Join enrolment (outside of the corporate network, i.e. from home) we don't have a problem with MFA for the device. Users still require MFA to log into Teams etc for the first time but the device joins OK.

 

We still have the issue (but I think this can't be avoided) where you need to reboot the laptop after some time of joining it (usually around 30mins) and after we reboot it, it gets all the policies from MDM and GPO.

 

This is the rule we used:

 

Assignment - Specific user or group

Cloud App - Include: Intune & Intune Enrolment. Exclude: None

Condition - Device Platform: Windows

Access Controls - Grant & Require Hybrid Azure AD Joined device