haadj
2 Topics

Dual State HAADJ and AADJ Devices - Autopilot
I have a Server 2022 domain and building Win 10 22H2 devices via Autopilot with HAADJ...and getting the dual device in AAD. Have re-checked all the documentation and even reworked the steps. Have even tried the BlockAADWorkplaceJoin entry and that does nothing! We see two entries for every device, with both showing a 'join' value. This differs from other posts I have seen where you will have dual devices with one being Joined and the other Registered. These devices do not automatically clean themselves up. I am well aware AADJ is far superior to HAADJ. Please do not reply with 'just use AADJ'.

https://www.reddit.com/r/Intune/comments/r5ktyf/device_both_hybrid_azure_ad_joined_and_azure_ad/ - this reference is for Join & Registered

https://learn.microsoft.com/en-us/azure/active-directory/devices/faq#why-do-i-see-a-duplicate-azure-ad-registered-record-for-my-windows-10-11-hybrid-azure-ad-joined-device-in-the-azure-ad-devices-list - also references Join & Registered.

During our tests, the users are not accepting any prompts to join work or school.

Reviewed - https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state

Windows Hello for Business prompt after Hybrid Azure AD Joining Win 10 Device | WHFB disabled
Hello, I'm looking for some clarification on the behaviour around Windows Hello for Business after Hybrid Azure AD joining Windows 10 devices.

I recently enabled HAADJ in AAD Connect. As expected first of all, the devices acquire a userCertificate attribute as part of the WorkplaceJoin scheduled task, sync to AzureAD as part of the next AADConnect sync cycle and show up in the Azure AD tenant as a HAAD device.

The issue I encounter is with the Windows Hello for Business prompt. When a synced user logs in, they're prompted to set up a Windows Hello for Business PIN. You can skip the process and continue but every subsequent login asks you to set up a PIN which you can sync. The devices are HAADJ but not enrolled into Intune for MDM. In the AzureAD Portal under Microsoft Intune\Device Enrollment\Windows Enrollment\Windows Hello for Business, it was set as Not Configured. I also changed this to Disabled, but the users still get the prompt.

The only way forward I'm finding to deal with this is by setting the setting "Use Windows Hello for Business" under "User Configuration\Administrative Templates\Windows Components\Windows Hello for Business" to Disabled. It was previously set to Not Configured. This stops the setup PIN prompt coming up after login, however, notifications still appear in the notification area after login saying that The system is configured to use Windows Hello for Business, Click here to setup your PIN.

I do not get this behaviour in other environments where I have HAADJ configured, with seemingly the same settings. End goal is wanting to retain HAADJ but disable all the prompts for setting up Windows Hello for Business. Any ideas?