hybrid azure ad join
9 Topics

Hybrid Join skip AD connectivity check
Hi, With this new option "Skip AD connectivity check" during deployment to remote machines, will the machine ever attempt to complete the Hybrid Join between AAD and AD on premise? It is a great option for deploying devices to remote workers who do not have line of sight access to a DC during initial deployment. Would be great to understand the process behind the Hybrid Join recovery if there is one. Thanks

Intune Auto Enrollment and Hybrid AAD Join error
I'm working with a customer that has AD domain joined devices set up to Hybrid Join and Auto Enroll into Intune, but the results are very sporadic. The AAD Connect is syncing the users and devices in scope. The users have Intune licenses. The devices appear to be stuck at completing the Hybrid Join (pending), so the Intune enrollment doesn't happen (which is the goal). There are 3 things that keep logging in the Device Management-Enterprise-Diagnostics event log:

Auto MDM Enroll <Dm Raise Toast Notification And Wait>* Failure (Unknown Win32 Error code: 0x8018002a)

"Auto MDM Enroll Get AAD Token: Device Credential (0x0), Resource <>* (https://enrollment.manage.microsoft.com/), Resource <>* 2 (NULL), Status (Unknown Win32 Error code: 0x8018002a)"

Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002a)

I had them run the following script to test connectivity: https://learn.microsoft.com/en-us/samples/azure-samples/testdeviceregconnectivity/testdeviceregconnectivity/ Both systems they tested completed all checks successfully (1 on-prem and 1 on VPN). Still not completing the Intune Enrollment. Has anyone been able to resolve a similar registration/enrollment error? Thanks!

AutoPilot Hybrid Join with White Glove - Issue at first login (MFA we think)
Hello,

Project: Configure Auto-Pilot Hybrid Join for new users and laptops (with White Glove from Dell)

Process works and pre-provisioning is successful, a VPN (Cisco AnyConnect) that auto-starts at the login screen via a certificate. At this stage the user is being targeted with Azure MFA via Conditional Access. Once the user logs in, none of the Microsoft Endpoint Manager policies get picked up, Teams does not automatically sign in (but prompts the user to sign in). If we leave it 30 mins (waiting for Azure AD Connect to sync the device) and reboot, we get the same: none of the policies get picked up, BitLocker does not encrypt, Teams doesn't auto sign in etc.

If we do a dsregcmd /status on a CMD window, it shows as Domain Joined but not Azure AD joined. Then we look inside of "Work and School Account", we see the info button, we click this, and under the "Sync" button there is an error, with something on the lines of "Cannot authenticate your credentials" etc etc.

- I then click sync and it pops up with the Microsoft Login Box, I select my account (connected to Windows) and sign in - it then throws an MFA prompt to MS Authenticator. If I approve, it syncs and the device starts to get all the policies it requires.

=============

So, I decided to do another test, this time excluding the user from Azure MFA (CA Policy) and ran a new deployment.

- Pre-provisions OK
- Can login with AD credentials at login
- Teams automatically signs in
- dsregcmd /status shows everything is correct, it is Azure AD Joined and Local AD Joined
- wait 30 min for Hybrid AD Join to happen from the DC through AD Connect sync
- Reboot the machine, at next login, everything works, BitLocker encrypts, OneDrive auto-signs in.
- The world is a good place.

It would therefore lead me to believe that with MFA enabled on the user that is signing into the machine, it blocks the initial Azure AD join process tied to that user and stops policies from pulling down to the machine.

However, I cannot find any reference material surrounding MFA being the catalyst as to why the Hybrid Azure AD Join over VPN just does not work properly, or how we can bypass it on AutoPilot 'Hybrid' deployments.

Note: In Azure AD > Devices > Device Settings, the option for "Devices to be Azure AD joined or Azure AD registered require Multi-Factor Authentication" is set to NO (thought worth a mention, even though I think it does not apply to Hybrid AD join devices).

Another note is, if the user is enabled for MFA and we then deploy inside the corp network (which is bypassing/excluded from MFA), then this works without a problem too.

The CA Policy for MFA targets All Cloud Apps. We even tried to exclude "Intune Enrollment / Intune / Azure Management" - without success.

So we're super stumped as to what to do - does anyone have any info on MFA being a problem with AutoPilot Hybrid Join over VPN?

Windows Hello for Business prompt after Hybrid Azure AD Joining Win 10 Device | WHFB disabled
Hello, I'm looking for some clarification on the behaviour around Windows Hello for Business after Hybrid Azure AD joining Windows 10 devices. I recently enabled HAADJ in AAD Connect. As expected, first of all the devices acquire a userCertificate attribute as part of the WorkplaceJoin scheduled task, sync to Azure AD as part of the next AAD Connect sync cycle and show up in the Azure AD tenant as a HAAD device. The issue I encounter is with the Windows Hello for Business prompt. When a synced user logs in, they're prompted to set up a Windows Hello for Business PIN. You can skip the process and continue, but every subsequent login asks you to set up a PIN which you can sync. The devices are HAADJ but not enrolled into Intune for MDM. In the Azure AD Portal under Microsoft Intune\Device Enrollment\Windows Enrollment\Windows Hello for Business, it was set as Not Configured. I also changed this to Disabled, but the users still get the prompt. The only way forward I'm finding to deal with this is by setting the setting "Use Windows Hello for Business" under "User Configuration\Administrative Templates\Windows Components\Windows Hello for Business" to Disabled. It was previously set to Not Configured. This stops the setup PIN prompt coming up after login; however, notifications still appear in the notification area after login saying that "The system is configured to use Windows Hello for Business, click here to set up your PIN". I do not get this behaviour in other environments where I have HAADJ configured, with seemingly the same settings. End goal is wanting to retain HAADJ but disable all the prompts for setting up Windows Hello for Business. Any ideas?

Inability to delete Autopilot devices leads to endless supply of never cleaned up devices in AAD
I realize that the inability to delete Autopilot-enabled devices in Azure AD is by design, but I think I might be missing something. In Microsoft Store for Business, or in Endpoint Manager under Devices > Enroll Devices > Windows Autopilot Devices, I have my true list of unique hardware devices that are registered for Autopilot. I don't want to delete any of these that are not actually decommissioned. The problem I'm seeing is, with either regular Autopilot or Hybrid Autopilot, since/when devices are getting named with random characters (which for Hybrid Autopilot cannot be changed), I end up with orphaned AAD devices that cannot be deleted from anywhere. I haven't tested, but I believe with regular Autopilot I could take advantage of the ability to always set the same device name. If so, then this issue I'm reporting is only a thing for Hybrid Autopilot. Is there any solution to delete old copies of the same machine? For example, I've reset the device, now it has two instances in AAD which cannot be deleted, but still just one instance in the MS Business Store or under Autopilot Devices in Endpoint Manager. If I again reset the device down the road, I'll have 3, and so on. Any suggestions/clues? Thanks in advance.

Two Ways To Enable Hybrid AAD Join Mode For A Controlled Deployment
[New #blogpost] Bit of an interesting take on how to perform a controlled Hybrid AAD Join deployment and make the workstations ready for #intune and #mem depending on the OU selection in the Azure AD Connect Sync tool. https://shehanperera.com/2022/02/26/hybridaadjoin-methods/ #azuread #modernwork #moderndevices #hybrid #microsoft365

Hybrid Azure Join
Hello everyone, we want to use the Hybrid Azure Join. Now my question is, can we use Cloud GPO's (CSP/ADMX) AND On Prem GPO's? So for example, can I roll out printers via local GPO and software, OneDrive settings via Intune from the cloud? Unfortunately I can't find any information here, if Google is not my friend today. Best Regards, Phil

Do I need to do a domain join to avoid multiple logins?
Hi, We are just starting with Intune and using AutoPilot, however I see by default these new computers do not appear in the local, on prem Active Directory, so this means when staff rock up at the office, they login to their laptop but they are not on the domain, so if they try and access a network share or a network app they are prompted to sign in, constantly in some cases! So, my question is this: we have a lot of legacy apps, we can't move fully to Azure just yet, we need staff working in the office on certain software, so do we make these new AutoPilot computers hybrid domain joined devices to get around this network prompt? Also, when we do this will it rename the computer account? I see it assigns a random 15 character code as the machine name, but it isn't clear if it actually renames the computer itself or just makes this a reference in AD? Any help much appreciated. TIA Stuart

Hybrid Azure AD Join option missing from Azure AD Connect
https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join#managed-domains I am attempting to follow this document to set up Hybrid Azure AD Join. The version of Azure AD Connect available for download currently is version 2.1.1.0 (https://www.microsoft.com/en-us/download/details.aspx?id=47594). I install Azure AD Connect and attempt to set up according to the document, but the steps do not match the downloaded version of Azure AD Connect, with the Hybrid Azure AD Join option completely missing. I would appreciate any advice on this. Thanks for taking the time to consider my question 🙂