Workplace join and autoenrollment Intune

  • Question

  • The environment
    1x Windows 10 1703 domain joined
    1x Windows 10 1703 workgroup joined
    1x AD FS Server 2012 R2 (configured for device registration, claim rules)


    Currently testing the workplace join and device registration for domain joined machines. There's only one user with an 'Enterprise Mobility + Security E3' license assigned. The user is a test user for both machines (domain joined and workplace joined).

    When I log into Azure and check the users I can see there's one PC registered to the user, the one that's workplace joined.
    The other domain joined/device registered machine is not visible; however, I'm not sure if it's normal behaviour, because I've never seen a domain joined/device registered machine with an owner assigned...

    If I check the status using 'dsregcmd /status' everything seems to be OK: I can see the tenant name, MDMUrl and so on. Also the event viewer shows that the device registration is successful.

    So the devices seem to register themselves without any issues, except that for the domain joined machine it doesn't show a user.

    The MDM authority has been set to Intune, the MDM user scope has been set to 'all'. The output of 'dsregcmd /status' confirms that the device receives the correct URL to auto-enroll in Intune.

    Also checked the DNS records and performed a test in Azure, no errors found.

    But still the device isn't enrolled in Intune? Am I missing something?

    Sunday, June 4, 2017 11:34 PM
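    The two client-side checks the question relies on (tenant name and MDM URL present in 'dsregcmd /status') can be scripted so they are not judged by eye. The following is an added example and not code from the original post; it assumes the "Key : Value" line layout of dsregcmd /status on Windows 10 1703 and the field names AzureAdJoined, DomainJoined, TenantName and MdmUrl. The embedded sample output is constructed for offline use (the tenant name is a placeholder); replace it with the live call shown in the comment.

```powershell
# Added example: parse `dsregcmd /status` into a hashtable and check the fields that
# matter for hybrid Azure AD join plus Intune auto-enrollment.
# Assumptions: "Key : Value" lines as printed by dsregcmd on Windows 10 1703 and the
# field names AzureAdJoined, DomainJoined, TenantName, MdmUrl.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # Data lines look like "     AzureAdJoined : YES"; the boxed section headers
        # ("| Device State |", "+----+") and blank lines do not match and are skipped.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $key = $matches[1] -replace '\s', ''
            if (-not $result.ContainsKey($key)) { $result[$key] = $matches[2] }
        }
    }
    return $result
}

function Test-HybridJoinReady {
    param([hashtable]$Status)
    $problems = @()
    if ($Status['DomainJoined']  -ne 'YES') { $problems += 'Device is not domain joined' }
    if ($Status['AzureAdJoined'] -ne 'YES') { $problems += 'AzureAdJoined is not YES: device registration has not completed' }
    if ([string]::IsNullOrWhiteSpace($Status['TenantName'])) { $problems += 'No TenantName: registration did not complete' }
    if ([string]::IsNullOrWhiteSpace($Status['MdmUrl']))     { $problems += 'No MdmUrl: MDM user scope / enrollment CNAME not delivered, auto-enrollment cannot start' }
    return ,$problems   # always return an array, even when empty
}

# Constructed sample modelled on a dsregcmd /status run (tenant name is a placeholder).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                  DeviceId : 43f5be98-e146-476f-8fed-637c019eb4d4
                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

$status = ConvertFrom-DsregStatus -Lines $sample
# Live use on the client instead of the sample:
#   $status = ConvertFrom-DsregStatus -Lines (dsregcmd /status)

$problems = Test-HybridJoinReady -Status $status
if ($problems.Count -eq 0) {
    'Registration fields look complete; the next place to look is the DeviceManagement-Enterprise-Diagnostics-Provider event log.'
} else {
    $problems | ForEach-Object { "CHECK: $_" }
}
```

    A populated MdmUrl only proves the enrollment discovery URL reached the device; it says nothing about whether the scheduled enrollment task later succeeded, which is why the event log is the next stop.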

Answers

All replies

  • Do you see the device as registered in Azure portal?
    Monday, June 5, 2017 11:25 AM
    The strange thing is, the workplace join and device registration seem to work for the user.
    Workplace-joined machine: when I open portal.office.com it redirects me to the AD FS sign-in page.
    Domain joined/device registered machine: when I open portal.office.com it redirects me to the AD FS page and automatically signs me in.

    The tenant and configuration was setup yesterday so the devices should be visible by now.

    Unfortunately not; attached image (Azure AD).

    However the workplace joined device has been written back to the local AD, meaning there has to be an entry somewhere

    This is a dsregcmd /status output of the domain joined client

    and a few screenshots from the event viewer; as seen below, it seems to be picking up the MDM policies?

    The CNAME test shows no errors

    If I install an Intune client directly on the client it shows in Azure AD (but not as a registered device)

    And the device settings in Azure




    • Edited by Marc-1983 Monday, June 5, 2017 7:31 PM
    Monday, June 5, 2017 3:02 PM
  • Found an answer to one of my questions in the FAQ (Why the domain joined device didn't appear under the user)

    Q: I registered the device recently. Why can’t I see the device under my user info in the Azure portal?
    A: Windows 10 devices that are domain-joined with automatic device registration do not show up under the USER info. You need to use PowerShell to see all devices.
    Only the following devices are listed under the USER info:
    All personal devices that are not enterprise joined
    All non-Windows 10 / Windows Server 2016
    All non-Windows devices

    Tuesday, June 6, 2017 1:43 PM
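    Because hybrid (Domain Joined) device objects are not listed under a user, the tenant-wide view is the one to script. The following is an added example, not code from the thread or from Microsoft; it assumes the MSOnline module (Connect-MsolService, Get-MsolDevice with its -All, -ReturnRegisteredOwners and -RegisteredOwnerUpn parameters) and the DeviceTrustType, DeviceTrustLevel, RegisteredOwners and DirSyncEnabled properties shown in this thread's output. The three device objects in the block are constructed stand-ins shaped like the ones posted below, so it runs offline; the UPN is a placeholder.

```powershell
# Added example: classify Azure AD device objects so that an ownerless hybrid device
# reads as expected, while an ownerless workplace-joined device is flagged.
# Assumptions: MSOnline module cmdlets and the property names seen in Get-MsolDevice output.

function Get-DeviceRegistrationSummary {
    param([object[]]$Devices)
    foreach ($d in $Devices) {
        $owners   = @($d.RegisteredOwners | Where-Object { $_ })
        $isHybrid = ($d.DeviceTrustType -eq 'Domain Joined')
        if ($isHybrid -and $owners.Count -eq 0) {
            # Matches the FAQ: automatic registration of domain-joined devices records no owner.
            $note = 'expected: hybrid (Domain Joined) devices are not listed under a user'
        } elseif ($owners.Count -eq 0) {
            # Workplace/Azure AD joined objects normally carry the registering user; if the
            # query was run without -ReturnRegisteredOwners the list is empty for all devices.
            $note = 'check: no registered owner (query with -ReturnRegisteredOwners?)'
        } else {
            $note = ''
        }
        [pscustomobject]@{
            DisplayName  = $d.DisplayName
            TrustType    = $d.DeviceTrustType
            TrustLevel   = $d.DeviceTrustLevel
            SyncedFromAD = [bool]$d.DirSyncEnabled   # $true only for hybrid objects written by Azure AD Connect
            Owners       = ($owners -join ',')
            Note         = $note
        }
    }
}

# Live use (tenant-wide view the portal's USER page does not give you):
#   Connect-MsolService
#   $devices = Get-MsolDevice -All -ReturnRegisteredOwners
# Per-user view, equivalent to what the Azure portal lists under the user:
#   Get-MsolDevice -RegisteredOwnerUpn 'testuser@contoso.onmicrosoft.com'

# Constructed stand-ins mirroring the three objects in this thread (UPN is a placeholder).
$devices = @(
    [pscustomobject]@{ DisplayName='PC00005';      DeviceTrustType='Workplace Joined'; DeviceTrustLevel='Authenticated'; RegisteredOwners=@('testuser@contoso.onmicrosoft.com'); DirSyncEnabled=$null },
    [pscustomobject]@{ DisplayName='WINDOWS10WPJ'; DeviceTrustType='Domain Joined';    DeviceTrustLevel='Managed';       RegisteredOwners=@();                                   DirSyncEnabled=$true },
    [pscustomobject]@{ DisplayName='PC00006';      DeviceTrustType='Workplace Joined'; DeviceTrustLevel='Authenticated'; RegisteredOwners=@();                                   DirSyncEnabled=$null }
)

Get-DeviceRegistrationSummary -Devices $devices | Format-Table -AutoSize
```

    The DeviceTrustLevel column is the quick tell: 'Managed' marks a domain-joined (hybrid) object, 'Authenticated' a workplace-joined one, and neither value says anything about Intune enrollment, which is a separate state.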
  • See below for the "Get-MSOLDevice -all", it seems that devices have been registered in Azure?
    1st machine: workplace joined
    2nd machine: domain joined and device registered (auto)
    3rd machine: Intune client installed

    Enabled                       : True
    ObjectId                      : 066ffc45-3df5-40f5-8a59-0926b8ad1bde
    DeviceId                      : 50d79bf8-468c-4a42-8850-8f62b899c566
    DisplayName                   : PC00005
    DeviceObjectVersion           : 2
    DeviceOsType                  : Windows
    DeviceOsVersion               : 10.0.15063.0
    DeviceTrustType               : Workplace Joined
    DeviceTrustLevel              : Authenticated
    DevicePhysicalIds             : {}
    ApproximateLastLogonTimestamp : 6/4/2017 2:35:52 PM
    AlternativeSecurityIds        : {X509:<SHA1-TP-PUBKEY>CB64EEB29EE6453F74C8D0F6F08963842860D0594rdimUv7fn02yvSrPK7GVq9yhkC41UeMQPV+x9sAGFc=}
    DirSyncEnabled                :
    LastDirSyncTime               :
    RegisteredOwners              :
    GraphDeviceObject             : Microsoft.Azure.ActiveDirectory.GraphClient.Device

    #######################################################

    Enabled                       : True
    ObjectId                      : 88493432-bf97-49b9-b978-13dba036f12f
    DeviceId                      : 43f5be98-e146-476f-8fed-637c019eb4d4
    DisplayName                   : WINDOWS10WPJ
    DeviceObjectVersion           : 2
    DeviceOsType                  : Windows 10 Enterprise
    DeviceOsVersion               : 10.0 (15063)
    DeviceTrustType               : Domain Joined
    DeviceTrustLevel              : Managed
    DevicePhysicalIds             : {}
    ApproximateLastLogonTimestamp : 6/4/2017 4:15:58 PM
    AlternativeSecurityIds        : {X509:<SHA1-TP-PUBKEY>02040CA858DB4611FF1BACF25FEF5965FBE441E9ftv3Gi4oFtsqkGNKipuAg/LWrOQwBcCOmJBR8ubHW8g=}
    DirSyncEnabled                : True
    LastDirSyncTime               : 6/4/2017 4:38:51 PM
    RegisteredOwners              :
    GraphDeviceObject             : Microsoft.Azure.ActiveDirectory.GraphClient.Device

    #######################################################

    Enabled                       : True
    ObjectId                      : 953352dd-29ae-409b-b7e4-bd5e02806223
    DeviceId                      : afd3dbc8-74fa-4ba0-8d62-54dd7c640b50
    DisplayName                   : PC00006
    DeviceObjectVersion           : 1
    DeviceOsType                  : Desktop
    DeviceOsVersion               : 1.0
    DeviceTrustType               : Workplace Joined
    DeviceTrustLevel              : Authenticated
    DevicePhysicalIds             : {}
    ApproximateLastLogonTimestamp :
    AlternativeSecurityIds        : {afd3dbc8-74fa-4ba0-8d62-54dd7c640b50}
    DirSyncEnabled                :
    LastDirSyncTime               :
    RegisteredOwners              :
    GraphDeviceObject             : Microsoft.Azure.ActiveDirectory.GraphClient.Device

    Tuesday, June 6, 2017 9:11 PM
  • Nobody that might know what the problem is? 
    Wednesday, June 7, 2017 6:02 PM
    Issue has been solved. I removed all the accounts and devices; once I had verified that everything was removed I performed another workplace join and it worked.

    Workplace join = working
    Azure AD join = working
    Device registration for domain joined devices = not yet, troubleshooting

    Is it possible to only enable MFA/Windows Hello for a specific group? 

    Wednesday, June 7, 2017 8:48 PM
  • Thanks for the update.

    Could you elaborate on this "Is it possible to only enable MFA/Windows Hello for a specific group?"

    Thursday, June 8, 2017 2:25 AM
  • Thanks for the update.

    Could you elaborate on this "Is it possible to only enable MFA/Windows Hello for a specific group?"

    When registering a device it asks to setup a PIN and MFA, is it possible to disable this requirement for a group of users? In Other words: exclude a specific group of user from MFA?
    Monday, June 19, 2017 6:01 PM
  • This is completed - https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/10596201-the-possibility-to-disable-two-step-verification

    Refer to - https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-manage-in-organization

    -----------------------------------------------------------------------------------------------------------------------------------
    Do click on "Mark as Answer" on the post that helps you and vote it as helpful, this can be beneficial to other community members.

    Thursday, June 22, 2017 10:51 AM
    Thanks Sadiqh, your answer pointed me in the right direction. Another useful link: https://blogs.technet.microsoft.com/enterprisemobility/2015/07/22/microsoft-passport-and-azure-ad-eliminating-passwords-one-device-at-a-time/
    Thursday, June 22, 2017 8:14 PM
    You're welcome.

    Wednesday, June 28, 2017 5:53 AM
  • You removed everything from where?

    What if the users are already set up with computer profiles?

    Thursday, September 28, 2017 11:53 PM