Mark-0366 asked LuDaiMSFT-0289 commented

Joining a Win 10 device gives message "Workplace join is required to register the device"

We have MDM set up for company devices, and use MAM for both company and BYOD. We want to prevent people signing in to a device which is not protected by one of these.

To achieve this, we have set up a conditional access policy which enforces a Terms of Use policy.

When trying to join a Win 10 Home device to our workplace, we get the message "Workplace join is required to register the device." Trying to join again gives the same message, so I am stuck in a loop.

Does anyone know what the issue is?

The user hasn't reached the max number of devices.

Thanks for your help.





mem-intune-conditional-access

LuDaiMSFT-0289 answered

@Mark-0366 Thanks for posting in our Q&A. From the information you provided, it seems that this failure occurs because of the conditional access policy.

Please check if the user account that is used to enroll this Win 10 Home device is in the conditional access policy's user group. If yes, please remove the user account from the group.

If this issue still exists, please understand that the conditional access policy is a feature in Azure AD. Given this situation, it is suggested to open an online support ticket with Azure AD to handle this issue more effectively. Here is the online support link; I hope it is helpful.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto

Thanks for your understanding.



Mark-0366 answered LuDaiMSFT-0289 commented

Thanks for your help.

I have removed the user from the conditional access policy then went to join it to the workplace.

I was greeted with the screen asking to confirm additional security verification similar to below. After accepting this I was able to join the device.


After the device joined, I removed the device from workplace then added the user back to the conditional access policy. I can then join successfully to the workplace.

So unless there is something else at play, it looks as though there is a bug while joining a device when a user is required to confirm additional security verification?

I have tried to recreate it by selecting 'Require Re-Register MFA' for the user, but this prompts me to re-enter the MFA details during join, which is expected behaviour. Unless there is another way to recreate this?

I have raised a support ticket.

Thanks again




@Mark-0366 Thanks for your update.

From the situation that you described, it seems that you set "require MFA", which leads to this behavior. MFA is also a feature in Azure AD. From Intune's point of view, there is a limited understanding of this feature.

So, let's wait for the Azure AD support and get the detailed analysis.

Hope this issue will be solved as soon as possible.
