
0 Votes
dilannanayakkara-8008 asked CdricPerion-5162 answered

Intune Automatic Enrollment not happening in Hybrid Azure AD joined scenario

Hi All,

I have configured Hybrid Azure AD join + automatic Intune enrollment for our on-premises devices, but whoever logs in with a subdomain's UPN suffix won't enroll with Intune automatically.

For example, let's say our Azure AD primary UPN suffix is @abc.com. If user xyz@abc.com logs on to the device, it works without an issue. The issue is that if user xbt@sd.abc.com logs on to their PC, it is registered as a Hybrid AAD joined device, but it won't enroll with Intune.

When I checked the device management logs in Event Viewer, below is the error that I can see.

Device Credential (0x0), Failed (Mobile Device Management (MDM) is not configured.)

Further, when I checked dsregcmd /status, I identified the SSO state showing as NO. Please refer to the screenshots below.


[screenshot: 198789-image.png (dsregcmd /status output)]

[screenshot: 198749-image.png (device management event log)]


appreciate the help!

Thanks,
Dilan


Tags: azure-active-directory, mem-intune-general, mem-intune-enrollment, azure-ad-hybrid-identity

1 Vote
Crystal-MSFT answered Crystal-MSFT commented

@dilannanayakkara-8008, Thanks for posting in our Q&A. From your description, I understand we are doing Intune enrollment for a Hybrid Azure AD joined device, but it seems AzureAdPrt is NO. If there's any misunderstanding, please let us know.

Based on my research, if AzureAdPrt shows NO, it means there was an issue acquiring the PRT from Azure AD, and the user isn't authenticated to Azure Active Directory (Azure AD) when signing in to the device. As you mentioned, if the user logs in with @abc.com it works; if the user logs in with @sd.abc.com it does not. Given the situation, please go through the following article to check whether our on-premises AD users' UPNs are supported for Hybrid Azure AD join:
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join

From your picture, I notice the error code 0x80072ee7. It seems the server name or address couldn't be resolved. Please also check network connectivity to https://enterpriseregistration.windows.net.

Here is a troubleshooting article with more details for the reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current#troubleshoot-post-join-authentication-issues

As I am not familiar with Hybrid AAD join issues, and I notice "azure-ad-hybrid-identity" is added to this thread, I have also added the "azure-active-directory" tag to see if AAD or hybrid AAD support can be involved to help with this issue. Alternatively, you can open a new thread with only those two tags so that it goes to the right channel for support.

For Intune enrollment, AzureAdPrt being YES is one prerequisite, so we need to fix the AzureAdPrt issue first before we do Intune enrollment. If Intune enrollment still fails after the above issue is fixed, feel free to contact us to look into the enrollment issue.

Thanks for the understanding and have a nice day!


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




Crystal-MSFT commented (reply to dilannanayakkara-8008):

@dilannanayakkara-8008, Thanks for the reply. If there's anything else we can help in the future, feel free to let us know.

Have a nice day!

0 Votes
0 Votes
CdricPerion-5162 answered

Hi @dilannanayakkara-8008,

As @Crystal-MSFT says, your PRT is set to NO.
With AADHJ you must have the PRT set to YES.

  • First, check that the connected user is licensed with an Intune licence.

  • After that, connect to portal.office.com with the user in the Windows session to force the PRT.

  • Then you can force the scheduled task in Microsoft/aadjoin to start.

  • Check again with dsreg.

Normally the PRT is then YES, and if the GPO is configured for Intune, you should see your device in Intune.

Thanks
Cédric
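The checks the two answers above describe (AzureAdPrt state from dsregcmd /status, the signed-in user's UPN suffix, name resolution and HTTPS reachability of the endpoints behind error 0x80072ee7, the auto-enrollment GPO values, the MDM enrollment events quoted in the question, and kicking the join and enrollment scheduled tasks) can be run from one elevated PowerShell session on the affected PC. The script below is an added example and is not code from the thread or from Microsoft; the registry path and scheduled-task names it uses are assumed to be the standard Windows 10/11 ones and should be verified on your build. Run it in the session of the user who fails to enroll, because dsregcmd /status and whoami /upn report that user's state:

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Assumed, not stated in the thread:
# the MDM policy registry path and the two scheduled-task paths/names below are the
# standard ones on Windows 10/11; check them on your build before relying on them.

function Get-DsregStatus {
    # Turn the "   Key : Value" lines of dsregcmd /status into a hashtable.
    $table = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $table[$matches[1]] = $matches[2]
        }
    }
    return $table
}

function Test-EnrollmentPrereqs {
    param(
        # Endpoints Hybrid Azure AD join and Intune enrollment must reach over TCP/443.
        [string[]]$Endpoints = @('enterpriseregistration.windows.net',
                                 'login.microsoftonline.com',
                                 'device.login.microsoftonline.com',
                                 'enrollment.manage.microsoft.com')
    )
    $s = Get-DsregStatus
    $report = [ordered]@{}
    foreach ($k in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'TenantName') {
        $report[$k] = $s[$k]
    }
    # GPO-driven automatic MDM enrollment needs a PRT; NO here explains the failure.
    $report['PrtOk'] = ($s['AzureAdPrt'] -eq 'YES')

    # UPN suffix of the signed-in user (the thread's trigger is a sub-domain suffix);
    # compare it with the verified domains of the tenant.
    $upn = (whoami /upn 2>$null)
    $report['Upn']       = $upn
    $report['UpnSuffix'] = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[1] } else { $null }

    # 0x80072ee7 = ERROR_WINHTTP_NAME_NOT_RESOLVED: test DNS first, then TCP/443.
    foreach ($ep in $Endpoints) {
        $dns = $null -ne (Resolve-DnsName -Name $ep -ErrorAction SilentlyContinue)
        $tcp = $dns -and (Test-NetConnection -ComputerName $ep -Port 443 `
                              -InformationLevel Quiet -WarningAction SilentlyContinue)
        $report["Net:$ep"] = "dns=$dns tcp443=$tcp"
    }

    # Values written by "Enable automatic MDM enrollment using default Azure AD credentials".
    $mdm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' `
                            -ErrorAction SilentlyContinue
    $report['AutoEnrollMDM']        = $mdm.AutoEnrollMDM         # expected 1 when the GPO applies
    $report['UseAADCredentialType'] = $mdm.UseAADCredentialType  # 1 = user credential, 2 = device credential

    return [pscustomobject]$report
}

function Get-RecentAutoEnrollEvents {
    # Same log the question quotes ("Mobile Device Management (MDM) is not configured").
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
                 -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Auto MDM Enroll*' } |
        Select-Object -First 5 TimeCreated, Id, Message
}

function Start-JoinAndEnrollmentTasks {
    # Cédric's third step: start the device-join task, then the enrollment task the
    # GPO creates, instead of waiting for their next scheduled run.
    $tasks = @(
        @{ Path = '\Microsoft\Windows\Workplace Join\'; Name = 'Automatic-Device-Join' },
        @{ Path = '\Microsoft\Windows\EnterpriseMgmt\'
           Name = 'Schedule created by enrollment client for automatically enrolling in MDM from AAD' }
    )
    foreach ($t in $tasks) {
        $task = Get-ScheduledTask -TaskPath $t.Path -TaskName $t.Name -ErrorAction SilentlyContinue
        if ($null -eq $task) { Write-Warning "Task not found: $($t.Path)$($t.Name)"; continue }
        Start-ScheduledTask -InputObject $task
        Write-Host "Started $($t.Name)"
    }
}

# Usage: run once, fix whatever shows NO/False, sign in at portal.office.com as the
# affected user, re-run, and only then start the tasks.
Test-EnrollmentPrereqs | Format-List
Get-RecentAutoEnrollEvents | Format-List
# Start-JoinAndEnrollmentTasks   # uncomment once AzureAdPrt shows YES
```

If AzureAdPrt stays NO for a @sd.abc.com user while a @abc.com user on the same device gets YES, the network and GPO checks will usually pass and the difference is on the identity side (the sub-domain suffix not being a verified domain, or the user not syncing with that UPN), which is the link Crystal's answer points at; starting the enrollment task before the PRT is fixed just reproduces the "MDM is not configured" event.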
