

Looks like Azure services haven't been configured. On the link I posted, you need to make sure the prerequisites are met to do the sync.

Not exactly what you're looking for, but you could send out a USB key that contains a script to automatically upload the hardware hash and assign a group tag. You could take some ideas from https://www.youtube.com/watch?v=nelpwJLQJDk

Test it out before you do it in production, but you should be able to change the Intune Connector for Active Directory service (from services.msc) to run as an AD user account, and that account needs to have permissions in all domains as specified here: https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit. You can't control which connector receives the request (it's first come, first served), which is why it needs permissions to create computer objects in all domains, as noted here: https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid#install-the-intune-connector

The docs state:
https://docs.microsoft.com/en-us/mem/intune/protect/certificate-connector-prerequisites#azure-active-directory-user


"When configuring the connector, you'll need to use a user account that: is either a Global Admin or Intune Admin, has an Intune license assigned, and must be a synchronized account from your local Active Directory."

Yes, check out ccmsetup.log and those other log files on the client in C:\Windows\ccmsetup\Logs

Can you post the settings that you used for your PKCS certificate template in Intune? (mask any sensitive info so it isn't shared)

So you're using PKCS instead of SCEP? If so, did you follow the documentation exactly to create the cert template? Mainly around the private key part - https://docs.microsoft.com/en-us/mem/intune/protect/certificates-pfx-configure#configure-certificate-templates-on-the-ca

Have you tried adding the virtual TPM under settings of the VM?

If you are using a task sequence to reimage, you can run a script to get the HW hash and authenticate using graph and Azure app registration. See https://www.youtube.com/watch?v=erUTkLY_MHo

See the note here https://docs.microsoft.com/en-us/windows/whats-new/windows-11-plan#windows-11-availability

"If you use Windows Update for Business to manage feature update deployments today, you will need to leverage the Target Version policy rather than Feature Update deferrals to move from Windows 10 to Windows 11. Deferrals are great for quality updates or to move to a newer version of the same product (for example, from Windows 10, version 20H2 to 21H1), but they cannot migrate a device between products (from Windows 10 to Windows 11).
Also, Windows 11 has a new End User License Agreement. If you are deploying with Windows Update for Business Target Version or with Windows Server Update Services, you are accepting this new End User License Agreement on behalf of the end-users within your organization."

https://twitter.com/ariaupdated/status/1441056423564087297
"Your managed devices will NOT automatically upgrade to #Windows11.

For #WUfB you'll need to specifically select/enter "Windows 11" on the Feature Update Deployments page in Intune or the Target release version policy. Deferrals alone won't move you to windows 11."

The licenses need to be assigned. Go into the Azure AD portal (aad.portal.azure.com), go to Users, select an example user, then Licenses. What type of licenses do the users have assigned?

The other method is in the link I posted.

Have you looked at using Autopilot and self-deploying mode then? https://docs.microsoft.com/en-us/mem/autopilot/self-deploying