I always have a rule of thumb “if it takes more than an hour to solve, it deserves sharing”, and that’s always been the story of my blogs over the last decade plus. The biggest struggle is finding the time to sit down, pull all my notes together, and sharing it with the larger IT community. With a holiday weekend and time off, since I’m not WORKING working, I figured why not start a fun series in the Microsoft Modern Workplace space I spend most of my time architecting, deploying & speaking about!
Volume 1 will cover a topic that has been near and dear (and a pain in my rear) to me, and it has to do with the Microsoft Device Management story as it pertains to Hybrid AD devices. Azure AD is the nirvana, mountain top goal that all organizations should be aiming, but as a realist in recognizing that takes time, time, and more time, starting off with Cloud management is a baby step in bringing the rest of an organization.
To meet the prerequisites for the SCCM Co-Management story, Hybrid AD and Intune registered devices for MDM are necessary; see:
In a Hybrid AD scenario this requires line of sight to a domain controller (which also applies to AutoPilot and Hybrid AD, but that’s for another Volume), but what happens with a remote workforce? Let’s dig into the “gotchas” to bring these devices into the fold.
Hybrid AD PC Connectivity
The first step of populating your PCs into Azure AD is to ensure AD Connect has “Device Writeback” properly configured; see:
Also – be sure your users have an Azure Active Directory Premium (P1/P2) license assigned!!
Once this is configured, and PCs begin to sync into Azure AD, you’re halfway there – but only the easiest part is done! The next step is changing that Pending status under Registered to showing a last contacted timestamp. For your remote workforce, this requires some Jedi-like
Connect the machine to your network!
In the field, there are still a number of PC clients that do not support connection at the login screen. This is typically where the Workplace Join task typically fires off at log in, but because there is no network connectivity / line-of-site to the domain controller, we need to manually kick off the Hybrid AD Join process.
Fire up Task Scheduler and down under the Microsoft\Windows folder, run the Automatic Device Join task
Once it’s had a chance to run, NOW REBOOT!
After a few moments you should see the status of the Device in Azure AD with a Timestamp
Registering with Intune
This one is a little trickier because there are some GOTCHAs to make this work properly:
- Windows 10 at 1709 or higher
- GPO to push the MDM registration!
Also – be sure your users have an Intune license assigned!!
Once you see these, LOG OFF and back on.
The Ghost of SCCM
In some cases where Configuration Manager agent was uninstalled but the PC is still reporting as Externally Managed. In this case change the following registry key
ExternallyManaged REG_DWORD to 0
Wait 30-60 seconds
Check under the Device Management event viewer for status, which is at:
This process can take a little bit of time to allow the back and forth communication between the machine and the Intune service.
If everything is successful, the first thing you should see Intune Management Extension installation (which you can validate under the Service MMC) and Company portal install
Finally, once all is well inside of Azure AD you should see MDM as Microsoft Intune
Once these are complete, any Device Configuration and Compliance policies you have set
In the ever-evolving field of Cloud Device Management, these Notes From The Field should help in troubleshooting the first step of a Co-Managed environment, no matter where in the world your Hybrid AD devices may be housed.