Some Hybrid Azure AD joined Devices do not show up in Intune

Andreas Rausch 0 Reputation points
2023-02-27T11:27:25.65+00:00

Dear all,

I am currently in the process of setting up Intune in our environment, which I recently joined in supporting.

We have various on-prem servers (AD, RDS, File Server) connected to Azure AD. Microsoft 365 Business Premium licenses for the users.

However, so far only the users were synced from on-prem AD and not the devices. Since the Azure environment has existed for a few years now, but was never greatly maintained, only Azure AD registered devices were found there.

Now that we have also synchronized the devices via the Azure AD Connector, they are consequently displayed as "Hybrid Azure AD joined".

However, only about 70% of the devices are displayed in Intune. All others have the status "Hybrid Azure AD joined", but MDM says "none".

My research has not yielded any results so far, but I suspect a connection with the user profiles themselves. Perhaps some users have forgotten to check one or the other box over the last few years when logging into Outlook or similar. When I log in to such a device with my own credentials, the device is later displayed in Intune.

Maybe someone here has a hint on how I can solve this issue from the Azure console or on-prem AD, without logging into each machine individually.

Thanks a lot in advance!

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Intune | Other

2 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-02-28T22:51:46.7033333+00:00

    Hi Andreas Rausch,

    I understand that some of your Hybrid Azure AD joined devices are not showing up in Intune.

    Here are some settings and troubleshooting steps to confirm:

    1. Make sure that you do not have a Conditional Access policy applied that could be enforcing MFA for those users. Depending on the conditions this might prevent the domain join.
    2. Confirm that the Certificates for Hybrid Azure AD Join are valid.
    3. Confirm that the Active Directory and Azure Active Directory UPNs match.
    4. Make sure you don’t have a ConfigMgr client policy that is blocking enrollment.
    5. Check the `dsregcmd /status` output for additional clues. If you are trying to Hybrid Azure AD join the devices, the devices need to be able to resolve the DNS records for the Active Directory domain and the Active Directory domain controller. The domain also has to be publicly routed, since the enrollment process will search for this domain publicly.

    Hybrid Azure AD devices should be auto enrolled using either Group policies or Autopilot. To ensure that the auto-enrollment feature is working as expected, you need to verify the auto-enrollment requirements and settings.

    To verify that the auto-enrollment worked correctly, you can view the event logs on the target Windows 10 device.

    To collect the Event Viewer logs:

    1. Open Event Viewer.
    2. Navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin.
    3. Search for Event ID 75. If you can't find event ID 75 in the logs, it means that the auto-enrollment failed. If you see event ID 76, it means that the auto-enrollment failed and you will need to investigate the error attached to the event ID. If you don't see either event ID 75 or 76, it means that the auto-enrollment did not trigger at all and you will need to investigate the task scheduler.

    For more details, see Troubleshoot auto-enrollment of devices.

    Additional resources:

    Troubleshoot hybrid Azure AD joined devices

    Troubleshooting legacy hybrid Azure Active Directory joined down-level devices

    Let me know if this helps and if you have further questions. If the suggestions do not work, feel free to share error messages and GPO settings so that we can further troubleshoot.

    -

    If the information provided helped narrow down the issue, please Accept the answer. This will help us as well as others in the community who might be researching the same problem.

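    The checks in the answer above (dsregcmd join state, event IDs 75/76 in the DeviceManagement-Enterprise-Diagnostic-Provider Admin log, and the enrollment scheduled task) can be gathered remotely so the original poster does not have to sign in to each device. This is an added example, not code from the answer or from Microsoft; it assumes WinRM is enabled on the targets, the caller is a local administrator there, and the computer names are hypothetical placeholders.

```powershell
# Added example: summarise auto-enrollment state for devices that show MDM = none.
# Assumes PowerShell remoting is enabled and the caller has admin rights on targets.
function Get-MdmEnrollmentState {
    $state = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. dsregcmd /status: parse "Key : Value" lines into a hashtable
    $ds = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.*\S)\s*$') { $ds[$Matches[1]] = $Matches[2] }
    }
    $state.AzureAdJoined = $ds['AzureAdJoined']
    $state.DomainJoined  = $ds['DomainJoined']
    $state.MdmUrl        = $ds['MdmUrl']   # empty when no MDM enrollment is configured

    # 2. Most recent event 75 (auto-enrollment succeeded) or 76 (failed)
    $log  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostic-Provider/Admin'
    $last = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } `
                -MaxEvents 20 -ErrorAction SilentlyContinue |
            Sort-Object TimeCreated -Descending | Select-Object -First 1
    $state.LastEnrollEventId   = $last.Id
    $state.LastEnrollEventTime = $last.TimeCreated
    $state.LastEnrollMessage   = if ($last) { ($last.Message -split "`n")[0] } else { $null }

    # 3. Scheduled task the enrollment client creates under EnterpriseMgmt;
    #    no task means auto-enrollment never triggered (no 75 and no 76)
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
        $_.TaskName -like '*automatically enrolling in MDM*'
    }
    $state.EnrollTaskPresent = [bool]$task

    # Verdict follows the decision tree from the answer above
    $state.Verdict = switch ($true) {
        ($ds['AzureAdJoined'] -ne 'YES') { 'Not Azure AD joined: check Azure AD Connect / dsregcmd'; break }
        ($last.Id -eq 75)                { 'Auto-enrollment succeeded'; break }
        ($last.Id -eq 76)                { 'Auto-enrollment failed: inspect LastEnrollMessage'; break }
        (-not $task)                     { 'Auto-enrollment never triggered: enrollment task missing'; break }
        default                          { 'Task present but no event 75/76 yet' }
    }
    [pscustomobject]$state
}

# Hypothetical computer names; replace with the devices that show MDM = none.
$targets = 'PC-001', 'PC-002'
Invoke-Command -ComputerName $targets -ScriptBlock ${function:Get-MdmEnrollmentState} |
    Select-Object Computer, AzureAdJoined, MdmUrl, LastEnrollEventId, EnrollTaskPresent, Verdict |
    Format-Table -AutoSize
```

    Devices whose verdict is "never triggered" are the ones to compare against the MDM auto-enrollment Group Policy scope; those with event 76 carry the actual enrollment error in LastEnrollMessage.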

  2. Dinesh Singh 0 Reputation points
    2023-07-25T10:45:14.52+00:00

    Can you elaborate on the points below, if we have them in the environment?

    1. Make sure you don’t have a ConfigMgr client policy that is blocking enrollment.
    2. Make sure that you do not have a Conditional Access policy applied that could be enforcing MFA for those users. Depending on the conditions this might prevent the domain join.

    ... we have Microsoft Intune and Microsoft Intune Enrollment MFA in the Azure portal, so which do we have to exclude?
