This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 79%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED6%3C/text%3E%3C/svg%3E)
I am having an issue with hybrid joined AAD devices onboarding to Intune. Across the multiple locations we have, devices will only onboard when I am located at one specific location. It seems to be tied to that IP address for me as well as others in my organization except for one person. All accounts are E5 licensed. We are not hitting device enrollment restrictions either. I have also looked through conditional access policies and none of those seem to be the problem as far as I can tell. I have had a case opened for months now with no answer. Has anyone come across a similar problem and what was your resolution?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
@DavidJTavares-6375,Thanks for posting in Q&A.
From your description, I know you have problem with enrolling hybrid joined devices in Intune from multiple locations.
Based on my research, there may be the locations restrictions in Conditional Access policy which will allow the trusted locations to enroll in Intune and block rest of others to enroll in Intune.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition
There are some methods you can try to resolve this issue.
1.Please go to Intune portal to check if there exist Conditional access policy to block Intune enrollment and delete the policy.
2.You can use VPN to configure the specific IP address to successfully enroll in Intune.
Please try above information, if there is any update, feel free to let me know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
There is no conditional access policy that blocks intune enrollment. 2 is not an option.
@DavidJTavares-6375, Thanks for your update.
There are some network requirements for endpoints, please check whether your network meet the requirements.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints
What kind of enrollment type you are using?
Please provide us the enrollment failure message and check if there exist some error message in Event Viewer. Location: Applications and Services Logs/Microsoft/Windows/DeviceManagement-Enterprise-Diagnostics-Provider/Admin
If there is any unclear, feel free to contact me.