MDM-only PCs not installing all Required apps from Intune

Question

MDM-only PCs not installing all Required apps from Intune

Jon Resele 60

tl;dr at the bottom

For reasons I won't get into, we don't have an SCCM server, so co-management is not an option (right now?). But within our environment we have "assigned-user" PCs for Faculty and Staff, and "no-assigned-user" PCs like classrooms, computer labs, and kiosks.

For the PCs with specific users, we can get computers into Intune using User Credential auto-enrollment through GPO. But without SCCM, we cannot use device credentials to get them in as co-managed; so we need to enroll them manually via "enroll in MDM only"

I tried setting up a "workplace" enrollment with the Windows Configuration Designer, but only got errors. And we are Hybrid-joined, so autopilot and .ppkg aren't going to work. (when uploading HWIDs into Autopilot they are automatically becoming Entra-joined, so they can't then hybrid-join ADDS because they are already Entra-joined).

Our Hybrid-joining works by connecting the PC to AD, then about 15 minutes later it's synced with Entra as a Hybrid-joined computer.

When manually "enrolling in MDM only" we are finding that a second object is being created in Entra ID, one is Hybrid-joined and is not enrolled into Intune, the other has no join status, and is enrolled into Intune. This is somewhat problematic because scripted remediations only run on computers that are Entra-joined or Hybrid-joined, and MDM-only is neither.

I also noticed that after enrolling, the MDM-only PCs would install some of the apps required by their Entra group assignments, then it would fail to install anything else.

As an example, we have a group in Entra that is called "Intune-Classrooms" and has a dynamic filter to put all the PCs that are in classrooms into that group. Then we assign apps that are needed in every classroom to that Entra group; such as Chrome and Firefox. The MDM-only PC would install the Intune Management Extension, LAPS, and Chrome, but then fail to install anything else; though all device configuration (as far as I could tell) was performed, it was only required apps that weren't being installed.

As a test, I performed a wipe through Intune on that PC, and after the wipe was done, it reinstalled Firefox, VLC, SPSS, and LAPS, but this time decided that Chrome wasn't worth its time. After waiting overnight it installed a few more apps like R and Rtools, but still hadn't installed Mathematica.

The MDM-only PCs aren't even showing up as having attempted but failed to install the apps when checking the app deployments; though that same app would install on PCs that had been joined using User Credentials and were Entra Hybrid-joined.

Is there a reason why an MDM-only device would not install all required apps if it exists in the same Entra group as a computer that installed all those apps but was Entra Hybrid-joined?

If we're resetting/refreshing a lab or a classroom, we don't really have 72+ hours to wait to see if the apps will be installed or not.

Accepted answer

0 additional answers

Your answer

Answer 1

Crystal-MSFT 53,991 Microsoft External Staff

@Jon Resele, Thanks for posting in Q&A. For Microsoft Entra hybrid joined device, the enrollment method we can choose is GPO enrollment, co-management or Autopilot. For our scenario, the recommended one is GPO enrollment. For kiosk or shared device, the support enrollment methods are windows automatic enrollment, Autopilot or co-management. Here is a link with more details.

https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-windows

For Enroll only in device management option. This option doesn't register the device in Microsoft Entra ID. From an Intune perspective, we don't recommend this MDM-only option for BYOD or personal devices. Also this is not for corporate device either. For your scenario, although the device has Microsoft Entra Hybrid joined device recorded, this record will not associate with the Intune records.

User's image

Meanwhile, for app deployment, some apps have requirements for example, win32 app needs the device enroll into Intune and also it needs to be Microsoft Entra registered, Microsoft Entra joined or Microsoft Entra hybrid joined. For Enroll only in device management option, it will not create Microsoft Entra device record to associate. So it may fail.

https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-app-management#prerequisites

For your scenario, please change another enrollment method instead of Enroll only in device management option for these devices.

Hope the above information can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2024-09-11T02:21:08.4866667+00:00

@Jon Resele, For the shared devices, you can enroll into Intune and let the device to be Microsoft Entra joined device. Then deploy kiosk or shared device profile to let guest account instead domain account to access.

https://learn.microsoft.com/en-us/mem/intune/configuration/kiosk-settings-windows

https://learn.microsoft.com/en-us/mem/intune/configuration/shared-user-device-settings-windows
Jon Resele 60 Reputation points

2024-09-11T03:39:19.0166667+00:00

Due to our reliance on Active Directory, having devices that are only Entra-joined is a no-go.

We use Deep Freeze to keep open-lab computers from breaking weekly, but we've been looking at shared profiles as an alternative (if we can deploy apps via MDM-only enrollment)
Jon Resele 60 Reputation points

2024-09-11T03:42:41.18+00:00

GPO was working for User-assigned PCs auto-enrolling with User Criteria, but without SCCM to create the GUID SMSCFG.ini with the device identifier, using GPO for Device Credentials to enroll isn't going to happen (which is why we might need to just create an SCCM server that literally is just to create device identifiers)

I'll take a look at the apps that install vs the apps that don't to see if one app has "all devices" with a filter applied, where others are an Entra ID group.
Jon Resele 60 Reputation points

2024-09-11T03:46:49.8666667+00:00
Devices must be enrolled in Intune and either:

Microsoft Entra registered

Microsoft Entra joined

Microsoft Entra hybrid joined

looks like we need to make a new SCCM server...
Jon Resele 60 Reputation points

2024-09-11T04:18:57.2666667+00:00

Can confirm: the apps that were installing on the MDM-only PCs were the MSI "line of business" apps and the packaged Win32 were not installing.
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2024-09-11T05:08:32.44+00:00

@Jon Resele, Thanks for the reply. SCCM deployment is not a small project. For these not user assigned devices which still need to domain join on-premise domain, you can put them to one specific OU and leave them to be managed with GPO instead.
Jon Resele 60 Reputation points

2024-09-12T04:24:24.7533333+00:00

We might need to re-evaluate how we push apps out to non-user-assigned PCs, if we can just rely on Ghost Solution Suite to manually push installs out instead of Intune for app installs.

It boils down to the difference between just putting an app in one place, and have it push (like uploading Zoom Workplace in one place and have it push) or doing it twice and manually pushing during a Deep Freeze thaw period...
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2024-09-12T06:10:50.0266667+00:00

@Jon Resele, Thanks for the information. If anything else from Intune side we can provide, feel free to let us know.

Share via

MDM-only PCs not installing all Required apps from Intune

0 additional answers

Your answer