Hybrid joined workstations cannot go to on-prem file shares until GPO forced on workstation.

hersheys99 0 Reputation points
2025-01-27T15:01:25.9533333+00:00

We have an existing on-prem environment.

This is synced to Azure with the v2 connector;
the connector syncs specific user and workstation OUs.

Our servers OU is not currently synced.
We have successfully hybrid joined our workstations; they show MDM as Intune, and dsregcmd shows them Azure joined and domain joined.

We have on-prem file shares that are pushed via GPO; they are set as create and reconnect.

When users sign into their workstations using domain username and password (not Windows Hello),
they see the file shares, but attempts to browse give them a "location cannot be found" error.

Once we do a gpupdate /force, the drives become available.

Upon logging out and back in, same behaviour: "location cannot be found", rinse and repeat.

This happens on both Windows 10 and 11 devices.

We have checked for DNS entry errors and for conflicting Intune policies / GPO errors. We found some duplicated workstation entries in Azure where they show as not MDM connected, so we removed those, leaving only the registered / hybrid joined device ID.

So my questions now are:
Does our FS need to be hybrid joined? (We prefer not to, as it's offline.)
Does the OU in our on-prem AD at least need to be synced so Azure knows where to point the workstations?
Is there something I'm missing in the setup? Firewall entries that need to be whitelisted, perhaps?


2 answers

  1. Geoff McKenzie 315 Reputation points
    2025-01-28T03:40:23.8166667+00:00

    Hi hersheys99,

    This is a bit of a random thought, but...

    Have you tested with this GPO setting?

    1. Always wait for the network at computer startup and logon (Computer -> Administrative Templates -> System -> Logon)

    Regards,

    Geoff


  2. Crystal-MSFT 51,891 Reputation points Microsoft Vendor
    2025-01-28T08:08:03.0633333+00:00

    @hersheys99, thanks for posting in Q&A. It sounds like you're experiencing a complex issue with your hybrid environment and file shares. Here are my answers to your questions:

    1. Does our FS need to be hybrid joined?
      • No, your file server (FS) does not necessarily need to be hybrid joined. However, it does need to have line of sight to a domain controller for authentication purposes. This means that the file server should be able to communicate with the domain controller to authenticate users.
    2. Does the OU in our on-prem AD at least need to be synced so Azure knows where to point the workstations?
      • Yes, syncing the Organizational Unit (OU) in your on-premises Active Directory (AD) to Microsoft Entra ID can help ensure that Azure knows where to point the workstations. This synchronization helps maintain consistency and ensures that the devices are properly recognized and authenticated.
    3. Is there something I'm missing in the setup? Firewall entries that need to be whitelisted, perhaps?
      • There could be several factors contributing to the issue. Here are a few things to check:
      • Firewall and Network Configuration: Ensure that the necessary ports and protocols are open and not being blocked by firewalls. This includes ports for SMB (Server Message Block) and other relevant protocols. You can capture a netmon log to see if we can find where the issue is.
      • Group Policy Settings: Verify that the Group Policy Objects (GPOs) are correctly configured and applied. The fact that gpupdate /force resolves the issue temporarily suggests that there might be a delay or issue in the policy application.
      • Hybrid Join Configuration: Make sure that the hybrid join process is correctly configured and that there are no issues with the device registration in Microsoft Entra ID. Check if the last check-in is updated.

    If there's anything unclear, feel free to let us know.


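The checks suggested in both answers above (hybrid join state, line of sight to a domain controller, SMB port 445 reachability, the "Always wait for the network" policy, and the current state of the GPO-mapped drives) can be collected in one pass on an affected workstation. The script below is an added example written for this page; it is not code from either answer or from Microsoft. `fs01.corp.example.com` and the share name `Data` are placeholder assumptions to replace with the real file server and one of the GPO-mapped shares. Run it in the affected user's own (non-elevated) session while the drives are still showing "location cannot be found", i.e. before running gpupdate /force, because mapped drives and the Entra ID PRT are per-session state that an elevated or different-user session will not show.

```powershell
# Added diagnostic script (not from the original thread). Run as the affected
# user, non-elevated, while the problem is reproducing (before gpupdate /force).
param(
    [string]$FileServer = 'fs01.corp.example.com',   # ASSUMPTION: replace with the real file server FQDN
    [string]$ShareName  = 'Data'                     # ASSUMPTION: one of the GPO-mapped shares
)

# Small helper: first capture group of the first line matching $Pattern, or $null.
function Get-FirstGroup([string[]]$Text, [string]$Pattern) {
    $m = $Text | Select-String -Pattern $Pattern | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}

$results = [ordered]@{}

# 1. Device registration state. A hybrid joined device should report
#    DomainJoined : YES and AzureAdJoined : YES; AzureAdPrt : NO in the user's
#    session means the Entra ID side of the sign-in did not complete.
$dsreg = dsregcmd /status
$results['DomainJoined']  = Get-FirstGroup $dsreg '^\s*DomainJoined\s*:\s*(\w+)'
$results['AzureAdJoined'] = Get-FirstGroup $dsreg '^\s*AzureAdJoined\s*:\s*(\w+)'
$results['AzureAdPrt']    = Get-FirstGroup $dsreg '^\s*AzureAdPrt\s*:\s*(\w+)'

# 2. Line of sight to a domain controller (needed for Kerberos to the file server).
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$results['DcLocator'] = Get-FirstGroup (nltest /dsgetdc:$domain 2>&1) 'DC:\s*(\S+)'

# 3. DNS and SMB reachability of the file server: TCP 445 must be open end to end.
$results['FsResolves'] = [bool](Resolve-DnsName -Name $FileServer -ErrorAction SilentlyContinue)
$results['Smb445Open'] = (Test-NetConnection -ComputerName $FileServer -Port 445 `
                              -WarningAction SilentlyContinue).TcpTestSucceeded

# 4. Kerberos: request a service ticket for the file server. If this fails while
#    step 2 succeeds, the problem is authentication rather than networking.
$klist = klist get "cifs/$FileServer" 2>&1
$results['CifsTicket'] = [bool]($klist | Select-String -SimpleMatch "cifs/$FileServer")

# 5. "Always wait for the network at computer startup and logon" is stored as
#    SyncForegroundPolicy = 1 under the Winlogon policy key; empty means not set.
$wl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$results['SyncForegroundPolicy'] = (Get-ItemProperty -Path $wl -Name SyncForegroundPolicy `
                                        -ErrorAction SilentlyContinue).SyncForegroundPolicy

# 6. What the GPO drive-map preference left behind in this session: a drive
#    whose Status is not OK is exactly the "location cannot be found" symptom.
$results['MappedDrives'] = (Get-SmbMapping -ErrorAction SilentlyContinue |
    Select-Object LocalPath, RemotePath, Status | Out-String).Trim()

# 7. Direct UNC access, bypassing the drive letter. If this works while the
#    mapped drive does not, the share and authentication are fine and the
#    problem is in how/when the drive-map preference is being applied.
$results['UncReachable'] = Test-Path -Path "\\$FileServer\$ShareName"

[pscustomobject]$results | Format-List
```

Read the output top to bottom: the first row that is NO, false or empty points at which of the three areas in the answer above (network/firewall, Group Policy timing, hybrid join registration) to dig into next, and a capture with netmon or Wireshark filtered on TCP 445 to the file server can then be taken at the moment the mapping fails rather than blind.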
