Co-Managed Windows 10 Device Doesn't Show Azure Domain in 'Access Work or School' Settings

NotSoMagic Mike 121 Reputation points
2022-03-02T19:18:42.137+00:00

We are performing a targeted deployment (formerly controlled validation) to Hybrid Azure AD Join our Windows 10 workstations. We have a federated environment. We're using MECM (formerly SCCM), so the machines will be co-managed once they are Hybrid Joined. The first batch of machines that we successfully hybrid joined (according to 'dsregcmd /status' and a 'Hybrid Join' join type in Azure Active Directory), do not show the Azure AD domain in the 'Access Work or School' settings. However, the on-prem Active Directory domain is there. In MECM, we're using the pilot option for Cloud Attach, so we can gradually switch the workloads over from MECM/Group Policy to Intune. Present, the only workload transferred is Endpoint Security, which should include cloud policy settings directly related to Defender.

I discovered the AAD domain was missing from 'Access work or school' when I attempted to perform a policy sync. The procedure is to go into the 'Access work or school' settings and trigger a policy sync from the AAD domain connection item. Obviously I can't do that if the only connection item is the on-prem domain. Perhaps it won't appear until I switch over one of the other workloads to Intune?

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,811 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,477 questions
Microsoft Configuration Manager
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,849 questions
0 comments No comments
{count} votes

Accepted answer
  1. Jason Sandys 31,181 Reputation points Microsoft Employee
    2022-03-02T20:20:35.087+00:00

    What you are seeing is correct and expected. To sync the MDM policy from Intune on a HAADJ Windows endpoint, you need to select the on-prem AD domain in Access work or school, click the Info button, scroll to the bottom, and click Sync.

    Because you only have the Endpoint Security workload switched over, only profiles and settings related to Endpoint security will apply.

    Also note that co-management and co-management workloads have nothing to do with group policy and won't in any way arbitrate or prevent group policies from applying. You need to control this using group policy targeting constructs like OUs, security filtering, and WMI filters.

    Finally, it was never "SCCM" and has always been (at least since it was SMS) and still is ConfigMgr.

    2 people found this answer helpful.

0 additional answers

Sort by: Most helpful