Alexandros

SCCM 1802 Co-Management not properly detecting Hybrid AzureAD Joined devices (shows as AzureAD Joined)

I am facing a very weird issue with SCCM Co-Management where Windows 10 machines registered to Azure AD via Hybrid Azure AD Join are shown as Azure AD Joined.

I will be focusing on one machine so we see the issue in depth.

Configuration details

  • SCCM Current Branch 1802 with all three hotfixes installed
  • Windows 10 Enterprise 1803 with latest updates
  • Co-Management Enabled for All Devices (no pilot group)
  • No workloads have yet been migrated to Intune
  • Group Policies for Automatic Enrollment to MDM and Automatic Registration with AzureAD enabled
  • SCCM Client Cloud option for Automatic Registration enabled
  • Intune set as Standalone
  • Intune Enrollment set as MDM only (MAM disabled)
  • ADFS Federated Domain 3.0 (2012R2) with AAD Connect Federation

Facts

  • SSO et al. are working as expected on the client
  • Client detects client as Hybrid Azure AD Joined
  • Intune detects client as Hybrid Azure AD Joined

Issue

  • SCCM detects client as Azure AD Joined

I will now provide all relevant screenshots from Intune, SCCM and Client.

SCCM

As seen below, SCCM thinks the device is Azure AD Join and not Hybrid Azure AD Join.

[Screenshot: co-management pie chart]

[Screenshot: CCM devices list]

I also used the following SCCM query:

select SMS_R_System.NetbiosName,
       SMS_Client_ComanagementState.Authority,
       SMS_Client_ComanagementState.AADDeviceID,
       SMS_Client_ComanagementState.ComgmtPolicyPresent,
       SMS_Client_ComanagementState.EnrollmentErrorDetail,
       SMS_Client_ComanagementState.EnrollmentFailed,
       SMS_Client_ComanagementState.EnrollmentStatusCode,
       SMS_Client_ComanagementState.HybridAADJoined,
       SMS_Client_ComanagementState.MDMEnrolled,
       SMS_Client_ComanagementState.MDMWorkloads,
       SMS_Client_ComanagementState.AADJoined
from SMS_R_System
inner join SMS_Client_ComanagementState
        on SMS_Client_ComanagementState.ResourceID = SMS_R_System.ResourceId
where SMS_Client_ComanagementState.ComgmtPolicyPresent = 1
  and SMS_Client_ComanagementState.MDMEnrolled = 1

And had the following results, same problem: Azure AD Joined = Yes, Hybrid Azure AD Joined = No

[Screenshot: SCCM co-management report]

AzureAD

As seen under Devices > Azure AD Devices, the machine is properly detected as Hybrid Azure AD Joined.

[Screenshot: Azure AD device details]

As seen below, DeviceTrustType = Domain Joined and DeviceTrustLevel = Managed should be correct (see here).

Get-MsolDevice -Name hp-eb-g3


Enabled                       : True
ObjectId                      : cxxxxxxxxxxxxxxxxxxxxxxxx0
DeviceId                      : 2xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2
DisplayName                   : HP-EB-G3
DeviceObjectVersion           : 2
DeviceOsType                  : Windows 10 Enterprise
DeviceOsVersion               : 10.0 (17134)
DeviceTrustType               : Domain Joined
DeviceTrustLevel              : Managed
DevicePhysicalIds             : {[USER-GID]:2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2,
                                [GID]:g:6xxxxxxxxxxxxxxxx2,
                                [USER-HWID]:2xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2,
                                [HWID]:h:6xxxxxxxxxxxxxxxxxx2}
ApproximateLastLogonTimestamp : 27/07/2018 15:00:56
AlternativeSecurityIds        : {X509:<SHA1-TP-PUBKEY>0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
DirSyncEnabled                : True
LastDirSyncTime               : 03/08/2018 02:31:16
RegisteredOwners              : {}
GraphDeviceObject             : Microsoft.Azure.ActiveDirectory.GraphClient.Device

Intune

This is how the device shows up in Intune:

[Screenshot: Intune device view]

Client

DeviceManagement log event 75 properly happened:

[Screenshot: MDM enrollment logs]

Client properly sees management from Intune:

[Screenshot: client MDM GUI, page 1]

[Screenshot: client MDM GUI, page 2]

dsregcmd properly recognizes the machine as AAD and MDM enrolled and AD domain joined:

dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
                  DeviceId : 2xxxxxxxxxxxxxxxxxxxxxxxxx2
                Thumbprint : 0xxxxxxxxxxxxxxxxxxxxxxA
            KeyContainerId : cxxxxxxxxxxxxxxxxxxxxxx7
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
              KeySignTest: : PASSED
                       Idp : login.windows.net
                  TenantId : 9xxxxxxxxxxxxxxxxxxx2
                TenantName : Axxxxxxxxxxxxxs
               AuthCodeUrl : https://login.microsoftonline.com/9xxxxxxxxxxxxxxxxxxxx2/oauth2/authorize
            AccessTokenUrl : https://login.microsoftonline.com/9xxxxxxxxxxxxxxxxxxxxxxxxx2/oauth2/token
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
                 MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
          MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
               SettingsUrl :
            JoinSrvVersion : 1.0
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
             KeySrvVersion : 1.0
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/9xxxxxxxxxxxxxxxxxxxxxxxxxxxx2/
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvVersion : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2/
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
              DomainJoined : YES
                DomainName : XXXXXXXXXX

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : {Bxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0} (AzureAd)
                AzureAdPrt : YES
       AzureAdPrtAuthority : https://login.microsoftonline.com/9xxxxxxxxxxxxxxxxxxxxxxxxxx2
             EnterprisePrt : NO
    EnterprisePrtAuthority :

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

             IsUserAzureAD : YES
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : NO
            CertEnrollment : none
         AadRecoveryNeeded : NO
              PreReqResult : WillNotProvision

Can anyone having a similar configuration crosscheck and let me know what difference there is?

References:
https://www.imab.dk/flipping-the-switch-how-to-enable-co-management-in-configuration-manager-current-branch/
https://allthingscloud.blog/automatically-mdm-enroll-windows-10-device-using-group-policy/

--

Alex
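An added example, not code from Alex's post or from Microsoft: a PowerShell script that parses the `dsregcmd /status` output shown above and derives the join type the client itself reports (Hybrid Azure AD Joined means DomainJoined and AzureAdJoined are both YES), so it can be compared line by line with what the SCCM report's AADJoined and HybridAADJoined columns say. Function names and the trimmed sample output are my own.

```powershell
# Added example: classify a device's join state from `dsregcmd /status` so the
# client's view can be checked against the AADJoined/HybridAADJoined columns in SCCM.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Fields print as "   Name : Value"; banners and blank lines do not match.
        # "[\s:]*" also absorbs the stray second colon in "KeySignTest: : PASSED".
        if ($line -match '^\s*([A-Za-z]+)\s*:[\s:]*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function Get-JoinType {
    param([hashtable]$State)
    $aad    = $State['AzureAdJoined']   -eq 'YES'
    $domain = $State['DomainJoined']    -eq 'YES'
    $wpj    = $State['WorkplaceJoined'] -eq 'YES'
    # Hybrid = AD domain joined AND Azure AD joined; this is what SCCM's
    # HybridAADJoined column should report for the machine in this thread.
    if ($aad -and $domain) { return 'Hybrid Azure AD Joined' }
    if ($aad)              { return 'Azure AD Joined' }
    if ($wpj)              { return 'Azure AD Registered' }
    if ($domain)           { return 'Domain Joined only' }
    return 'Not joined'
}

# Constructed sample trimmed from the output above; set $Live = $true to query the local machine.
$Live = $false
$Sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              KeySignTest: : PASSED
              DomainJoined : YES
           WorkplaceJoined : NO
                AzureAdPrt : YES
'@
$lines = if ($Live) { & dsregcmd /status } else { $Sample -split "`r?`n" }
$state = ConvertFrom-DsregStatus -Lines $lines
[pscustomobject]@{
    JoinType      = Get-JoinType -State $state
    AzureAdJoined = $state['AzureAdJoined']
    DomainJoined  = $state['DomainJoined']
    AzureAdPrt    = $state['AzureAdPrt']   # a missing PRT is the usual reason SSO breaks
}
```

With the sample input the object reports JoinType = Hybrid Azure AD Joined; if SCCM still shows AADJoined = Yes and HybridAADJoined = No for the same resource, the disagreement is on the SCCM side rather than in the client's registration.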

Hi Alexandros,

Seems like everything is set up correctly and I can't replicate the issue since I have no SCCM configured (cloud only). I suppose you did thorough research and perhaps you already found the following blog about Windows 10 "co-management" A-Z with some more troubleshooting tips. Did you open a support case with Microsoft? That would be my next step, while in the meantime perhaps someone else could shed some light on this issue. Wondering if it's a config issue or a bug. Sorry I couldn't be of more help.

Regards,

Oktay

Thanks a lot Oktay for looking into this!

I have sent the forum thread to Microsoft Intune support, as they have a dedicated topic for Co-management. Let's hope they help me out here.

I am also seeing a weird issue when I do gpupdate:

"Windows failed to apply the MDM policy settings"

Have you noticed any similar issue?

Thanks a lot.

Alex

[Screenshot: gpupdate output]
