Alexandros

SCCM 1802 Co-Management not properly detecting Hybrid AzureAD Joined devices (shows as AzureAD Joined)




I am facing a very weird issue with SCCM co-management, where Windows 10 machines registered to Azure AD as Hybrid Azure AD Joined are shown as Azure AD Joined.

I will be focusing on one machine so we see the issue in depth.

Configuration details

  • SCCM Current Branch 1802 with all three hotfixes installed
  • Windows 10 Enterprise 1803 with latest updates
  • Co-Management Enabled for All Devices (no pilot group)
  • No workloads have yet been migrated to Intune
  • Group Policies for Automatic Enrollment to MDM and Automatic Registration with AzureAD enabled
  • SCCM Client Cloud option for Automatic Registration enabled
  • Intune set as Standalone
  • Intune Enrollment set as MDM only (MAM disabled)
  • ADFS Federated Domain 3.0 (2012R2) with AAD Connect Federation

Facts

  • SSO et al. are working as expected on the client
  • The client detects itself as Hybrid Azure AD Joined
  • Intune detects client as Hybrid Azure AD Joined

Issue

  • SCCM detects client as Azure AD Joined

I will now provide all relevant screenshots from Intune, SCCM and Client.

SCCM

As seen below, SCCM thinks the device is Azure AD Joined and not Hybrid Azure AD Joined.

[screenshot: co-management-piechart.png]

[screenshot: ccm-devices.png]

I also used the following SCCM query:

select SMS_R_System.NetbiosName,
       SMS_Client_ComanagementState.Authority,
       SMS_Client_ComanagementState.AADDeviceID,
       SMS_Client_ComanagementState.ComgmtPolicyPresent,
       SMS_Client_ComanagementState.EnrollmentErrorDetail,
       SMS_Client_ComanagementState.EnrollmentFailed,
       SMS_Client_ComanagementState.EnrollmentStatusCode,
       SMS_Client_ComanagementState.HybridAADJoined,
       SMS_Client_ComanagementState.MDMEnrolled,
       SMS_Client_ComanagementState.MDMWorkloads,
       SMS_Client_ComanagementState.AADJoined
from SMS_R_System
inner join SMS_Client_ComanagementState
        on SMS_Client_ComanagementState.ResourceID = SMS_R_System.ResourceId
where SMS_Client_ComanagementState.ComgmtPolicyPresent = 1
  and SMS_Client_ComanagementState.MDMEnrolled = 1

And had the following results, same problem: Azure AD Joined = Yes, Hybrid Azure AD Joined = No.

[screenshot: sccm-report-comanagement.png]

AzureAD
As seen under Devices > Azure AD Devices, the machine is properly detected as Hybrid Azure AD Joined.

[screenshot: AAD-Device-Details.png]

As seen below, DeviceTrustType = Domain Joined and DeviceTrustLevel = Managed should be correct (see here).

Get-MsolDevice -Name hp-eb-g3


Enabled                       : True
ObjectId                      : cxxxxxxxxxxxxxxxxxxxxxxxx0
DeviceId                      : 2xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2
DisplayName                   : HP-EB-G3
DeviceObjectVersion           : 2
DeviceOsType                  : Windows 10 Enterprise
DeviceOsVersion               : 10.0 (17134)
DeviceTrustType               : Domain Joined
DeviceTrustLevel              : Managed
DevicePhysicalIds             : {[USER-GID]:2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2,
                                [GID]:g:6xxxxxxxxxxxxxxxx2,
                                [USER-HWID]:2xxxxxxxxxxxxxxxxxxxxxxxxxxxxx2,
                                [HWID]:h:6xxxxxxxxxxxxxxxxxx2}
ApproximateLastLogonTimestamp : 27/07/2018 15:00:56
AlternativeSecurityIds        : {X509:<SHA1-TP-PUBKEY>0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
DirSyncEnabled                : True
LastDirSyncTime               : 03/08/2018 02:31:16
RegisteredOwners              : {}
GraphDeviceObject             : Microsoft.Azure.ActiveDirectory.GraphClient.Device

Intune

This is how the device shows up in Intune:

[screenshot: Intune-View.png]

Client

DeviceManagement log event 75 was properly logged.

[screenshot: MDM-Enrollment-Logs.png]

The client properly sees management from Intune.

[screenshot: client-mdm-gui-1.png]

[screenshot: client-mdm-gui-2.png]

dsregcmd properly recognizes the machine as AAD joined, MDM enrolled and AD domain joined.

dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
                  DeviceId : 2xxxxxxxxxxxxxxxxxxxxxxxxx2
                Thumbprint : 0xxxxxxxxxxxxxxxxxxxxxxA
            KeyContainerId : cxxxxxxxxxxxxxxxxxxxxxx7
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
              KeySignTest: : PASSED
                       Idp : login.windows.net
                  TenantId : 9xxxxxxxxxxxxxxxxxxx2
                TenantName : Axxxxxxxxxxxxxs
               AuthCodeUrl : https://login.microsoftonline.com/9xxxxxxxxxxxxxxxxxxxx2/oauth2/authorize
            AccessTokenUrl : https://login.microsoftonline.com/9xxxxxxxxxxxxxxxxxxxxxxxxx2/oauth2/token
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
                 MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
          MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
               SettingsUrl :
            JoinSrvVersion : 1.0
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
             KeySrvVersion : 1.0
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/9xxxxxxxxxxxxxxxxxxxxxxxxxxxx2/
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvVersion : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2/
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
              DomainJoined : YES
                DomainName : XXXXXXXXXX

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : {Bxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0} (AzureAd)
                AzureAdPrt : YES
       AzureAdPrtAuthority : https://login.microsoftonline.com/9xxxxxxxxxxxxxxxxxxxxxxxxxx2
             EnterprisePrt : NO
    EnterprisePrtAuthority :

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

             IsUserAzureAD : YES
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : NO
            CertEnrollment : none
         AadRecoveryNeeded : NO
              PreReqResult : WillNotProvision


Can anyone with a similar configuration cross-check and let me know what difference there is?

References:
https://www.imab.dk/flipping-the-switch-how-to-enable-co-management-in-configuration-manager-current-branch/
https://allthingscloud.blog/automatically-mdm-enroll-windows-10-device-using-group-policy/

--

Alex
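As an added example (not part of the original post or of the SCCM product), the following PowerShell script reproduces the cross-check the thread is doing by hand: it parses dsregcmd /status on the client, derives the join type from the AzureAdJoined and DomainJoined flags, then asks the SMS Provider what the site recorded in the same SMS_Client_ComanagementState class the post queries. $SiteServer and $SiteCode are placeholders for your environment; the root\sms\site_<code> namespace is the standard SMS Provider path.

```powershell
# Added example: compare the client's own join state with the SCCM site's record.
# Assumes rights to query the SMS Provider; $SiteServer/$SiteCode are placeholders.
param(
    [string]$SiteServer = 'SITESERVER.example.local',   # placeholder
    [string]$SiteCode   = 'P01'                         # placeholder
)

# Parse the "   Key : Value" lines of dsregcmd /status into a hashtable.
function Get-DsregState {
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

# Both flags set is the hybrid case; only AzureAdJoined is a pure Azure AD join.
function Get-JoinType([hashtable]$s) {
    $aad = $s['AzureAdJoined'] -eq 'YES'
    $dom = $s['DomainJoined']  -eq 'YES'
    if ($aad -and $dom) { return 'Hybrid Azure AD Joined' }
    if ($aad)           { return 'Azure AD Joined' }
    if ($dom)           { return 'Domain Joined only' }
    if ($s['WorkplaceJoined'] -eq 'YES') { return 'Azure AD Registered' }
    return 'Not joined'
}

$client     = Get-DsregState
$clientJoin = Get-JoinType $client
"Client {0} reports: {1} (DeviceId {2})" -f $env:COMPUTERNAME, $clientJoin, $client['DeviceId']

# Same class as the console query in the post, fetched through the SMS Provider.
$q = "SELECT ResourceID, AADJoined, HybridAADJoined, AADDeviceID, MDMEnrolled " +
     "FROM SMS_Client_ComanagementState"
$rows = Get-CimInstance -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" -Query $q
$mine = $rows | Where-Object { $_.AADDeviceID -eq $client['DeviceId'] }
if (-not $mine) { "Site has no SMS_Client_ComanagementState row for this device yet."; return }

$siteJoin = if ($mine.HybridAADJoined) { 'Hybrid Azure AD Joined' }
            elseif ($mine.AADJoined)   { 'Azure AD Joined' }
            else                       { 'Not AAD joined' }
"Site records: {0} (AADJoined={1}, HybridAADJoined={2}, MDMEnrolled={3})" -f `
    $siteJoin, $mine.AADJoined, $mine.HybridAADJoined, $mine.MDMEnrolled
if ($siteJoin -ne $clientJoin) {
    Write-Warning "Mismatch: client says '$clientJoin', site says '$siteJoin'."
}
```

A mismatch warning is the symptom described in the post (client: Hybrid, site: Azure AD Joined); matching output on a peer device narrows the problem to the site's inventory of that one client.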


Hi Alexandros,

Seems like everything is set up correctly, and I can't replicate the issue since I have no SCCM configured (cloud only). I suppose you did thorough research and perhaps you already found the following blog about Windows 10 “co-management” A-Z with some more troubleshooting tips. Did you open a support case with Microsoft? That would be my next step, while in the meantime perhaps someone else could shed some light on this issue. Wondering if it's a config issue or a bug. Sorry I couldn't be of more help.


Regards,

Oktay


Thanks a lot Oktay for looking into this!

I have sent the forum thread to Microsoft Intune support as they have a dedicated topic for Comanagement. Let's hope they help me out here.

I am also seeing a weird issue when I do gpupdate:

"Windows failed to apply the MDM policy settings"

Have you noticed any similar issue?


Thanks a lot.

Alex

[screenshot: gpupdate.PNG]
