Hybrid Autopilot - double AAD objects

  • Question

  • Hi folks,

    I am setting up Hybrid Autopilot in a customer environment, and it seems to be working as intended for the most part, but one thing that keeps bugging me is that I end up getting two almost identical device objects in my AAD for each enrolment.


    Looking at the object GUIDs on these two objects, my conclusion is that the first one (The Azure AD joined one) is originating from my Autopilot registration, while the second one (The Hybrid AD joined one) is the "real" object, that is created from the hybrid join.

    Now, I can technically see why this is happening, since the Autopilot AD object is created when I register the device, and the Hybrid AD object is created by AD Connect during sync(?).

    Question is, is this the expected result from running Hybrid Autopilot, or do I need to tweak my settings to have the objects merge?
    I'm thinking maybe I need to do some config in AD Connect to keep the AAD object "intact" all the way from Autopilot to Hybrid state, but I have no clue what.

    Also, I managed to reproduce the whole thing in my lab environment.

    Tested on Win 10 1903 (October update) and 1909.

    Wednesday, November 27, 2019 7:25 PM

Answers

  • I totally understand your frustration in dealing with this issue. And in my test environment, I met this issue as well. It is highly suggested that you post a request in Intune User Voice. Many features of our current products are designed and upgraded based on customer feedback. We strive to capture any negative reviews in order to ensure that we are continuously improving our products to meet our customers' needs. With your efforts, we are committed to improving our products. Once I get any information, I will inform you as soon as I can. Here is the link:

    https://microsoftintune.uservoice.com/forums/291681-ideas 

    Best regards,

    Cici Wu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, December 4, 2019 7:08 AM

All replies

  • Usually, it will not cause a problem for having duplicate devices. In cases where you re-deploy a PC or wipe a phone, old entries remain in Azure Active Directory but the correct one gets selected automatically.

    I have done a lot of research, but there is no inbuilt solution for handling these duplicates. There are, however, some custom solutions that you can try. Devices are only removed from AAD if you unjoin them from AAD/Intune.

    https://ronnydejong.com/2018/04/11/keep-your-microsoft-intune-tenant-clean-and-tidy-w-azure-automation-graph-api/

    If the duplicates start to cause an issue you can just remove them and then re-register/join. If you want to see the last device used you can check out "ApproximateLastLogonTimeStamp" in the Get-AzureADDevice cmdlet.

    Best regards,

    Cici Wu



    Thursday, November 28, 2019 7:59 AM
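The reply above points at Get-AzureADDevice and ApproximateLastLogonTimeStamp as the way to tell the duplicates apart. The following script is an added example, not code from the thread or from the linked blog post: it lists AAD device objects that share a display name, shows each one's trust type (AzureAd for the Azure AD joined object, ServerAd for the hybrid-joined one synced by AD Connect) and whether it carries an Autopilot [ZTDId] entry in DevicePhysicalIds, and then reports, without deleting anything, the Azure AD joined objects that have no Autopilot registration and have not logged on in 90 days. Grouping by DisplayName, the [ZTDId] marker and the 90-day cutoff are assumptions of mine, not facts the thread states; the script assumes the AzureAD PowerShell module and an existing Connect-AzureAD session.

```powershell
# Added example (not from the thread). Assumes: AzureAD module installed and a
# Connect-AzureAD session already established. The [ZTDId] physical id as the marker
# of an Autopilot-registered object, grouping duplicates by DisplayName, and the
# 90-day staleness window are all assumptions made for this example.
Import-Module AzureAD -ErrorAction Stop
# Connect-AzureAD   # run once interactively before this script

$devices = Get-AzureADDevice -All $true

# Flatten each device object into the few properties that distinguish the pair.
$report = foreach ($d in $devices) {
    [pscustomobject]@{
        DisplayName  = $d.DisplayName
        ObjectId     = $d.ObjectId
        DeviceId     = $d.DeviceId
        TrustType    = $d.DeviceTrustType   # 'AzureAd' = AAD joined, 'ServerAd' = hybrid joined
        # Autopilot registration stores an entry of the form "[ZTDId]:<guid>" here.
        # Use -match, not -like: the square brackets would be a wildcard class in -like.
        AutopilotZTD = [bool]($d.DevicePhysicalIds | Where-Object { $_ -match '^\[ZTDId\]:' })
        LastLogon    = $d.ApproximateLastLogonTimeStamp
    }
}

# Only groups with more than one object are the "double object" case from the thread.
$duplicates = $report | Group-Object DisplayName | Where-Object { $_.Count -gt 1 }

foreach ($g in $duplicates) {
    Write-Host "== $($g.Name) ($($g.Count) objects)"
    $g.Group |
        Sort-Object LastLogon -Descending |
        Format-Table TrustType, AutopilotZTD, LastLogon, DeviceId, ObjectId -AutoSize
}

# Report-only: Azure AD joined objects with no Autopilot registration, not seen in 90 days,
# that sit next to a hybrid-joined sibling. The Autopilot object itself is deliberately
# excluded because the device must be re-enrolled through it later.
$cutoff = (Get-Date).AddDays(-90)
$staleCandidates = foreach ($g in $duplicates) {
    $hasHybridSibling = $g.Group | Where-Object { $_.TrustType -eq 'ServerAd' }
    if ($hasHybridSibling) {
        $g.Group | Where-Object {
            $_.TrustType -eq 'AzureAd' -and
            -not $_.AutopilotZTD -and
            $_.LastLogon -and $_.LastLogon -lt $cutoff
        }
    }
}

Write-Host "`nStale Azure AD joined candidates (review before removing):"
$staleCandidates | Format-Table DisplayName, DeviceId, ObjectId, LastLogon -AutoSize
```

The script never calls Remove-AzureADDevice; review the candidate list first, since deleting the object that carries the Autopilot registration is exactly the failure mode the original poster is worried about. Note that ApproximateLastLogonTimeStamp is null for objects that have never signed in, which the filter treats as "not stale".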
  • I guess they are not exactly causing any issues other than appearing like junk data in AAD.
    Since the Autopilot object is never really used except when enrolling, it will look like any other stale object after a while; that's the problem I see arising. Eventually someone will clean it up, and then we are gonna have a problem when we try to reset and re-enroll the device.

    I don't have a problem with the Autopilot registration having its own object in the AAD, quite the opposite!
    But it would be really nice if it was possible to distinguish it from a "real" Azure AD device.
    Tuesday, December 3, 2019 7:41 AM
  • Just got off the phone with Microsoft Support, and they confirm this is the expected behaviour in Hybrid Autopilot as well (didn't see your response until now).

    Thanks Cici!
    Wednesday, December 4, 2019 10:52 AM
  • Thanks very much for your reply. I will provide a brief summary that may be easy for end users who visit this thread to understand this issue. If you have any new issue, you are welcome to submit new threads to our forum and we will continue to do our best to assist you.

    Problem/Symptom:

    Hybrid Autopilot deployment has double AAD objects. Azure AD joined one and Hybrid AD joined one.

    Solution:

    After confirming with Microsoft, this is the expected behavior in Hybrid Autopilot.

    Best regards,

    Cici Wu



    Thursday, December 5, 2019 3:10 AM