Maddening! Windows 10 and Intune Problem

    Question

  • This is making me crazy. On a brand new Windows 10 notebook, I want to enroll in Intune and Azure AD (both of which are working). I join the PC to Azure AD, it's fine. I can log in fine with AD accounts. However, the PC is not enrolled. So I go through this:

    - Try to join via control panel Work/School join. No luck (that might be just for work folders anyway).

    - Try to join via the website like previously. All I get is a "Learn how to join a Windows 10 PC" webpage. This points me to the Company Portal app in the app store, which, since we don't use MSA accounts, doesn't let me download. So I break my own rule, set up an MSA account, go into the store, download and run the Company Portal app. No place to enroll, only a link to 'Learn how to enroll devices' under devices. The web instructions don't match the app or the website, and never let you enroll.

    The web portal doesn't have the software (as I assume it's built in to Win10) but also can't 'turn it on' either. The user is in Intune, but not his PC. No account seems to be able to enroll, and it's not clear where that even is. Is this even done yet?


    Curt Kessler - FLC

    Wednesday, August 12, 2015 7:35 PM

Answers

  • I actually heard from MS support today via phone call that the model of having a device joined to AAD and managed as a "computer" (not mobile device) in Intune is not supported yet. (!!)

    I had really been struggling to get that scenario in place, but couldn't. Here's what I had tried:

    First Preparation:

    Had to call MS support to put tenant into "Co-existence" mode which would allow both Intune and O365 MDM to act as device MDM authorities. (as Jon mentions above)

    Within O365 user mgmt, assign Intune (EMS) licenses to users who I want to be managed by Intune.

    Add those same users into an AAD group, which I called "[TenantName] Intune".

    In AAD, under Applications/Intune/Configure, specify that Intune will manage devices for users of the following group (the one described above) as opposed to "All" or "None" that Sergey is referring to above.

    Now, that all seems great, but the problem is that when you join a Win10 Pro machine through OOBE welcome process into an AAD domain, it automatically enrolls it in Intune as a mobile device (BTW, if you don't do the above preparatory steps, it will set the O365 basic MDM as the authority). So anyway, now you have a record in AAD for the device, registered to your O365 user, and a record in Intune, showing as a mobile device, Corporate=yes, AAD registered=yes.

    The problem is that the device is set as a mobile device and you can only get into "computer" mode, with all associated management reports and actions, if you install the Intune client.

    When you do this, it will orphan the original Intune mobile device record and create a new computer record in MDM with Corporate=blank, AAD registered=Unknown. Intune seems to work otherwise, letting you execute remote tasks on the computer (restart, etc), push updates, and acquire inventory. However, it's not linked to the AAD device registration record anymore. The computer itself, however, remains joined to AAD. But this disconnect is what I want(ed) to solve.

    I've gone through a number of permutations of the steps - installing Win10 with a local user account to start with, installing the Intune client, and then attempting to join the domain. The problem with installing the client first is that the AAD join process will error out with the message "Something went wrong" and error code 8019000a. As of 10/7, you cannot join AAD with the Intune client already installed. Only after running the uninstall cmdlets or the online management agent uninstall process to clean off the Intune agent was I able to join AAD. Removing the device from Intune (and leaving the agent resident) is not enough.

    Incidentally, for grins I tried doing this AAD join with Intune client installed with an enabled local Administrator account just to eliminate some variables. Bit of trivia here - the local admin user acct is forbidden by local policy from opening the browser for security reasons. Consequently, when you try to join AAD, which relies on firing up an IE or Edge process, the window will flash and disappear. You can't join AAD with the local Admin user acct and that's apparently why. Interesting, eh? But we shouldn't be using that account anyway, right? :)

    So back to it - I've gone through just about every permutation I could think of between joining AAD and installing the client, enrolling through the portal and straight from the OOBE welcome and after, and nothing worked. I always ended up with dead records for the AAD registered device, and Intune agent records with unknown status for AAD registration.

    Finally this morning, Matt from MS told me that they don't support that use case, and I'm not the first customer to complain about it. I told him just by way of feedback that as a customer/partner, it seems like the model I'm seeking is what MS is actively selling today, but it's apparently just not quite there.

    So your options are: manage the Win10 device as a mobile device with the limitations therein, or manage the device as a computer but not have it tied to the AD record. I'm not fully aware of what the limitations are in the latter scenario, though the advantages of inventory, etc are clear. From what I can tell, if you decide to wipe/retire the device, you'll have to remember to hop over to AAD and drop the computer from its domain membership (since Intune doesn't know that it's joined to AAD). You can still manually associate the device with the user. The advantages there seem to be limited to reporting.

    Wednesday, October 7, 2015 10:14 PM
  • If your MDM authority is Office 365 MDM, your devices will be managed there, not Intune.

    Contact support and ask for a Co-Existence MDM setup. That will allow you to have devices managed in both systems; if the user has an Intune license, the device will show up in the Intune portal.


    Jon L. - MSFT - This posting is provided "AS IS" with no warranties and confers no rights.

    Saturday, August 29, 2015 6:01 AM
    Moderator

All replies

  • If you have joined your client to Azure Active Directory, as you wrote in the first few words, this button will be grayed out. If you join this way, your client is only manageable as an MDM device and no longer as an Azure-joined device; this is an either/or option, just one way is working. That was my experience last week on a physical computer with the Win10 Education version.
    This MDM option is more for BYOD use and working with Live ID accounts.
    The AAD join is for business users that are synced with Azure, like Intune or O365.

    It is all written down in the new Intune TechNet docs...

    Wednesday, August 12, 2015 8:05 PM
  • So I think I understand the point, I have somehow added them to MDM rather than Intune. So how does one add a device to Intune in Windows 10 without a Microsoft Account for the Company Portal app?

    I want the PC managed in Intune and the user logging in with their Azure AD ID. There seems to be no way to get to that point, or there is some step I did wrong. Workplace Join is not something we have, and adding the work account appeared to be the only way to add it. These are corporate owned devices, so really less BYOD and more centrally managed and tracked asset.


    Curt Kessler - FLC

    Wednesday, August 12, 2015 9:17 PM
  • I know for sure that the other way around works, which means first enrolling the Windows 10 device to Microsoft Intune and then joining it to AzureAD. I've been using that for a long time on my company Windows 10 device. Also, it's good to note that, if you have AzureAD Premium, the option to automatically enroll to Microsoft Intune with an AzureAD Join is now available in preview. That would be the ideal solution.

    Whether or not it's a scenario for business devices, that's a whole different discussion. I like to think that Windows 10 devices joined to AzureAD and managed by Microsoft Intune are a solid solution, also for business devices. Especially with the OMA DM capabilities built in to Windows 10. Of course it does depend on the usage of the device.


    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude


    Thursday, August 13, 2015 6:24 AM
  • I think there is another point. If you would like to use store apps with linked apps from the MS Store, in the Intune web portal you can see the published apps (linked from the MS Store); if you want to install an app, you have to log on with an MS Live ID and then you can install the apps. In this case you have to wait for the official release of Businessstore.microsoft.com. Once it's released you can use your company user account to install linked apps. Here is a session from Ignite: https://blogs.office.com/2015/07/29/windows-10-updates-for-office-365-admins/

    In this case you don't need an MS Live ID account to install apps from this Business Store. Only if the user wants to install apps for himself and also pay for these apps himself.

    What I have done is: I created an MS Live ID account without any credit card information. Then I installed the Intune agent; after that I joined the device to AAD and added the MS Live ID account (the same for all users) so that they have a chance to install apps through the web portal from Intune.

    When the Business Store is public I will change to full integration with the Business Store.

    Thursday, August 13, 2015 7:02 AM
  • I agree that enrolling Intune at the same time as AAD join is ideal, but currently that seems to get stolen by Office 365 MDM, not entirely sure how to change that behavior (it may be that because I do not have AAD premium, this is the result).

    How are you enrolling the Windows 10 PC before doing the join? I'd like to test this out, but one block is most corporate users will not (nor do I wish them to) have a Microsoft Account, which seems to be the only way to the company portal in Windows 10.

    Maybe I'm just too early on all of this.


    Curt Kessler - FLC

    Thursday, August 13, 2015 3:24 PM
  • You don't need a Microsoft Account to enroll a Windows 10 device. You can enroll your Windows 10 device as a mobile device via Settings > Accounts > Work access. This will allow you to manage the Windows 10 device via the built-in OMA-DM agent.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Thursday, August 13, 2015 6:50 PM
  • I have been around this block a few times now and no clear path is visible.  What worked?   We deployed Windows 10 on a PC and allowed the user to logon to Intune.  The user in question then logged in at https://portal.manage.microsoft.com.  In the portal it said the device isn't enrolled or recognised and we clicked on the message.  This gave us some options and we selected the enroll capability, which started the download of the agent. The agent installed and things worked.  This also disabled the "Access to Work" button in Windows 10.

    I also created the CNAME in DNS pointing enterpriseenrollment.company.com to manage.microsoft.com as per KB.

    The side effect was that a normal Windows 10 PC could join Intune by using the "Work Access" option, but it appeared as Personal and Mobile in Windows Intune.  Not as a computer.

    We also joined a PC to Azure AD and this did zero and then added it to "Work Access".  The same thing.  Windows 10 rocked up as a mobile device in Intune.

    The new company portal app in the App Store has no Enroll Option.

    The only thing that seems to work is as described:

    1. Load Windows 10, no portal app

    2. Go to https://portal.manage.microsoft.com and enroll

    3. This installs the agent and enrolls the desktop.

    We are now testing Windows 10 Professional.  The challenge in all of this is the confusing deployment options on the Microsoft sites.

    Monday, August 17, 2015 1:50 PM
  • You're describing two different management capabilities of Windows 10 via Microsoft Intune. Using the Work access method will enroll the Windows 10 device as a mobile device. This will make the device show as a mobile device in Microsoft Intune and will give you fewer management options. Using the client install method will install a full client on the Windows 10 device. This will make the device show as a computer in Microsoft Intune and will give you full management options. That means that what you're seeing is expected behavior.


    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Monday, August 17, 2015 5:13 PM
  • Yes, but what we've found is that if you use Azure AD join (not work access) you can no longer install the Intune client. The web installer just points you to the store app, which does not include enrollment and requires an MSA. There seems to be a particular order required.

    These options also seem to be sprinkled around rather than in one place. It would make more sense to have one panel that allowed you to select the right (and explained) service to join and make it so you can switch. Basically we have a company owned Windows 10 PC with Office 365 under Intune. We want to join it to Intune but if you do any steps out of order your access path is closed. This really should get cleaned up with clear options in the panel. I'm going to reset the device and see if I can find the right order.


    Curt Kessler - FLC

    Monday, August 17, 2015 10:28 PM
  • Curt - did you ever get this figured out? I'm trying to do the same thing as you. My test user was enrolled automatically, but with the Work Access option, and the computer shows up as a mobile device. I too want it to show up as a computer by using the client install.
    Wednesday, August 26, 2015 7:08 PM
  • I haven't figured this out yet...it looks like everything in Windows 10 settings you do will get directed into Azure AD (fine) and then Office MDM (sometimes not what I want). Once that happens, you can't enroll the device in Intune. We're going to try again today with another PC, we will just do a local account on the Windows 10 box, then enroll in Intune, then add to Azure AD if it will let us.

    I think this stuff is just broken and not working as intended--everything we've tried so far always results in MDM with Intune blocked.


    Curt Kessler - FLC

    Wednesday, August 26, 2015 7:18 PM
  • Hi Curt,

    First, can you open a support case with us so we can help you troubleshoot your issues?

    Tell me if I'm understanding your scenario, as I just walked through what I think you're doing and I was able to enroll my Windows 10 machine (Enterprise SKU).

    1. Build a new Windows 10 VM
    2. Join Azure AD when prompted to join domain with your Intune Credentials
    3. Once at the desktop, click Start, Settings, Accounts, Work Access
    4. Click "Connect" and enter your Intune credentials

    Assuming you have the proper CNAME DNS entries, you should be enrolled at this point.

    Am I missing a step or configuration you are performing?

    Thanks,


    Jon L. - MSFT - This posting is provided "AS IS" with no warranties and confers no rights.

    Wednesday, August 26, 2015 10:30 PM
    Moderator
  • At this point it does not appear that enrolling a Windows 10 Device like a PC does any good. It does not appear that it does much of anything... You have to enroll it via MDM. Let me know if I am wrong on this..

    Thursday, August 27, 2015 9:29 PM
  • MDM and PC Enrollment are both supported for Windows 10.  If you're having issues please open support cases so we can assist you.

    Thanks,


    Jon L. - MSFT - This posting is provided "AS IS" with no warranties and confers no rights.

    Friday, August 28, 2015 5:33 AM
    Moderator
  • Yep, will have to open a ticket--on an out of the box Windows 10 machine, no Azure AD join, going to the enrollment portal still only gives the "learn how to enroll" rather than the software download.

    Curt Kessler - FLC

    Friday, August 28, 2015 5:06 PM
  • So here's my experience:

    1. Windows 10 Pro (not Ent.), OOBE, create local account or Org. owned PC, neither works
    2. Join Azure AD upfront or in Accounts after set up.
    3. Go to Work Access, Connect, my organization cannot be found. Last week I did add the CNAME records to our domain for Intune enrollment, so they've had almost a week to sync, still nothing:

    enterpriseenrollment.mydomain.com 3600 manage.microsoft.com.

    enterpriseregistration.mydomain.com 3600 enterpriseregistration.windows.net.

    It prompts for a server name after I enter the account. The account I'm using has functioning Intune and AAD, Office 365 and domain access I've been using for months, just fails on Windows 10 Intune.


    Curt Kessler - FLC

    Friday, August 28, 2015 5:18 PM
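    As an added check that is not part of any post in this thread: a PowerShell snippet that verifies the two auto-discovery CNAMEs quoted above resolve to the expected targets before you try Work access or an Azure AD join again. `mydomain.com` is the placeholder from the post; the targets come from the records as quoted, and Resolve-DnsName requires Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the thread): verify the Intune / Azure AD enrollment
# CNAMEs for a tenant domain. $Domain is a placeholder; replace it with your
# own verified domain.
param([string]$Domain = 'mydomain.com')

# Expected CNAME targets, taken from the records quoted in the post above.
$Expected = @{
    "enterpriseenrollment.$Domain"   = 'manage.microsoft.com'
    "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
}

function Test-EnrollmentCname {
    param([string]$Name, [string]$Target)
    try {
        # -DnsOnly bypasses the hosts file and local cache, so a stale
        # client-side entry cannot mask a missing or wrong public record.
        $records = Resolve-DnsName -Name $Name -Type CNAME -DnsOnly -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Name = $Name; Actual = $null; Expected = $Target; Ok = $false
            Note = $_.Exception.Message
        }
    }
    $actual = ($records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
    # DNS names are case-insensitive; tolerate the trailing dot of zone-file syntax.
    $ok = $actual -and ($actual.TrimEnd('.') -ieq $Target)
    [pscustomobject]@{ Name = $Name; Actual = $actual; Expected = $Target; Ok = [bool]$ok; Note = '' }
}

$results = foreach ($kv in $Expected.GetEnumerator()) {
    Test-EnrollmentCname -Name $kv.Key -Target $kv.Value
}
$results | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    Write-Warning "One or more enrollment CNAMEs are missing or point elsewhere; the Work access Connect dialog will not find the organization and will ask for a server name."
}
```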
  • One interesting thing, if I put in the user account, and then when it asks for server I use manage.microsoft.com as the server name, it says it works. It shows connected in the Work access area as my domain. However, the PC never shows up in Intune. It does show up in Office 365/MDM. I don't really want it there, I want it in Intune, but there seems to be no way of controlling this. I've installed in all different orders of joining/connecting, always results in MDM. Never, not once, in Intune under Windows 10.

    Plus Office 365 MDM seems to shut off Cortana as a 'company policy' even though it's set for ON in O365 and no other policies are set. This all just seems a little half baked--but nothing I do gets it in Intune.


    Curt Kessler - FLC

    Friday, August 28, 2015 6:28 PM
  • Yep, that's nice. But, there seems to be no way of adding a Windows 10 machine to Intune. Ignore MDM for a moment, I put that off (installing Office or joining to Azure AD).

    No matter what order I install or join, it goes to MDM. Never, not once, Intune. Even if you go right out of the box to the Intune portal and attempt to enroll, you never get the install, just 'learn how to enroll Windows 10 in Intune'. There it goes through the idea of a company portal app (which is only accessible if you put in an MSA, not desirable on a corporate PC). But even then, you install the app and never get anything to let you install or enroll the Intune client.

    Even when I manually put in the server on the Connect page (manage.microsoft.com) it says it's now enrolled as a device but in the Intune portal, the device never shows up. Not as a PC. Not as a mobile device. Nothing. Then, if you join to Azure AD, that connect is no longer valid and it shows up in MDM.

    The only way we've been able to see a Windows 10 machine in Intune is enrolling it in Windows 8, then upgrading to Windows 10 (that works fine). Then it shows. Something is just not right here. I will check out co-existence MDM, that's the first reference I've ever heard of it.


    Curt Kessler - FLC

    Monday, August 31, 2015 3:16 PM
  • I was stumped by this behavior earlier today when test-driving Azure AD with Windows 10.

    http://blogs.technet.com/b/ad/archive/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud.aspx - this blog really helped.

    The one piece I was missing was going to Azure AD - Applications - Intune - and flipping the "Manage Devices for these users" switch from "NONE" to "ALL".

    That allowed me to deploy a new Windows 10 machine, add Intune client, have it show up in Intune as a managed device, and be linked to the user in AAD.

    Wednesday, September 23, 2015 9:16 PM
  • Thank you for this! - Someone needs to put this on the Intune help page!!!!!!!

    Wasted the past few days constantly resetting W10 and trying different pathways and none of them work! 

    As you mentioned, MS have really been pushing the 'AAD join and Intune' management process, though they still don't allow a computer to be enrolled AS a computer. 

    Here I am trying to push our organisation into cloud management, and I am stuck with either:

    • Intune set up properly/Computer not joined to AAD
    • Intune not set up properly/Computer joined to AAD

    Surely they are working on a way to fix this right? Or at least give us WARNING that this isn't possible!! 


    Friday, December 18, 2015 1:03 AM
  • Does anyone know if this issue has been resolved as yet - I've wasted several days trying to get this functionality to work as proposed by MS. The process seems simple to me - OOBE Azure AD join which in turn enrols client into Intune as a computer device and deploys Intune management agent thus allowing full device management.

    It would seem now that my way around this is to install the Intune management client and not join AAD as per Lukezag's post, I'm yet to test further but this seems crazy.

    Any chance a Microsoft representative could comment on this further or provide us with an update?

    Many thanks

    Richard

    Wednesday, May 11, 2016 10:43 PM
  • Enrolling in Intune as an MDM device and using the Intune client agent are mutually exclusive. There's no way to really push the agent either. As alluded to above, the long term goal is to have the MDM agent in Win10 as *the* method to manage Windows. With that in mind, you won't see them working on what you've outlined above at all.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thursday, May 12, 2016 12:28 AM
  • Thanks for your comments Jason- having read a little more and as you alluded to in your post I guess the way forward that Microsoft will be developing is the use of the embedded OMA-DM agent within Window 10.
    Saturday, May 14, 2016 9:47 PM
  • The issue at hand, then, is the differences between MDM and full-client support. I wish the documentation was clearer in this regard. The documentation at one point is contradictory.

    Jason Yates

    Wednesday, July 27, 2016 10:49 PM
  • This worked for me. I removed the account for MDM and was able to enroll using the Intune client.
    Wednesday, August 31, 2016 5:13 PM
  • Holy cow. I was about to go into the hell you are in, but thankfully ran into your post. 

    You know what you're doing and can't get it to work- I'm not going to have a chance.

    I, too, am trying to do something similar- take a Windows 10 laptop, attach it to Azure AD, and manage it. It is exactly what I see explained as a product feature, but I can't find any documentation on how to actually do this. 

    A solution posted is, "Contact support and ask for a Co-Existence MDM setup" - how am I supposed to know what that even means, let alone ask for it and figure out how to then implement it.

    I'm not a dumb guy- but administration of Windows 10 using the Office 365 portal and/or Azure AD and/or Intune are completely unclear, undocumented, and I am worried... Unfinished. 

    :(


    Thursday, October 27, 2016 9:14 PM
  • I'm facing the exact problem you did when you posted this a year ago. Any success in figuring this out?
    Thursday, October 27, 2016 9:16 PM
  • Hi Peter,

    Can you please clarify if ADFS is mandatory for automatic enrollment as you mentioned "Also, it's good to note that, if you're having AzureAD Premium, the option to automatically enroll to Microsoft Intune with a AzureAD Join is now available in preview."

    Thanks in advance.

    Sunday, December 18, 2016 7:53 PM
  • ADFS enables different authentication scenarios between AzureAD and your on-prem AD and has nothing to do explicitly with enrollment of devices.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Monday, December 19, 2016 3:24 PM
  • I'm facing the exact problem you did when you posted this a year ago. Any success in figuring this out?
    I'm facing the same issues.  Any updates on this?
    Wednesday, May 31, 2017 4:14 PM