Support tip: Always unenroll from MDM when unjoining and rejoining Microsoft Entra hybrid devices

Thread starter: Intune_Support_Team
While not the preferred setup, Windows Autopilot with Microsoft Entra hybrid join provides the ability to automatically connect devices to the cloud from an on-premises Active Directory. For guidance on whether to use hybrid join, refer to the article: Microsoft Entra Joined vs. Hybrid Microsoft Entra Joined in Cloud-Native Endpoints.



Recently, we identified an issue affecting Microsoft Entra hybrid devices which also impacts Windows Autopilot hybrid deployment. It occurs when hybrid devices are unjoined and rejoined to Microsoft Entra without first being unenrolled from mobile device management (MDM). This disruption can impact the device experience for users.



What happens when hybrid devices are rejoined?


The problem arises when Microsoft Entra hybrid joined devices are unjoined and rejoined after they’ve been enrolled. If the device isn’t unenrolled from MDM before rejoining, critical device properties can become misaligned, including attributes like the OrderID (the group tag Windows Autopilot relies on) and the OS properties that Intune dynamic group rules key on. Because the system no longer recognizes the device’s original object ID, the device’s policies and certificates are removed, leading to inconsistencies in how settings and software are applied.



Failing to properly manage the unjoin-rejoin process can result in:

  • Device targeting issues where policies and configurations don’t apply correctly.
  • Disruptions in Windows Autopilot configurations, potentially leaving devices mismanaged or without the necessary apps and settings.



What’s the impact of not unenrolling from MDM?


When a hybrid device is unjoined and rejoined without being unenrolled from MDM, Microsoft Entra creates a new device object with a new object ID, but retains the same device ID. This can cause problems with how Intune manages compliance and policy application, including:



  1. Policy removal:
    • Static Groups: Policies assigned to static groups will be removed from the device because the new object ID breaks the link to previous group memberships.
    • Dynamic Groups: Policies assigned through dynamic groups can be removed for up to two weeks until the new device object is synced, restoring the device’s group memberships.
  2. Conditional Access policies can block access to corporate resources: Newly created Microsoft Entra device objects are treated as non-compliant by default, meaning users may be blocked from accessing corporate resources. It may take up to two weeks for Intune to fully re-evaluate the device’s compliance status and apply Conditional Access policies, causing potential downtime to the user.
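The symptom described above leaves a trace in the directory: more than one device object for the same machine, with different object IDs. The following script is an added example, not part of the original Intune Support Team post or any Microsoft tooling; it uses the Microsoft Graph PowerShell SDK (assumed installed, with an account granted Device.Read.All) to list hybrid joined devices that share a display name and to flag groups where the same DeviceId appears under more than one object ID. Grouping by display name is an assumed heuristic for finding stale duplicates; the DeviceId check is the direct match for the rejoin case.

```powershell
# Added example (not from the original post): report duplicate hybrid device
# objects in Microsoft Entra. Assumes the Microsoft.Graph module is installed
# and the signed-in account has the Device.Read.All permission.
Connect-MgGraph -Scopes 'Device.Read.All' -NoWelcome

# Pull every device with the properties needed to tell old and new objects apart.
$devices = Get-MgDevice -All -Property Id,DeviceId,DisplayName,TrustType,
    RegistrationDateTime,ApproximateLastSignInDateTime,IsCompliant

# TrustType 'ServerAd' is how the directory marks Microsoft Entra hybrid joined devices.
$hybrid = $devices | Where-Object TrustType -eq 'ServerAd'

# Groups of more than one object under the same name are candidates for a
# device that was rejoined without a clean MDM unenroll.
$dupes = $hybrid | Group-Object DisplayName | Where-Object Count -gt 1

foreach ($g in $dupes) {
    $distinctDeviceIds = @($g.Group.DeviceId | Select-Object -Unique).Count
    $sharedDeviceId = $distinctDeviceIds -lt $g.Count   # same DeviceId, different object IDs

    [pscustomobject]@{
        DisplayName    = $g.Name
        Objects        = $g.Count
        SharedDeviceId = $sharedDeviceId
    }

    # Newest registration first: that is the object the device is currently using;
    # older objects still hold the static group memberships and compliance state.
    $g.Group |
        Sort-Object RegistrationDateTime -Descending |
        Select-Object Id, DeviceId, RegistrationDateTime, ApproximateLastSignInDateTime, IsCompliant |
        Format-Table -AutoSize
}

if (-not $dupes) { 'No duplicate hybrid device objects found.' }
```

Run this from an admin workstation, not on the endpoint. Objects with the newest RegistrationDateTime are the ones the device is currently using; the older object for the same machine is where the static group memberships and last known compliance state still live, which is why policy drops off until the new object is synced and re-evaluated.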



Best Practice: Unenroll from MDM before rejoining


To avoid these issues, we recommend that you avoid unjoining and rejoining hybrid devices at all, as this process can introduce complications and disruption to your users. The hybrid Microsoft Entra join process relies heavily on the integrity and consistency of device objects in Microsoft Entra. Unjoining and rejoining hybrid devices without first unenrolling them from your MDM causes considerable issues, including the removal of critical policies and applications.



If you need to unjoin and rejoin a hybrid device, it’s critical to unenroll hybrid devices from MDM before unjoining and rejoining them to Microsoft Entra. This ensures a smoother re-enrollment process and maintains the integrity of your device policies, apps, and settings.
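If the unjoin and rejoin cannot be avoided, the order of operations can be enforced on the device itself. The script below is an added example, not part of the original post or any Microsoft tooling: run as SYSTEM on the endpoint, it reads the device’s join state from dsregcmd /status, looks for an active Intune enrollment under HKLM:\SOFTWARE\Microsoft\Enrollments, and refuses to run dsregcmd /leave while one is still present. The registry layout it assumes (ProviderID 'MS DM Server' for Intune, EnrollmentState 1 meaning enrolled) and the dsregcmd output key names are assumptions about the Windows build you run it on; verify them on a test device first.

```powershell
# Added example (not from the original post): pre-flight gate for unjoining a
# hybrid device. Must run as SYSTEM (dsregcmd /leave and /join require it).
# Assumptions: Intune enrollments live under HKLM:\SOFTWARE\Microsoft\Enrollments
# with ProviderID 'MS DM Server' and EnrollmentState 1 when enrolled.

function Get-MdmEnrollment {
    # Return only active Intune enrollments; helper subkeys (Context, Status, ...)
    # have no ProviderID and are filtered out.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' -and $_.EnrollmentState -eq 1 }
}

function Get-DsregState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    # The key pattern stops at the first colon so URL values keep their colons.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    $state
}

$s = Get-DsregState
"AzureAdJoined : $($s['AzureAdJoined'])"
"DomainJoined  : $($s['DomainJoined'])"
"DeviceId      : $($s['DeviceId'])"
"MdmUrl        : $($s['MdmUrl'])"   # informational; tenant MDM URL, not proof of enrollment

$enrollments = @(Get-MdmEnrollment)
if ($enrollments.Count -gt 0) {
    Write-Warning ("Device still has {0} active Intune enrollment(s). Unenroll it first " +
        "(Settings > Accounts > Access work or school, or your MDM's retire action), " +
        "then re-run this script.") -f $enrollments.Count
    exit 1
}

if ($s['AzureAdJoined'] -ne 'YES' -or $s['DomainJoined'] -ne 'YES') {
    Write-Warning 'Device is not Microsoft Entra hybrid joined; nothing to unjoin.'
    exit 1
}

# Safe to proceed: no MDM enrollment remains, so the rejoin will not orphan
# policies tied to the old object ID.
dsregcmd /leave
dsregcmd /join
```

After dsregcmd /join, confirm with dsregcmd /status that AzureAdJoined is YES again and that the DeviceId shown matches the object you expect in Microsoft Entra before re-enrolling the device in MDM; auto-enrollment via Group Policy will pick the device up again on the next policy refresh once the join is healthy.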



If you have any questions or feedback, leave a comment on this post or reach out on X @IntuneSuppTeam.
