Automatic enrollment for Hybrid Azure AD Joined Devices
Missing the ability to automatically enroll Windows 10 devices that are hybrid Azure AD Joined, for agentless management. This would favour the use of agentless management for domain joined devices.
We have a university with general access computers - these devices are utilizing the shared device license for M365. Now that we wish to modernize to Intune, we require the ability to register these devices through device token vs user token to avoid the max user associations of 15.
Have spoken with Microsoft and they identified this has been an issue with AD Connect since version 18.104.22.168.
Microsoft - please fix this as it is a much-needed feature.
"We are investigating an incident where some customers are experiencing an issue with existing Hybrid Azure AD joined devices after upgrading to this version of Azure AD Connect. We advise customers who have deployed Hybrid Azure AD join to postpone upgrading to this version until the root cause of these issues are fully understood and mitigated. More information will be provided as soon as possible."
Going to add to this that requiring TPM 2.0 or requiring user input is uniquely limiting for enrollment of existing devices into Intune vs any other endpoint management / MDM for Windows.
Not sure why it is necessary when a domain and Azure AD trust are already in place. It makes it a huge pain to enroll shared meeting room devices and kiosks that auto-login and do not have any Azure AD logins being used on them.
Ryan Morash commented
This was added in Windows 10 1709 (Fall Creators Update): https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy
Also really missing this feature. Customers moving to Azure AD and the new "modern management" now have 2 bad choices:
1) Add another on-prem system to manage devices. But they are transitioning to all cloud. They want to get rid of it.
2) They have to manually enroll, which is causing extra work. So they might decide to postpone the transition to the AAD.
Why is this not implemented? Other things, like the Windows E3/E5 upgrade, are triggered correctly when the first user logs in to the device. All the MDM URLs are provisioned correctly (dsregcmd shows it). So it shouldn't be too hard?
This really is a big issue for us at the moment. Many companies already have a domain on prem and there should be a way to automatically add these devices to Intune. Hybrid Azure AD join is good (I can see the device in Azure) but this is quite pointless if it doesn't auto-enrol the same as Azure Domain Joined devices. If this isn't possible, is there a script or anything that can be pushed via GPO to enrol users/devices into Intune?