microsoft intune
Join Devices using a provisioning package (.ppkg) in Azure AD - how does it work in detail?
For a project, we are checking whether there is a way to join devices into AAD using a provisioning package. When creating a project with the Windows Configuration Designer, under "Account Management" there is the task "Enroll in Azure AD" with "Get Bulk Token". Here are my questions about it:
- Which account do I normally use to register the token?
- Which rights and licenses must the account have?
- An enterprise app is created, but do I still have to do something with its permissions?
- Does something else need to be done with the user that is created in AAD (package_)?
- Are there hurdles in sight regarding conditional access?
I ask these questions because I tried it and failed with the following message (from the event log of the client that I wanted to join to AAD). Client: Windows 10 Pro 21H2, Windows 10 Enterprise 1909 (same error):
ProvXML category 'DeviceAADJoin' failed with '0x80180014' at CSP node 'AADJ/BPRT'. Provisioning failed

AutoPilot Hybrid Join with White Glove - Issue at first login (MFA we think)
Hello,
Project: Configure AutoPilot Hybrid Join for new users and laptops (with White Glove from Dell).
The process works and pre-provisioning is successful, with a VPN (Cisco AnyConnect) that auto-starts at the login screen via a certificate. At this stage the user is being targeted with Azure MFA via Conditional Access.
Once the user logs in, none of the Microsoft Endpoint Manager policies get picked up, and Teams does not automatically sign in (it prompts the user to sign in). If we leave it 30 mins (waiting for Azure AD Connect to sync the device) and reboot, we get the same: none of the policies get picked up, BitLocker does not encrypt, Teams doesn't auto sign in, etc.
If we do a dsregcmd /status in a CMD window, it shows as Domain Joined but not Azure AD joined. Then we look inside "Work and School Account", we see the info button, we click this, and under the "Sync" button there is an error along the lines of "Cannot authenticate your credentials" etc. I then click Sync and it pops up the Microsoft login box, I select my account (connected to Windows) and sign in, and it then throws an MFA prompt to MS Authenticator. If I approve, it syncs and the device starts to get all the policies it requires.
=============
So, I decided to do another test, this time excluding the user from Azure MFA (CA policy) and ran a new deployment.
- Pre-provisions OK
- Can log in with AD credentials at login
- Teams automatically signs in
- dsregcmd /status shows everything is correct: it is Azure AD Joined and local AD joined
- Wait 30 min for Hybrid AD Join to happen from the DC through AD Connect sync
- Reboot the machine; at next login everything works, BitLocker encrypts, OneDrive auto-signs in.
- The world is a good place.
It would therefore lead me to believe that with MFA enabled on the user that is signing into the machine, it blocks the initial Azure AD join process tied to that user and stops policies from pulling down to the machine.
However, I cannot find any reference material on MFA being the catalyst as to why the Hybrid Azure AD Join over VPN just does not work properly, or how we can bypass it on AutoPilot 'Hybrid' deployments.
Note: In Azure AD > Devices > Device Settings, the option "Devices to be Azure AD joined or Azure AD registered require Multi-Factor Authentication" is set to NO (thought it worth a mention, even though I think it does not apply to Hybrid AD joined devices).
Another note: if the user is enabled for MFA and we then deploy inside the corp network (which is bypassing/excluded from MFA), then this works without a problem too.
The CA policy for MFA targets All Cloud Apps. We even tried to exclude "Intune Enrollment / Intune / Azure Management", without success.
So we're super stumped as to what to do. Does anyone have any info on MFA being a problem with AutoPilot Hybrid Join over VPN?
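The post above diagnoses the device by reading dsregcmd /status by eye. The following PowerShell is an added example, not part of the thread and not Microsoft's code: it parses the "Key : VALUE" lines that dsregcmd prints (AzureAdJoined, DomainJoined, AzureAdPrt are real field names in its output) and turns them into a verdict you can check on many machines. The sample output embedded below is constructed so the functions can be exercised offline; the Verdict strings are the author's own wording, not anything dsregcmd emits.

```powershell
# Added example: summarise the join state that a hybrid Azure AD join depends on.
# Field names follow dsregcmd /status on Windows 10; verdict text is ours.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "    Key : VALUE"; ignore the +---+ / | banner | lines
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-HybridJoinState {
    param([Parameter(Mandatory)][hashtable]$State)
    $domain = $State['DomainJoined']  -eq 'YES'
    $aad    = $State['AzureAdJoined'] -eq 'YES'
    $prt    = $State['AzureAdPrt']    -eq 'YES'   # Primary Refresh Token for the signed-in user
    $verdict =
        if ($domain -and $aad -and $prt) { 'Hybrid Azure AD joined and PRT present' }
        elseif ($domain -and $aad)       { 'Hybrid joined, but no PRT: the user sign-in to Azure AD has not completed' }
        elseif ($domain)                 { 'Domain joined only: Azure AD join not completed (device not synced yet, or join blocked)' }
        else                             { 'Not domain joined' }
    [pscustomobject]@{
        DomainJoined  = $domain
        AzureAdJoined = $aad
        HasPrt        = $prt
        Verdict       = $verdict
    }
}

# Constructed sample mirroring the state described in the post (domain joined, not AAD joined).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

Test-HybridJoinState (ConvertFrom-DsregStatus $sample)
# Verdict on the sample: 'Domain joined only: ...'

# On a real client, feed the live output in the same way.
if (Get-Command dsregcmd -ErrorAction SilentlyContinue) {
    Test-HybridJoinState (ConvertFrom-DsregStatus (dsregcmd /status))
}
```

Run it in the user's session (not as SYSTEM): the AzureAdPrt line reflects the logged-on user, so it distinguishes "device object never joined" from "device joined but the user's Azure AD sign-in never completed", which is the difference the post is trying to pin down.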