Enrolling your devices into Microsoft Intune allows your Windows 10 devices to access your organization’s secure data, including email, files, and other resources. If your users want to access your organization's data from their BYOD Windows 10 device, they can enroll it themselves in a few simple steps without needing an admin.
Here is the quick start: Enroll your Windows 10 device https://docs.microsoft.com/en-us/intune/quickstart-enroll-windows-device
Even though the steps to enroll a Windows 10 device using the quick start guide are simple, it is still necessary to create user guide documentation covering limitations and some FAQs according to the organization's needs.
For example, a company does not allow Windows 10 Home edition to be enrolled because of limitations of WIP policies on MDM devices. To block Windows 10 Home edition from being enrolled, we can enable the BitLocker setting in the Intune device compliance policy, which only Pro, Enterprise and Education editions can satisfy (Windows 10 Home edition does not have BitLocker).
Since this is a BYOD scenario, it is difficult to troubleshoot remotely when a user hits an issue.
One of our users tried to enroll a Windows 10 device using the guide and completed the enrollment process.
The user tried to access Teams on the device but it failed with the following error:
"You can’t get there from here" with device state unregistered. This is because we have a conditional access policy that grants access only to compliant devices,
so the device must be compliant with the set of device compliance policies that we enforce.
I asked the user to check whether the device enrollment was successful or not. I also checked the Intune portal for the device, but I could not find an entry to validate the compliance status.
So I asked the user once more to send a screenshot of the device sync status from the Work or school account page, which is below.
Device Sync Status: The sync could not be initiated (0x82ac019e)
Even though the user tried to enroll the device, the sync did not complete successfully, hence there is no computer entry in the Intune portal.
I checked the EMS (Intune and Azure AD) license and also the settings for the user plus the MDM enrollment group permissions, and everything looked good.
My next ask of the user was to send the work or school account configuration on the BYOD device.
As you can see above, the user's device was already Azure AD joined to the Eskonr.com org and enrolled to a different organization, which is not supported by Microsoft.
Enrolling or registering the device into multiple organizations is not supported because conditional access allows only one identity per device at this time.
So the solution is to unregister from the Azure AD join (simply select the Azure AD account and click Disconnect) and then perform the device sync with the account used to enroll the device, so that the sync completes successfully and the user can start accessing the organization's data.
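The two pitfalls described in this post (a Home edition that can never satisfy the BitLocker compliance rule, and a device already Azure AD joined to another tenant) can both be spotted on the device before the user starts the sync. The following PowerShell pre-flight check is an added example and is not part of the original post or any Microsoft tooling; it parses the `Key : Value` lines printed by `dsregcmd /status`, and the expected tenant name `Eskonr` and the sample `Contoso` output are assumed placeholders.

```powershell
# Added example: pre-flight check before enrolling a BYOD Windows 10 device.
# Assumption: dsregcmd /status prints "Key : Value" lines such as
# "AzureAdJoined : YES" and "TenantName : <name>"; the tenant names below are placeholders.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Section headers ("| Device State") and "+----" rules do not match this pattern.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-EnrollmentReadiness {
    param([hashtable]$State, [string]$ExpectedTenant, [string]$EditionCaption)
    $findings = @()
    if ($EditionCaption -match 'Home') {
        $findings += 'Windows Home edition: BitLocker is unavailable, so the BitLocker compliance rule will never be met.'
    }
    if ($State['AzureAdJoined'] -eq 'YES' -and $State['TenantName'] -ne $ExpectedTenant) {
        $findings += "Device is Azure AD joined to '$($State['TenantName'])', not '$ExpectedTenant'. " +
                     'Disconnect that account under Settings > Accounts > Access work or school before syncing.'
    }
    return $findings   # empty result means both checks passed
}

# Constructed sample of dsregcmd /status output reproducing the scenario in the post.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
                  TenantId : 00000000-0000-0000-0000-000000000000
'@ -split "`r?`n"

$state = ConvertFrom-DsregStatus -Lines $sample
Test-EnrollmentReadiness -State $state -ExpectedTenant 'Eskonr' -EditionCaption 'Microsoft Windows 10 Home'

# Against the live device instead of the constructed sample:
# $live = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
# Test-EnrollmentReadiness -State $live -ExpectedTenant 'Eskonr' -EditionCaption (Get-CimInstance Win32_OperatingSystem).Caption
```

With the sample input the function returns two findings, one per pitfall; on a correctly prepared device it returns nothing.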
We expect a clear error message on the device sync status page for this type of scenario, so the user knows what needs to be done, or at least a mechanism to notify the user during enrollment that the device is already joined to a different organization and therefore this step cannot be performed.
Here is the UserVoice item for this request: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/37477378-dont-allow-windows-enrollment-to-different-org-whe . Please vote for it.
Hope it helps!