Problem:
Recently, I was looking at a customer's Intune-related issue (a proof of concept). The customer had set up Conditional Access policies (requiring the device to be compliant or hybrid Azure AD joined), Intune device compliance policies, and had also configured Mobility (MDM and MAM).
The customer is purely on-prem domain joined: no hybrid Azure AD join and no SCCM. For now they want to try Intune features to manage Windows 10 devices.
As part of testing, they enrolled an on-prem domain-joined Windows 10 device into Intune using a work/school account, and the enrollment reported success.
Under the work/school account, I can see the Info and Disconnect options; clicking Info shows a recent date and time with a successful sync.
Everything looked fine on the device, but when the user tried to configure OneDrive, activate ProPlus, or use any Office 365 application covered by Conditional Access, it threw the error 'You can't get there from here'.
Troubleshooting/Solution:
When I saw the error 'You can't get there from here', I checked the user's sign-in logs in Azure AD to see which Conditional Access policies were being applied to the user, since the sign-in details also show the device state the policy evaluated.
Conditional Access clearly showed that the required control is 'device compliant or hybrid Azure AD joined'. Since the customer is not using hybrid Azure AD join, the device must satisfy the compliance policy.
So next I moved to the Intune blade and looked at the All devices section (this node contains the devices that are managed/enrolled by Intune) to check whether the device appeared there.
I could not find the device in the Intune blade. So what next? Device enrollment had reported success, but the device had not actually enrolled in Intune.
I then took a step back and looked under Azure AD > Devices, and found the device present there with Join Type 'Azure AD registered', but with MDM 'None' and Compliant 'N/A'.
A Windows 10 device enrolled in Intune by adding a work or school account also shows Join Type 'Azure AD registered', but its MDM column reads 'Microsoft Intune' and it carries a compliance state.
As you can see above, the device is registered but not enrolled in Intune: the MDM type is not set to 'Microsoft Intune'.
Since the device is not Intune enrolled, there is no way to apply the device compliance policies to it, so it can never become compliant, and Conditional Access blocks it every time.
Up to this point everything looks correct on the Conditional Access and Intune device compliance side, but there is one more piece to check: the Intune MDM configuration.
For Windows 10 devices to enroll in Intune, one more piece of information has to be configured: MDM enrollment.
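The same distinction (registered versus MDM enrolled) can be read directly on the Windows 10 device, which saves a trip through two portal blades. The script below is an added example and not part of the original post; it relies on dsregcmd /status for the join state and, as an assumption, on the ProviderID value "MS DM Server" under HKLM:\SOFTWARE\Microsoft\Enrollments as the marker of a full Intune MDM enrollment. Run it in an elevated PowerShell session on the device.

```powershell
# Added example (not from the original post). Shows the device-side view of
# "Azure AD registered but MDM = None". Assumption: Intune's MDM enrollment is the
# HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> key whose ProviderID is "MS DM Server".

function Get-DeviceJoinState {
    # dsregcmd /status prints "Key : YES|NO" lines; keep only the three we care about.
    $wanted = 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined'
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\w+)\s*:\s*(YES|NO)\s*$' -and $wanted -contains $Matches[1]) {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

function Get-IntuneMdmEnrollment {
    # Enrollments are GUID-named subkeys; other subkeys (Context, Status, ...) are skipped.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9a-f-]{36}$' } |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }   # assumption: Intune MDM marker
}

$join = Get-DeviceJoinState
$mdm  = Get-IntuneMdmEnrollment

"DomainJoined    : $($join['DomainJoined'])"
"AzureAdJoined   : $($join['AzureAdJoined'])"
"WorkplaceJoined : $($join['WorkplaceJoined'])"   # YES = 'Azure AD registered' in the portal

if ($mdm) {
    "Intune MDM enrollment present: $(@($mdm.PSChildName) -join ', ')"
} else {
    # This is the state the post describes: registered (MAM/WIP path) but never MDM enrolled,
    # so no compliance state will ever be reported and Conditional Access keeps blocking.
    Write-Warning 'No Intune MDM enrollment found: device is Azure AD registered only.'
}
```

On the customer's device the expected picture is DomainJoined True, AzureAdJoined False, WorkplaceJoined True and the warning, which matches the portal's 'Azure AD registered / MDM None / Compliant N/A'.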
Configure automatic MDM enrollment:
The following is the setting configured in the customer's Azure portal.
The user trying to enroll the Windows 10 device is a member of intune_users, which is configured in both the MDM user scope and the MAM user scope.
As per the Microsoft enrollment guide (see References): for BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) policies (if you configured them) rather than being MDM enrolled. For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
As you can see from the MDM and MAM user scope settings above, both are set to the same group. A domain-joined device that is not hybrid Azure AD joined and picks up the account through 'Add work or school account' is workplace-joined, which Windows treats as a BYOD device, so the MAM scope takes precedence: the device gets registered in Azure AD (for WIP) but is never MDM enrolled in Intune.
If the device is not enrolled, the device compliance policies never reach it, so Conditional Access will not let the device connect to Office 365.
The fix is to change the Intune MAM user scope (set it to None, or to a group that does not contain the users who should MDM enroll) and leave only the MDM user scope covering them, so the device enrolls in Intune. Relaxing the Conditional Access policy instead, by removing the 'device compliant / hybrid Azure AD joined' requirement (hybrid join not being configured on-prem anyway), would also make the error go away, but it drops the device control for every user the policy covers and is not the right answer to a misconfigured enrollment scope.
Once the MAM user scope is set to None and the MDM user scope is left in place, disconnect (un-enroll) the Windows 10 device from the work/school account and add the account again; this time the device enrolls in Intune, receives the compliance policy, and passes Conditional Access.
The fix is simple, but it takes a lot of steps to find out what's going on.
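The whole diagnosis above (Azure AD device record, Intune managed-device list, MDM/MAM user scopes, group membership of the enrolling user) can be scripted against Microsoft Graph so the check is repeatable before and after the scope change. The script below is an added example, not code from the original post or from Microsoft. It assumes the Microsoft.Graph PowerShell module is installed, that the 'Mobility (MDM and MAM)' settings are readable from the beta endpoints /policies/mobileDeviceManagementPolicies and /policies/mobileAppManagementPolicies (policy displayName 'Microsoft Intune'), and that $DeviceName and $UserPrincipalName are placeholders for the customer's device and user.

```powershell
# Added example (not from the original post). Reproduces the portal checks with
# Microsoft Graph PowerShell and evaluates the MDM/MAM user-scope overlap.
# Assumptions: Microsoft.Graph module installed; mobility policies read from the beta
# endpoints; $DeviceName / $UserPrincipalName are placeholders.
param(
    [string]$DeviceName        = 'WIN10-POC-01',      # placeholder
    [string]$UserPrincipalName = 'user@contoso.com'   # placeholder
)

Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceManagementManagedDevices.Read.All',
                        'Policy.Read.All', 'GroupMember.Read.All', 'User.Read.All' | Out-Null

# 1. Azure AD device record (what the post saw under Azure AD > Devices)
$aadDevice = Get-MgDevice -Filter "displayName eq '$DeviceName'" `
                          -Property 'id,displayName,trustType,isManaged,isCompliant,mdmAppId'
$joinType = switch ($aadDevice.TrustType) {
    'Workplace' { 'Azure AD registered' }
    'AzureAd'   { 'Azure AD joined' }
    'ServerAd'  { 'Hybrid Azure AD joined' }
    default     { "unknown ($($aadDevice.TrustType))" }
}
"Azure AD: $($aadDevice.DisplayName) join=$joinType managed=$($aadDevice.IsManaged) " +
"compliant=$($aadDevice.IsCompliant) mdmAppId=$($aadDevice.MdmAppId)"

# 2. Is it an Intune managed device at all? (what the post looked for under Intune > All devices)
$intuneDevice = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'"
'Intune: ' + $(if ($intuneDevice) { "enrolled, complianceState=$($intuneDevice.ComplianceState)" } else { 'NOT enrolled' })

# 3. MDM and MAM user scopes of the Intune policy, and whether this user falls in both
function Get-MobilityScope([string]$Kind) {
    # $Kind is 'mobileDeviceManagementPolicies' or 'mobileAppManagementPolicies' (beta)
    $policies = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/policies/$Kind").value
    $intune   = $policies | Where-Object { $_.displayName -eq 'Microsoft Intune' }
    $groups   = @()
    if ($intune.appliesTo -eq 'selected') {   # appliesTo: none | all | selected
        $groups = (Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/beta/policies/$Kind/$($intune.id)/includedGroups").value
    }
    [pscustomobject]@{ AppliesTo = $intune.appliesTo; GroupIds = @($groups.id); GroupNames = @($groups.displayName) }
}

function Test-InScope($Scope, [string[]]$UserGroupIds) {
    switch ($Scope.AppliesTo) {
        'all'      { $true }
        'selected' { [bool]($Scope.GroupIds | Where-Object { $UserGroupIds -contains $_ }) }
        default    { $false }
    }
}

$userGroupIds = (Get-MgUserMemberOf -UserId $UserPrincipalName -All).Id
$mdm = Get-MobilityScope 'mobileDeviceManagementPolicies'
$mam = Get-MobilityScope 'mobileAppManagementPolicies'
$inMdm = Test-InScope $mdm $userGroupIds
$inMam = Test-InScope $mam $userGroupIds
"MDM user scope: $($mdm.AppliesTo) [$($mdm.GroupNames -join ',')] -> user in scope: $inMdm"
"MAM user scope: $($mam.AppliesTo) [$($mam.GroupNames -join ',')] -> user in scope: $inMam"

# The failure mode from the post: workplace-joined (BYOD path) + user in both scopes => MAM wins
if ($inMdm -and $inMam -and $aadDevice.TrustType -eq 'Workplace') {
    Write-Warning ('User is in both MDM and MAM scope and the device is workplace-joined: ' +
                   'MAM takes precedence, the device is registered but never MDM enrolled, ' +
                   'so it can never be compliant. Set the MAM user scope to None (or a group ' +
                   'that excludes this user) and re-add the work account.')
}
```

Run it once to reproduce the 'registered, managed=False, NOT enrolled, user in both scopes' picture, change the MAM user scope, re-add the work account on the device, and run it again: the MAM line should now read 'none' (or the user out of scope), the Intune line 'enrolled', and the Azure AD record managed=True with a compliance value, which is exactly what Conditional Access needs.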
References:
https://docs.microsoft.com/en-us/intune/windows-enroll
Hope it helps!