Troubleshooting Co-management enrollment issues–hybrid Azure AD join

I was troubleshooting the client issue for co-management and found that the device was not hybrid Azure AD Joined.

Hybrid Azure AD joined (if your devices are on-prem) is one of the pre-requisites for co-management.

To check if the devices are hybrid Azure AD joined or not, you can open cmd and run dsregcmd /status

If the device is hybrid Azure AD joined, the status for AzureAdJoined=Yes (This field is applicable for both AAD or hybrid AAD).

image

On the problematic machine, there is no data for the dsregcmd.

For more information about configuring the Hybrid Azure AD joined and troubleshooting, please refer part 1 & Part 2 and the troubleshooting

For device registration process in hybrid azure ad joined task, we usually refer to the event viewer logs located at event viewer/Microsoft/Windows/User Device Registration/Admin

Under this path, there are no logs related to the device registration process.

The device registration process will be initiated by a task scheduler called Workplace Join during the system boot and this task will run with system account.

This task is located under Task Scheduler Library> Microsoft > Windows > Workplace Join > Automatic-Device-Join Task

image

The task is disabled on the system hence the device registration task did not run.

Enable the task and run it. (Running the task require local admin rights).If you do not have local admin rights, reboot the system, the task will run automatically with system account.

This task is disabled by default on windows 10 workgroup computer but when you join the device to domain, it will be enabled automatically. For some reason, the task did not enable.

If you want to enable the task on all your windows 10 computers, you can make use of GPO

image

There could be lot of devices with the task scheduler disabled which will impact the co-management enrollment.

How do we identify the device that have Automatic-Device-Join Task disabled?

In SCCM, we can make use of scripts feature, CMPivot or configuration baseline.

In this blog post, i will discuss about 2 options 1) configuration baseline and 2) Scripts.

For configuration baseline, we will use simple PowerShell script to detect the status of the schedule task and the same script can also be used in scripts feature.

In your SCCM, Create a configuration Item and choose the PowerShell script.

you can also use this as scripts and run it on targeted computers or

$status=(Get-ScheduledTask | ? TaskName -eq Automatic-Device-Join | Select State).state
if ($status -eq 'Disabled')
{
write-host "Non-Compliant"
}
else
{
write-host "compliant"
}

image

image

If you use scripts feature, running the script on target computer will get you the output status either compliant (enabled) or non-compliant (disabled).

image

I have uploaded the exported copy of configuration baseline to github.

You can download, import and deploy to your windows 10 collection to check if any devices has this task disabled.

Understanding hybrid Azure AD join and co-management
https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/understanding-hybrid-azure-ad-join-and-co-management/ba-p/2221201

Post Comment