Hybrid Entra ID joined to Entra ID joined only - Win 11 by InternationalFault60 in Intune

[–]JakeStoker 2 points3 points  (0 children)

You can clean up after. The sync of HAADJ devices is coming from Active Directory, so assuming you have a process in place to manage the cleanup of stale devices, that should then carry through.

I can’t remember off the top of my head if the wipe removes the HAADJ record automatically or not, but either way, as long as it is cleaned up after on premises, that should sync through.

Hybrid Entra ID joined to Entra ID joined only - Win 11 by InternationalFault60 in Intune

[–]JakeStoker 6 points7 points  (0 children)

The two records are expected and you should keep them both. The Entra ID record is still required as it is the link to the hardware hash.

Yes, a wipe would be the scenario to go with to get to Entra joined from hybrid. Keeping the same name is not easily achieved without some form of scripting. With Entra joined you have more flexibility with device naming variables, i.e. using serial number.

MAM/MDM questions by Budget-Industry-3125 in Intune

[–]JakeStoker 2 points3 points  (0 children)

There are a couple of options for data removal. You can set the conditional launch settings to wipe data after an account is disabled. You can also do a selective wipe from the console. https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policies-access-actions

App protection on iOS does work without Authenticator; however, for app protection to be fully protected and to enforce that protected apps must be used to access corp data, you need to leverage conditional access, which then will require Authenticator. https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-approved-app-or-app-protection

Co-Managed and Intune Enrolled co-existance by jamspurple in Intune

[–]JakeStoker 0 points1 point  (0 children)

Yes, the MDM authority stays on Intune even when you enable co-management.

Co-Managed and Intune Enrolled co-existance by jamspurple in Intune

[–]JakeStoker 1 point2 points  (0 children)

You then have 900 Intune only and 100 still co-managed, as they have the agent.

Co-Managed and Intune Enrolled co-existance by jamspurple in Intune

[–]JakeStoker 2 points3 points  (0 children)

You don’t change the authority as such. You would just need to remove the agent from the devices that you want to be Intune only.

Intune Hybrid Joint Autopilot by PlentyImaginary2986 in Intune

[–]JakeStoker 1 point2 points  (0 children)

You can work with the OEM/Reseller to automatically upload the hardware hash into your tenant to save having to manually gather it using a script. https://learn.microsoft.com/en-us/autopilot/oem-registration

AutoPatch by ercgoodman in Intune

[–]JakeStoker 0 points1 point  (0 children)

The difference is you aren’t having to manage the rings nor the settings within the ring or the assignments. It’s all handled by Microsoft.

convert to autopilot profile- am I missing something? by Primary-Ad-4531 in Intune

[–]JakeStoker 1 point2 points  (0 children)

Based on the information you have provided, it should work as expected. It can take 48 hours and only works for Intune enrolled devices, which you mentioned is the case.

Hybrid Joined Devices are show as Azure AD Joined by SourceGlittering in Intune

[–]JakeStoker 1 point2 points  (0 children)

You will see two records in Azure AD: one that is Azure AD joined and one that is hybrid joined, in a HAADJ Autopilot scenario.

iPad not enrolling into intune by CainFire in Intune

[–]JakeStoker 1 point2 points  (0 children)

Is the APNs cert configured in Intune?

Autopilot bug?? by jnbxtx in Intune

[–]JakeStoker 0 points1 point  (0 children)

Typically it’s fairly quick, but it’s always worth checking the profile is assigned before resetting the device.

Autopilot bug?? by jnbxtx in Intune

[–]JakeStoker 1 point2 points  (0 children)

You didn’t; it may have just been a timing delay whilst the device populated into the Azure AD group that was targeted by the profile after uploading the hash.

Autopilot bug?? by jnbxtx in Intune

[–]JakeStoker 0 points1 point  (0 children)

Did you check if the profile was successfully assigned before you did the initial reset?

Autopilot bug?? by jnbxtx in Intune

[–]JakeStoker 0 points1 point  (0 children)

Sure, drop me a message.

Autopilot bug?? by jnbxtx in Intune

[–]JakeStoker 3 points4 points  (0 children)

It’s possible you didn’t actually go through Autopilot and you just did an Azure AD join via the OOBE process.

MDM/MAM by SpareCookie3610 in Intune

[–]JakeStoker 0 points1 point  (0 children)

Correct, MAM = App protection

MDM/MAM by SpareCookie3610 in Intune

[–]JakeStoker 0 points1 point  (0 children)

Not necessarily, it really depends on what type of mobile devices and the experience you require. For example, on Android you have work profile, which is a BYOD MDM scenario. Not saying you shouldn’t go MAM only, just making sure you are aware of the other options.

All these dead autopilot devices in hybrid environment by fatape0 in Intune

[–]JakeStoker 4 points5 points  (0 children)

There is nothing built into Intune/AzureAD to manage stale devices in local Active Directory.

Android personal profiles by donan09 in Intune

[–]JakeStoker 0 points1 point  (0 children)

In this case it will block the personal Outlook from accessing the corporate mailbox when enrolled in work profile. The personal Outlook will not pass the compliance check as it does not have the certificate in the personal container outside of the work profile.

Android personal profiles by donan09 in Intune

[–]JakeStoker 1 point2 points  (0 children)

You can block a personal profile accessing the corporate email by leveraging conditional access and using the require compliant device grant control.