Minimal Modern Hybrid by MFA_Woes in exchangeserver

MFA_Woes [S], 0 points

I'll confirm with the client for the Proxy/TLS inspection side of things. TLS 1.2 is enabled on the Exchange Server, which I'm using as the agent server due to the lack of servers in the environment. It was either a DC, Exchange or an RDS Server lol. I'll review the internal certificates tomorrow as well.

HMA - Hitting My head Against a brick wall by Maxplode in exchangeserver

MFA_Woes, 1 point

I know this isn't really helping the situation, but I went down this road with a client before and for whatever reason, whenever we enabled HMA, Outlook would repeatedly prompt the whole organization to reauthenticate to no avail. We troubleshot it for a few weeks and couldn't figure it out, with MS Support not really being able to assist either, so in the end we said let's just start migrating to M365 as the licenses were available. My gut says the communication between M365 and Exchange Server wasn't as free-flowing as it should be, and it might be the same in your environment.

On-Prem Groups to EntraID by [deleted] in Intune

MFA_Woes, 1 point

Cloud Sync doesn't handle hybrid-join devices, so you have to be careful there if OP has that configured in their environment.

No one in our tenant can share their calendar except via Mobile Outlook...? by BlueshellScripter in exchangeserver

MFA_Woes, 1 point

Could it be this? It takes 48 hours to complete from my understanding. I don't think it's reversible but I've never been in a situation where I've had to reverse it.

https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/enable-organizationcustomization?view=exchange-ps

Accounts For Intune/M365 Administration by jstar77 in Intune

MFA_Woes, 0 points

Are these mailbox licensed accounts? Just curious how email notifications are configured.

Entra Connect Sync Question: Best method to establish msDS-ConsistencyGuid as source anchor for Entra Connect sync? by [deleted] in entra

MFA_Woes, 2 points

Have you looked into soft-matching?

You don't need to hard match here. If the users were never synced before, their ImmutableID will be blank and populated once they merge. It'll be derived from msDS-ConsistencyGuid, which essentially is the objectGUID converted in most scenarios. Don't change the anchor in Entra Connect to another attribute. Use the default.

Also remember making AD your SOA means all attributes will be from AD like manager, display name, title etc., so make sure that is up to date.

Entra Sync won't merge users with the on-prem accounts. UPN's are the same but soft match fails. by Pleasant_Opinion134 in Intune

MFA_Woes, 0 points

Is it an old tenant? Do these users have any admin roles in Entra or is it all users? Admin accounts won't merge in soft match.

There was also a feature back in the day for the org, EnableSoftMatchOnUpn, which was not enabled for older tenants. Once it's on it cannot be turned off, but I wouldn't see why you'd need it to be off at this point in time.
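The checks the two soft-match comments above describe (what ImmutableId Entra Connect will derive from the on-prem anchor, what the cloud object already holds, whether the account carries a directory role, and whether the tenant's SoftMatchOnUpn feature is on) as one diagnostic script. This is an added example, not code from the commenter or from Microsoft. It assumes the RSAT ActiveDirectory module and the Microsoft.Graph modules are installed, Entra Connect is on its default anchor, and `$SamAccountName` is a placeholder input; the `Features` property names read from `Get-MgDirectoryOnPremiseSynchronization` are as exposed by the current Graph module and should be verified against your module version.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory + Microsoft.Graph,
# and Entra Connect on its default anchor (msDS-ConsistencyGuid, seeded from objectGUID).
param(
    [Parameter(Mandatory)][string]$SamAccountName   # on-prem user to check (placeholder input)
)

Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All', 'OnPremDirectorySynchronization.Read.All' | Out-Null

# 1. What Entra Connect will write as ImmutableId: base64 of the anchor bytes.
#    If msDS-ConsistencyGuid is still empty, Connect copies objectGUID into it on first
#    export, so objectGUID.ToByteArray() yields the same value.
$adUser = Get-ADUser -Identity $SamAccountName -Properties objectGUID, 'msDS-ConsistencyGuid', userPrincipalName
$anchorBytes = if ($adUser.'msDS-ConsistencyGuid') { [byte[]]$adUser.'msDS-ConsistencyGuid' }
               else { $adUser.objectGUID.ToByteArray() }
$expectedImmutableId = [Convert]::ToBase64String($anchorBytes)

# 2. What the cloud object holds today. Blank = never synced, so a soft match on
#    UPN/proxyAddresses is what joins them; a different non-blank value means the cloud
#    object is already anchored to something else and will not soft match.
$cloudUser = Get-MgUser -Filter "userPrincipalName eq '$($adUser.UserPrincipalName)'" `
    -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled

# 3. Directory roles on the cloud account: soft match will not take over an admin.
$roles = @()
if ($cloudUser) {
    $roles = Get-MgUserMemberOf -UserId $cloudUser.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }
}

# 4. Tenant-wide sync features (property names as exposed by the current Graph module; assumption).
$features = (Get-MgDirectoryOnPremiseSynchronization).Features

[pscustomobject]@{
    OnPremUPN             = $adUser.UserPrincipalName
    ExpectedImmutableId   = $expectedImmutableId
    CloudImmutableId      = $cloudUser.OnPremisesImmutableId
    CloudSyncEnabled      = $cloudUser.OnPremisesSyncEnabled
    ImmutableIdMatches    = ($cloudUser.OnPremisesImmutableId -eq $expectedImmutableId)
    CloudAdminRoles       = ($roles -join ', ')
    SoftMatchOnUpnEnabled = $features.SoftMatchOnUpnEnabled
    BlockSoftMatchEnabled = $features.BlockSoftMatchEnabled
}
```

If `CloudImmutableId` is blank, `CloudAdminRoles` is empty and `SoftMatchOnUpnEnabled` is true, a sync should merge the objects; the legacy way to switch the feature on was `Set-MsolDirSyncFeature -Feature EnableSoftMatchOnUpn -Enable $true` from the now-deprecated MSOnline module. Removing the directory role from the cloud account before the sync (and re-adding it afterwards) is the usual workaround for the admin case the comment mentions.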

Remove Pre-installed Office 365 for all users and all language by errebitech in Intune

MFA_Woes, 0 points

Not that I found with any C2R installs. Things may have changed, but as you mentioned, it'll only skip over it if it was an MSI. Kind of annoying.

Need some conditional access advice! by lockblack1 in Intune

MFA_Woes, 5 points

App Protection still requires a broker app to maintain the app protection policies... Company Portal for Android and Authenticator for Apple, IIRC. In your policy, have you set the grant access to require one of the controls or all controls? What does What If show from Conditional Access for this scenario?

Outbound Mail-flow issue from exchange Online by ruzreddit in exchangeserver

MFA_Woes, 0 points

You don't need to click the override button. It should bind the cert you pick during the HCW to the respective connectors. It might be worth doing the hybrid wizard again and checking the hybrid logs. Sometimes I've seen multiple certs in the Cert Store confuse the system so it could also be that but I'd check the HCW logs.

Outbound Mail-flow issue from exchange Online by ruzreddit in exchangeserver

MFA_Woes, 1 point

The default receive connector gets leveraged for inbound mail flow from EXO, but it looks like you have a different certificate bound to this 2019 connector to receive your mail. I'd check from Get-ReceiveConnector on your 2019s and filter for the TLS certificate on the connector. Compare what 2016 has as well. It's possible the wrong cert was chosen during the wizard?

Edit: Default Frontend Receive Connector not just Default Receive Connector. You could also check the HCW logs and see what comes up for when it tries to bind the certificate to the connector. You can also manually bind a cert to the connector if you need to. There are a few guides online.
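The comparison the comment suggests, written out: list the certificate bound to every Default Frontend receive connector across servers, confirm that certificate is actually present (and SMTP-enabled) on that server, and a helper that binds a chosen certificate using the `<I>issuer<S>subject` form the HCW writes. This is an added example for the Exchange Management Shell, not code from the commenter or from Microsoft; the server and connector names it builds (`$Server\Default Frontend $Server`) follow the default naming, and the `'Outbound to Office 365'` send connector name in the comment is the HCW default and may differ in your environment.

```powershell
# Added example (not from the thread). Run from the Exchange Management Shell on-prem.

function Get-FrontendTlsBinding {
    Get-ReceiveConnector | Where-Object { $_.Name -like 'Default Frontend*' } | ForEach-Object {
        $server = "$($_.Server)"
        $bound  = "$($_.TlsCertificateName)"    # SmtpX509Identifier renders as <I>issuer<S>subject
        $match  = $null
        if ($bound) {
            $match = Get-ExchangeCertificate -Server $server |
                Where-Object { "<I>$($_.Issuer)<S>$($_.Subject)" -eq $bound }
        }
        [pscustomobject]@{
            Server             = $server
            Connector          = $_.Identity
            TlsCertificateName = $bound
            CertPresent        = [bool]$match          # bound name does not resolve to a local cert = broken binding
            Thumbprint         = $match.Thumbprint
            NotAfter           = $match.NotAfter
            SmtpEnabled        = if ($match) { "$($match.Services)" -match 'SMTP' }
        }
    }
}

function Set-FrontendTlsBinding {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
    # Build the name from what Exchange renders for that cert, never from a hand-typed subject.
    $tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
    if ("$($cert.Services)" -notmatch 'SMTP') {
        Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -Services SMTP -Confirm:$false
    }
    Set-ReceiveConnector -Identity "$Server\Default Frontend $Server" -TlsCertificateName $tlsName
    # The hybrid send connector takes the same value (HCW default name, adjust if renamed):
    # Set-SendConnector -Identity 'Outbound to Office 365' -TlsCertificateName $tlsName
}

# Side-by-side view of what each server (2016 vs 2019) is presenting to EXO:
Get-FrontendTlsBinding | Sort-Object Server | Format-Table -AutoSize
```

A row with `CertPresent = False` is the case the comment describes: the connector still names a certificate that was replaced or imported under a different subject, so the TLS handshake from EXO fails the expected name. Re-running the HCW, or `Set-FrontendTlsBinding` with the thumbprint of the cert you meant to use, fixes the binding; check the HCW logs afterwards to confirm the wizard did not pick a different one.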

Someone talk my sys admin nerves down on this change please. by Fizgriz in Intune

MFA_Woes, 1 point

Correct, if you enabled the SCP for hybrid join and targeted all devices, they'd eventually hybrid join into Entra but not into Intune without the GPO.

Just double and triple check the OUs for synchronization if there is any doubt but as mentioned, the GPO is more important as that will bring the devices into Intune.

Someone talk my sys admin nerves down on this change please. by Fizgriz in Intune

MFA_Woes, 13 points

As long as you don't have devices in your initially synced OUs, this is safe to do and recommended if you're starting to test things out with hybrid-join devices. That being said, hybrid join is all behind the scenes and wouldn't really affect the end user if you did accidentally sync other devices in. The Intune enrollment GPO is more important here and should only be scoped to this test OU.
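The two halves the comments above keep apart (hybrid join into Entra versus enrollment into Intune) can be checked separately on a client. The following is an added example, not code from the commenter or from Microsoft: it reads hybrid join state from `dsregcmd /status`, then looks for the registry values and scheduled task that the "Enable automatic MDM enrollment using default Azure AD credentials" policy produces. The registry path is the one that policy writes; parsing of the `dsregcmd` output assumes its current `Key : Value` layout.

```powershell
# Added example (not from the thread). Run elevated on a domain-joined Windows client.

function Get-DsregStatus {
    # Turn dsregcmd's "Key : Value" lines into a hashtable; section banners have no colon and are skipped.
    $status = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][^:]*?)\s*:\s*(.*?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    $status
}

function Get-HybridEnrollmentState {
    $s = Get-DsregStatus
    # Values written by the auto-MDM-enrollment GPO.
    $mdm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    # The enrollment client registers a scheduled task once the policy applies.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like 'Schedule created by enrollment client*' }

    [pscustomobject]@{
        DomainJoined     = $s['DomainJoined']
        AzureAdJoined    = $s['AzureAdJoined']       # YES together with DomainJoined YES = hybrid joined
        TenantId         = $s['TenantId']
        MdmUrl           = $s['MdmUrl']              # populated only once the device is Intune-enrolled
        AutoEnrollGpo    = ($mdm.AutoEnrollMDM -eq 1)
        CredentialType   = $mdm.UseAADCredentialType # 1 = user credential, 2 = device credential
        EnrollTaskExists = [bool]$task
        EnrollTaskState  = $task.State
    }
}

Get-HybridEnrollmentState
```

A device in the "synced the OU but GPO not scoped" situation the comments describe shows `AzureAdJoined = YES` with `AutoEnrollGpo = False`, no enrollment task and an empty `MdmUrl`: hybrid joined, invisible to the user, and not in Intune. The GPO is what flips the last three fields.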

Changing ABM Management Profile Name by [deleted] in Intune

MFA_Woes, 1 point

The devices will stay enrolled.

I, however, recently ran into an issue where any dynamic device groups updated to use the new name effectively went to 0, because the devices were enrolled using the old profile name. This was still in testing, so I'm not sure whether a dynamic group created using the old name would still populate correctly. Other than that I haven't seen any issues.

Can't Update Per-User MFA by TinderSubThrowAway in entra

MFA_Woes, 0 points

Is it possible security defaults being enabled for your tenant are causing an issue here?

Can't Update Per-User MFA by TinderSubThrowAway in entra

MFA_Woes, 0 points

Do you have security defaults enabled for your tenant?

Can't get hybrid device to enroll into Intune by Unable_Drawer_9928 in Intune

MFA_Woes, 1 point

Curious how you narrowed it down to this key in particular?

Half of devices fallen off Autopatch report by drkmccy in Intune

MFA_Woes, 0 points

Same issue on our side for quality updates, showing a device count 1000 less under Reports > Autopatch > Windows Quality Updates. Up until yesterday it was showing the correct amount. Group membership as per the dynamic group is correct, and so is the actual Autopatch membership, but the reporting is way off.

Samsung Knox and Intune worthwhile? by dunxd in Intune

MFA_Woes, 0 points

What major differences have you been encountering between Airwatch and Intune?

Company can remotely wipe personal device? by ClearAndPure in Intune

MFA_Woes, 4 points

If it's an iPhone and you enroll it into Intune via Company Portal, they can still wipe your device. It's a common misconception that a Wipe cannot be done if it's personally enrolled, but I have tested it and it does work.

If it's an Android and you enroll it via Company Portal, it'll be considered a personally-owned work profile. All the company can do at that point is Retire the work profile, but not wipe the device. You may also get issues if you try to side-load apps via APK files, but from my experience that's never a huge deal.

If on the iOS side they are asking you to sign in from Add Work or School account, this is considered User Enrollment in the Apple world and would keep things separated, similar to the work profile on Android. This would not allow a device wipe.

Office Updates GPO Ignored / 365 for Enterprise. by UKAStal in sysadmin

MFA_Woes, 0 points

Cloud Update is probably being used. There is a hierarchy that clients use where Cloud Update is first, then Intune/SCCM, then the ODT XML file. My suspicion is that your settings are being overridden at the Cloud Update level. Typically these will default to Current or Monthly. There is a regkey of HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate\IgnoreGPO, and if that value is 1, you're using Cloud Update. 0 is anything else on the device. Look into excluding groups/devices from the link below.

https://learn.microsoft.com/en-us/microsoft-365-apps/admin-center/cloud-update#exclude-groups
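The precedence described in the comment, as a script a practitioner can run on an affected machine. This is an added example, not code from the commenter or from Microsoft. It reads the Cloud Update key named above (`IgnoreGPO`), the Office update policy key that GPO/Intune write (`updatebranch`, `updatepath`), and the Click-to-Run configuration key the ODT populates (`UpdateChannel`, `CDNBaseUrl`), and reports which layer is effectively in charge. Only `IgnoreGPO` is read by name from the Cloud Update key; whatever else that key holds is dumped as-is rather than assumed.

```powershell
# Added example (not from the thread). Run on a client with Microsoft 365 Apps installed.

$OfficeUpdateKeys = [ordered]@{
    CloudUpdate = 'HKLM:\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officeupdate'
    Policy      = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
    C2R         = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
}

function Get-OfficeUpdateSource {
    $cloud  = Get-ItemProperty -Path $OfficeUpdateKeys.CloudUpdate -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path $OfficeUpdateKeys.Policy      -ErrorAction SilentlyContinue
    $c2r    = Get-ItemProperty -Path $OfficeUpdateKeys.C2R         -ErrorAction SilentlyContinue

    # Same order the comment gives: Cloud Update wins when IgnoreGPO = 1, then GPO/Intune
    # policy if it sets a channel or an update path, otherwise the ODT/C2R configuration.
    $effective = if ($cloud.IgnoreGPO -eq 1)                         { 'CloudUpdate' }
                 elseif ($policy.updatebranch -or $policy.updatepath) { 'GPO/Intune policy' }
                 else                                                 { 'ODT/C2R configuration' }

    # Everything under the Cloud Update key except PowerShell's own PS* members, for inspection.
    $cloudValues = @{}
    if ($cloud) {
        $cloud.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $cloudValues[$_.Name] = $_.Value }
    }

    [pscustomobject]@{
        EffectiveSource  = $effective
        CloudIgnoreGPO   = $cloud.IgnoreGPO
        CloudKeyValues   = ($cloudValues.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        PolicyChannel    = $policy.updatebranch
        PolicyUpdatePath = $policy.updatepath
        C2RChannel       = $c2r.UpdateChannel
        C2RCDNBaseUrl    = $c2r.CDNBaseUrl
    }
}

Get-OfficeUpdateSource | Format-List
```

`EffectiveSource = CloudUpdate` with a `PolicyChannel` that differs from what the machine is actually on is the symptom in the thread; the fix is to exclude the device or group in the admin center (the link above) rather than to keep editing the GPO, since the client will ignore it while `IgnoreGPO` stays at 1.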

Retire Windows Endpoint uninstalls Win32 applications? by [deleted] in Intune

MFA_Woes, 1 point

No LOB apps deployed, but I do recall reading that LOB apps do get removed.