This follows up on a similar post I wrote about requiring Azure AD User Discovery and Active Directory User Discovery so that Windows 10 machines can communicate over the CMG using Hybrid Azure Active Directory join: https://nhogarth.net/2018/10/26/sccm-1806-cmg-hybrid-azure-ad-failed-to-get-ccm-access-token/
You may run into an issue where a specific Windows 10 client cannot communicate with the CMG. In ccmmessaging.log you will see “Post to http://<CMG>.COM/CCM_Proxy_MutualAuth/<ID>/ccm_system/request failed with 0x87d00231.”
You can run the CMG Connection Analyzer to confirm that the CMG itself is working fine.
At that point you realise the problem is on the Windows 10 device end.
If you run “dsregcmd /status” and see that AzureAdJoined is set to No, then you know that the device is not Hybrid Azure AD joined, thus it cannot communicate with the SCCM CMG.
This particular machine was in an OU that was not synced to Azure AD by Azure AD Connect. After moving it into the correct OU and running another Azure AD Connect sync (Start-ADSyncSyncCycle -PolicyType Delta), the device could communicate over the CMG fine.
Microsoft recently added “Require app protection policy (Preview)” to conditional access. App Protection Policies in Intune are a great way to secure the apps on either a managed device or an unmanaged device.
Suggested Reading – https://docs.microsoft.com/en-us/intune/app-protection-policy
This blog post walks through creating an example Conditional Access policy that uses the “Require an app protection policy (Preview)” control, targeting Exchange Online, and shows the user experience on a device that has no App Protection Policies assigned.
In devicemanagement.microsoft.com go to Conditional Access, and create the new policy.
Give the policy a name. Since I am only testing this policy, I have targeted a single user.
I will be testing this policy only for Exchange Online.
I will only be using iOS and Android for this policy.
I have configured the conditions for all apps.
I have selected the control to require app protection policy.
The policy has now been created and enabled.
Below is the user experience when trying to add an email account targeted by the CA policy to the native mail app on an iOS device. You can see that it is blocked (similar to what happens if you require an approved client app in the CA policy).
Now if I try to set up the account in Outlook, I get an error saying that no application protection policies have been assigned.
In the What's new page for Intune (https://docs.microsoft.com/en-us/intune/whats-new), you can see that Microsoft recently added some BitLocker encryption reports in Preview.
For more information: https://docs.microsoft.com/en-us/intune/encryption-monitor
To access the BitLocker reports, go to the Intune portal (portal.azure.com or devicemanagement.microsoft.com) and go to Device Configuration > Encryption report (preview).
An example of the BitLocker report is below:
You can also use the Filter button to filter by encryption readiness (Ready/Not ready) and by encryption status (Encrypted/Not encrypted).
The example below shows the devices that are not encrypted:
Recently, while working with a customer, I was troubleshooting why their devices were showing up as Azure AD Registered in Azure Active Directory in the Azure portal when they should have been Hybrid Azure AD joined. These were Windows 10 1809 devices.
When running “dsregcmd /status” on one of the machines, it showed AzureAdJoined : NO. When a device is Hybrid Azure AD joined, this should say YES.
If you run the command as admin, you will see a Diagnostic Data section. On my devices, it said:
Client ErrorCode : 0x801c03f2
Server ErrorCode : DirectoryError
Server Message : The device object by the given id (guid) is not found.
This is because the device(s) have not been synced to Azure AD by Azure AD Connect. Make sure that the OUs containing the computer objects are set to sync to Azure AD. In my customer’s configuration, they had additional filtering where the user and computer objects needed to be in a Security Group to be synced to Azure AD.
Once the Azure AD Connect sync had completed successfully, and the device registration task had run again on the client, the machine showed as Hybrid Azure AD joined in the Azure portal.
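The dsregcmd checks in this post and the earlier CMG post, as an added PowerShell example (not code from the original posts): it parses dsregcmd /status output, classifies the join state, and flags the 0x801c03f2 "device object not found" case. The Get-DsregJoinState function name and the sample output are my own constructions.

```powershell
# Added example, not from the original post: parse "dsregcmd /status", classify the join
# state, and flag the Client ErrorCode 0x801c03f2 case (computer object not synced to Azure AD).
function Get-DsregJoinState {
    param(
        # Lines of dsregcmd /status; defaults to running it locally (admin shows Diagnostic Data)
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )
    $fields = @{}
    foreach ($line in $StatusText) {
        # Only "Key : Value" rows are kept; box-drawing and section header rows have no colon
        if ($line -match '^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $azureJoined  = $fields['AzureAdJoined'] -eq 'YES'
    $domainJoined = $fields['DomainJoined']  -eq 'YES'
    # Hybrid Azure AD joined means both AzureAdJoined and DomainJoined are YES
    $state = 'NotJoined'
    if ($domainJoined) { $state = 'DomainJoinedOnly' }
    if ($azureJoined)  { $state = if ($domainJoined) { 'HybridAzureADJoined' } else { 'AzureADJoined' } }
    $hint = $null
    if ($state -eq 'DomainJoinedOnly') {
        $hint = 'Not Hybrid Azure AD joined: CMG requests will fail (0x87d00231 in ccmmessaging.log).'
        if ($fields['Client ErrorCode'] -eq '0x801c03f2') {
            $hint += ' 0x801c03f2 / device object not found: the computer object is not synced to Azure AD.' +
                     ' Check OU and group sync filtering in Azure AD Connect, then run' +
                     ' Start-ADSyncSyncCycle -PolicyType Delta and let the device registration task re-run.'
        }
    }
    [pscustomobject]@{
        AzureAdJoined   = $azureJoined
        DomainJoined    = $domainJoined
        JoinState       = $state
        ClientErrorCode = $fields['Client ErrorCode']
        ServerMessage   = $fields['Server Message']
        Hint            = $hint
    }
}

# Constructed sample mirroring the failing device in the post (not captured real output)
$sample = @'
| Device State                                                         |
             AzureAdJoined : NO
              DomainJoined : YES
| Diagnostic Data                                                      |
          Client ErrorCode : 0x801c03f2
          Server ErrorCode : DirectoryError
            Server Message : The device object by the given id (guid) is not found.
'@ -split "`r?`n"

Get-DsregJoinState -StatusText $sample | Format-List
```

Run it without -StatusText on an affected client (as admin) to classify the live machine instead of the constructed sample.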