Edit 01/06/2022 : updating this article to include Azure Virtual Desktop Windows 10 / Windows 11 multi-session enrollment command using Device Credential

--------

There are several ways to enroll a Windows 10 PC to Microsoft Intune:

Manually

During the Out-of-the-box Experience (OOBE), when starting a Windows 10 PC for the first time
In the Windows Settings, after the PC configuration

Manual enrollment will require that the user enters his Azure AD credentials.

Automatically

Using Azure AD Join + automatic Intune enrollment
Using Hybrid Azure AD Join + automatic Intune enrollment

Automatic enrollment can be triggered using a Group Policy, SCCM Co-Management or Windows AutoPilot.

Windows 10 automatic enrollment requires the creation of public DNS records enterpriseregistration and enterpriseenrollment. More info here.

However, sometimes it is possible that a Windows 10 PC is in an inconsistent enrollment state, with error "The sync could not be initiated".

This can happen because:

The PC was shut down during a long time, and the Microsoft Intune certificate is expired (located in Local Machine / Certificates / Personal)
Someone manually deleted the Microsoft Intune certificate
The PC is enrolled in another Intune tenant

Prerequisites: check Hybrid Azure AD Join status

Before re-enrolling your device to Microsoft Intune, you need to make sure that the certificates for Hybrid Azure AD Join are not expired as well.

Follow this procedure to Manually re-register a Windows 10 / Windows 11 or Windows Server machine in Hybrid Azure AD Join.

Method 1: With data and configuration loss

The easiest way to unenroll a Windows 10 PC from Microsoft Intune is to disconnect the work or school account.

Just go to All settings > Accounts > Access work or school, select your corporate account and click Disconnect.

Important: this menu is not available on Windows 10 / Windows 11 multi-session edition for Azure Virtual Desktop.

However, the problem with this is that all data and configuration pushed by Microsoft Intune will be deleted from the PC.

Method 2: Without data or configuration loss

There is a way to manually re-enroll your Windows 10 PC without loosing all the current configuration and apps deployed by Microsoft Intune.

This method is not officially supported by Microsoft

As you may know, automatic enrollment can be triggered either by a Group Policy Object or by the SCCM client on a co-managed device.

In both cases, the feature will basically create a scheduled task to enroll the PC at next logon. The command is different if you are trying to enroll Windows 10 / Windows 11 Enterprise multi-session devices from Azure Virtual Desktop (using Device Credential) or a regular Windows 10 / Windows 11 device using User Credential:

Windows 10 / Windows 11 Enterprise (with User Credential)

Task launched in the SYSTEM context:

%windir%\system32\deviceenroller.exe /c /AutoEnrollMDM

Windows 10 / Windows 11 Enterprise Multi-session for Azure Virtual Desktop (with Device Credential)

Task launched in the SYSTEM context:

%windir%\system32\deviceenroller.exe /c /AutoEnrollMDMUsingAADDeviceCredential

To manually re-enroll the PC, we will need to clean up the environment and relaunch this command in the SYSTEM context to re-enroll the PC.

Here are the steps that you need to follow to make it work:

Delete stale scheduled tasks
Delete stale registry keys
Delete the Intune enrollment certificate
Restart the enrollment process

Step 1: Delete stale scheduled tasks

Follow this procedure:

Run the Task Scheduler as an administrator.

Go to Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt. Write down the enrollment ID somewhere, you will need it for the cleanup.

Delete all the existing tasks the enrollment folder.

Delete the enrollment ID folder.

Step 2: delete stale registry keys

Use the previous enrollment ID to search the regitry:

Open the Registry Editor as an administrator.

Search for the enrollment ID you wrote in the following locations and if found, delete the key that is containing the ID:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\xxxxxxxxxxxxx
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\xxxxxxxxxxxxx

DO NOT delete registry keys that are not in the list above. They will be overwritten after the new enrollment.

Step 3: delete the Intune enrollment certificate

Follow the procedure:

Search for the option "Manage computer certificates" or use the command certlm.msc as an administrator.

Go to Personal > Certificates and delete the certificate issued by either "Microsoft Intune MDM Device CA" or "SC_Online_Issuing" (depending on the date of the enrollment).

Step 4: Restart the enrollment process

To be properly executed, the enrollment command must be entered in a SYSTEM context. We will use the PSExec tool for that purpose.

Download the PSExec tool from Microsoft website

Use PSExec to launch a Command Prompt as SYSTEM:

psexec /i /s cmd

In the Command Prompt, enter one of the following command depending on your enrollment type:

Windows 10 / Windows 11 Enterprise (using User Credential)

%windir%\system32\deviceenroller.exe /c /AutoEnrollMDM

Windows 10 / Windows 11 Enterprise Multisession for Azure Virtual Desktop (using User Credential)

%windir%\system32\deviceenroller.exe /c /AutoEnrollMDMUsingAADDeviceCredential

In the computer certificate store, check that a new Intune certificate has been enrolled for the device:

You are now ready to start a policy sync from the Windows Settings, and check that the connection with the Intune service is now OK:

Tags: azure active directory, azure ad, azure virtual desktop, co-managed pc, co-management, intune, microsoft intune, sccm, windows 10, windows 10 multi-session, windows 10 multisession, windows 10 pc, windows 11, windows 11 multi-session, windows 11 multisession, windows virtual desktop

Hybrid Azure AD Join devices are machines under Windows 10+ or Windows Server 2016+ that are:

Joined to an on-premises Active Directory domain
Registered in Azure AD as a hybrid device

Having a Hybrid Azure AD Joined device enables the following features:

Automatic device enrollment in Microsoft Intune
Device-based conditional access for corporate devices
Backup of the BitLocker recovery key in Azure AD
Sync of some Windows settings by the Enterprise State Roaming

Sometimes, a machine can be in an inconsistent registration state in Azure Active Directory. This can happen because:

The machine was shut down during a long time, and the Azure AD device registration certificate is expired (located in Local Machine / Certificates / Personal)
Someone manually deleted the device registration certificate
Someone manually deleted the device object in the Azure AD portal
The machine is registered in another Azure AD tenant

Please note that this method will only succeed if your organization meets all the prerequisites for Hybrid Azure AD Join. For more information, please refer to this documentation.

Step 1: Unregister the device from Azure AD

Follow this procedure:

On the machine to unregister, launch a Command Prompt as an administrator and type the following command:

dsregcmd /leave

Make sure the certificates issued by "MS-Organization-Access" and "MS-Organization-P2P-Access [xxxx]" have been deleted from the local machine Personal certificate store:

Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values:

dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
AzureAdJoined : NO  <-----
EnterpriseJoined : NO
DomainJoined : YES  <-----

Step 2: Re-register the device as a Hybrid Azure AD Join

Follow this procedure:

On the machine to re-register, run the Task Scheduler as an administrator.

Go to Task Scheduler Library > Microsoft > Windows > Workplace Join and manually start the task "Automatic-Device-Join".

Make sure the certificates issued by "MS-Organization-Access" and "MS-Organization-P2P-Access [xxxx]" have been created in the local machine Personal certificate store:

Type the command dsregcmd /status in a Command Prompt, and make sure the following parameters have the appropriate values:

dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
AzureAdJoined : YES  <-----
EnterpriseJoined : NO
DomainJoined : YES

Reboot the PC.

Start an Azure AD Connect delta synchronization.

Tags: azure ad, azure ad join, dsregcmd, ems, enterprise mobility + security, hybrid azure active directory, hybrid azure ad, hybrid azure ad join, windows server 2016, windows server 2019

La communauté aOS (Azure Office 365 SharePoint) et le Monaco Microsoft User Group (MMUG) vous invitent à la 1ère édition de la journée aOS Monaco le 26 Septembre 2019.

Pendant une journée entière, vous pouvez rencontrer et échanger avec des experts des technologies Office 365 et Azure. Différentes sessions vous seront proposées où nous vous apporteront des retours terrain. Il vous sera ainsi possible de découvrir ou approfondir vos connaissances sur :

Azure
Office 365
Microsoft Teams, SharePoint
Power Platform : Power BI, PowerApps, Microsoft Flow

Ce sera aussi l’occasion de partager et échanger entre utilisateurs et professionnels, locaux, nationaux et internationaux, de l’offre Cloud Microsoft.

J'animerai un atelier deep-dive "Sécurisez votre SI et vos services Office 365", alors n'hésitez pas à réserver vos agendas 🙂

Tags: cloud app security, ems, enterprise mobility + security, microsoft 365, office 365, sécurité office 365, security

L'association Le Numérique Pour Tous organise plusieurs conférences sur le digital, de Février à Mai 2019.

Ces conférences gratuites se dérouleront à la Bibliothèque municipale Kateb Yacine du centre commercial Grand' Place, à Grenoble :

7.02.2019 : S'équiper en appareils numériques
7.03.2019 : Sécuriser et entretenir son environnement numérique
4.04.2019 : Réseaux sociaux et communication
2.05.2019 : Quels outils alternatifs libres ou gratuits ?

N'hésitez pas à y assister !

Tags: conférence, grenoble

Petite note car je vois pas mal de soucis chez nos clients.

Microsoft a changé le fonctionnement de l’authentification RDP entre clients / serveurs.

Phase 1 : Microsoft a sorti une modification pour les serveurs en Mars 2018
- Bulletin de sécurité Mars 2018
- Windows Server 2012 : KB4088880
- Windows Server 2012 R2 : KB4088876
- Windows Server 2016 : KB4088787

Phase 2 : Microsoft a sortie une modification pour les clients en Mai 2018
- Windows 7 SP1 : KB4103718
- Windows 8.1 : KB4103725
- Windows 10 v1607 : KB4103723
- Windows 10 v1703 : KB4103731
- Windows 10 v1709 : KB4103727
- Windows 10 v1803 : KB4103721

Le but de ce décalage de 2 mois était de patcher d’abord les serveurs (Mars), puis les clients (Mai) pour que ces derniers puissent s’y connecter 2 mois après.

Suite à ces modifications, la connexion RDP à des serveurs non-patchés depuis des clients patchés peut échouer (erreur CredSSP).

An authentication error has occured.
The function requested is not supported
This could be due to CredSSP encryption oracle remediation

Voici les scénarios possibles :

Ne fonctionne pas

Serveur non patché depuis Mars / client patché depuis Mai

Fonctionne

Serveur non patché depuis Mars / client non-patché
Serveur patché depuis Mars / client non-patché
Serveur patché depuis Mars / client patché depuis Mai

Workaround (fortement déconseillé)

Si un client a été patché alors que le serveur n’est pas à jour, il est possible de désactiver le Network Level Authentication côté serveur de manière temporaire pour s’y connecter.

Il est aussi possible de désactiver la fonctionnalité "Encryption Oracle Remediation" par GPO sur les serveurs non-patchés :

Si pas encore fait, installez les ADMX pour Windows 10 build 1803 (ou supérieur)
Allez dans Computer Configuration -> Administrative Templates -> System -> Credentials Delegation
Modifiez le paramètre Encryption Oracle Remediation en Enabled / Vulnerable

Note : La recommandation officielle reste toutefois de patcher serveurs et clients.

Tags: an authentication error has occured, credssp, credssp encryption oracle remediation, encryption oracle remediation, error remote desktop, KB4103718, KB4103718 credssp, KB4103718 error rdp, network level authentication, nla, remote desktop, remote desktop error, remote desktop services, the function requested in not supported

Manually re-enroll a Hybrid Azure AD Join Windows 10 / Windows 11 device to Microsoft Endpoint Manager without loosing the current configuration

Manually

Automatically

Prerequisites: check Hybrid Azure AD Join status

Method 1: With data and configuration loss

Method 2: Without data or configuration loss

Step 1: Delete stale scheduled tasks

Step 2: delete stale registry keys

Step 3: delete the Intune enrollment certificate

Step 4: Restart the enrollment process

Manually re-register a Windows 10 / Windows 11 or Windows Server machine in Hybrid Azure AD Join

Step 1: Unregister the device from Azure AD

Step 2: Re-register the device as a Hybrid Azure AD Join

aOS Monaco - 26/09/2019 - Sécurisez vos services Office 365 avec la suite Microsoft 365

Le Numérique Pour Tous - Conférences

Mise à jour Mai 2018 Windows et erreur CredSSP Remote Desktop (Encryption Oracle Remediation)

Workaround (fortement déconseillé)