Windows Intune

Auto MDM Enroll: Failed (The system tried to delete the JOIN of a drive that is not joined.)

Posted on Updated on

When setting up hybrid Azure AD join with on-premises Windows 10 environments, if you encounter the an error that “The system tried to delete the JOIN of a drive that is not joined.“, then there is a good chance that the device has not yet synchronized into Azure AD.


A few tips to help you isolate the cause and get past this issue:

  1. First, confirm the device exists in Azure Active Directory (or not).  In the Azure portal, navigate to Azure Active Directory > Devices > All devices.
  2. Review the steps in Troubleshooting hybrid Azure Active Directory joined Windows 10 and Windows Server 2016 devices.  Note that this article points back to another article on How to configure hybrid Azure Active Directory joined devices, which presently contains way more helpful information to help you troubleshoot.
  3. In the most current Azure AD Connect releases, use the built-in Troubleshooter.  Then in the PowerShell windows which launches, use both options to troubleshooting options for Object Sync and Password Hash Sync.

In my case, the troubleshooting guides were useful to confirm that I had configured everything correctly.  Then the Azure AD Connect troubleshooter reported an error that “Password Hash Synchronization cloud configuration is disabled”.  Searching that issue on the Internet led me to discover that the cause was likely due to mismatched passwords between the Azure AD account “On-Premises Directory Synchronization Service Account” with the password currently set in the local synchronization service.

To fix that, first set a new password for the “On-Premises Directory Synchronization Service Account”.  To do that, try setting it in Azure directly.  However, given that it’s a special account, it may be necessary to reset the password through PowerShell with the MSOL cmdlets.  While I’m not getting into the full end-to-end setup and use of those add-on Azure PowerShell cmdlets, the command could be as simple as:

Set-AzureADUserPassword -ObjectId abc123def456xyz980 -Password MyP@ssw0rd! -ForceChangePasswordNextLogin $false

Next, start program Synchronization Service Manager, then click on Connectors.  Locate the Windows Azure Active Directory Account and click Properties.


Finally, set the password.  Voila, devices will now sync to Azure AD on the next synchronization!


References that AADP will not impact O365

Posted on Updated on

I was recently asked by a customer to provide proof that registering for Azure Active Directory Premium would not cause a production change to their existing O365 implementation. Unfortunately, this is not specifically stated anywhere in Microsoft documentation.  But the references below are what I found which imply that there would not be an impact to the business.

    1. “Every Azure subscription has a trust relationship with an Azure AD instance. This means that it trusts that directory to authenticate users, services, and devices. Multiple subscriptions can trust the same directory, but a subscription trusts only one directory. You can see which directory is trusted by your subscription under the Settings tab. You can edit the subscription settings to change which directory it trusts.”
    2. “This trust relationship that a subscription has with a directory is unlike the relationship that a subscription has with all other resources in Azure (websites, databases, and so on), which are more like child resources of a subscription. If a subscription expires, then access to those other resources associated with the subscription also stops. But the directory remains in Azure, and you can associate another subscription with that directory and continue to manage the directory users.”
    3. The key evidence is that the directory remains in Azure and will work with other subscriptions (e.g. O365)
    1. “There are no costs for using Azure AD. The directory is a free resource. There is an additional Azure Active Directory Premium tier that is licensed separately and provides additional features such as company branding and self-service password reset.”
    2. The key evidence is that AADP is an additional “tier” to Azure AD
    1. “Trials live in the following phases: 30 days active, 30 days in grace period, 30 days disabled.  Subscription is then deprovisioned”
    2. “Once the final subscription (of any service like Office365 or Intune) is deprovisioned from a tenant, then the countdown starts to where that tenant is then deleted from Windows Azure Active Directory (WAAD).”
    3. The key evidence is that AADP is a subscription (though not directly named in this article dated in 2013)
    1. Azure AD Premium can be considered as the paid add-ons for Azure AD free edition
    2. Based on article Azure Active Directory Editions, any common features provided by Azure AD free edition will not be changed even if we upgrade free edition to premium edition:
      1. Directory as a service,
      2. User and group,
      3. management using UI or Windows PowerShell cmdlets,
      4. Access Panel portal for SSO-based user access to SaaS and custom applications
      5. User-based application access management and provisioning
      6. Self-service password change for cloud users
      7. Directory synchronization tool – For syncing between on-premises Active Directory and Azure Active Directory
      8. Standard security reports

Deploying Android Apps with Windows Intune

Posted on Updated on

Using Windows Intune standalone?  You can quickly deploy apps using the following process!  This example utilizes an Android emulator being managed through Intune.  For more information on how to set that up for testing, see

Upload Android APK App

To begin, be sure to obtain a safe APK that you can deploy (e.g. don’t download an infected app!)

Click button to Add Software


Select the Android app installer type


Enter the desired app properties


Specify the Android OS version that the app can be installed upon


Finish the wizard


Deploy App to Device Group

Click button to Manage Deployment


Select the target group (this example just uses a static membership with my Intune user account)


Ensure the approval is set to be Available


Install App on Android Device

On your Android device (an emulator in this example), go to and sign in


Select the app category


Select the app


Click “Get app”


When the app has been download, click the “drop arrow” that appears in the upper-left corner


Select the app


Select to Install (lower-right)


And voila…you’re app is installed!!


Understanding Costs to Manage Windows 8 Devices with Intune

Posted on Updated on

Side-loading keys (100 pack for $2500?) are different from the mobile device cert ($299/yr) and the Dev Center account ($99/yr) – and they are all unique to each tenant.

  • Side-loading keys are way to bypass publishing apps through the public Windows Store and deploy apps to the Windows devices
  • Mobile device certs are used to authentically sign the apps
  • Windows Dev Center account is specifically used to create a company portal for any apps and for device enrollment

So initially it would be $400 for each tenant.  If it’s ever needed to deploy apps through Intune to those Windows devices, then the side-loading keys are necessary.

For ‘how’ the Intune client generally gets installed on a WP8/RT device:

  1. Get a mobile device signing cert
  2. Get a Windows Dev Center account and obtain that the “Windows 8 Company Portal App”
  3. Sign that app with the mobile cert and publish via Intune
  4. Users (with the Intune account) can then utilize the “Company Apps” built-in function enroll their device and thereby get managed through Intune

Setting up Windows Intune to Manage Android

Posted on Updated on

Android with Windows Intune

Use this guide to help you get started testing management of Android devices with Windows Intune (Wave D) standalone.  This guide assumes Office 365 has been completely set up, configured, and operational for your organization.

Create the emulator

First and foremost, create an Android emulator.  One of the best guides that I have found for doing this is at (just make sure you’ve installed the latest version of Java first!).  Below are the settings that I used for my emulator.


O365 Mailbox enabled for ActiveSync

Next, ensure that the user account(s) which will be used for testing the Android devices are enabled for ActiveSync.


Enable ActiveSync

Launch the Email app


Enter your and password


Select Exchange


Set the domain/username and server as


Accept the cert


Configure settings as desired


You’re ready to go!


Activate the device


Once the sync has completed, then you’re connected


Exchange Connector (even for O365)

Download the Exchange Connector from Intune (as this has an additional cert included):

Administration > Mobile Device Management > Microsoft Exchange > Exchange Connector






Managing Device Information

Confirm device



Create Android Device Group






Create Android User Group





Create Policy

“Create and Deploy a Custom Policy”



Set a policy name and require a password changed to require a password


Deploy the policy