When setting up hybrid Azure AD join with on-premises Windows 10 environments, if you encounter the an error that “The system tried to delete the JOIN of a drive that is not joined.“, then there is a good chance that the device has not yet synchronized into Azure AD.
A few tips to help you isolate the cause and get past this issue:
- First, confirm the device exists in Azure Active Directory (or not). In the Azure portal, navigate to Azure Active Directory > Devices > All devices.
- Review the steps in Troubleshooting hybrid Azure Active Directory joined Windows 10 and Windows Server 2016 devices. Note that this article points back to another article on How to configure hybrid Azure Active Directory joined devices, which presently contains way more helpful information to help you troubleshoot.
- In the most current Azure AD Connect releases, use the built-in Troubleshooter. Then in the PowerShell windows which launches, use both options to troubleshooting options for Object Sync and Password Hash Sync.
In my case, the troubleshooting guides were useful to confirm that I had configured everything correctly. Then the Azure AD Connect troubleshooter reported an error that “Password Hash Synchronization cloud configuration is disabled”. Searching that issue on the Internet led me to discover that the cause was likely due to mismatched passwords between the Azure AD account “On-Premises Directory Synchronization Service Account” with the password currently set in the local synchronization service.
To fix that, first set a new password for the “On-Premises Directory Synchronization Service Account”. To do that, try setting it in Azure directly. However, given that it’s a special account, it may be necessary to reset the password through PowerShell with the MSOL cmdlets. While I’m not getting into the full end-to-end setup and use of those add-on Azure PowerShell cmdlets, the command could be as simple as:
Connect-AzureAD Set-AzureADUserPassword -ObjectId abc123def456xyz980 -Password MyP@ssw0rd! -ForceChangePasswordNextLogin $false
Next, start program Synchronization Service Manager, then click on Connectors. Locate the Windows Azure Active Directory Account and click Properties.
Finally, set the password. Voila, devices will now sync to Azure AD on the next synchronization!
Using Windows Intune standalone? You can quickly deploy apps using the following process! This example utilizes an Android emulator being managed through Intune. For more information on how to set that up for testing, see https://t3chn1ck.wordpress.com/2013/05/01/setting-up-windows-intune-to-manage-android/.
Upload Android APK App
To begin, be sure to obtain a safe APK that you can deploy (e.g. don’t download an infected app!)
Click button to Add Software
Select the Android app installer type
Enter the desired app properties
Specify the Android OS version that the app can be installed upon
Finish the wizard
Deploy App to Device Group
Click button to Manage Deployment
Select the target group (this example just uses a static membership with my Intune user account)
Ensure the approval is set to be Available
Install App on Android Device
On your Android device (an emulator in this example), go to https://m.manage.microsoft.com and sign in
Select the app category
Select the app
Click “Get app”
When the app has been download, click the “drop arrow” that appears in the upper-left corner
Select the app
Select to Install (lower-right)
And voila…you’re app is installed!!
Side-loading keys (100 pack for $2500?) are different from the mobile device cert ($299/yr) and the Dev Center account ($99/yr) – and they are all unique to each tenant.
- Side-loading keys are way to bypass publishing apps through the public Windows Store and deploy apps to the Windows devices
- Mobile device certs are used to authentically sign the apps
- Windows Dev Center account is specifically used to create a company portal for any apps and for device enrollment
So initially it would be $400 for each tenant. If it’s ever needed to deploy apps through Intune to those Windows devices, then the side-loading keys are necessary.
For ‘how’ the Intune client generally gets installed on a WP8/RT device:
- Get a mobile device signing cert
- Get a Windows Dev Center account and obtain that the “Windows 8 Company Portal App”
- Sign that app with the mobile cert and publish via Intune
- Users (with the Intune account) can then utilize the “Company Apps” built-in function enroll their device and thereby get managed through Intune
Android with Windows Intune
Use this guide to help you get started testing management of Android devices with Windows Intune (Wave D) standalone. This guide assumes Office 365 has been completely set up, configured, and operational for your organization.
Create the emulator
First and foremost, create an Android emulator. One of the best guides that I have found for doing this is at http://www.javaexperience.com/10-easy-steps-to-install-android-emulator-in-windows/ (just make sure you’ve installed the latest version of Java first!). Below are the settings that I used for my emulator.
O365 Mailbox enabled for ActiveSync
Next, ensure that the user account(s) which will be used for testing the Android devices are enabled for ActiveSync.
Launch the Email app
Enter your firstname.lastname@example.org and password
Set the domain/username and server as m.outlook.com
Accept the cert
Configure settings as desired
You’re ready to go!
Activate the device
Once the sync has completed, then you’re connected
Exchange Connector (even for O365)
Download the Exchange Connector from Intune (as this has an additional cert included):
Administration > Mobile Device Management > Microsoft Exchange > Exchange Connector
Managing Device Information
Create Android Device Group
Create Android User Group
“Create and Deploy a Custom Policy”
Set a policy name and require a password changed to require a password
Deploy the policy