I think this is a really interesting case and although Hybrid Azure AD Join is something I am not recommending over Azure AD Join, sometimes there are circumstances that leads to no other choice but to adjust and make the best out of the situation and plan for a better solution more long-term.
Current situation and scenario goal
The mission is to enroll all Windows devices (shared and Hybrid Azure AD Joined) to Intune and the specifications are as below:
Windows 10 and 11 Enterprise 21H2 (or 22H2) computers which are Hybrid Azure AD Joined.
The devices are used as shared computers, so there are no primary users of these devices.
Intune licenses are device based, not user based which is the typical and most common scenario.
Microsoft Endpoint Manager Configuration Manager is NOT used.
The million-dollar question is how these shared computers can be enrolled into Intune automatically? The scenario must cover both enrolling newly deployed computers as well as existing computers. The solution must be fully automated i.e., no manual steps must exist in the process.
Note: The typical GPO to enable MDM automatic enrollment via user credential cannot be used as the users do not have Intune licenses.
My thoughts on how to come to a solution came pretty much in this order, and turns out to be a real challenge
1. Use “Device Credential” in the GPO “Enable automatic MDM enrollment…”
The GPO “Enable automatic MDM enrollment using default Azure AD credentials” got a new option some years ago and can be set to “device credential” instead of the default “user credential”. Sounds like the perfect solution!
Problem: Error code 0x80180001 in the event logs “Device based token is not supported to enrollment type OnPremiseGroup PolicyCoManaged”. It turns out that this setting is only supported using MEMCM/SCCM or Azure Virtual Desktop, and obviously blocked or not meeting the technical requirements on other machines.
2. Autopilot self-deploying mode profile
That was a good idea although self-deploying profiles cannot be used as it supports only Azure AD Join and not Hybrid Azure AD Join.
3. Provisioning package – Only enrollment
Using a provisioning package (PPKG) you could potentially enroll into an MDM solution (such as Intune) using Workplace/Enrollment settings as noted in Bulk enrollment – Windows Client Management | Microsoft Docs. However, “username and password security type not supported”. However, this enrollment seems to primarily be targeted and intended for third party MDM solutions or the now long gong feature to enroll into on-premises MDM in Configuration Manager, not Intune. Or did anyone succeed in enrolling into Intune this way? If so, please ping me!
4. Provisioning package – Using bulk enrollment token
Although this way is typically used for performing Azure AD Join + automatic Intune enrollment using a Device Enrollment Manager (DEM) account, I thought I’d try it out to see what happens as I never tried this on a Hybrid Azure AD Joined computer.
Well after obtaining the bulk enrollment token through the simple wizard in Windows Imaging and Configuration Designer, I switched to advanced mode and got rid of everything from the provisioning package apart from the Azure/bulk enrollment token parts.
I then ran the provisioning package on my target test machine and the enrollment seem to have worked. Although, it resulted in another device object in Azure AD, and it successfully enrolled into Intune.
Well, automating the application of PPKG from step 4 above as part of the deployment process is easy, it needs some additional checks though as the provisioning package must only be run after the successful Hybrid Azure AD Join has taken place, otherwise I see this will fail. Not optimal and requires more testing, and even if this would work the scenario is a true corner-case!
Going back to Autopilot self-deploying mode seems a lot easier, so let’s evaluate what needs to be in place for this to become reality, overcoming the hurdles!
By connecting your Windows devices solely to Azure AD and Intune you will improve the work lives of for your users and make it easier for you in IT to manage the platform during the device lifecycle.
Windows devices in the future are no longer connected to a traditional Active Directory, and they are not managed by Configuration Manager or other on-premises management tools, and not with Group Policies. The Windows devices of the future are independent of your datacenter which means IT can focus on improving availability of the resources the end users are dependent on in their daily work, which are applications, tools, and information.
End user experience and challenges today
Are you and your end users sick and tired of the fact that starting and logging into Windows takes several minutes? One common cause for this is a legacy of many years of GPOs and scripts that are executed at start and logon.
Do your end users still need to come into the office network to get all updates, configuration or changing password? This is something that becomes a non-issue in the cloud-only world. Even though these types of needs have decreased because of the pandemic I still see and hear about this too often.
Improving end user experience and simplifying are the keywords
The reasons of going cloud-only on your Windows devices are very much about significantly improving your end user experience, and at the same time making it easier to manage for you in IT. To continue doing what many organizations are doing today, i.e., managing Windows with existing on-premises AD and GPOs, running devices in Hybrid Azure AD Join state plus adding co-management and Intune just makes your life in IT more complex and harder, and give your end-users very few benefits to be honest. Everyone would gain from letting go of on-prem AD and traditional managing software such as Configuration Manager.
Microsoft recommends going cloud-only and not staying in hybrid mode
The fact is that Microsoft is recommending the hybrid scenario only as an interim solution for existing devices. For new devices Microsoft are very clear that they recommend cloud-only devices.
Keep in mind that while Microsoft fully supports hybrid Azure AD join, we designed this capability as an interim solution for existing endpoints. We strongly encourage customers to begin their planning and implementation of full Azure AD-joined systems as soon as possible.
The most common myth killed once and for all – access to on-premises resources
The fact is that most organizations still have, and will have for many years to come, user resources in their datacenter on-premises. How do users get access to file share, printers, and applications on-premises when the Windows device is only in the cloud? With Windows Hello for Business Cloud Trust or FIDO2 security keys, this has never been easier to setup and enable!
Pros for cloud-only Windows devices
Performance and user experience. Microsoft’s former corporate vice president for Microsoft 365, Brad Anderson, compared his iPhone to a cloud-only Windows device s few years ago. The Windows device started and became usable faster than an iPhone. That is a notable example that still is valid. Mobility, speed, and battery life is something the users really appreciate.
Reduced complexity. What I see is that customers that are running in the hybrid scenario has a complex day-to-day life in IT, in terms of managing and troubleshooting. You have two environments to take into consideration all the time which makes things sometimes twice as hard or take more time than it should to achieve the goal at hand.
More time for valuable work. How much time do IT spend on keeping the basic infrastructure working? By that I mean specially Configuration Manager which always have had problems with agents, driver packages becoming corrupt after working for years etc. I have through my years spent too much time on just keeping things at a working level, it is time to bury Configuration Manager and spend this time on more valuable work such as follow-up and proactiveness.
Get rid of your legacy. Most organizations have over the years migrated to a number of Windows client platforms, from Windows 2000, XP, Windows 7, to Windows 10 and soon Windows 11. What most organizations have in common is that the same GPOs and scripts are still being applied although first configured 15 years ago, even though some policies have been cleaned out through all migrations. Switching to cloud-only is the perfect fresh start of getting rid of all your legacy stuff and start building on something new!
Cons for cloud-only Windows devices
Not for everyone. Being able to utilize Microsoft cloud services is a pre-req of course. To be honest, there are more challenges that could block an organization from going cloud-only. Things such as 802.1x can be a challenge and specific requirements around security another. The point is, if you do not even try you will not know what to solve or what Microsoft will eventually deliver in their product and services to solve your blocker. Adding cloud-only Windows devices to your roadmap and work on dependencies is essential in making progress.
How to get started?
So how do you get started? In its simplest form, start with Autopiloting (Azure AD Join + Intune) the device and then perform all your day-to-day work on a cloud-only Windows PC. After that start solving the challenges that you face, creating a configuration baseline and deploying applications that you need. Some challenges will be harder to pass than others, and some might be blockers. The point is, without starting your journey toward a future cloud-only future Windows device you will not know what to fix and what to talk to for instance the network team about.
To summarize, the future is to have your Windows devices connected cloud-only Azure AD and Intune. That has great advantages for end-users as well as IT. The fact that Microsoft themselves are living by this already, and the fact that they point customers towards this direction and in combination with all benefits should make this decision easy.
This is a high-level summary of the specific needs, business impact and listing of current profile management options for your physical and virtual Windows 10 and 11 devices. The focus is how to get back to a state which can make you productive as soon as possible after a device reinstall or reset. This scenario of course also covers when you get a new device that replaces an older one.
Most organizations have a policy that “we will troubleshoot a problem on a Windows device for X number of minutes, if we can’t solve it, let’s do a reinstall or reset”.
This might seem like a great policy that saves time for the service desk. But the numbers the management do not see is how much time have service desk have to spend on helping the user get back on track after the reinstall or reset? The same goes when user needs help transferring from one device to another as part of regular renewal of device. The potential time-saver here is enormous. If the user can get to a state that has everything the user needs available instantly, the user can become productive much quicker.
A consequence of having everything brought back quickly is that not only can the user be productive quicker, but the user will much more likely agree to a reinstall or reset when knowing the user can start working without hazzle again. It might also mean that you can reduce troubleshooting time from say 60 minutes down to 15 before you do a reinstall or reset. Overall a real time-saver and money-saver!
Needs and goals
Getting back to a state where a user can start working as soon as possible after re-install or reset of the device, or even when switching device as part of hardware renewal.
“Everything back as it was” (more details on this below). I.e., the time the user needs to spend on getting back to a state that just works as before needs to be minimized.
Expanded description of goals:
All files and documents back as they were and accessible by user.
All required applications back as they were. (This is out of scope for this blog post as most organizations use ConfigMgr, Intune or a third-party software to deploy applications).
All relevant settings back:
Specific settings for line of business applications.
Outlook signatures and calendar settings etc.
Printers and printer settings.
Browser related settings, favorites, and history, including saved passwords.
Mapped SharePoint sites (Teams files) in File Explorer.
Settings for apps.
Let’s have a look at what Microsoft technologies are available to solve the needs.
Personal files and documents
OneDrive for Business with Known Folder Move. If you have the possibility to use OneDrive for Business this is the best solution out there. Make sure to set the GPO or MDM setting to silently configure OneDrive to automatically have your OneDrive folder available after re-install or reset. Also set the policy setting “Enable Known Folder Move” to make sure that Desktop, Documents and Pictures folders are redirected to your OneDrive Folder. Reality check, do you know anyone who do NOT save stuff they need on the desktop? :)
Work Folders (which I typically call the internal OneDrive). Setting up Work Folders is easy, the role has existed in Windows Server since 2012 R2, thus requires a Windows File Server to setup and enable. Once you’ve setup Work Folders, use good old redirection of Documents and Desktop folders (and maybe Pictures as well) pointing to the local Work Folders directory just like it is done with Known Folder Move for OneDrive for Business.
Folder Redirection + offline files. Only two words: Stay away! (And migrate as soon as possible to OneDrive for Business or Work Folders if you are already using it). For some organizations I have worked with I have made it opt-in to use offline files, clearly stating the potential risks when opting in. Offline files cause user problems and have very high risk of user data loss.
Common or shared files and documents
SharePoint Sites (Teams files directories). Many users prefer to work with SharePoint sites and Teams files by syncing them to work with the files in File Explorer. There is no official way of having these remapped automatically after a reinstall or reset of a Windows device.
User Experience Virtualization (UE-V). I have many times referred to UE-V as the best thing since sliced bread. It is a technology that was released for about 10 years ago, with the intent to provide roaming of settings for Windows and applications (both Microsoft and any third party), using on-premises file shares. It also roams printers if you are not deploying those through other means.
Since Windows 10 version 1607 UE-V is integrated in the operating system. I’ve used UE-V quite a lot and this is a really good technology to get many settings back after a reinstall. In one case I could do a F12 reinstall of a Windows 10 device before going to lunch and after lunch I logged in and started working instantly, with all settings back. Those were the days!
Over time as applications are moving to the app’s world, UE-V has basically become less effective in its job. Also, after adding UE-V to Windows version 1607, UE-V has not gotten much love from Microsoft and as no development has been made for almost six years this is still something that most will benefit from, but sad to see that Microsoft do not care for this.
Enterprise State Roaming. About the same time that UE-V was integrated into Windows 10 we also saw the introduction of Enterprise State Roaming. This is a technology that use the cloud (a private protected and untouchable area) in Azure to store profile settings that roams with the user. For instance, background image, Windows theme settings and some other stuff is being roamed when enabling this through Azure AD. Sad to say, this feature is facing the same destiny as UE-V, with no new features or changes for the last six years or so.
Actually with Windows 11 the number of settings that roam using Enterprise State Roaming have decreased, now only roaming passwords, some Windows settings, and language preferences.
FSLogix profiles. Microsoft bought FSLogix and with that obtained their profile technology. This is a container-based profile solution used primarily in remote Windows solutions, such as Azure Virtual Desktop. Although the technology should be possible to use on physical machines as well, I haven’t many details regarding this and haven’t tried it our myself. One reason for this is that FSLogix profiles requires an Active Directory and is not yet (per January 2022) supported for Azure Active Directory, although this is announced in the future.
Outlook settings roaming. Finally you can roam your email signature and a bunch of other settings to the cloud – without doing anything other than making sure this option is enabled. Take a look at Outlook roaming options to get more information about this one.
Note1: Roaming profiles take care of both files and settings but like with folder redirection and offline files: Stay away from roaming profiles to make your life happier.
Note 2: As apps in Windows always store their configuration and user specific data in a standardized location. That is C:\Users\%username%\AppData\Local\Packages\%AppName%\ which means Microsoft should be able to provide a supported way of roaming these settings.
What settings can you use?
Depending on how your Windows devices are managed you can use some or all these technologies. This is applicable for Windows 10, Windows 11, Windows 365 as well as Azure Virtual Desktop. Note: All technologies below are not necessarily supported for all physical and virtual use cases.
Active Directory Joined
Hybrid Azure AD Joined
Azure AD Joined
User Experience Virtualization (UE-V)
Yes, pointing to file share
Yes, pointing to file share
Yes, pointing to OneDrive for Business local folder*
Enterprise State Roaming
No (not supported yet)
Edge profile sync
Outlook settings roaming
Summary of what profile technologies are available for various Windows device join types.
Summary of what profile technologies are supported officially by Microsoft.
* Technically it will work, but likely not supported by Microsoft for Windows 365 nor Azure Virtual Desktop. ** Supported only for personal pools – not multi-session Windows 10 or 11, nor Windows Server. *** For Azure Virtual Desktop, currently there is no support for Azure AD Joined devices.
With the existing Microsoft tools and technologies, you can reach a state where most of the stuff you want back actually is configured and brought back automatically. Getting the files and documents back is easy. Edge profile sync and Outlook settings roaming are a no-brainer and should be used by everyone.
UE-V and Enterprise State Roaming are not developed anymore but they still fill a purpose and can be very useful to save time, starting today, as they are very easy to get started with and has a very low implementation cost. FSLogix profiles are primarily intended for datacenter hosted solutions.
With those facts, there is a strong need for Microsoft to strengthen profile management to make it the true time-saver it can be. IT management would very much appreciate it I can assure. But the ones that would appreciate this the most are the end users!
I have been working with about 30 customers around Windows 10 since the launch of Windows 10 almost six years ago. I am the strongest of cloud advocates and for Windows as a service, but I must as a professional adjust and look at customer needs and conditions as well as cost efficiency. Among all deployment projects and customers I have worked with, only in two of those cases did we have to go with LTSC edition of Windows 10, after very careful and thorough evaluation of cloud and Windows as a Service being the natural top choices.
The reason for choosing LTSC with these two customers are simple and has been the same in both cases; they are ideal for devices that typically do not have any dedicated users and serve one purpose only, and that is to display information or let users interact with it through a single application as a kiosk. Often the hardware is not easily accessible. These devices must in many cases also be up and running 24/7 with no interruptions.
Another aspect to take into consideration is that the business does not care if it is Windows 10 version X or whatever version of anything if the monitor is displaying the information or performing what the business needs are.
Currently with 10 years support – Fire and forget
Windows 10 LTSC version 2019: Deploy to a computer purchased and it can run theoretically to January 2029. Typically, with 10 years support, if you deploy new hardware with the latest Windows 10 LTSC version you are good for up to 7-9 years. You will not have to touch the device until it is time to replace the computer after X number of years.
After Microsoft changing to 5 years support – Additional work and costs with no business value
Windows 10 LTSC 2022 (I guess 2022 will be the name as that applies to Windows Server 2022 which is based on the same bits and bytes) it will be supported to say fall 2025. If a new computer is installed in 2023 with Windows 10 LTSC 2022, it will have support for an additional 2 years, and at some point, before reaching the of support, it will have to be upgraded to a new version to remain supported for additionally five years.
The huge problem here is that this bring not only doubled license cost (or even more), but also mean that more work by IT will be required to upgrade the machines. This requires development of upgrade process and a lot of testing. The manhours required are at least three figures and will also involve and impact the business, with once again, no added business value whatsoever.
As this is often special hardware it is often placed in physical locations where the computers are not easily accessible, and the lifetime will likely exceed the typical lifetime of a device. And the fact that the hardware is placed in physical tight areas are also driving additional costs to exchange as there often needs to be special glass or metal work included.
Microsoft must reconsider to keep the support lifecycle for Windows 10 Enterprise LTSC at 10 years. Switching to Windows 10 IoT is not an option as that it not doable in terms of licensing as IoT is not available on enterprise agreements or through volume licensing, limited number of OEMs and re-imaging!
This is one of the most mysterious problems I’ve encountered! Anyone who can provide input is more than welcome to ping me on Twitter or Teams, or help by entering some basic information in this form.
UPDATE September 6, 2022: Update the problem description as the Web sign-in setting is also causing problems using Cloud PC (Windows 365): “Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?”. See more below under “Problem #2”.
UPDATE July 6, 2022: A response from Microsoft leads to the root cause being Web sign-in being enabled, which is in preview (and has been for quite a few years) and is also unsupported. Still does not explain the extreme intermittent occurrence of the problem but at least a great indicator and something to validate.
UPDATE July 5, 2022: Added this form to gather and hopefully be able to get to the root cause. Also, I’ve gotten indications on a potential causes leading to the New user state, more below.
You restart your Windows 10 or Windows 11 device (Azure AD Joined + MEM/Intune enrolled) and after the restart, instead of displaying the last logged on user, the only account on the sign-in screen is an account named “New User”.
This happens extremely rarely, but I’ve seen it a few times. The “New User” comes from nowhere and if you click Switch user it just returns to the same view as below.
I have seen the problem a few times for multiple Windows 10 versions back to at least Windows 10 v1909, and on multiple devices from multiple vendors. Unfortunately I’ve seen it once on a Windows 11 device as well. The other day this problem hit a colleague of mine as well so it’s not just me :) .
Cloud PCs established as part of Windows 365, in Azure AD Joined mode, experience the sign-in message that Other user is already logged in, every time when logging in (and even after restart):
Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?
I’ve gotten reports (thanks to the community) with a response from Microsoft leads to the root cause being Web sign-in being enabled, which is in preview (and has been for quite a few years) and is also unsupported.
This is also true for the environments where I have seen this problem occur so this is the most likely cause of the “New user” phenomena causing Problem #1!
For Problem #2 this setting is confirmed to be the problem – as that problem was very easy to reproduce!
I’ve seen this problem with a couple of customers now that is using Windows Update for Business, when some machines were not offered Windows 10 20H1 (May 2020 update a.k.a. version 2004) nor Windows 10 20H2 although no policies should block it. Note: This also applies to Windows 11 feature upgrades.
The new Windows 10 feature update is not offered via Windows Update (for Business) even if you do a manual scan for update. And, no feature update deferrals are configured, nor any specific Windows 10 version set using the “set feature update” to use. Still the new Windows 10 version is not offered which is sort of mysterious!
Good old WindowsUpdate.log comes to the rescue! Get-WindowsUpdateLogs generated the log and then the fun began. To be honest it’s been some time since I last went into this log file, and after browsing some hundred lines of logs something interesting popped up:
The interesting parts is in DataExpDateEpoch_20H1=1611187200 and if looking up that UNIX timestamp, it appears as though the installation would be performed on January 21, 2021 at midnight.
The variable for DataExpDateEpoch_20H1 or DataExpDateEpoch_20H2 is indicating that the feature update will not be offered until the date is reached.
The evidence is true for a specific model as all of the specific model are blocked with the same timestamp. The problem is seen with multiple vendors, Dell, and Lenovo at least.
The explanation for this behavior is that Microsoft are blocking upgrades due to model, driver of firmware issues. Instead of downloading the entire package, starting the setup, and then finding out of a compatibility issue is not optimal. What is better is to block the feature update from being offered at all and that is (likely) what is going on here.
This is described and can be followed up in detail by using Update Compliance which now holds the SafeGuard information!
As it turns out, it also seems that if whatever underlying problem is fixed on Microsoft’s end, the feature update can be offered before the expiration date occurs.
I’m adding a new dimension to my community work – combining passion in work with personal interest and believes.
My work which is all about helping organizations build and maintain a secure, mobile, and modern IT workplace. My interests are much about traveling and basically everything that has to do with flying. The last part is something very close to my heart and that is to help reduce impact on the climate and Earth’s limited resources, reaching a sustainable future.
If you combine this, you get Climate Smart IT (https://climatesmartit.com) and how IT can contribute to the organization’s sustainability goals! More can be done for the climate than just enabling double-sided printing :)
Did you for instance know that a typical corporate laptop in its entire lifecycle generates the equivalent amount of CO2 emissions as a 4-hour flight?
I noticed an interesting thing the other day when finalizing the annual MVP renewal stats for submission to Microsoft. One blog post, which I posted in October last year, stood out among all other posts on my blog. After looking into the stats for this specific blog post it turns out the number of views on this specific blog post has exploded in the last couple of weeks!
The blog post which has seen a huge increase in number of views recently is about remote controlling Windows computers and fixing the problem with not being able to elevate as administrator in the remote session. Specifically Fixing UAC elevation when remote controlling via Quick Assist or TeamViewer etc. As a side note, the number of views on my other blog posts remain pretty much the same the last month as before.
My interpretation of the increase for this particular blog post is the following. Many people are in a lockdown mode and working from home due to the coronavirus outbreak. IT personnel then need to support them while working remotely, and they encounter the issue of elevating as admin due to UAC and seek help fixing this problem.
Could it be a coincidence that this blog post has seen a huge increase in number of views the last couple of weeks? I think not. Stay safe and take care!
MSIX has been around for more than a year now and Microsoft is working hard with promoting and developing it. I consider this application packaging format to be the packaging format of the future as it has many benefits compared to traditional MSI packages.
However, in organizations you typically deploy applications using a deployment tool such as Intune or ConfigMgr. This is where the challenge lies today and to be very clear, this is a deployment blocker for starting to package and deploy line of business applications in MSIX format.
You package a line of business application in MSIX format. I use a couple of versions of 7-Zip in my testing.
You deploy the MSIX package via Intune (as a Line of Business app) as a required package to your end users. The app installs fine which is expected.
Now package a new version of the line of business app.
Deploy the package as required to your end users. The app installs fine, but the problem is that it is executed with the flag “ForceAppShutdown” meaning that the application while running is killed without warnings to the end user – This is not acceptable in any organization.
In the Event Viewer it is clear that the running app was shut down:
Microsoft > Windows > AppXDeploymentServer > Operational log Event ID 646 The running app 7-Zip_8b28rabfxvc2a!SevenZFM was shut down for servicing (Priority=0x1).
Note: The problem is the same regardless if the app is targeted as required or available deploy and installed in user or device context.
Since Windows 10 version 2004 there is a new switch to the PowerShell cmdlet Add-AppXPackage that will defer an app upgrade until the app is is closed, after which the update is installed on next start of the app.
The switch is DeferRegistrationWhenPackagesAreInUse which also works as you can expect when running the command manually on a Windows 10 v2004 machine. Source
Microsoft, please make sure that Windows 10 utilize the switch “DeferRegistrationWhenPackagesAreInUse” when deploying custom packaged app updates to MSIX packages via Intune (and likely also ConfigMgr). An option in Intune to control how updates are handled would also be nice and there are probably other solutions as well.