Intune Manual Enrollment Issues - Remote Branch with On-Prem AD

Posted by Ok_Breakfast3879@reddit | sysadmin | View on Reddit | 2 comments

Hey r/sysadmin,

We're running into a weird issue with Intune enrollment in our remote branch. Here's the situation:

On-prem AD with non-routable UPNs.
Azure AD Connect is not an option (no global admin access on HQ side).
Intune is managed by HQ.
Manual enrollment via "Connect a work or school account" and Company Portal app.

The Problem: Some devices enroll just fine, others don't. We've granted local admin rights to our domain users, but it hasn't solved the issue. The devices that fail to enroll simply don't show up in Intune at HQ.

What we've tried:

Verified user licenses.
Checked for any relevant error messages during enrollment.
Ensured devices have internet access.

Any ideas what could be causing this inconsistency? Could it be a firewall issue? DNS problems? Some hidden Intune setting we're missing? Any troubleshooting tips would be greatly appreciated!

Thanks in advance for your help!

[-]

rwdorman@reddit

Any chance you are enrolling some from a guest network (public DNS) and some internal (internal DNS)? You may need the enterprise enrollment CNAMEs internally.

Emotional_Garage_950@reddit

the scenario doesn’t make sense, without AAD/Entra Connect or Entra Join, you are basically doing a “workplace join”, which is for personal devices/byod.

regardless, dsregcmd /status may tell you if the device has already been workplace joined using a different account, in which case what you’re trying to do will fail