Issues with Hybrid AD Join for Laptops

Asked By TechSavvy2023 On

Hey everyone, I need some help with a setup we have going on. We have a vendor connected via a site-to-site tunnel, and their machines are successfully joined to our traditional Active Directory. However, we're facing issues with these machines getting Hybrid AD joined. This is a problem because our Intune Conditional Access policy requires devices to be Hybrid AD joined to allow VPN access. When I run the dsreg commands on these machines, they come back showing that they are NOT Hybrid AD joined. There's a Group Policy Object (GPO) in place that's supposed to handle the hybrid AD join. Has anyone experienced something like this? I'm considering running a gpupdate /force on the devices to see if that pushes the registration through to Intune. Any insights or suggestions would be greatly appreciated! Oh, and I also got this error code: 0x80090311, which indicates an inability to retrieve the Kerberos ticket.

2 Answers

Answered By NetworkGuru42 On

I really don’t think the site-to-site tunnel is the issue here. The configuration for the GPO should be handling the Hybrid AD join without it being a factor.

Answered By SysAdminNinja77 On

Have you made sure that the Entra AD sync tool is installed and configured correctly in your domain? That could be crucial for the synchronization process.

TechSavvy2023 -

Yeah, it's been in place for a while now. I'm starting to think maybe the sync frequency isn’t sufficient for these laptops to get their Hybrid AD join status updated promptly.
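The dsreg check mentioned in the question, as an added example that is not part of any participant's post: it parses dsregcmd /status and reports a device as hybrid joined only when both DomainJoined and AzureAdJoined read YES. The helper names and the sample output are constructed for illustration.

```powershell
# Constructed sample of `dsregcmd /status` output, used when the tool is absent.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : EXAMPLE

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

          Client ErrorCode : 0x80090311
'@ -split '\r?\n'

# Hypothetical helper: turn "Name : Value" lines into a hashtable.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Banner lines (+---, | Title |) contain no " : " separator and are skipped.
        $parts = $line -split '\s+:\s+', 2
        if ($parts.Count -eq 2) { $state[$parts[0].Trim()] = $parts[1].Trim() }
    }
    $state
}

# Hypothetical helper: summarise the join state from the parsed fields.
function Get-HybridJoinSummary {
    param([hashtable]$State)
    $domain = $State['DomainJoined'] -eq 'YES'
    $entra  = $State['AzureAdJoined'] -eq 'YES'
    [pscustomobject]@{
        DomainJoined    = $domain
        AzureAdJoined   = $entra
        HybridJoined    = $domain -and $entra
        ClientErrorCode = $State['Client ErrorCode']   # $null when no error was logged
    }
}

# Use live output on a Windows client, otherwise the constructed sample.
$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd.exe /status } else { $sample }
Get-HybridJoinSummary (ConvertFrom-DsregStatus $lines)
```

Running it before and after a gpupdate /force shows whether the join state actually changed rather than relying on the Conditional Access result.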
