Hybrid AD Joined Device has Trust Relationship Error with Active Directory after Autopilot Completes

Adam Gross | SCCM | 2 Comments

This blog post explains my findings on an Autopilot trust relationship error for a Hybrid AD Joined device. Today I was testing Hybrid Azure AD Join Autopilot provisioning, and every machine I tested had the same issue: it would briefly flash the Enrollment Status Page (ESP), then show the Windows logon screen as if it had completed successfully, and it even appeared to be AD joined based on the logon page. When attempting to log in, however, the following message was displayed: "The security database on the server does not have a computer account for this trust relationship." Generally, this or a similar error shows up when an Active Directory domain-joined device has been deleted from Active Directory or the account has been disabled. In the case of Windows Autopilot, the process for joining a device to Active Directory during Hybrid AD Join uses the Intune Active Directory Connector service to … Read More

How to Install and Configure Azure AD Connect

Adam Gross | SCCM | 4 Comments

If you have an existing on-premises Active Directory infrastructure and plan to use SCCM Co-Management, you will need Azure AD Connect. This post will cover installing Azure AD Connect and configuring Hybrid Azure AD Join and Seamless Single Sign-On using Password Hash Sync. There are many additional options that are covered in the Microsoft Docs. This post assumes you already have an Azure Active Directory tenant and have added your custom domain to Azure AD.

Where to Get Azure AD Connect

Log into your Azure AD Tenant by going to portal.azure.com.
Click Azure Active Directory
Select Azure AD Connect
Click Download Azure AD Connect

Installing Azure AD Connect

Review the latest prerequisite information from Microsoft Docs, specifically the Azure AD Connect server section, to ensure that your server meets the requirements. Launch the AzureADConnect.msi that you downloaded in the previous step. You will be presented with the Microsoft Azure … Read More

Remove Recurring Schedules from Device Collections in SCCM Before Upgrading to 1810

Adam Gross | SCCM | 16 Comments

Today I upgraded my production SCCM/ConfigMgr environment from 1806 to 1810, but before I did, I took care of some housekeeping that saved me a fair amount of work on the backend. If you’re like me, you try to ensure that your collections aren’t being refreshed unnecessarily. For collections where I have direct or include/exclude rules, I always uncheck the incremental and scheduled refresh boxes when setting up the collection. However, there’s one extra step that I haven’t been doing that requires just a bit of consideration before upgrading to 1810. The picture below is the setting in question.

The Issue

The Release Notes for SCCM 1810 state the following: Previously, when you configured a schedule on a query-based collection, the site would continue to evaluate the query whether or not you enabled the collection setting to Schedule a full update on this collection. To fully disable the schedule, you had … Read More