Windows Autopilot Hybrid Domain Join Step by Step Implementation Guide

Windows Autopilot Hybrid Domain Join

In most Windows Autopilot deployments, the Windows 10 machine is Azure AD joined. But the majority of organizations still rely on an on-premises Active Directory join. In this post, you will learn the details of the Windows Autopilot Hybrid Domain Join scenario.

Windows Autopilot Related Posts

Following are some of the basic posts related to Windows Autopilot. Hopefully, these posts will help you start your Windows Autopilot journey.

1. Beginners Guide Setup Windows Autopilot Deployment 
2. Dynamically Deploy Security Policies and Apps to Windows Autopilot Devices
3. Where is Autopilot Assign Profile Button in Intune Portal
4. Windows Autopilot End to End Process Guide
5. Repurpose/Reprovision Existing Devices to Windows Autopilot
6. Windows AutoPilot Profile AAD Dynamic Device Groups.
7. Windows Autopilot License Requirements

Introduction

Why are we talking about Hybrid Azure AD Join? Hybrid Azure AD Join is the same as Hybrid Domain Join when your on-prem Active Directory is synced with Azure AD using AAD Connect.

There are many dependencies that require on-prem Active Directory or domain-joined Windows 10 devices.

NOTE! – In this post, Hybrid Azure AD Join is referred to as Hybrid Domain Join and Domain Join.

The dependencies are mainly Group Policy and application authentication (legacy, mainly NTLM). Many organizations want to adopt a new deployment method using Autopilot, but at the same time they also want their Windows 10 devices to be part of Active Directory.

To meet the above criteria, Microsoft introduced the “Hybrid Azure AD Join or Hybrid Domain Join” deployment. You can deploy a Hybrid Autopilot profile from Intune. With this solution, we can provision Windows 10 using Intune, and the computer will be joined to on-premises Active Directory as well.

This is a series of posts as listed below.

  • Hybrid Azure AD join Architecture and How to setup Windows Autopilot from Intune Portal (This Post)
  • Hybrid Azure AD join Autopilot – Troubleshooting Tips

Windows Autopilot Hybrid Domain Join Setup Architecture

Following is the high-level architecture flow of the Windows Autopilot Hybrid Domain Join setup.

Windows Autopilot Hybrid Domain Join – Pic credit to Microsoft

Windows Autopilot Workflow – Hybrid Azure AD Join

In this section, you will see the 12-step workflow of the Windows Autopilot Hybrid Domain Join scenario.

Workflow – Windows Autopilot Hybrid Domain Join
  1. The user receives the Windows 10 Autopilot-enabled computer from the OEM or IT.
  2. The user switches on the computer. The computer connects to the Autopilot service and downloads the hybrid Autopilot profile (Windows Autopilot Hybrid Domain Join profile).
  3. The user goes through the Autopilot OOBE and signs in using the corporate account.
  4. The computer enrolls in Intune. The offline domain join configuration profile is deployed from Intune. The computer then asks for the offline domain join blob.
  5. Intune communicates with the Intune AD connector, installed on your on-premises server, to request the offline domain join blob.
  6. The Intune AD connector communicates with AD and creates the offline domain join blob.
  7. The AD connector sends the offline domain join blob back to Intune.
  8. Intune sends the offline domain join blob to the device.
  9. The computer applies the offline domain join blob and restarts. The user logs in with AD credentials.
  10. Intune deploys policies and apps to the computer (Enrollment Status Page, optional).
  11. The user is prompted to log in using domain credentials. Group Policies are deployed from Active Directory. Intune also pushes policies in the back end.
  12. The user logs in and is ready to work.

Prerequisites for Hybrid Autopilot Setup

The prerequisites for Windows Autopilot Hybrid Domain Join are divided into two groups: server side and client side.

Server-side Prerequisites

Note: It is recommended to configure the Intune AD connector to bypass the on-premises proxy.

Client-side Prerequisites

  • Windows 10, version 1809 or later.
  • Internet access. In the Windows Autopilot Hybrid Domain Join scenario, the proxy rule applies to the client side as well as the server side.
  • Connectivity to Active Directory and domain controller during deployment.

NOTE! – A VPN connection to on-prem AD is not supported.

Hybrid Autopilot Configuration Steps

Let’s check the configurations required for the Windows Autopilot Hybrid Domain Join setup, divided into two groups. In this post, we will go through these configurations in detail.

  1. On-premise configurations
  2. Cloud configurations (Intune)

On-premise configurations

There are two configurations required on the on-premises side.

  • Setup Intune AD Connector (Intune Connector for Active Directory)
  • Delegate Permissions

Intune AD connector (Intune Connector for Active Directory)

Following are the Intune AD connector requirements. Make sure that you have all the requirements in place before the implementation.

  • The Intune Connector installation requires Windows Server 2016 or later.
  • The Intune Connector server should be able to communicate with Active Directory.
  • The Intune Connector server must have access to the internet. If you have a proxy in your environment, then follow the proxy recommendations.
  • In production, for high availability, consider multiple servers with the connector.
  • If you have many Active Directory domains in your environment, then consider a connector for each domain.
  • The Intune AD connector server system locale should be set to English (US).

How to Configure Intune Connector for Active Directory

The following steps will help you complete the configuration of the Intune AD connector (Intune Connector for Active Directory) for Windows Autopilot Hybrid Domain Join scenarios.

  • Log in to the Intune console.
  • Select Device enrollment > Windows enrollment > Intune Connector for Active Directory > Add connector > click the link to download the Connector setup file.
Windows Autopilot Hybrid Domain Join – Intune Connector for Active Directory

ODJConnectorBootstrapper.exe will be downloaded.

  • Copy ODJConnectorBootstrapper.exe to the server designated to host the Intune Connector for Active Directory.
  • Install the executable ODJConnectorBootstrapper.exe.
  • Click Browse if you want to change the default installation path.
ODJConnectorBootstrapper.exe – Intune Connector for Active Directory
  • Select Configure after the Intune AD connector installation completes.
Intune Connector for Active Directory Installation

Select Sign In.

Configure – Intune Connector for Active Directory

NOTE! – Sign in using a Global Administrator or Intune Administrator user. Ensure the admin has an Intune license assigned.

  • The Intune Connector for Active Directory gets enrolled. After a few minutes, the Intune AD connector server starts communicating with the Intune cloud service.
The Intune Connector for Active Directory successfully enrolled – Windows Autopilot Hybrid Domain Join scenario

NOTE! – For Intune connector installation logs, navigate to the path below: C:\Users\userid\AppData\Local\Temp\Intune_connector_for_Active_Directory_<Year>


You can refer to the log below for more details on the installation.


NOTE! – After sign-in, the Intune connector will start communicating with your Azure tenant. It takes less than 5 minutes for the connector to appear in the Intune console. Navigate to the path below to see all the connectors in your environment. You can also verify the latest Intune connector sync time stamp.


Delegate permission for Intune Connector for Active Directory

The Offline Domain Join Connector service is responsible for creating computer objects. The Offline Domain Join Connector acts as a mediator: its service communicates with on-premises Active Directory and the Intune cloud.

As shown in the picture below, the connector service runs as the Local System account. Hence the server's computer object (SERVERNAME$) must have permission to create computer objects in AD.

Intune ODJConnector Service – Windows Autopilot Hybrid Domain Join

NOTE! – By default, any domain account has permission to join a maximum of 10 computers to AD. To change this default behavior, you need to delegate permission. Let’s configure the permission.

  • Launch Active Directory Users and Computers (dsa.msc).
  • Right-click the organizational unit and then select Delegate Control.
Delegate Control for Intune Connector for Active Directory – Windows Autopilot Hybrid Domain Join Scenario
  • Select Next to continue.
Windows Autopilot Hybrid Azure AD Join – Intune Connector Delegation
  • In the Delegation of Control wizard, add your Intune connector server computer object.
  • Select Create a custom task to delegate > Next.
  • Select the Computer objects, Create selected objects in this folder, and Delete selected objects in this folder check boxes.
  • Select Next.
  • Under Permissions, select the Full Control check box as shown below.

You have completed the delegation of permission that lets the Intune AD connector create the offline domain join blob for the Windows Autopilot Hybrid Domain Join scenario.
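To confirm the delegation actually took effect, here is an added PowerShell check that is not part of the original post. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, uses placeholder names for the connector server and the target OU, and also reads the ms-DS-MachineAccountQuota attribute behind the 10-computer default mentioned above.

```powershell
# Added example (not from the original post). Placeholder values: replace with your own.
Import-Module ActiveDirectory

$ConnectorHost     = 'ODJCONNECTOR01'                      # placeholder: Intune AD connector server
$TargetOu          = 'OU=Autopilot,DC=contoso,DC=com'       # placeholder: OU used in the Domain Join profile
$ComputerClassGuid = 'bf967a86-0de6-11d0-a285-00aa003049e2' # schemaIDGUID of the AD "computer" class

# 1. The default quota that lets any domain user join up to 10 machines.
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $domainDn = $quota"

# 2. The connector runs as Local System, so in AD it acts as the server's computer account (SERVERNAME$).
$connectorSid = (Get-ADComputer -Identity $ConnectorHost).SID
$connectorNt  = $connectorSid.Translate([System.Security.Principal.NTAccount]).Value   # e.g. CONTOSO\ODJCONNECTOR01$

# 3. Read the OU's DACL and keep only the ACEs granted to that computer account.
$acl  = Get-Acl -Path "AD:\$TargetOu"
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $connectorNt -and $_.AccessControlType -eq 'Allow' }

$rights = [System.DirectoryServices.ActiveDirectoryRights]
# Delegation wizard step "Create/Delete selected objects in this folder" = CreateChild/DeleteChild scoped to computer objects.
$canCreate = [bool]($aces | Where-Object { (($_.ActiveDirectoryRights -band $rights::CreateChild) -ne 0) -and $_.ObjectType -eq $ComputerClassGuid })
$canDelete = [bool]($aces | Where-Object { (($_.ActiveDirectoryRights -band $rights::DeleteChild) -ne 0) -and $_.ObjectType -eq $ComputerClassGuid })
# Delegation wizard step "Full Control" = GenericAll inherited by descendant computer objects.
$fullCtrl  = [bool]($aces | Where-Object { (($_.ActiveDirectoryRights -band $rights::GenericAll) -ne 0) -and $_.InheritedObjectType -eq $ComputerClassGuid })

[pscustomobject]@{
    ConnectorAccount        = $connectorNt
    TargetOu                = $TargetOu
    CanCreateComputerObject = $canCreate
    CanDeleteComputerObject = $canDelete
    FullControlOnComputers  = $fullCtrl
    DelegationComplete      = ($canCreate -and $canDelete -and $fullCtrl)
}
```

If DelegationComplete is False, the offline domain join blob request in step 6 of the workflow will fail even though the connector itself shows as enrolled in the Intune console.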


Intune cloud Side Configurations

In this section, we will go through the different configurations required within the Intune console for the Windows Autopilot Hybrid Azure AD Join (Windows Autopilot Hybrid Domain Join) scenario.

Intune Autopilot Profile Configuration

The following configuration steps will help you configure the Windows Autopilot hybrid domain join scenario.

  • Log in to Intune and select Device enrollment > Windows enrollment > Deployment Profiles > Create Profile.
  • Type a Name and, optionally, a Description.
  • For Deployment mode, select User-driven.
  • In the Join to Azure AD as box, select Hybrid Azure AD joined.
  • Select Out-of-box experience (OOBE). Configure the OOBE options as needed and create the profile.
Intune Windows Autopilot Profile Configuration
  • In the profile pane, select Assignments, and then Select groups.
  • In the Select groups pane, select your device group. Please make sure the Autopilot computer hardware ID is imported and added to the device group.

Intune Configuration Profile – Hybrid Domain Join

In this section, we will go through the Domain Join configuration profile for Windows Autopilot Hybrid Domain Join. This profile defines the three (3) settings below.

  1. Computer naming template
  2. Domain name
  3. Organizational Unit path

  • In Intune, select Device configuration > Profiles > Create Profile.
  • Select Windows 10 and later.
  • Profile type: select Domain Join.
  • Provide a Computer name prefix, Domain name, and (optional) Organizational unit in DN format.
Intune Offline Domain Join – Windows Autopilot Hybrid Azure AD

Notes from the Field:

#1 – Please ensure the Organizational Unit is in DN format. If there is any typo, then your computer will be stuck with the message “Please wait while we set up your device.” I will cover this in my second post. If you don’t set the Organizational Unit, then the default Computers container is used.

#2 – Hybrid Autopilot supports computer naming using a prefix only. You cannot use variables such as %SERIAL%. If you use variables, then you will get the error message “Something went wrong” with code “80180005” or “80070774”. I will explain this in my second post.

  • Assign the profile to the Autopilot device group.
Offline Domain Join Assignment – Windows Autopilot Hybrid Domain Join
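Because a typo in the OU DN or a variable in the name prefix only shows up as a stuck OOBE or an 8018xxxx code on the device, a pre-flight check of the three profile values is worth running from the connector host before the profile is created. The PowerShell below is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, uses placeholder values, and the 15-character letters/digits/hyphens name rule it enforces is the standard Windows computer-name limit rather than something stated on this page.

```powershell
# Added example (not from the original post): validate Domain Join profile inputs before entering them in Intune.
Import-Module ActiveDirectory

function Test-OdjProfileInputs {
    param(
        [Parameter(Mandatory)] [string] $ComputerNamePrefix,
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $OrganizationalUnit      # optional: blank means the default Computers container is used
    )
    $problems = @()

    # Notes from the Field #2: only a static prefix is supported; %SERIAL%-style tokens fail with 80180005/80070774.
    if ($ComputerNamePrefix -match '%') {
        $problems += "Prefix '$ComputerNamePrefix' contains a variable token; only a static prefix is supported."
    }
    # Assumption (Windows computer-name rule, not from the post): 15 characters max, letters/digits/hyphens,
    # and the prefix must leave room for the random suffix Intune appends.
    if ($ComputerNamePrefix -notmatch '^[A-Za-z0-9-]+$') {
        $problems += "Prefix '$ComputerNamePrefix' has characters other than letters, digits or hyphens."
    }
    if ($ComputerNamePrefix.Length -ge 15) {
        $problems += "Prefix is $($ComputerNamePrefix.Length) characters; it must be shorter than 15 to leave room for the suffix."
    }

    # The domain must be reachable from the connector host, which is where the ODJ blob is produced.
    try { $null = Get-ADDomain -Identity $DomainName -ErrorAction Stop }
    catch { $problems += "Domain '$DomainName' could not be contacted: $($_.Exception.Message)" }

    # Notes from the Field #1: the OU must be a real DN; a typo here leaves the device at "Please wait while we set up your device".
    if ($OrganizationalUnit) {
        if ($OrganizationalUnit -notmatch '^(OU|CN)=.+,DC=') {
            $problems += "OU '$OrganizationalUnit' is not in DN format (expected OU=...,DC=...)."
        } else {
            # Get-ADObject accepts both OUs and containers such as CN=Computers.
            try { $null = Get-ADObject -Identity $OrganizationalUnit -Server $DomainName -ErrorAction Stop }
            catch { $problems += "OU '$OrganizationalUnit' was not found in $DomainName." }
        }
    }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Placeholder values: replace with the ones you intend to enter in the Intune profile.
Test-OdjProfileInputs -ComputerNamePrefix 'AP-' -DomainName 'contoso.com' -OrganizationalUnit 'OU=Autopilot,DC=contoso,DC=com'
```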

CSP to Disable User Setting in ESP

In the Windows Autopilot Hybrid Domain Join profile scenario, you may observe an error on the Enrollment Status Page (ESP). This error is because of the timeout mentioned in Michael Niehaus's post.

The CSP configuration below will prevent this timeout error. In my second post, I will explain the Windows Autopilot Hybrid Domain Join troubleshooting tips. Let’s go through the steps to configure this CSP.

./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage

  • Navigate via the Intune blade: Create profile > Settings > Configure > Custom OMA-URI Settings > Windows 10 and later > Add OMA-URI settings.
  • Assign the CSP to the Autopilot device group.

(Optional) Turn on the Enrollment Status Page

It is recommended to enable the Enrollment Status Page. For more details, refer here.

Results – Windows Autopilot Hybrid Domain Join

After completing the Windows 10 deployment using Hybrid Autopilot, you will get the login screen seen below, where you can log in to the computer using an AD domain user account.


After login, you can verify whether your machine is hybrid domain joined by executing the command below.

dsregcmd /status
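Reading the dsregcmd output by eye is error-prone, so here is an added PowerShell helper (not from the original post) that parses it into an object and checks the two fields a hybrid join must both report as YES. Run it on the freshly deployed device; the field names it reads (AzureAdJoined, DomainJoined, DomainName, TenantName, DeviceId) are the ones dsregcmd prints.

```powershell
# Added example (not from the original post): parse dsregcmd /status and verify the hybrid join state.
function Get-DsregState {
    param([string[]] $StatusLines)   # the text lines produced by dsregcmd /status
    $state = @{}
    foreach ($line in $StatusLines) {
        # Lines look like "             AzureAdJoined : YES"; the first " : " separates key from value.
        # Section headers such as "| Device State |" do not match and are skipped.
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined  = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined   = ($state['DomainJoined']  -eq 'YES')
        DomainName     = $state['DomainName']
        TenantName     = $state['TenantName']
        DeviceId       = $state['DeviceId']
        # Hybrid Azure AD joined means the device is joined to both on-prem AD and Azure AD.
        IsHybridJoined = ($state['AzureAdJoined'] -eq 'YES' -and $state['DomainJoined'] -eq 'YES')
    }
}

$result = Get-DsregState -StatusLines (dsregcmd /status)
$result
if (-not $result.IsHybridJoined) {
    # DomainJoined turns YES right after the ODJ blob is applied; AzureAdJoined follows once the
    # computer object has synced through AAD Connect and the device has registered, so allow time before escalating.
    Write-Warning "Device is not hybrid joined yet (AzureAdJoined=$($result.AzureAdJoined), DomainJoined=$($result.DomainJoined))."
}
```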


In my second post, we will go through the events and logs that help in troubleshooting.

Resources

10 COMMENTS

  1. I keep having errors the whole day, “Please wait while we set up your device”, but I have configured everything correctly and it has been working for months until today.

  2. I am confused. When I first set this up for a customer, do I have to be on-prem with the domain controller? Maybe I assumed I could go through the steps and do an offline domain join, reseal the device, and send it to the customer domain joined with all of their apps needed to run.
