Intune – You Can Now Get Windows 10 Join An Active Directory ...

It has been quite a limitation so far for Windows 10 managed with Intune; it was impossible to get them to join an Active Directory domain using Autopilot, making these devices Azure AD Hybrid joined devices.

Now (currently in preview – so there could be some glitch and may change), you can assign an Intune profile to your Windows 10 devices to join your Active Directory domain.

Off course, to get it working you need to ensure the device will be connected to your corporate network to be able to access your Active Directory to make the join operation.

NOTE this is also currently being rolled out; so if you are missing all or some of these options you will need to wait a little.

Setup Windows 10 Automatic Enrolment

You need to ensure your Mobility option (MDM/MAM) is set to Intune and targeted users are part of the MDM user scope (from the Azure Active Directory\Mobility (MDM and MAM) blade).

Delegate Computer objects creation

Delegate the create and delete actions (using the Create custom task to delegate option) for Computer objects to the OU where the Autopilot, with Full control to the computer hosting the connector.

You need to ensure the Autopilot OU is sync with Azure AD.

Download and install the Intune Connector

Access the Intune\Device enrollment\Windows enrollment\Intune Connector for Active Directory (Preview) blade to download and add a connector.

Once downloaded, run the connector setup

NOTE with the preview ensure you have English US language only

Once installed click on the Configure Now button; this will launch the connector registration process – use either a Global Administrator or an Intune Administrator account

Once your connector has been successfully registered it will display in the Intune Connector for Active Directory blade

You can also check the service Intune ODJConnector Service

A Windows event log – ODJ Connector Service – is also available below the Applications and Services Logs

Just after the setup, you may have quite few errors/warnings while the connector tries to register. Check for the event 10200 which confirms the completion of the registration.

Create an Intune Group

Then you need to create an Intune group which will be used to apply the Autopilot profile

Choose to create a dynamic device group and use the following membership rule

• To include all Autopilot devices: (device.devicePhysicalIDs -any _ -contains “[ZTDId]”)
• To include specific Autopilot devices based on Order or Purchase ID: (device.devicePhysicalIds -any _ -eq “[OrderID]:<your order ID>”) or (device.devicePhysicalIds -any _ -eq “[PurchaseOrderId]:<your purchase order ID>”)

Register your devices for Autopilot

You can either use the ‘default’ way to register your devices for Autopilot or use the new option to convert already registered devices to Autopilot (see https://t.co/SWJmYZOuMo)

Configure Autopilot deployment profile

Go to the Device enrollment\Windows enrollment\Deployment profiles to create a User Driven profile using the Hybrid Azure AD Joined option

Once the profile is created, assign it to the device group you have created earlier.

Configure a Domain Join profile

Create a new profile for Windows 10 from the Intune\Device configuration\Profiles configuration blade

Define the required fields (name, platform, profile type and configure)

• Name: name the profile as you want
• Platform: Windows 10 and later
• Profile type: Domain join
• Configure
  • Computer name prefix: define the computer name prefix; keep in mind the name is limited to 15 characters so defined a shorter prefix; remaining characters will be used to uniquely name the computer
  • Domain name: your fully qualified Active Directory domain name (aka mydomain.local)
  • Organization Unit: (optional – if not set, will use the default/standard Computer OU). You need to use the full path (aka the distinguished name – OU=myou,DC=mydomain,DC=local)

Finally assign the profile to the previously created group.

This is it. Remember, the device need to be in your corporate network to access Active Directory when applying the Autopilot profile.