Windows Autopilot Hybrid Domain Join Step By Step Guide
Let’s learn more about the Windows Autopilot Hybrid Domain Join step-by-step implementation guide. This post covers the details of the Windows Autopilot Hybrid Domain Join scenario.
In most Windows Autopilot deployments, a Windows 10 or Windows 11 machine is joined to Azure AD. However, most organizations still rely on on-premises Active Directory.
A Hybrid Azure AD joined device is domain joined and also registered with Azure AD. So you will need connectivity to the on-prem Active Directory, and you will also need additional components such as the Intune Connector for Active Directory.
The following are some of the basic posts related to Windows Autopilot. Hopefully, these posts will help you start the Windows Autopilot journey.
| Index |
|---|
| Windows Autopilot Hybrid Domain Join |
| Windows Autopilot Hybrid Domain Join Setup Architecture |
| Windows Autopilot Workflow – Hybrid Azure AD Join |
| Prerequisites for Hybrid Autopilot Setup |
| Server-side Prerequisites |
| Client-side Prerequisites |
| Hybrid Autopilot Configuration Steps |
| On-premise configurations |
| Intune AD connector (Intune Connector for Active Directory) |
| How to Configure Intune Connector for Active Directory |
| Delegate permission for Intune Connector for Active Directory |
| Intune Cloud Side Configurations |
| Intune Autopilot Profile Configuration |
| Intune Configuration Profile – Hybrid Domain Join |
| Notes from the Field: |
| CSP to Disable User Setting in ESP |
| (Optional) Turn on the Enrollment Status Page |
| Results – Windows Autopilot Hybrid Domain Join |
1. Beginners Guide Setup Windows Autopilot Deployment
2. Dynamically Deploy Security Policies and Apps to Windows Autopilot Devices
3. Where is the Autopilot Assign Profile Button in the Intune Portal
4. Windows Autopilot End-to-End Process Guide
5. Repurpose/Reprovision Existing Devices to Windows Autopilot
6. Windows AutoPilot Profile AAD Dynamic Device Groups
7. Windows Autopilot License Requirements
Windows Autopilot Hybrid Domain Join
Why are we talking about Hybrid Azure AD Join? Hybrid Azure AD Join is the same as Hybrid Domain Join when your on-prem Active Directory is synced with Azure AD using AAD Connect.
There are many dependencies that require on-prem Active Directory or domain-joined Windows 10 devices.
NOTE! – In this post, Hybrid Azure AD Join is referred to as Hybrid Domain Join and Domain Join.
These dependencies are mainly Group Policy and legacy application authentication (mainly NTLM). Many organizations want to adopt a new deployment method using Autopilot, but at the same time they also want Windows 10 to be part of Active Directory.
Microsoft introduced the “Hybrid Azure AD or Hybrid Domain Join” deployment to meet the above criteria. You can deploy a Hybrid Autopilot profile from Intune. With this solution, we can provision Windows 10 using Intune, and the computer is joined to the on-premises Active Directory as well.
This is a series of posts, as listed below.
- Hybrid Azure AD join Architecture and How to set Windows Autopilot from Intune Portal (This Post)
- Hybrid Azure AD join Autopilot – Troubleshooting Tips
Windows Autopilot Hybrid Domain Join Setup Architecture
The following is the high-level architecture flow of the Windows Autopilot Hybrid Domain Join setup.

Windows Autopilot Workflow – Hybrid Azure AD Join
This section contains an easy-to-follow, 12-step workflow for the Windows Autopilot Hybrid Domain Join scenario. I hope it helps you!

- The user receives the Windows 10 Autopilot-enabled computer from the OEM or IT.
- The user switches on the computer. The computer connects to the Autopilot service and downloads the hybrid Autopilot profile (Windows Autopilot Hybrid Domain Join profile).
- The user goes through the Autopilot OOBE and signs in with the corporate account.
- The computer is enrolled in Intune. The offline domain join configuration profile is deployed from Intune, and the computer then requests an offline domain join blob.
- Intune communicates with the Intune AD connector, installed on your on-premises server, to obtain the offline domain join blob.
- The Intune AD connector communicates with AD and creates the offline domain join blob.
- The AD connector sends the offline domain join blob back to Intune.
- Intune sends the offline domain join blob to the device.
- The computer applies the offline domain join blob and restarts; the user can then log in with AD credentials.
- Intune deploys policies and apps to the computer (Enrollment Status Page, optional).
- The user is prompted to log in using domain credentials. Group Policies are applied from Active Directory, and Intune also pushes policies in the background.
- The user logs in and is ready to work.
Prerequisites for Hybrid Autopilot Setup
The prerequisites for Windows Autopilot Hybrid Domain Join are divided into server-side and client-side.
Server-side Prerequisites
- Configured hybrid Azure Active Directory join.
- Windows 10 automatic MDM enrollment enabled
- Windows Server 2016 or above (To Install the Intune AD Connector)
- Internet connectivity on Intune Connector for Active Directory Server.
- If there are any Internet proxies, make sure you go through this article.
Note: It is recommended to configure the Intune AD connector to bypass the on-premises proxy.
Client-side Prerequisites
- Windows 10, version 1809 or later.
- Internet access. In the Windows Autopilot Hybrid Domain Join scenario, the proxy rule should apply to both the client and the server.
- Connectivity to Active Directory and domain controller during deployment.
NOTE! – VPN connection to on-prem AD was originally not supported. VPN connection to on-prem AD is supported now.
Hybrid Autopilot Configuration Steps
The configurations required for the Windows Autopilot Hybrid Domain Join setup fall into two groups. In this post, we will go through these configurations in detail.
- On-premise configurations
- Cloud configurations (Intune)
On-premise configurations
There are two configurations required as part of on-premise configurations.
- Setup Intune AD Connector (Intune Connector for Active Directory)
- Delegate Permissions
Intune AD connector (Intune Connector for Active Directory)
The following are the Intune AD connector requirements. Make sure all of them are in place before the implementation.
- The Intune Connector installation requires Windows Server 2016 or later.
- Intune Connector Server should be able to communicate with Active Directory.
- The Intune Connector Server must have access to the Internet. If you have a proxy in your environment, please follow the proxy recommendations.
- In production, consider multiple servers with connectors for high availability.
- Consider a connector for each Active Directory domain if you have multiple domains in your environment.
- The Intune AD connector server system locale should be set to English (US).
How to Configure Intune Connector for Active Directory
The following steps will help you complete the Intune AD connector configuration (Intune Connector for Active Directory) for Windows Autopilot Hybrid Domain Join scenarios.
- Log in to the Intune console.
- Select Device enrollment > Windows enrollment > Intune Connector for Active Directory > Add connector > Click on the download Connector setup file.

ODJConnectorBootstrapper.exe will be downloaded.

- Copy the ODJConnectorBootstrapper.exe to the Server designated to host Intune Connector for Active Directory.
- Install the executable ODJConnectorBootstrapper.exe.
- Click Browse if you want to change the default installation path.
Select Configure after a successful Intune AD connector installation.

Select Sign In.

NOTE! – Sign in using a Global Administrator or Intune Administrator user. Please ensure the admin has an Intune license assigned.
The Intune Connector for Active Directory gets enrolled. After a few minutes, the Intune AD connector server starts communicating with the Intune cloud service.

NOTE! – For Intune connector installation logs, navigate to the path below: `C:\Users\userid\AppData\Local\Temp\Intune_connector_for_Active_Directory_<Year>`

You can refer to the log below for more details on the installation.

After Signing in, the Intune connector will start communicating with your Azure tenant. It takes less than 5 minutes for the connector to appear in the Intune console. Navigate to the path below to see all the connectors in your environment. You can also verify the latest Intune connector sync timestamp.

Delegate permission for Intune Connector for Active Directory
The Offline Domain Join Connector service is responsible for creating computer objects. It acts as a mediator: the Offline Domain Join Connector service communicates with both the on-premises Active Directory and the Intune cloud service.
As shown in the picture below, the connector service runs as the Local System account. Hence, the server’s computer object (SERVERNAME$) must have permission to create computer objects in AD.

By default, all domain accounts have permission to join a maximum of 10 computers to AD. To change this default behavior, you need to delegate permission. Let’s configure the permission.
- Launch Active Directory Users and Computers (DSA.msc).
- Right-click the organizational unit and then select Delegate Control.

Select “Next” to continue.

In the Delegation of Control wizard, add your Intune connector server computer object. Select Create a custom task to delegate > Next.
Select the Computer objects, Create selected objects in this folder, Delete selected objects in this folder checkboxes, and select the Next button to continue.
Under Permissions, select the Full Control check box, as shown below.

You have completed the permission delegation for the Intune AD connector to create an Offline Domain join blob for the Windows Autopilot Hybrid Domain Join Scenario.
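The same delegation can be applied from PowerShell, which is easier to review and repeat across connector servers. The script below is an added example, not from the original post: it grants the connector server’s computer account (SERVERNAME$) the two rights the Delegation of Control wizard grants above, Create/Delete computer objects in the OU and Full Control on the computer objects created under it, and nothing on other object types or other OUs. The server name ODJ-CONNECTOR01 and the OU distinguished name are assumed placeholders; run it on a domain-joined host with the ActiveDirectory module, as an account allowed to modify the OU’s security descriptor.

```powershell
# Added example (not from the original post): delegate to the Intune Connector
# server's computer account the rights the Delegation of Control wizard grants.
# Assumed placeholders: the connector server name and the target OU DN.
Import-Module ActiveDirectory

$ConnectorServer = 'ODJ-CONNECTOR01'                                 # assumed
$TargetOU        = 'OU=Autopilot,OU=Workstations,DC=contoso,DC=com'  # assumed

# SID of the connector's computer account (SERVERNAME$), the identity the
# Local System service presents to the domain.
$connectorSid = [System.Security.Principal.SecurityIdentifier](Get-ADComputer -Identity $ConnectorServer).SID

# schemaIDGUID of the 'computer' class, so the ACEs apply to computer objects only.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$computerClassGuid = [guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

$ouPath = "AD:\$TargetOU"
$acl = Get-Acl -Path $ouPath

# ACE 1: "Create/Delete selected objects in this folder", limited to the
# computer class and to this OU (no inheritance to child OUs).
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $connectorSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)

# ACE 2: "Full Control" on descendant computer objects only (not on the OU
# itself and not on users, groups or other object types stored there).
$fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $connectorSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid
)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullControl)
Set-Acl -Path $ouPath -AclObject $acl

# Verify: list the ACEs the connector's computer account now holds on the OU.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.IdentityReference -like ('*\' + $ConnectorServer + '$') } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Scoping the ACEs to one OU and to the computer class keeps the connector’s footprint small: if the connector server were ever compromised, its computer account could create and manage computer objects in that OU but could not touch users, groups, or other OUs.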

Intune Cloud Side Configurations
This section will go through different configurations required within the Intune console for Windows Autopilot Hybrid Azure AD Join (Windows Autopilot Hybrid Domain Join) scenario.
Intune Autopilot Profile Configuration
The following configurations will help you configure the Windows Autopilot hybrid domain join scenario.
- Log in to Intune and select Device enrollment > Windows enrollment > Deployment Profiles > Create Profile.
- Type a Name and, optionally, a Description.
- For Deployment mode, select User-driven.
- In the Join to Azure AD box, select Hybrid Azure AD joined
- Select Out-of-box experience (OOBE). Configure the OOBE options as needed and create a profile.

On the profile page, select Assignments, then Select groups.
In the Select Group pane, select your device group. Make sure the Autopilot computer hardware ID has been imported and the device added to the device group.

Intune Configuration Profile – Hybrid Domain Join
This section describes the Domain Join configuration profile for Windows Autopilot Hybrid Domain Join, which is defined by three (3) settings.
- Computer naming template
- Domain name
- Organization Unit path
- In Intune, select Device Configuration > Profiles > Create Profile.
- Select Windows 10 and later.
- Profile type: Select Domain Join.
- Provide a Computer name prefix, Domain name, and (optional) Organizational unit in DN format.

Notes from the Field:
#1 – Please ensure the Organization unit is in DN format. If there is any typo, your computer will be stuck with the message “Please wait while we set up your device.” I will cover this in my second post. The default computer container is used if you don’t update the Organization unit.
#2 – Hybrid Autopilot supports computer naming using the prefix. You cannot use variables such as %SERIAL%. If you do, you will get the error message “Something went wrong” with code “80180005” or “80070774”. I will explain this in my second post (Windows Autopilot Hybrid Azure AD Join Troubleshooting Tips).
- Assign the profile to the Autopilot device group.
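Both Notes from the Field describe mistakes that only surface during OOBE, so the three settings are worth checking before the profile is assigned. The function below is an added example, not from the original post: it checks that the prefix contains no %SERIAL%-style variable and fits the 15-character NetBIOS computer-name limit once Intune appends its random suffix, that the domain resolves, and that the OU string is a distinguished name that actually exists in AD (a typo here is what produces the “Please wait while we set up your device” hang). The suffix length of 5 is an assumption used only for the length check, and the sample values are constructed.

```powershell
# Added example (not from the original post): pre-flight checks for the three
# Domain Join profile settings. Sample values are constructed placeholders.
Import-Module ActiveDirectory

function Test-DomainJoinProfileSettings {
    param(
        [Parameter(Mandatory)] [string] $ComputerNamePrefix,
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $OrganizationalUnit,
        # Intune appends random characters to the prefix; the whole name must fit
        # the 15-character NetBIOS limit. Assumed suffix length for the check.
        [int] $RandomSuffixLength = 5
    )
    $problems = @()

    # Note #2: only a static prefix is supported; %SERIAL%-style variables lead
    # to the "Something went wrong" 80180005 / 80070774 errors.
    if ($ComputerNamePrefix -match '%') {
        $problems += "Prefix '$ComputerNamePrefix' contains a % variable; hybrid join supports a static prefix only."
    }
    if (($ComputerNamePrefix.Length + $RandomSuffixLength) -gt 15) {
        $problems += "Prefix '$ComputerNamePrefix' plus a $RandomSuffixLength-character suffix exceeds 15 characters."
    }
    # Characters that are not valid in a NetBIOS computer name.
    if ($ComputerNamePrefix -match '[\\/:*?"<>|.\s]') {
        $problems += "Prefix '$ComputerNamePrefix' contains characters not allowed in a computer name."
    }

    # The domain must be reachable from the host running this check.
    try { $null = Get-ADDomain -Identity $DomainName -ErrorAction Stop }
    catch { $problems += "Domain '$DomainName' could not be resolved: $($_.Exception.Message)" }

    # Note #1: the OU must be in DN format. Check the shape first, then that it
    # exists. An empty value is fine: the default Computers container is used.
    if ($OrganizationalUnit) {
        if ($OrganizationalUnit -notmatch '^(OU|CN)=[^,]+(,(OU|CN)=[^,]+)*(,DC=[^,]+)+$') {
            $problems += "'$OrganizationalUnit' is not in distinguished-name format (e.g. OU=Autopilot,DC=contoso,DC=com)."
        }
        else {
            try { $null = Get-ADOrganizationalUnit -Identity $OrganizationalUnit -ErrorAction Stop }
            catch { $problems += "OU '$OrganizationalUnit' does not exist in AD (check for typos)." }
        }
    }

    [pscustomobject]@{
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed samples: one profile that should pass and two that would fail in OOBE.
Test-DomainJoinProfileSettings -ComputerNamePrefix 'HTMD-' -DomainName 'contoso.com' `
    -OrganizationalUnit 'OU=Autopilot,OU=Workstations,DC=contoso,DC=com'
Test-DomainJoinProfileSettings -ComputerNamePrefix 'HTMD-%SERIAL%' -DomainName 'contoso.com'
Test-DomainJoinProfileSettings -ComputerNamePrefix 'HTMD-' -DomainName 'contoso.com' `
    -OrganizationalUnit 'Autopilot Workstations'
```

Run it from a host that can reach the domain (the connector server is a natural choice) and paste the validated values into the Intune profile.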

CSP to Disable User Setting in ESP
You may observe an error in the enrollment status page (ESP) in the Windows Autopilot Hybrid Domain Join profile scenario. This error is because of the timeout mentioned in Michael Niehaus’s post.
The CSP setting below prevents this timeout error. Let’s go through the steps to configure this CSP.
```
./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
```
Navigate via the Intune blade – Create a profile – Settings – Configure – Custom OMA-URI Settings – Windows 10 and later – Add OMA-URI settings.

Assign the CSP to the Autopilot device group.
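The same Custom OMA-URI profile can be created and assigned through Microsoft Graph, which makes the setting reviewable and repeatable across tenants. The script below is an added example, not from the original post or from Microsoft: it uses Invoke-MgGraphRequest from the Microsoft.Graph PowerShell module against the beta deviceManagement/deviceConfigurations endpoint to create a windows10CustomConfiguration carrying the SkipUserStatusPage node as a Boolean set to true (the node is a bool in the DMClient CSP), assigns it to the Autopilot device group, and reads it back. The group id and the profile name are assumed placeholders.

```powershell
# Added example (not from the original post): create the Custom OMA-URI profile
# for SkipUserStatusPage via Microsoft Graph and assign it to a device group.
# Requires the Microsoft.Graph module; the group id below is a placeholder.
Import-Module Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$autopilotGroupId = '00000000-0000-0000-0000-000000000000'   # assumed: Autopilot device group object id

# The setting from the post. The node is a Boolean, so it is sent as omaSettingBoolean = true.
$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Autopilot Hybrid - Skip user ESP status page'   # assumed name
    description   = 'Prevents the ESP timeout during Hybrid Azure AD Join'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = 'SkipUserStatusPage'
            omaUri        = './Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage'
            value         = $true
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body $profileBody

# Assign to the Autopilot device group, the same target the post assigns in the portal.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $autopilotGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body $assignBody

# Read the profile back and confirm the OMA-URI and value landed as intended.
$check = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)"
$check.omaSettings | Select-Object displayName, omaUri, value
```

The read-back step is the part worth keeping in an operations runbook: a profile that exists but holds the wrong OMA-URI or value fails silently at OOBE, and the ESP timeout the post describes returns.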

(Optional) Turn on the Enrollment Status Page
It is recommended to enable the Enrollment status page. For more details, refer here.
Results – Windows Autopilot Hybrid Domain Join
You will get the login screen below after completing Windows 10 deployment using Hybrid Autopilot. As seen below, you can log in to the computer using an AD Domain user account.
After logging in, you can verify whether your machine is a Hybrid domain join by executing the below command.
```
dsregcmd /status
```
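For a fleet of freshly deployed devices it is handier to turn that output into an object than to read it by eye. The function below is an added example, not from the original post: it parses the `Name : Value` lines of `dsregcmd /status` and reports Hybrid Azure AD joined only when both DomainJoined and AzureAdJoined are YES. The second call feeds it a short constructed sample of dsregcmd output so the parser can be exercised on a machine where the command is not available.

```powershell
# Added example (not from the original post): parse 'dsregcmd /status' into an
# object and report whether the device ended up Hybrid Azure AD joined.
function Get-DeviceJoinState {
    param(
        # Accepts captured output so the parser can be tested offline; by default
        # it runs dsregcmd on the local machine.
        [string[]] $StatusOutput = (dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $StatusOutput) {
        # Output lines look like "             AzureAdJoined : YES"; section
        # banners (+---- / | Device State |) do not match and are skipped.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]@{
        DomainJoined        = ($state['DomainJoined'] -eq 'YES')
        AzureAdJoined       = ($state['AzureAdJoined'] -eq 'YES')
        DomainName          = $state['DomainName']
        TenantName          = $state['TenantName']
        DeviceId            = $state['DeviceId']
        # Hybrid Azure AD joined means the device is both domain joined and
        # Azure AD joined at the same time.
        HybridAzureAdJoined = ($state['DomainJoined'] -eq 'YES' -and $state['AzureAdJoined'] -eq 'YES')
    }
}

# Live check on the freshly deployed device.
Get-DeviceJoinState

# Constructed sample of dsregcmd output, to show the parser without running it.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
'@ -split "`r?`n"
Get-DeviceJoinState -StatusOutput $sample
```

A device that shows DomainJoined YES but AzureAdJoined NO has completed the offline domain join but has not yet registered with Azure AD; that is the state to look for first when a Hybrid Autopilot device never receives its Intune policies.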
In my second post, we will go through events and logs that help troubleshoot.
Resources
- Windows Autopilot Video Starter Kit
- Beginners Guide Setup Windows AutoPilot Deployment
- Dynamically Deploy Security Policies and Apps to Windows AutoPilot Devices
- Where is the AutoPilot Assign Profile Button in the Intune Portal
- Windows AutoPilot End-to-End Process Guide
- Windows Autopilot Deployment Scenarios – On-Prem Hybrid Domain Join
Author
Vimal Das has more than ten years of experience in SCCM device management solutions. His main focus is on Device Management technologies like Microsoft Intune, ConfigMgr (SCCM), OS Deployment, and Patch Management. He writes about technologies like SCCM, Windows 10, Microsoft Intune, and MDT.