Configure Autopilot Hybrid Azure-AD and ADDS Domain Join

Configure Autopilot Hybrid Azure-AD and ADDS Domain Join

Prerequisites

Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your organization’s network. These addresses must be accessed using the SYSTEM context. If you are using Auto Pilot this will be accessed during the enrollment status part:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com
  • https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)

To verify if the device is able to access the above Microsoft resources under the system account, you can use Test Device Registration Connectivity script.

Review AD DS UPN support for Hybrid Azure AD join

The table below provides details on support for on-premises AD UPNs in Windows 10 Hybrid Azure AD join

Type of on-premises AD UPN Domain type Windows 10 version Description
Routable Federated From 1703 release Generally available
Non-routable Federated From 1803 release Generally available
Routable Managed From 1803 release Generally available, Azure AD SSPR on Windows lockscreen is not supported
Non-routable Managed Not supported

Source: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan 

Auto Pilot Items

With Hybrid and Auto Pilot you will lose some functionality. You will not be able to do dynamic naming, you can only use a prefix and then intune will add a random string to the end of the prefix. Also devices MUST be able to talk to the local domain environment because it will create the device in AD DS first, during the Enrollment process if it cannot hit your DC it will fail every time.

Configure AD Connect

In a hybrid environment you will need to configure AD Sync to sync not only your ADDS users, but also the ADDS devices. These are the users and computers you would see in Active Directory Users and Computers. Download the AD Connect executable from here.

Run the installer and agree to the license terms and privacy notice and then click Continue

Select Use Express Settings

Enter in your Global Administrator credentials to connect to Azure AD

Enter in credentials to connect to AD DS. The account must be a Enterprise Administrator

Select Install

When finished, press Exit

Configure Hybrid Azure AD Join

You will now see an Azure AD Connect icon on your Desktop. Double click the icon as we need to configure Device sync

Click the green Configure button to configure AD Connect

 

Select Configure Device Options and then click Next

Enter in your global administrator credentials to connect to Azure AD and then click Next

Click the Configure Hybrid Azure AD Join and then click Next

Select Windows 10 or later domain-joined devices and then select Next

Select your ADDS forest, authentication service and then provide a enterprise administrator

Once you are ready to configure, select Configure

Set up Intune Hybrid Connector

Prerequisites

  • The server that will run the Intune Hybrid Connector must be at least running Windows Server 2016
  • Must be able to access the internet
  • Able to talk to a local domain controller

Install the Intune Connector

First, download the Intune connector from here or in your Azure portal by going to Device Enrollment > Windows Enrollment > Intune Connect for Active directory

Accept the license terms and conditions and then select Install

Once it has finished select Configure Now

Next, select Sign In

Sign in with an account that has at least a Global Administrator role

Finally, you will see that the Intune Connector for Active Directory is enrolled

Back in our Azure Portal we can now see our Intune Connector

Configure OU Delegate Control

In this step we will need to configure a new Organizational Unit for out hybrid devices, this step is only needed for Auto Pilot since it will be creating devices this OU. If you are just doing Hybrid Azure AD with ADDS you do not need to this step. You do not need a separate OU for your hybrid devices but you will need to configure delegate control. Right click your OU and select Delegate Control

In the Selected users and groups select Add and under Object Types you will want to include computer objects. Add the computer that holds you Intune Hybrid Connector and then Press Next

Select Create a custom task to delegate and then press Next

In the next pane, select Computer Object under Only the following objects in the folder, then select the Create selected objects in this folder and Delete selected objects in this folder checkboxes.

Check General, Property-Specific, Creation/deletion of specific child objects and Full Control

Finally select Finish

Intune Hybrid Domain Join Configuration Profile

Next, we must create a Intune Configuration profile to tell our devices to hybrid domain join.

In Intune go to Device Configuration > Profiles > Device Profiles and then Add Profile. 

Give your profile a name, select the platform as Windows 10 or later and the profile type to Domain Join. Enter a computer name prefix, the domain name and the OU in Distinguished name format.

Next you must assign the policy to users or devices. In my tenant I select all users and devices

Auto Pilot Hybrid Deployment Profile

Now we must create an Auto Pilot Hybrid deployment profile. In Azure go to Intune Device Enrollment Windows Enrollment Deployment Profiles and select Create Profile

Give your new deployment profile a name and description then press Next

Configure your Out of Box exerpeience to your standards. You MUST select join to azure AD as and select Hybris Azure AD Joined

Select your group assignments. Some people may apply it to an Auto Pilot only device group, some may do static groups (have groups for non hybrid and hybrid) In my test tenant I select all devices

When you are finished you can press Create

Disable User ESP

In a Auto pilot Hybrid Domain Join scenario, you may observe an error in enrollment status page (ESP). This error is because of the timeout as mentioned in Michael Niehaus post.

In the Azure Portal go to Intune > Device Configuration > Profiles > Create Profile

Give the profile a Name, select Windows 10 and later for platform and then profile type is Custom

Add the following items:

Name:  SkipUserStatusPage (or whatever you want)
OMA-URI:  ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
Data type:  Boolean
Value:  True

And then under Assignments assign it to devices or users

Results

Once I have all this set up I tested with a new machine and ran it thought auto pilot. In the Azure AD Devices blade I can see my machine is listed as Hybrid Joined

On the client machine you can go to Settings > Accounts > Access Work and School and see both Azure AD connection as well as AD DS

You can also go to the domain controller where you specified your OU above and see your new device.

Additional Resources

Inside Windows Autopilot user-driven Hybrid Azure AD Join

 

3 thoughts on “Configure Autopilot Hybrid Azure-AD and ADDS Domain Join

  1. Hi does a hybrid joined device need to have continuous connectivity to the on-prem domain controller? Or does it just join Azure AD and the user can login as their on-prem AD account synced password?

    1. it does not have to have continuous connectivity – just for the initial domain join process and every 30 days or so so it doesn’t lose trust

Leave a Reply

Your email address will not be published. Required fields are marked *