Autopilot Hybrid domain Join computer name

To this day a hybrid environment (connecting your on-premises AD with Azure AD) is considered the gold standard by many and is widely used by a lot of companies and organizations.

There’s a reason for it. You’re getting the best of both worlds: high scalability and flexibility without making your security suffer, great device management both on-prem and in the cloud, Line of Business application support, and more…

If you’re one of the people who has wisely chosen to use this infrastructure model, then you will definitely benefit from something called Hybrid Azure AD Join.

Now… I know, the word is quite a mouthful, but once you get to know this useful tool you will see how much it can help with managing devices in a hybrid environment.

What is Hybrid Azure AD join

When you ‘Hybrid join’ a device, it is visible in both your on-premises AD and in Azure AD, and you can manage it in both as well. This way, you are able to use tools such as Single Sign-On and Conditional Access while still being able to apply GPOs and other on-prem utilities.

Furthermore, by enrolling them in Intune, you will be able to manage the devices even more and give them some extra cloud capabilities.

Setting up Hybrid Azure AD join

Let’s start looking into how we will set up Hybrid Azure AD join. First we’ll look into the requirements for this particular demo and then we’ll look at how to get it to work. In Part two we will cover how to automatically enroll devices in Intune and how to then test them.

Requirements

Our test-environment will consist of:

  • A Windows Server 2016
    • Set up as a Domain Controller
    • Synced with an Azure AD (with AD Connect)
    • Have proper UPN suffix defined with a matching custom domain in Azure
  • A Windows 10 device
    • Domain joined (NOT to Azure AD, only to on-prem)

You also want to make sure you have access to both an on-prem Administrator and an Azure AD Global Administrator.

If you want to further test the capabilities of your Hybrid Azure AD joined device after setup, an Intune license is needed.

Configure Azure AD Connect

First step is to open up your Azure AD Connect:


After that you will see a whole list of options you can configure, the one we’re looking for is: Configure device options.

After that, click Next on the Overview page.

You will now be prompted to enter your Azure AD Global Administrator credentials, fill those in.

Now, you guessed it, select Configure Hybrid Azure AD join.


After that, select the forests you want to configure in the SCP configuration screen:
Choose Azure Active Directory as Authentication Service. Click Add to add your on-prem administrator (you will be prompted to log in as an Enterprise Admin).

After that, you will be able to choose which Windows versions you want to configure. You can choose one of them, or both (in this case we will look only at Windows 10 devices; go to this link to see how to handle downlevel devices).

Finally click Configure and, after a little wait, you’ll be greeted with this beautiful sight:


Checking our configuration

Now we have to make sure that our configuration of Hybrid Azure AD join was successful. Since Windows 10 devices are hybrid joined automatically, the most valuable tool we have is our patience. Speaking from experience, this could take quite some time (at least 5 minutes or more). Reboot your device and go ahead and get yourself a nice cup of coffee, you earned it!

Seriously though, there are multiple ways we can check if our device is hybrid joined.
First up: cmd.

Open the command prompt and enter: dsregcmd /status


If it says AzureAdJoined : YES, then you’re halfway there! If it still says NO after rebooting and waiting 10 more minutes, try following this troubleshooting guide.

The key here is to check the Event Viewer logs for errors and figure out what went wrong (Hybrid Join logs are located under Applications and Services Logs > Microsoft > Windows > User Device Registration).
For example, error 0x801c03f2 means that the devices you are trying to Hybrid Join aren’t in scope of your AD sync. So go ahead and change the Domain/OU filtering in Azure AD Connect and include them.
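The two checks described above (dsregcmd output and the User Device Registration log), as an added PowerShell example that is not part of the original post. It assumes it runs in an elevated PowerShell session on the device being checked; the log channel name and the event level filter are standard Windows values, and the 0x801c03f2 interpretation is the one given in the text.

```powershell
# Added example: report Hybrid Azure AD join state and recent device registration errors.
function Get-HybridJoinState {
    # dsregcmd /status prints "Key : Value" lines; extract the ones that matter here
    $status = dsregcmd /status
    $state = [ordered]@{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'DeviceId', 'TenantName') {
        $line = $status | Select-String -Pattern "^\s*$key\s*:\s*(.+)$" | Select-Object -First 1
        if ($line) { $state[$key] = $line.Matches[0].Groups[1].Value.Trim() }
    }
    [pscustomobject]$state
}

function Get-DeviceRegistrationErrors {
    param([int]$Hours = 24)
    # Same log the post points at in Event Viewer, queried directly (Level 2 = Error)
    $filter = @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        Level     = 2
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

$state = Get-HybridJoinState
$state | Format-List

if ($state.AzureAdJoined -eq 'YES' -and $state.DomainJoined -eq 'YES') {
    'Device is Hybrid Azure AD joined.'
} else {
    'Not hybrid joined yet. Registration errors from the last 24 hours:'
    $errors = Get-DeviceRegistrationErrors
    $errors | Format-Table -Wrap

    # 0x801c03f2: computer object is outside the Azure AD Connect sync scope (see text above)
    if (($errors | ForEach-Object Message) -match '801c03f2') {
        'Error 0x801c03f2 seen: adjust Domain/OU filtering in Azure AD Connect so this computer object is synced.'
    }
}
```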

Now to check in the Azure AD device list.
Go to your synced Azure AD and click Devices. There you should be able to see your device as Hybrid Azure AD joined, BUT it has to be registered as well! If it isn’t registered, you will still have to wait a few minutes longer.

Try rebooting and log in/out a few times to give this process a little push.


Once the device is registered, you’re done! You can now manage your device in both your on-prem AD and your Azure AD.

If you want to know how to auto-enroll devices through a GPO and then manage them in Intune, be sure to check out Part two.


In our previous post, we covered how to set up computers using Windows Autopilot. While the main scenario is to join computers to Azure AD, leaving the on-prem domain aside is for sure not realistic in many cases. Microsoft has added the ability to join the on-prem domain as part of the Autopilot setup. This feature is still in Preview, but it is worth testing and checking out. In this post, we will detail the requirements and how to configure Azure and on-prem AD to allow Autopilot to Hybrid AD join computers. Intune Autopilot Hybrid AD joined computers allow seamless integration of both worlds.

This post is part of a series on Windows Autopilot that will be published in the following weeks. In the next posts, we will cover the following subjects:

Intune Autopilot Hybrid AD joined Requirements

  • Hybrid AD join requirements are completed
    • See Microsoft docs for details
  • Windows 10 1809 or higher
  • Internet Access
  • On-prem (domain-connected) network access
    • VPN connection is not supported
  • Intune automatic enrollment enabled
    • See our previous post about Autopilot for this requirement
  • A server running Windows Server 2016

High-level steps

  • Delegate AD rights to the server that will have the Intune Connector installed
  • Install and configure the Intune Connector
  • Modify the Autopilot deployment profile
  • Create a Domain Join configuration profile

Delegate Active Directory rights

Before we move on to set up the AD delegation, the server that will be used to host the Intune Connector needs to be chosen. This server must run Windows Server 2016.

Because we will be delegating rights on an OU, we created a new one. A dedicated OU is not mandatory.

  • Right-click on the OU and select Delegate control
  • On the Users or Groups page, find and add the computer account of the server.
  • Select Create a custom task to delegate
  • Select Only the following objects in the folder and check Computer Object and also check Create selected object in this folder and Delete selected object in this folder
  • Check General, Property-Specific, Creation/deletion and Full Control
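The same delegation done with PowerShell instead of the Delegate Control wizard, as an added example that is not part of the original post. It grants the connector server's computer account only what the wizard steps above describe (create/delete computer objects in the OU, full control over computer objects below it). The OU distinguished name and the server name are assumptions; run it as a user with rights to modify the OU's ACL.

```powershell
# Added example: delegate computer-object rights on an OU to the Intune Connector server's
# computer account, scoped to computer objects only (no rights on other object classes).
Import-Module ActiveDirectory

$ouDn       = 'OU=AutopilotDevices,DC=contoso,DC=com'   # assumption: your delegated OU
$serverName = 'INTUNECONN01'                            # assumption: connector server name

# Computer accounts are principals too; the ACE is granted to the server's SID
$serverSid = (Get-ADComputer -Identity $serverName).SID

# schemaIDGUID of the "computer" class, used to restrict the ACEs to that object type
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq 'computer'" `
                    -Properties schemaIDGUID).schemaIDGUID

$acl = Get-Acl -Path "AD:\$ouDn"

# 1) Create and delete child objects of type computer directly in this OU
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $serverSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# 2) Full control, inherited only onto descendant objects of type computer
$fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $serverSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullControl)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list the ACEs now held by the server account on the OU
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$serverName`$" } |
    Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
```

Because the ACEs are typed on the computer class GUID, the connector account gets no rights over users, groups or other objects in the OU, which is the least-privilege shape you want for a service that can create domain accounts.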

Install and configure the Intune Connector

The server that will have the Intune Connector must be running Windows Server 2016, have internet access and be able to talk to Active Directory.

  • Connect to the server that will host the Intune Connector
  • Browse to Azure Portal/Intune/Device Enrollment/Windows Enrollment/Intune Connect for Active directory(Preview)
  • Click on Add and select Download the on-premise Intune Connector for AD
  • Run ODJConnectorBootstrapper.exe, check I agree… and click Install
    • The install path can be changed under options if needed
  • Click on Sign in and provide credentials of a Global administrator or Intune Service Administrator
  • Intune Connector for AD successfully enrolled!
  • Looking back in Azure Portal/Intune/Device Enrollment/Windows Enrollment/Intune Connect for Active directory(Preview), the server name now shows up.

Configure Autopilot profile for Intune Hybrid AD joined

If you currently have an Autopilot profile to Azure AD join, it will not be possible to modify it. So we’ll create a new one.

  • Go to Intune/Device enrollment – Windows Enrollment/Windows Autopilot deployment profile and Create a new profile
  • Make sure you assign this deployment profile to your All autopilot group

Create Domain Join configuration profile

Once the Autopilot configuration is completed, we need to create a Device configuration profile with the domain-specific information.

  • Browse to Intune/Device Configuration – Profiles and create a new profile. Select Windows 10 or later and Domain Join (Preview)
  • On the right side, provide the computer name prefix, the domain name, and the OU in which the computer account will be created, in DN format.
  • Make sure you assign this Device configuration profile to your All autopilot group. Also, make sure that only one profile is available to your device.

Testing the Intune Hybrid AD join

As mentioned earlier, the computer must be connected to the on-prem network and able to access the domain before we initiate a reset.

After completing the OOBE section, we can see under Intune/Devices that this specific device has the Device Configuration – Domain join with a state of Succeeded!


Under Azure AD/Devices our new computer is now Hybrid Azure AD joined instead of simply Azure AD joined!


Because SCCM is also on our domain, it automatically pushed out the SCCM agent. This means that Co-Management must be up and running in order to fully complete the process from Intune, for example to push default applications.


Bottom line notes

Here are a few observations made while testing the Hybrid AD join.

Duplicate computers with the same name

While we haven’t found a clear statement on this, it seems normal that 2 computers with the same name are stored in Azure AD.


BitLocker recovery keys

In our previous post, we stated that the recovery keys are stored under the Intune device/ Monitor/Recovery Keys.


When doing the Hybrid AD join, this isn’t the case. The BitLocker recovery key will be stored on the on-prem AD object. Is this a feature? a bug? We don’t know…
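A way to confirm where the recovery information actually landed for a given device, as an added PowerShell example that is not part of the original post. It reads the msFVE-RecoveryInformation child objects of the computer account in on-prem AD; the computer name is a constructed assumption, and the account running it needs read access to those objects (by default only Domain Admins have it).

```powershell
# Added example: list BitLocker recovery information escrowed to the on-prem AD computer object.
Import-Module ActiveDirectory

$computerName = 'AUTOPILOT-001'   # assumption: constructed device name

$computer = Get-ADComputer -Identity $computerName

# BitLocker stores each recovery password as a msFVE-RecoveryInformation object
# directly beneath the computer object, so search one level below its DN.
$recoveryObjects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', whenCreated

if (-not $recoveryObjects) {
    "No BitLocker recovery information found under $($computer.DistinguishedName)"
    return
}

$recoveryObjects | ForEach-Object {
    [pscustomobject]@{
        Created    = $_.whenCreated
        # The recovery GUID is what the BitLocker recovery screen shows as the key ID
        RecoveryId = [guid]$_.'msFVE-RecoveryGuid'
        # The password itself is the secret; only the first group is shown here on purpose
        KeyPrefix  = ($_.'msFVE-RecoveryPassword' -split '-')[0] + '-...'
    }
} | Format-Table -AutoSize
```

If you also want the key available in Azure AD, the BackupToAAD-BitLockerKeyProtector cmdlet (run on the device against its RecoveryPassword protector) escrows it there in addition to the on-prem copy.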


For more details about Hybrid AD join with Autopilot, see the Microsoft docs.
