We set up ADConnect to begin syncing devices. This set up an SCP record in AD. We are testing the setup, so following the controlled validation setup, we cleared the SCP record property and used a GPO. We also use ADFS.
Can someone please provide insight into whether what we are seeing is normal/expected, or abnormal?
On-premises devices with the GPO linked to the device OU and the ADFS server will perform an auto-enrollment in Azure and appear as hybrid joined. ADConnect does not initially sync any computer objects to Azure. If I create a computer object in an OU which is synced, AD Connect will not add the device to Azure. It appears that the device must perform the enrollment action to be added to Azure. This occurs via the scheduled task \Microsoft\Windows\Workplace Join\Automatic-Device-Join and is only triggered at logon. Only after the device self-enrolls will ADConnect begin managing it.
While this is great and seamless for any on-premises clients, it isn't working for off-premises hosts. If I VPN in, I can pick up the GPO configuration bits and my client is ready to go, but the task doesn't trigger unless I log in. If I reboot while disconnected from the VPN, the scheduled task runs but does NOT enroll, as it seems to need line of sight to AD.
On my test client I perform the "Access Work or School" connection, but the device now only appears as registered, not hybrid, even after an ADConnect sync job has run.
- Should AD Connect be syncing computer objects regardless of the clients' self-enrollment? (Maybe our admin did something wrong.)
- Should off-premises clients be able to auto-enroll seamlessly like on-prem clients? (The GPO has the settings that would normally only be in AD; what else is at play?)
- Are there other methods for off-prem clients to complete the hybrid join setup?
These existing clients are SCCM managed; we are looking to set up hybrid join so that they can begin to leverage Intune to pick up Windows updates. While registered devices can potentially do this, I feel like this is the wrong approach and may present future issues in which we can't do Windows Hello or take advantage of other services/features.
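The checks below are an added example, not code from the original post, for working out on a single client which of the states described above it is in. It reads the client-side tenant settings that the GPO writes, tries to read the forest SCP that AD Connect created, parses `dsregcmd /status` to distinguish hybrid joined (DomainJoined and AzureAdJoined both YES) from registered only (WorkplaceJoined YES), checks whether the computer object's `userCertificate` attribute has been populated by the registration (the attribute AD Connect's default computer sync rule requires before it exports the device), and optionally fires the Automatic-Device-Join task and shows the User Device Registration log. It assumes an elevated PowerShell session on a domain-joined Windows 10 client; the two AD lookups need line of sight to a domain controller and are wrapped so that the off-VPN case reports the failure instead of aborting. The registry path, SCP object name and task path are the documented ones; everything else (parameter name, output layout) is this example's own choice.

```powershell
<#
  Added example, not part of the original post.
  Assumes: elevated session, domain-joined Windows 10 client.
  AD lookups need a reachable DC and are expected to fail off-VPN.
#>
param([switch]$TriggerJoin)   # hypothetical switch: also run the join task and show the log

# 1. Client-side tenant info. This is what the hybrid-join GPO writes when the
#    forest SCP is not used (the "controlled validation" approach).
$cdj = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD' -ErrorAction SilentlyContinue
if ($cdj) { 'GPO tenant settings : TenantName={0} TenantId={1}' -f $cdj.TenantName, $cdj.TenantId }
else      { 'GPO tenant settings : not present (neither GPO nor manual registry values)' }

# 2. Forest-level SCP in the configuration partition (the object AD Connect creates).
#    Reading it requires a DC, which is exactly what an off-VPN client lacks.
try {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfgNc   = [string]$rootDse.configurationNamingContext
    $scp     = [ADSI]"LDAP://CN=62a0ff2e-97b9-4088-9036-b6c1a7e4d5e2,CN=Device Registration Configuration,CN=Services,$cfgNc"
    $kw      = @($scp.keywords)
    if ($kw.Count -gt 0) { 'Forest SCP keywords : ' + ($kw -join '; ') }
    else                 { 'Forest SCP          : object present but keywords cleared' }
} catch {
    "Forest SCP          : could not read (no line of sight to a DC?) - $($_.Exception.Message)"
}

# 3. Device registration state as the client itself sees it.
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$') { $status[$matches[1]] = $matches[2] }
}
foreach ($k in 'DomainJoined', 'AzureAdJoined', 'WorkplaceJoined', 'TenantName', 'TenantId', 'DeviceId') {
    '{0,-20}: {1}' -f $k, $status[$k]
}
$state = if ($status['DomainJoined'] -eq 'YES' -and $status['AzureAdJoined'] -eq 'YES') { 'HYBRID AZURE AD JOINED' }
         elseif ($status['WorkplaceJoined'] -eq 'YES')                                   { 'REGISTERED ONLY (Access work or school)' }
         elseif ($status['DomainJoined'] -eq 'YES')                                      { 'DOMAIN JOINED, NOT YET REGISTERED' }
         else                                                                            { 'NOT DOMAIN JOINED' }
"Interpretation      : $state"

# 4. Has the registration written userCertificate on the computer object? AD Connect's
#    default "In from AD - Computer Join" rule only picks the object up once this is set,
#    which matches the observation that AD Connect syncs the device only after it enrolls.
try {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    $r = $searcher.FindOne()
    $certCount = if ($r) { $r.Properties['usercertificate'].Count } else { 0 }
    "userCertificate     : $certCount value(s) on the computer object"
} catch {
    "userCertificate     : could not query AD - $($_.Exception.Message)"
}

# 5. Optionally run the same task that fires at logon and show what it logged.
if ($TriggerJoin -and $status['AzureAdJoined'] -ne 'YES') {
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
    Start-Sleep -Seconds 30
    Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents 10 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
}
```

Run it once on the VPN and once off it: on an off-VPN client steps 2 and 4 fail while step 1 still shows the GPO values, which isolates the missing piece to domain line of sight rather than the GPO. A client that shows `WorkplaceJoined : YES` with `AzureAdJoined : NO` is the registered-only state from the "Access Work or School" test, and the device registration log from step 5 is where the join task records why it could not complete.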