Automated AD Join to Domain Remotely

BmoreOs 136 Reputation points
2023-03-10T15:23:16.1266667+00:00

Hi. Not very familiar with AutoPilot, but learning as I go. I have an urgent need to figure out the best way to complete this. I have several options but want to be sure I am going about this the quickest, most cost effective, and secure way.

We have a Hybrid AD, On Prem DC to Azure AD. We do not have a DC in the cloud. Since we started, we never had the need to ship out laptops. We would purchase bulk laptops, have them shipped directly to us, imaged and added to the domain to be handed out. A new business objective now has us shipping out 100-200 laptops over the next six months. That said, I want to automate and set up the best way to complete this. I am aware of Intune and AutoPilot but keep running into roadblocks that seem to extend the solution out too far. I am also aware of "Direct Access" and "Always On VPN" but they appear a bit complex to set up and may not even be needed. Are they required?

Does our DC need to be publicly accessible for Windows AutoPilot to work? We tested this with a machine and it kept popping up an error and resetting the Surface in a loop. We disabled AutoPilot and had no issues after. So it's as if it needs direct communication to our On Prem DC to complete the setup. That seems counterproductive since Azure AD is available in the cloud. Or do I need a DC in the cloud too?

Thanks for any help. I want this setup ASAP to start testing on a bunch of machines. If all works well, we will order the laptops to be shipped directly to the end user, saving IT and the company a ton of money. It would be a nightmare though if we ship out 60 laptops and we have 60 users unable to use them. =)


1 answer

  1. Catherine Kyalo 655 Reputation points Microsoft Employee
    2024-03-13T14:24:12.8066667+00:00

    The likely answer to the question from Automation is:

    Windows AutoPilot can help you to automate the process of joining devices to Azure Active Directory (AD) and enrolling them in Intune. It does not require your domain controller (DC) to be publicly accessible or a DC in the cloud. It's designed to simplify the setup process for new devices and does not require Direct Access or Always On VPN.

    However, if you have a Hybrid Azure AD join scenario, it requires a line of sight to a domain controller, which is where VPN comes in. If the user is remote, the device will need to connect to the corporate network using VPN so that it can communicate with the domain controller to get a Kerberos ticket.

    The device can get the Kerberos ticket either during the Out Of Box Experience (OOBE) phase if you're using VPN clients like Always On VPN, or after the OOBE if you're using a VPN client that requires user interaction.

    Here is the official documentation on Windows Autopilot: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot

    And here is a specific guide on Hybrid Azure AD Join: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

    For setting up VPN for Hybrid Azure AD Join, you can check this guide: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven-hybrid

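Since the answer above hinges on the device having line of sight to an on-prem DC (Kerberos, LDAP, SYSVOL over the VPN), here is an added pre-flight check you can run on a test laptop before shipping in bulk. It is not code from the thread or from Microsoft's docs; the domain name is a placeholder you replace with your own AD DNS domain.

```powershell
# Added pre-flight check (not from the Q&A thread): confirms that a remote
# Windows device can reach an on-prem domain controller over the VPN before
# Hybrid Azure AD Join is attempted. $Domain is an assumed placeholder value.
param(
    [string]$Domain = 'corp.example.com'   # placeholder: use your AD DNS domain
)

# Hybrid join / Kerberos ticket acquisition needs these DC services reachable.
$RequiredPorts = [ordered]@{ Kerberos = 88; LDAP = 389; SMB = 445 }

# Locate DCs through the same SRV records the domain-join process relies on.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No DC SRV records for $Domain resolved: the VPN is not handing out AD DNS servers."
    return
}

# Probe every advertised DC on every required port.
$results = foreach ($rec in ($srv | Where-Object { $_.Type -eq 'SRV' })) {
    foreach ($svc in $RequiredPorts.GetEnumerator()) {
        $t = Test-NetConnection -ComputerName $rec.NameTarget -Port $svc.Value -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $rec.NameTarget
            Service          = $svc.Key
            Port             = $svc.Value
            Reachable        = $t.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize

# Show the device's current join state as reported by dsregcmd.
dsregcmd /status |
    Select-String -Pattern '^\s*(AzureAdJoined|DomainJoined|DomainName)\s*:' |
    ForEach-Object { $_.Line.Trim() }

# At least one DC must answer on all three ports for the hybrid join step to succeed.
$ready = $results | Group-Object DomainController |
    Where-Object { $_.Group.Reachable -notcontains $false }
if ($ready) { "Line of sight OK via: $($ready.Name -join ', ')" }
else        { Write-Warning 'No DC fully reachable: hybrid join will fail until the VPN tunnel is up.' }
```

Run it once with the VPN disconnected and once connected; the second run is the state the OOBE hybrid-join step needs to see.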