Manually Hybrid Join Devices

Aaron Krytus 1 Reputation point
2024-04-11T13:44:17.71+00:00

Goal:

  • Automate Intune enrollment silently on all devices

Scenario:

  • All devices joined to a local domain.
  • Half of the devices are Microsoft Entra registered. These devices are remote devices, with no VPN or direct line of sight to DC.
  • Half of the devices are Microsoft Entra hybrid joined. These devices are either local devices or the users consistently use VPN for direct line of sight to DC.

Solution:

  • I created a script that runs as the user and configures the enrollment URLs and manually registers the device.
  • This method requires the devices to be Microsoft Entra hybrid joined.
  • The script works perfectly for those devices, even if they are not on the network and cannot see the DC.

Issue:

Not all the devices are hybrid joined because they are failing the pre-check since they cannot contact the DC. When I look at the event viewer I get:

  • Source: User Device Registration
  • Event ID: 334
  • Details: Automatic device join pre-check tasks completed. The device can NOT be joined because a domain controller could not be located.

Question:

  • Since they are already domain joined, do the devices really need to see the DC to hybrid join?
  • Can I bypass the pre-check for domain connectivity somehow?
  • Is there a solution I can implement that does not require VPN for direct line of sight to the DC?

Thank you for your assistance.


1 answer

  1. Carlos Solís Salazar 17,021 Reputation points MVP
    2024-04-11T20:59:34.01+00:00

    Hello,

    I see that you did a lot of research and work, congratulations on that. I don't have good news:

    You need access to AD DS to achieve the hybrid joined status. You cannot bypass the pre-check :-(

    Unfortunately, you need to connect to AD DS; the best way is via VPN, or the device needs to be on your premises for the process.

    Also, you can create a GPO on your AD DS to run the script automatically.

    Hope this helps.

    Please accept the answer if it helps.

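The gating logic the question and answer describe, as an added example rather than the poster's own script: it reads the device's registration state from `dsregcmd /status`, surfaces the most recent event 334 from the User Device Registration log when the device is not hybrid joined (so the "no domain controller" failure is visible in the script output instead of only in Event Viewer), and only on a hybrid joined device configures MDM auto-enrollment and triggers it. The enrollment policy values are the ones the "Enable automatic MDM enrollment using default Azure AD credentials" GPO writes; the fallback Intune enrollment URLs and the `TenantInfo` registry location are assumptions drawn from Microsoft's enrollment troubleshooting guidance, not values taken from the posts. It is meant to run elevated (for example as a GPO startup script or a SYSTEM scheduled task, as the answer suggests).

```powershell
# Added example, not the poster's script. Run elevated on the device.
# Assumption: the MDM policy keys below match what the auto-enrollment GPO sets,
# and the Intune URLs are the standard Intune enrollment endpoints.

function Get-DsregState {
    # Parse `dsregcmd /status` into a hashtable of "Key : Value" pairs.
    $state = @{}
    foreach ($line in (& "$env:SystemRoot\System32\dsregcmd.exe" /status)) {
        if ($line -match '^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinPrecheckFailure {
    # Most recent event 334 (pre-check completed, device can NOT be joined).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'
        Id      = 334
    } -MaxEvents 1 -ErrorAction SilentlyContinue
}

$s = Get-DsregState
$domainJoined  = $s['DomainJoined']    -eq 'YES'
$entraJoined   = $s['AzureAdJoined']   -eq 'YES'   # hybrid join reports YES here
$entraRegistered = $s['WorkplaceJoined'] -eq 'YES' # Entra registered only

if (-not ($domainJoined -and $entraJoined)) {
    Write-Warning ("Not hybrid joined: DomainJoined={0} AzureAdJoined={1} WorkplaceJoined={2}" -f `
        $domainJoined, $entraJoined, $entraRegistered)
    $ev = Get-JoinPrecheckFailure
    if ($ev) {
        Write-Warning ("Last pre-check failure at {0}: {1}" -f $ev.TimeCreated, $ev.Message)
    }
    # The join itself needs a DC at least once (VPN or on-site); nothing to do here.
    exit 1
}

# Hybrid joined: locate the tenant the join recorded (assumption: this is where
# the cloud domain join stores tenant info) and make sure enrollment URLs exist.
$tenantInfo = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'
$tenantKey  = Get-ChildItem -Path $tenantInfo -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $tenantKey) {
    Write-Warning 'No tenant info found under CloudDomainJoin; cannot set enrollment URLs.'
    exit 1
}
$tenantId = $tenantKey.PSChildName
$urls = @{
    MdmEnrollmentUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
    MdmTermsOfUseUrl = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
    MdmComplianceUrl = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
}
# Prefer the URLs the join wrote for this tenant, fall back to the Intune defaults.
foreach ($name in @($urls.Keys)) {
    $v = (Get-ItemProperty -Path $tenantKey.PSPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($v) { $urls[$name] = $v }
}
$enrollKey = "HKLM:\SOFTWARE\Microsoft\Enrollments\$tenantId"
New-Item -Path $enrollKey -Force | Out-Null
foreach ($name in $urls.Keys) {
    Set-ItemProperty -Path $enrollKey -Name $name -Value $urls[$name] -Type String
}

# Policy the auto-enrollment GPO sets: AutoEnrollMDM=1, UseAADCredentialType=1 (user credential).
$mdmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
New-Item -Path $mdmPolicy -Force | Out-Null
Set-ItemProperty -Path $mdmPolicy -Name 'AutoEnrollMDM'        -Value 1 -Type DWord
Set-ItemProperty -Path $mdmPolicy -Name 'UseAADCredentialType' -Value 1 -Type DWord

# Trigger enrollment now rather than waiting for the scheduled enrollment task.
& "$env:SystemRoot\System32\deviceenroller.exe" /c /AutoEnrollMDM
Write-Output "Enrollment triggered for tenant $tenantId (exit code $LASTEXITCODE)."
```

The check on `AzureAdJoined` and `DomainJoined` is what separates the two halves of the fleet in the question: an Entra registered device shows `WorkplaceJoined : YES` but `AzureAdJoined : NO`, and on those the script stops and reports the event 334 text instead of attempting an enrollment that will fail. Enrollment with a user credential (`UseAADCredentialType = 1`) requires the signed-in user to have an Entra primary refresh token, so the script should run after that user has signed in at least once on the hybrid joined device.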