question

andreasbright-4989 avatar image
0 Votes"
andreasbright-4989 asked NickHogarth-MVP commented

Fails on first attempt to be Azure AD Hybrid joined

Hi,

  • We are testing Azure AD Hybrid.

  • The AD is configured to sync the correct OU

  • We have created a autopilot deployment profile that is hybrid azure ad joined

  • We have a test vm that has direct line to the dc

  • We boot the test vm, use Shift+F10 and use Get-WindowsAutopilotinfo -Online to push the hwid.

  • We can see the hwid in endpoint manager and we assign this to a group that is assigned to the autopilot deployment profile. We also assign the device to a user. We wait until everything is assigned.

  • We reboot the VM and are prompted with the correct user, we enter cred...wait some time, and then we get the login picture and we can see that it is joined to the local domain and its asking for our cred. We login with local ad account.

  • We see the computer object in local ad, but in Azure we see the object as azure ad joined.

  • We check the dsregcmd and see the device is not AzureADJoined with error 0x801c03f3

We google some, and finds info about "make sure the on-premises computer object is synchronized to Azure AD. Run the Delta Azure AD Connect sync"....The OU that the machine is added to is marked for sync, so do we have to wait for Azure AD Sync ?

We did a manual sync, but still same object i Azure Ad.

Then we did a "dsregcmd.exe /debug /join" and it was successfull. When we now check Azure AD we can see two devices objects, one is Azure AD Joined and the other is Hybrid Azure AD joined.

What went wrong here ?
Is we had just waited would the Azure AD Joined device itself "turn into" Hybrid Azure AD joined device ?


One other question, after we logged into the device the first time, the user was NOT administrator even if we had configured it to be under Autopilot profile, but after a reboot the user was added as local admin... is a reboot necessary ?


Thanks for any explanation.

/R
Andy

mem-intune-generalazure-ad-connectmem-intune-enrollmentazure-ad-hybrid-identity
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

3 Answers

NickHogarth-MVP avatar image
1 Vote"
NickHogarth-MVP answered

Its correct that you do end up with 2 objects. Usually you have to wait for Azure AD Connect to sync the device and the hybrid join to complete. It depends on your sync schedule. For a good understanding, see https://oofhours.com/2020/05/23/digging-into-hybrid-azure-ad-join/

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Crystal-MSFT avatar image
1 Vote"
Crystal-MSFT answered

@andreasbright-4989, For Windows Autopilot user-driven Hybrid Azure AD Join, we will end up seeing two devices in Azure AD when this process completes. An Azure AD Join device object (which ends up getting enabled and renamed as part of this process) and the synced Hybrid Azure AD Join device object. This is by design. Here are the objects in my lab:

47222-image.png

Also, find a link describe this, we can read it for the reference:
https://oofhours.com/2019/07/15/inside-windows-autopilot-user-driven-hybrid-azure-ad-join/
Note: Non-Microsoft link, just for the reference.

For the situation about adding into the local administrator group, based on the phenomenon we get, it seems the reboot is needed.

Hope it can help.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



image.png (23.9 KiB)
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

andreasbright-4989 avatar image
0 Votes"
andreasbright-4989 answered NickHogarth-MVP commented

Hi,

Thanks for great feedback from both of you.
Just to make things clear, If I had dropped running the "dsregcmd.exe /debug /join" it would after awhile have been joined correctly after all ? What is the max waiting time for this ?

/R
Andy

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

NickHogarth-MVP avatar image NickHogarth-MVP ·

Yes. You don't need to run it. It can take an hour or so for the Hybrid Azure AD Join to complete depending on if you are using password hash sync or ADFS with Azure AD Connect and on your sync cycle. Its covered in the link I posted above.

1 Vote 1 ·