Question

GusMamakos-0632 asked:

Hybrid Device join off-premise

We set up AD Connect to begin syncing devices. This set up an SCP record in AD. We are testing the setup, so following the controlled validation setup, we cleared the SCP record property and used a GPO. We also use ADFS.

Can someone please provide insight into whether what we are seeing is normal/expected, or abnormal?

On-premise devices with the GPO linked to the device OU and ADFS server will perform an autoenrollment in Azure and appear as hybrid device joined. AD Connect does not initially sync any computer objects to Azure. If I create a computer object in an OU which is synced, AD Connect will not add the device to Azure. It appears that the device must perform the enrollment action to be added to Azure. This occurs via the scheduled task \Microsoft\Windows\Workplace Join\Automatic-Device-Join and is only triggered at logon. Only after the device self-enrolls will AD Connect begin managing it.


While this is great and seamless for any on-premise clients, this isn't working for off-premise hosts. If I VPN in, I can pick up the GPO configuration bits and my client is ready to go, but the task doesn't trigger unless I log in. If I reboot and am disconnected from the VPN, the scheduled task runs but does NOT enroll, as it seems to need a line of sight to AD.

On my test client I perform the "Access Work or School" connection, but the device now only appears as registered, not hybrid, even after an AD Connect sync job has run.

  1. Should AD Connect be syncing computer objects regardless of the client's self-enrollment? (maybe our admin did something wrong)

  2. Should off-premise clients be able to auto-enroll seamlessly like on-prem clients? (the GPO has the settings that would normally only be in AD; what else is at play?)

  3. Are there other methods for off-prem clients to complete the hybrid join setup?


These existing clients are SCCM managed; we are looking to set up hybrid so that they can begin to leverage Intune to pick up Windows updates. While registered devices can potentially do this, I feel like this is the wrong approach and may present future issues in which we can't do Windows Hello or take advantage of other services/features.

azure-active-directory
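As an added example (not code from the original thread or from Microsoft), the following PowerShell implements the check-then-trigger approach the question describes: it reads the join state from dsregcmd, confirms a domain controller is reachable (the line-of-sight requirement the question observes), and only then starts the Automatic-Device-Join task named above. It assumes an elevated session on a Windows 10 client that is already AD domain joined; the function names are my own.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell
# session on an AD-domain-joined Windows 10 client. The task path and name are
# the ones cited in the question; dsregcmd field names are its own output labels.

function Get-DsregState {
    # dsregcmd /status prints "Name : Value" lines; keep only the fields we need.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|AzureAdPrt)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-DomainLineOfSight {
    # Locate a DC through the machine's own domain membership (no RSAT needed)
    # and confirm LDAP is reachable; with the VPN down this returns $false.
    try {
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
        return (Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue)
    } catch {
        return $false
    }
}

function Invoke-HybridJoinAttempt {
    $state = Get-DsregState
    if ($state['DomainJoined'] -ne 'YES') {
        Write-Warning 'Not AD domain joined; hybrid join does not apply to this device.'
        return
    }
    if ($state['AzureAdJoined'] -eq 'YES') {
        Write-Output "Already hybrid Azure AD joined (PRT present: $($state['AzureAdPrt']))."
        return
    }
    if ($state['WorkplaceJoined'] -eq 'YES') {
        # The "Access work or school" state from the question: registered, not hybrid joined.
        Write-Warning 'Device is Azure AD registered, not hybrid joined.'
    }
    if (-not (Test-DomainLineOfSight)) {
        Write-Warning 'No domain controller reachable (VPN down?); not starting the join task.'
        return
    }
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
    Write-Output 'Started Automatic-Device-Join; re-check with dsregcmd /status in a few minutes.'
}
Invoke-HybridJoinAttempt
```

Running this from a VPN-connected session (for example as an SCCM or logon script) avoids the logon-only trigger while still refusing to fire the task when no DC is reachable, which is the case that fails silently in the question.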

jLight answered:

We are actually in the same boat... we have implemented Cloud Management Gateway (CMG) and also Windows Autopilot (with Intune management).

We are finding Windows Autopilot will be the answer, but while we are migrating everyone to it, we will use CMG for the current devices.

https://docs.microsoft.com/en-us/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot


Did you land on a client enrollment solution? At this point I think the only option is to set up an SCCM config to set the registry keys instead of using GPO, and then have it force-run the scheduled task to make the client join. I can't seem to find a method for remote clients to join Azure as hybrid joined.

jLight replied to GusMamakos-0632:

We haven't done this, but are planning to... you can also use Autopilot for hybrid AD join.

https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-autopilot-hybrid

Luis-0970 answered:

Hey, so I think I'm in a similar situation:
I want hybrid AD join via Autopilot, but for clients without being on the company network (at home... covid...).
Is there any way to do hybrid join via Autopilot? It seems to be a requirement to be able to contact the domain controller... What about something like this:
Device gets Azure AD Autopilot.
User signs in with Azure credentials.
Script to automate VPN connect and kick off bind to AD; user signs in with local AD credentials, etc. - so the hybrid part is here after the VPN is connected automatically.

I think Microsoft is working on supporting VPN, but until they implement it, how can we automate zero touch for hybrid AD needs?


AlanReagan-3101 answered:

This feature is what's really needed to make Autopilot viable for organizations still using GPO and on-prem domains. The feature has had a UserVoice entry since February 2019. Please upvote if you need this functionality: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/36857593-support-vpn-connectivity-for-autopilot-hybrid-enro

Reset Windows 10 is a huge improvement and time saver over OSD with SCCM, but if the device has to be unboxed and connected to a network with a domain controller prior to shipping the device to the end user, the biggest potential of Autopilot is lost.


I know that you can have Dell ship a computer preprovisioned for Autopilot. We had to trust them within our O365 tenant, but the device will be Azure AD joined, not hybrid joined. At this point in time for us this isn't a bad setup, as we can ship laptops to people's homes ready to boot up and sign in.

Microsoft requires customer consent before allowing Dell to register devices for Autopilot.

https://www.dell.com/en-us/work/shop/help-me-choose/cp/hmc-autopilot
