question

0 Votes
SebamedoX asked Crystal-MSFT commented

Joining existing device to Azure AD

Which ways would be possible to get an existing device with Windows 10 1809 LTSC (member of an Active Directory) managed via Intune, and how can the user then log in with their Azure AD credentials?

I already figured out that executing a provisioning package isn't a solution: I always get the error "0x8007000D". Found out it has something to do with the LTSC version, which isn't able to execute those provisioning packages.

In my opinion the only way is to "Enroll only in device management" (screenshot). But in order to do that I have to type in the Administrator account of the AD domain. The AD domain will be turned off in the future, so we don't want to do hybrid join, and no enrollment via GPO.

The next question I have is: when enrolling that device with "Enroll only in device management", my device has a connection to AD and MDM. Is that a problem? Should I delete the connection to the on-premises world first?

Last question: What do I need to do in order to enable a user to then log in with their Azure credentials?



67052-enrollmdm.jpg
67071-enrollmdm2.jpg


mem-intune-enrollment

0 Votes
NickHogarth-MVP answered Crystal-MSFT commented

A device can't be joined to both on-prem AD and Azure AD. It would need to be unjoined from the on-prem domain first, then joined to Azure AD (make sure there is a local user admin account and be careful of data loss for profiles etc.). "Enroll only in device management" will enrol the device in Intune (and register it in Azure AD but not join Azure AD).


Thanks for your support and for your information.

0 Votes 0 ·

I deleted that device's membership of the domain and after a restart the device is now resetting like in the screenshot.
reset-this-pc-removal-process-windows-10-56a6fadc3df78cf772913fda.png

Is it because the device is in a group in Azure AD that has an Autopilot profile assigned? Or could that be a policy that comes from the Active Directory, that tells leaving devices to reset?


0 Votes 0 ·

@SebamedoX, could you confirm whether the action "delete the device membership" means disjoining the device from on-premises AD? For the reset, maybe this is related to the provisioning package. Could you disjoin another on-premises domain-joined computer and see if it works as expected?

0 Votes 0 ·
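
To check which of the states named in NickHogarth-MVP's answer a machine is actually in (domain joined, Azure AD joined, or only registered), the output of `dsregcmd /status` can be parsed. This is an added example, not part of the original thread; the function name `Get-JoinState`, its output property names and the sample output are constructed for illustration.

```powershell
# Added example: classify a device's directory join state from `dsregcmd /status`.
function Get-JoinState {
    param(
        # Output lines of `dsregcmd /status`; by default the tool is run locally.
        [string[]]$StatusText = (dsregcmd.exe /status)
    )
    $flags = @{}
    foreach ($line in $StatusText) {
        # Relevant lines look like "   AzureAdJoined : YES"
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    # A field that is missing from the output is treated as NO.
    $aad = [bool]$flags['AzureAdJoined']
    $ad  = [bool]$flags['DomainJoined']
    $reg = [bool]$flags['WorkplaceJoined']

    if     ($aad -and $ad) { $state = 'Hybrid Azure AD joined' }
    elseif ($aad)          { $state = 'Azure AD joined' }
    elseif ($ad)           { $state = 'On-premises AD joined' }
    elseif ($reg)          { $state = 'Azure AD registered only' }
    else                   { $state = 'Workgroup (no join found)' }

    [pscustomobject]@{
        State             = $state
        AzureAdRegistered = $reg
        # Per the answer above: leave the on-prem domain before an Azure AD join.
        MustUnjoinAdFirst = ($ad -and -not $aad)
    }
}

# Constructed sample: a domain-joined device that is also registered in Azure AD.
$sample = @'
| Device State |
             AzureAdJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
| User State |
           WorkplaceJoined : YES
'@ -split '\r?\n'

Get-JoinState -StatusText $sample   # on a real device: Get-JoinState
```

Running it before and after unjoining the domain shows whether the device ended up joined to Azure AD or merely registered.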
0 Votes
PaD-7009 answered SebamedoX edited

1) Use a script to collect the hardware hash.
2) Add them into Autopilot.
3) Do a reset of the device, and go through Autopilot OOBE scenario.

Since you are moving away from AD, use Autopilot with Azure AD Join.


Usually I would agree with you. Especially with those LTSC versions, which we really want to get rid of. With your solution we could easily reinstall that device with a Win10 Enterprise and do Autopilot. But the location is far away, I'm not able to support locally, and there are only 5 devices. So if I do it like in the comment above from NickHogarth, I would have to log in with a local user account and would be only registered. Seems to be OK for now.

There is another location; they do have Win10 Pro and no AD. At that department I would try out joining with a provisioning package. Do you agree with me?

0 Votes 0 ·
0 Votes
Crystal-MSFT answered

@SebamedoX, from your description, it seems you want to migrate from on-premises AD to Azure AD. If there's any misunderstanding, feel free to let us know.

Based on my research, I found an article for reference:
https://o365hq.com/services/on-premises-active-directory-to-azure-active-directory-transition
Note: Non-Microsoft link, just for reference.

If you want to know more about the migration, please contact Azure AD support with tag "azure-active-directory":
https://docs.microsoft.com/en-us/answers/topics/azure-active-directory.html

For Intune enrollment, there are many methods; we can choose one that fits our environment:
67194-image.png
https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment#windows-enrollment-methods
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods

Hope it can help.




