Hello.
As with many other institutions, we are planning to join our Windows 10 desktops to Azure AD and autoenroll into MS Intune. We have an on-prem AD and would like to Hybrid Join our workstations. We have a VPN set up for remote access to the office.
The only machines currently joined to AAD are the test devices I have been using, so we would like to make the correct decision before joining any more devices. I have tested joining via "Accounts/Access Work or School", but I prefer the on-prem GPO method (with a group of machines in "Security Filtering") because there is less user interaction. We have Azure AD Sync running on our DC that is syncing all our users and groups (and only a test OU of devices). We also set up a user group that is associated with the "Device Restrictions Policy" and our "Compliance Policy" in MS Intune.
We have three types of machines as shown below:
1. Office desktops that have been moved to employees' homes. These machines are joined to on-prem AD.
2. Office laptops that are being used in employees' homes. These machines are joined to on-prem AD and may also be AAD Registered because the user logged into Office 365.
3. Brand new laptops that are sent directly to employees' homes. These laptops are being manually joined to on-prem AD. They may also be AAD Registered because the user has logged into Office 365 or entered their work email during the initial setup of Windows.
Questions/Concerns:
I am trying to set up an environment where users will never have a problem logging into their Hybrid AD Joined device. As I understand it, when a device is Hybrid AAD Joined, the user must log in with their on-prem AD account credentials (as opposed to their AAD user account). This is fine for a user who logs onto a device for the first time with Always On VPN enabled and for a user that has their on-prem AD account password cached. But as an example, let's say a user's on-prem AD account password has expired (and their on-prem AD account password is cached locally). A user may feel like "Well, I can still log in, so I'm not going to change my password".
Over a month passes by where the user was out of the virtual office without using their work device. They come back to the virtual office and, as luck would have it, we are having a serious problem with our VPN. At this point the cached password has expired (in addition to the on-prem AD account password) and the user does not have a VPN connection to reach the DC, so login is denied. The only option would be having the user log in with a local account. However, we want to try to avoid this type of call (if possible).
Rare case, but sometimes things happen (Murphy's Law). If we go with Hybrid AD Join, what are the chances of a user being in a situation where they can't log in to their device?
Other Questions/Concerns:
We have been manually installing our VPN client on our laptops and some desktops (the desktops that were sent to users' homes). I plan to enable the policy for Always On VPN in MS Intune. Will there be any issues if the VPN client is already installed on a specific device when MS Intune goes to push the VPN client?
Let's say that we join our on-prem domain joined Windows 10 devices as AAD Joined instead of Hybrid AAD Joined. In that case a user can log in with their AAD user account, correct? (As long as the AAD user object exists and the user account is in the provisioned AD group, of course.)
Is it safe to assume that the user can also log in to the same (on-prem domain joined) device with their on-prem AD account credentials?
If #3 and #4 are true, then will the user have two user profiles on the machine, accordingly?
I believe that performing an AAD Join requires the user to go to "Accounts/Work or School" and click the "+" sign to perform the AAD Join. It also means that we can't use on-prem GPOs to manage our device settings. Are there any other issues that we will experience when we perform an AAD Join on an on-prem domain joined AD? Do we have to remove the device from the on-prem domain before we AAD Join? Or remove all the on-prem GPO settings before we AAD Join?
Any advice is appreciated.
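An added example (not from the original post) for inventorying the three machine types described above before deciding on Hybrid vs. Azure AD Join: a PowerShell function that parses `dsregcmd /status` into a join state (Hybrid Azure AD Joined, Azure AD Joined, Azure AD Registered, domain joined only) and reads the `CachedLogonsCount` value that governs offline sign-in when no DC is reachable. The function name and the sample output are mine; the `dsregcmd` field names and the Winlogon registry value are Windows' own.

```powershell
# Added example, not from the original post: classify a Windows 10 device's join
# state from 'dsregcmd /status' and read the cached-logon setting, so the three
# machine types can be inventoried before choosing Hybrid vs. Azure AD Join.
function Get-JoinState {
    param(
        # Raw 'dsregcmd /status' output; defaults to running the tool locally.
        [string[]]$StatusText = (dsregcmd /status)
    )
    # Collect the single-word "Key : Value" pairs the tool prints.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $aad    = $fields['AzureAdJoined']   -eq 'YES'   # device object exists in Azure AD
    $domain = $fields['DomainJoined']    -eq 'YES'   # joined to on-prem AD
    $wpj    = $fields['WorkplaceJoined'] -eq 'YES'   # Azure AD Registered (per-user)

    if     ($aad -and $domain)    { $state = 'HybridAzureADJoined' }
    elseif ($aad)                 { $state = 'AzureADJoined' }
    elseif ($domain -and $wpj)    { $state = 'DomainJoined+AzureADRegistered' }
    elseif ($domain)              { $state = 'DomainJoined' }
    elseif ($wpj)                 { $state = 'AzureADRegistered' }
    else                          { $state = 'NotJoined' }

    # Number of domain logons Windows caches for offline sign-in (10 when the
    # value is absent); this is what applies in the "no VPN, no DC" case above.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    if (-not $cached) { $cached = '10 (default)' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        JoinState         = $state
        AzureAdJoined     = $aad
        DomainJoined      = $domain
        WorkplaceJoined   = $wpj
        CachedLogonsCount = $cached
    }
}

# Constructed sample (not captured from a real device) mirroring machine type 2:
# domain joined, and Azure AD Registered because the user signed in to Office 365.
$sample = 'AzureAdJoined : NO', 'EnterpriseJoined : NO',
          'DomainJoined : YES', 'WorkplaceJoined : YES'
Get-JoinState -StatusText $sample
Get-JoinState   # live check on the current machine
```

Run it via a remote session or as an Intune/GPO script across the fleet to see which devices are already AAD Registered before pushing a join method.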