question

0 Votes
berket2020 asked Jason-MSFT commented

AutoPilot Azure Hybrid Join

Hi

I have a requirement where brand new laptops are automatically joined to the domain using autopilot. My question is around getting the machine joined to local ad without the use of vpn, if the user is outside the company network.

I wanted to confirm my understanding on this.

From what I read, the workstation can join Azure AAD over the internet (without VPN) and then, with device writeback, be visible in local AD as a machine. This process can be done using the Intune connector without the use of VPN or network connectivity with the local domain controller.

Can someone confirm if my understanding is correct?

If yes, can you then apply GPO to this machine that is written back to AD?

Thanks

Tags: mem-intune-general, mem-intune-device-configurations, mem-autopilot

1 Vote
Jason-MSFT answered Jason-MSFT commented

Kind of on the document: see https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/planning-for-cloud-native-windows-endpoints-and-modern/ba-p/2834249 and https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353. We have some more formal documentation in the final phases of coordination right now.

As for initiating the VPN, there are two ways to do this: an auto-connecting VPN or a user-initiated VPN. Either way, the VPN client must be deployed during the device phase of Autopilot. The second link above discussed this briefly and includes links to the relevant documentation. Exact details for each VPN client though are up to the VPN vendor.


Thanks @Jason-MSFT

By using AADJ this will not affect user login, correct? In other words, users can still use AD accounts to log in to their machines as long as they are synced to the cloud?

0 Votes 0 ·

Kind of. Technically, it is a completely different account, an AAD account. To the end user though, because the account is synced from AD to AAD, it will appear to them as the same account (assuming you've configured AAD Connect to do this of course and have setup pass through auth or password hash sync).

0 Votes 0 ·
1 Vote
Jason-MSFT answered berket2020 commented

From what I read, the workstation can join Azure AAD over the internet (without VPN) and then, with device writeback, be visible in local AD as a machine. This process can be done using the Intune connector without the use of VPN or network connectivity with the local domain controller.

Yes, but this is unrelated to the device writeback functionality of AAD Connect.

Joining the domain is only half the battle though. For the user to log on initially and for any group policies to be applied, line of sight to a domain controller is required -- there is no way around this, and this is the purpose of the VPN. Thus, without a VPN connection, the scenario does not fully work.

I have a requirement where brand new laptops are automatically joined to the domain using autopilot.

What's driving this requirement? We strongly encourage orgs to AADJ their new Windows endpoints and avoid HAADJ for new endpoints altogether (for a variety of reasons including complexity and reliability).



Hi @Jason-MSFT

Thank you. I am actually planning to convince the client to go AADJ. Is there an article or documentation where it talks about the advantages over HAADJ? Something I can use to convince the client. This would solve our problem.

In the event the client insists on AADJ, how exactly would we get VPN to connect during the Autopilot phase, allowing the machine to join the domain? Is this a custom image or do we need to reach out to the VPN vendor for a solution?

Thanks

0 Votes 0 ·
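The answer above makes the point that a hybrid-joined Autopilot device still needs line of sight to a domain controller before the first logon and GPO processing will work. The following PowerShell check is an added example, not code from the thread or from Microsoft: it reads the join state from `dsregcmd /status`, asks the DC locator (`nltest`) for a domain controller, and tests the Kerberos and LDAP ports to that DC. The parsing of the `dsregcmd` and `nltest` output is based on their usual text layout and is an assumption.

```powershell
# Added example (not from the thread): confirm the two things a hybrid-joined
# Autopilot device needs before first logon and GPO apply work:
#   1. the device really is domain-joined (and Azure AD joined), and
#   2. it can reach a domain controller, over the LAN or the VPN that was
#      brought up during the Autopilot device phase.
# Run in an elevated PowerShell on the endpoint.

function Get-DsRegState {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
    # Keys such as AzureAdJoined, DomainJoined and DomainName are what we need.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([\w ]+?)\s*:\s*(\S.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-DomainControllerLineOfSight {
    param([Parameter(Mandatory)][string]$Domain)
    # nltest uses the same DC locator that Winlogon and Group Policy rely on.
    $out = nltest /dsgetdc:$Domain /force 2>&1
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{ Reachable = $false; DC = $null; Detail = ($out -join ' ') }
    }
    $dc = $null
    foreach ($l in $out) {
        # Expected line shape (assumption): "   DC: \\dc01.contoso.local"
        if ($l -match '^\s*DC:\s*\\\\(\S+)') { $dc = $matches[1]; break }
    }
    if (-not $dc) {
        return [pscustomobject]@{ Reachable = $false; DC = $null; Detail = 'no DC line in nltest output' }
    }
    # Kerberos (88) and LDAP (389) are the minimum for logon and GPO processing.
    $results = foreach ($port in 88, 389) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        "$port=$($t.TcpTestSucceeded)"
        $t.TcpTestSucceeded
    }
    $allOpen = -not ($results | Where-Object { $_ -is [bool] -and -not $_ })
    return [pscustomobject]@{ Reachable = $allOpen; DC = $dc; Detail = (($results | Where-Object { $_ -is [string] }) -join ' ') }
}

$state = Get-DsRegState
"AzureAdJoined : $($state['AzureAdJoined'])"
"DomainJoined  : $($state['DomainJoined'])"
if ($state['DomainJoined'] -eq 'YES') {
    Test-DomainControllerLineOfSight -Domain $state['DomainName'] | Format-List
} else {
    'Device is not domain-joined; hybrid join has not completed on this device.'
}
```

If `DomainJoined` is YES but `Reachable` is False, the device is in exactly the state the answer describes: joined, but unable to log a domain user on or apply GPOs until a VPN or LAN path to a DC exists.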