This long awaited feature was introduced by Microsoft in okt. 2018 on Ignite. Now we can deploy a Windows 10 1809 or later via AutoPilot and automalically let that Windows 10 device make a on-prem domain join and then it transforms into a hybrid Azure AD joined device, how cool is that?!
In this scenario we will setup a Intune connector towords our Server 2016 on-Prem Active directory and Intune. Our test client will be a Windows 10 1809.
The Windows 10 devices to be enrolled must also:
- Be running on Windows 10 1809 or later.
- Have access to the internet.
- Have access to an On-prem Active Directory domain controller, so it must be connected to the organization’s network.
- The device must could resolve the DNS records for the AD domain and the AD domain controller, and with the on-prem domain controller to authenticate the user. VPN connection not supported at this time.
- You should be able to ping the domain controller of the domain you are trying to join.
- Make sure that the environment are Hybrid Azure Ad join configured
- Read how to setup a Hybrid AAD join environment here:
Lets start setting up the connector.
- First we need to download the Intune connector from our Intune Tenant.
- Log on to https://devicemanagement.microsoft.com
- Then browse to Device enrollment – Windows Enrollment and then click Intue Connector for Active Directory:
- Click on + Add:
- Click Download the on-premises Intune Connector for Active Directory and save the file on your server 2016:
Note: The file that is downloaded is called “ODJConnectorBootstrapper.exe” and looks like this:
The downloaded Intune connector needs to run on a Windows server 2016 or later and the server needs to have access to the internet and Active directory.
- Now doubleclick on the downloaded Intune connector and then Click Configure Now:
- Click Sign in:
Note: The sign in account must be a Global administrator or Intune Service Administator.
- After the sign in with a administrator with the right privileges the Intune connector is enrolled successfully – Click OK:
- Now go back to the Intune portal and hit refresh then check that the connector is Active:
Now we need to make some steps in our On-prem Active Directory for this to actually work.
- Open Active Directory Users and Computers (DSA.msc)
- Now create an Organizational Unit (OU) that has a desired name like AutoPilot domain join clients and Click OK:
- Right click on the new OU that just has been created and Click Delegate Control and then Click Next:
- Now click and and then click Object Types and mark Computer and then click OK:
- Now find and Add the computer (Server) that has the Intune Connector installed and clikc Next:
- Now click Create a custom task to delegate and click Next:
- Now mark Only the following objects in the folder and then mark Computer objects, Create selected objects in this folder, and Delete selected objects in this folder and click Next:
- Just give it all the possible permissions and click Next:
Note: Now the computer object (Server 2016) has full access to create, delete, modify etc. in the new OU structure and is ready to be used.
Back to the Intune portal for some more configuration.
- Goto Device enrollment – Windows enrollment and then click Deployment profiles:
- Now click Create profile:
- Now give it a name and click Next:
- Now select Deployment mode User-Driven and Join to Azure AD as Hybrid Azure AD joined click Next:
- Now select a group that include the AutoPilot deployed devices that should be a Hybrid AAD joined:
Note: If no group exist for this purpose then create one – Follow the next steps. “We will get back to on how to assign the group later on.“
Create a dynamic device group that AAD Hybrid joines all AutoPilot devices.
- Now go to Azure AD https://aad.portal.azure.com/ to make a new Security group for AutoPilot devices that needs to be Hybrid AAD joined.
- Give the group a Name and click Membership type Dynamic Device:
- Now click edit and add the Dynamic query
(device.devicePhysicalIDs -any _ -contains "[ZTDId]")and click OK:
- Now click Save and after then Create:
Note: To create a group that collect and include all your Autopilot devices, enter
(device.devicePhysicalIDs -any _ -contains "[ZTDId]")
- Now check that the group is created:
Now back to assigning the group to the Deployment profile under Windows Enrollment.
- Now select a group that you already has created or the new group that just was created from the steps above:
- Now click Create:
Now we just need to configure a Device configuration profile that domain joins our Windows 10 device.
- Now browse to Device configuration – Profiles and click Create Profile:
- Give the profile a Name, Description, Platform and Profile type.
- Make a Prefix that you choose and also a Domain name and type in the OU structure created earlier (This is here the AutoPilot devices will be created):
Note: You must use Fully Qualified Domain Name and the Name prefix must be like PC- etc. Organization Unit path must be in DN format.
Read more about DN format here -> https://docs.microsoft.com/da-dk/windows/win32/ad/object-names-and-identities#distinguished-name
- Click then Create:
- Now that last thing we need to do is to assign the profile to a group (We use the dynamic group created earlier that includes our “upcomming AutoPilot units”) :
Note: All new AutoPilot devices deployed will now be domain joined on your on-prem because they automatically becomes member of the group “AutoPilot ADD Hybird Joined Devices”
- Now try to make a AutoPilot deployment and check that “OOBE” experience and enrollment status page (ESP) beeing presented:
Note: You can hit Shift +F10 to get a command prompt and try to see if you can ping the domain controller of the domain you whould like to join. If you cannot ping the DC the “Setting up the device screen will timeout with a “error 80070774” after a while.
- The Windows 10 device will also be located in the newly created AutoPilot OU in our on-prem Active directory:
- Now we can login to our domain joined AutoPilot deployed Windows 10 device: