Setup Windows Autopilot with Hybrid Azure AD join – Part 1


Hi!

Wow… this is awesome! ‘Windows Autopilot with Hybrid Azure AD Join’!

Why (or when) should I use ‘Windows AutoPilot Hybrid Azure AD Join’?

Good question! 😉 Short version: when you don’t have deployment tools like WDS, MDT or SCCM running in your On-Premise environment.
With Windows AutoPilot Hybrid Join you can completely deploy your Windows 10 devices with Intune (AutoPilot) and join them to your On-Premise AD domain.

When you have set up Windows AutoPilot, you will notice that the deployed devices are ‘Azure AD Joined’. This is as expected, because there isn’t any interaction between AutoPilot and your On-Premise Active Directory. So you end up with a device that is perfectly joined to Azure AD, and all Azure/Office 365 resources work as they should, but you cannot use local resources as you would with a Domain Joined device. With Windows AutoPilot Hybrid Join you can enroll your devices with AutoPilot and join them to your On-Premise Active Directory.
Keep in mind that the devices must be connected to, and have access to, your On-Premise Active Directory (a domain controller must be reachable during deployment).

Requirements

To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:

  • A Windows Autopilot profile for user-driven mode must be created and Hybrid Azure AD joined must be specified.
  • If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
  • The device must be running Windows 10, version 1809 or later.
  • The device must be connected to the Internet and have access to an Active Directory domain controller.
  • The Intune Connector for Active Directory must be installed.

Setup/Check prerequisites:

  • Check Azure AD Mobility setup
  • Increase the computer account limit in the Organizational Unit (in On-Prem AD)
  • Create a device group (Dynamic) in Azure AD
  • Register Autopilot devices that are already enrolled (Convert all targeted devices to Autopilot)
  • Create and assign an Autopilot deployment profile (Assign it to the Device group)
  • Turn on the enrollment status page (optional)
  • Create and assign a Domain Join profile (Assign it to the Device group)

Check if your Azure AD has Mobility (MDM/MAM) configured for Microsoft Intune
You will find these settings via Azure Active Directory -> Mobility (MDM and MAM) -> Microsoft Intune

Increase the computer account limit in the Organizational Unit (in On-Prem AD)
The Intune Connector for Active Directory creates the Autopilot-enrolled computers in the On-Premises Active Directory domain. The computer account of the server hosting the Intune Connector must therefore have the right to create computer objects in the target OU of the domain. More info on how to do this here
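As an added example (not from this post), here is one way to delegate that right with PowerShell and read the ACL back to verify it; the OU DN and the connector server name are placeholders, the ActiveDirectory module is assumed to be available, and granting delete alongside create is an assumption of the example, not something the post states.

```powershell
# Added example: delegate 'create/delete computer objects' in the Autopilot OU
# to the computer account of the server that runs the Intune Connector.
# Placeholders: $OuDn and $ConnectorHost must be replaced with your own values.
Import-Module ActiveDirectory

$OuDn          = 'OU=Autopilot,DC=contoso,DC=com'   # placeholder target OU
$ConnectorHost = 'INTUNECONNECTOR01'                # placeholder connector server

# schemaIDGUID of the 'computer' class: limits the ACE to computer objects only
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Resolve the connector server's computer account to its SID
$connector = Get-ADComputer -Identity $ConnectorHost
$sid = [System.Security.Principal.SecurityIdentifier]$connector.SID

# Create + delete child objects of class 'computer' (delete is an assumption here)
$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Apply the ACE to the OU via the AD: drive provided by the ActiveDirectory module
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: show only the ACEs on the OU that apply to the connector's computer account
Get-Acl -Path "AD:\$OuDn" |
    Select-Object -ExpandProperty Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
```

Scope the delegation to the dedicated Autopilot OU rather than the domain root, so the connector account can only create computers where the Domain Join profile points.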

Create a Device Group (Dynamic) with all your Autopilot devices:
In Azure Active Directory create a new Device Group (Dynamic) for Autopilot-enrolled devices. Use an advanced rule to dynamically fill the group with devices enrolled via Autopilot.
Example query for all Autopilot devices: (device.devicePhysicalIds -any _ -contains "[ZTDId]")

Register Autopilot devices that are already enrolled (Convert all targeted devices to Autopilot)
Enable ‘Convert all targeted devices to Autopilot’ on your existing Deployment Profiles, so devices which are factory-reset/reinstalled will also benefit from the new AutoPilot features.

Create and assign an Autopilot deployment profile (Assign it to the Device group)
Go to the Azure Portal and Select the Intune Blade, and select ‘Device Enrollment’ -> ‘Windows Enrollment’. Select ‘Deployment Profiles’:

Create a Deployment Profile with: Join to Azure AD as: ‘Hybrid Azure AD joined’:

Assign the Dynamic Group (the Windows 10 AutoPilot Device Group) to the Deployment Profile:

Turn on the enrollment status page (optional)
Optionally, go to the Azure Portal and select the Intune blade, then select ‘Device Enrollment’ -> ‘Windows Enrollment’. Select ‘Enrollment Status Page’:

Create an Enrollment Status Page:

Create and assign a Domain Join profile (Assign it to the Device group)
Go to the Azure Portal and select the Intune blade, then select ‘Device Configuration’ -> ‘Profiles’ and create a new Profile (Platform = Windows 10, Profile type = Domain Join).

Give your computers a prefix name. NOTE: Azure will add a unique, random 4-character sequence to the computer name,
enter your Active Directory domain name (FQDN),
Optional: Organizational Unit (OU) if applicable, enter the DN (Distinguished Name):

Assign the Profile to the Windows AutoPilot Dynamic Group:


Install the Intune Connector for Active Directory

Go to the Azure Portal and Select the Intune Blade, and select ‘Device Enrollment’ -> ‘Windows Enrollment’. Select ‘Intune Connector for Active Directory’:

Select the Download link, and save the installer:

Copy the installer to your server (On-Premise) and install it:
NOTE: Run the installation as an Administrator!

Select ‘Configure now’:

Sign in with an Azure Global admin account:


Check the Event Log on the server (Applications and Services Logs -> ODJ Connector Service) to confirm the connector registered successfully:


Now you are all set to enroll your devices into AutoPilot and join them to your On-Premise domain! But first you will need to import your devices.
Go to the Azure Portal and Select the Intune Blade, and select ‘Device Enrollment’ -> ‘Windows Enrollment’. Select ‘Devices’ -> ‘Import’:

NOTE: You can create a CSV for existing devices via a PowerShell script created by Michael Niehaus here (read full details here).

In my TestLab I’m using Hyper-V VMs. I have created a separate VHD(x) file and inserted the AutoPilot PowerShell script, assigned the VHD(x) to the Windows 10 VM, hit Shift-F10 on the first OOBE screen, extracted the HardwareID etc. and uploaded the CSV to Azure/Intune:


So, that’s it for now. In Part 2 I will show you how things are done on the Windows 10 AutoPilot Deployment.

Regards,

Pieterbas



Refs:

https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Autopilot-Hybrid-Azure-AD-join-and-automatic/ba-p/286126

https://docs.microsoft.com/en-us/intune/windows-autopilot-hybrid

https://blogs.technet.microsoft.com/mniehaus/2017/12/12/gathering-windows-autopilot-hardware-details-from-existing-machines/

https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo/1.3