Applicable to Windows 10, version 1809 and later, here’s an overview of how Windows Autopilot Hybrid Azure AD join works. Assuming that the devices are registered with Windows Autopilot, a Hybrid Azure AD Autopilot deployment profile has been created and the Intune Connector for Active Directory is installed, we’re good to go.
1) When a user unboxes and powers on the new device, its hardware ID is sent to the Windows Autopilot Deployment Service.
2) The Windows Autopilot Deployment Service responds with the Autopilot profile. This profile tells the device that it needs to perform a Hybrid Azure AD join instead of a plain Azure AD join.
3) The device then enrolls in Intune.
4) Intune uses the connector to talk to the on-prem domain controller and pre-create a computer object there. In doing so it generates what’s known as an offline domain join (ODJ) blob.
5) That blob is sent back to the machine and applied while the device is still going through OOBE, and with that the device is joined to the domain: the offline domain join blob is a machine credential that allows the device to join your domain.
6 & 7) The catch in this scenario is that your machine must be on the corporate network, with direct access to the on-prem DC.
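To make steps 4 to 6 concrete, here is the offline domain join mechanism the connector automates, done by hand with djoin.exe so both halves of the exchange are visible. This is an added example, not code from the original post or from the Intune Connector; the domain corp.contoso.com, the OU "Autopilot Devices" and the machine name LABDEMO-0001 are lab placeholders.

```powershell
# Added example: the two halves of an offline domain join (ODJ) with djoin.exe.
# The Intune Connector performs the provisioning half as its own computer
# account and Intune delivers the blob to the device during OOBE.
# Assumed placeholder values for this lab (not from the post):
$Domain    = 'corp.contoso.com'
$MachineOU = 'OU=Autopilot Devices,DC=corp,DC=contoso,DC=com'

function New-OdjBlob {
    # Step 4 equivalent. Run on a domain-joined server whose account may create
    # computer objects in the target OU. djoin creates the computer object and
    # writes a blob holding the new machine account's credential to $BlobFile.
    param(
        [Parameter(Mandatory)] [string] $MachineName,
        [Parameter(Mandatory)] [string] $BlobFile
    )
    djoin.exe /provision /domain $Domain /machine $MachineName /machineou $MachineOU /savefile $BlobFile
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # The blob is a machine credential: whoever holds it can join a device to the
    # domain as $MachineName. Limit the file to Administrators until it is used.
    $acl = Get-Acl -Path $BlobFile
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited, broader ACEs
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'Allow')))
    Set-Acl -Path $BlobFile -AclObject $acl
    Get-Item -Path $BlobFile
}

function Install-OdjBlob {
    # Step 5 equivalent. Run elevated on the new device. The blob is applied to
    # the local OS and the join takes effect at the next reboot; signing in with
    # a domain account afterwards still needs line of sight to a DC (steps 6 & 7).
    param([Parameter(Mandatory)] [string] $BlobFile)
    djoin.exe /requestODJ /loadfile $BlobFile /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
    Remove-Item -Path $BlobFile -Force     # the credential is consumed; do not leave it on disk
}

# On the provisioning server:
#   New-OdjBlob -MachineName 'LABDEMO-0001' -BlobFile (Join-Path $env:TEMP 'LABDEMO-0001.odj')
# Copy the file to the device, then on the device:
#   Install-OdjBlob -BlobFile 'C:\Temp\LABDEMO-0001.odj'
```

The point worth keeping in mind from this exchange is that the blob is a machine credential, not configuration: in the Autopilot flow it travels through Intune to the device, and any copy you make while troubleshooting should be treated like a password.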
Prerequisites
- On-premises Active Directory
- Intune Connector software
- Hybrid Azure AD join configured
- Automatic enrollment for Microsoft Intune enabled in Azure AD
- Windows Autopilot enabled devices with a deployment profile assigned
- Domain Join device configuration profile configured in Microsoft Intune
- Device must have access to the internet
- Access to Active Directory – local LAN connection (access through a VPN connection is not supported)
Configure the Intune Connector for AD
First, download the on-premises Intune Connector for Active Directory from your Azure portal: go to Microsoft Intune > Device enrollment – Windows enrollment > Intune Connector for Active Directory, then install it on your on-prem server. In my case, I am installing it on my Domain Controller, DC01.
Then go ahead and download the Intune Connector for Active Directory.
On your on-prem server, install the Intune Connector for Active Directory.
Go through and complete the installation.
At the Sign In step, enter the credentials of a user with the Global Administrator or Intune Administrator role.
Note: The user account must have an assigned Intune license.
Back in Intune, you’ll see DC01 listed under Intune Connector for Active Directory.
Preparing your On-premises Active Directory
- In Active Directory Users and Computers, create an Organizational Unit and name it something like Autopilot Devices or Autopilot Domain Join.
- Next, delegate rights to the server the Intune Connector is installed on so that it has the privilege to create computer objects in AD. Again, in this scenario I’m using my Domain Controller, DC01.
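The same two preparation steps, scripted with the ActiveDirectory module so the delegation is explicit and reviewable. This is an added example and not the author's procedure; it assumes an OU named "Autopilot Devices" directly under the domain root and a connector host named DC01 (the connector service runs as LocalSystem, so it authenticates to AD as the host's computer account, DC01$). The schema GUID used for the computer class is the standard one, bf967a86-0de6-11d0-a285-00aa003049e2.

```powershell
# Added example: create the Autopilot OU and delegate to the connector host's
# computer account only what it needs in that OU. Placeholder values for this
# lab (not from the post): OU name and connector host.
Import-Module ActiveDirectory

$OuName        = 'Autopilot Devices'
$ConnectorHost = 'DC01'
$DomainDN      = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=contoso,DC=com
$OuDN          = "OU=$OuName,$DomainDN"

# 1) Create the OU if it is missing and protect it from accidental deletion.
$existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2) Delegate, scoped to this OU:
#      - create and delete child objects of class "computer"
#      - full control over computer objects that will live under the OU
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schema GUID of class "computer"
$sid = (Get-ADComputer -Identity $ConnectorHost).SID               # the connector authenticates as DC01$

$acl = Get-Acl -Path "AD:\$OuDN"

# Create/delete computer objects in the OU (and sub-OUs).
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Full control, but only on descendant objects of class "computer".
$fullOnComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullOnComputers)
Set-Acl -Path "AD:\$OuDN" -AclObject $acl

# 3) Read back what the connector account was actually granted on the OU.
$account = $sid.Translate([System.Security.Principal.NTAccount]).Value   # e.g. CORP\DC01$
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Two things to note. With the connector on a domain controller, as in this walkthrough, the delegation changes nothing in practice because the DC's account already has far broader rights; on a dedicated member server it is what keeps the connector's reach limited to this one OU, which is the arrangement a practitioner would normally prefer. And the rights above are exactly the ones the connector needs to pre-create computer objects, so the read-back in step 3 is a quick way to confirm nothing wider was granted by mistake.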
Create Windows Autopilot Domain Join Profile
Go to Device enrollment – Windows enrollment > Windows Autopilot deployment profiles and create a new profile.
Assign the profile to groups; in this case it’s the “All autopilot enabled device” group.
Create and assign a Domain Join profile
In Device Configuration – Profiles, create a new profile. Select Windows 10 or later and Domain Join (Preview).
- Enter a Name, like, LABDEMO Windows 10 Domain Join
- Enter a Description
- In the Platform drop down menu select Windows 10 and later
- In the Profile type select Domain Join (preview)
- On the Domain Join (Preview) page, provide the computer name prefix, the domain name, and the OU, in DN format, where the computer object will be created.
Then, the next time a device goes through the Windows Autopilot setup, it will be prompted to sign in to the on-prem domain.
Back in Intune, you can confirm that the device’s Join Type is Hybrid Azure AD joined.
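Two checks that complement the Intune view of the result, added here as an example rather than taken from the post: one runs on the device and parses dsregcmd /status to confirm the join state, the other runs where the ActiveDirectory module is available and lists what the connector pre-created in the OU. It assumes the OU "Autopilot Devices" in corp.contoso.com and the computer name prefix "LABDEMO-", both lab placeholders.

```powershell
# Added example: verify the hybrid join from the device and from AD.
# Placeholder values for this lab (not from the post): OU DN and name prefix.

function Get-DsRegStatus {
    # Turn the "   Key : Value" lines of dsregcmd /status into a hashtable;
    # header and separator lines without a colon are skipped.
    $status = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(?<key>[^:]+?)\s*:\s*(?<value>.*)$') {
            $status[$Matches.key] = $Matches.value.Trim()
        }
    }
    return $status
}

function Test-HybridAzureAdJoin {
    # Hybrid Azure AD joined means joined to on-prem AD AND registered in Azure AD.
    $s = Get-DsRegStatus
    [pscustomobject]@{
        DomainJoined  = $s['DomainJoined']
        DomainName    = $s['DomainName']
        AzureAdJoined = $s['AzureAdJoined']
        TenantName    = $s['TenantName']
        HybridJoined  = ($s['DomainJoined'] -eq 'YES') -and ($s['AzureAdJoined'] -eq 'YES')
    }
}

# Run on the device after the Autopilot sign-in and first reboot.
Test-HybridAzureAdJoin

# Run where the ActiveDirectory module is available: list the computer objects
# the connector created in the OU, newest first, so stale or unexpected names
# (for example, objects that never logged on) stand out.
Import-Module ActiveDirectory
$OuDN = 'OU=Autopilot Devices,DC=corp,DC=contoso,DC=com'
Get-ADComputer -SearchBase $OuDN -Filter 'Name -like "LABDEMO-*"' -Properties whenCreated, lastLogonTimestamp |
    Select-Object Name, whenCreated,
        @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } } |
    Sort-Object whenCreated -Descending
```

If AzureAdJoined is YES but DomainJoined is NO, the device ended up with a plain Azure AD join, which usually points at the deployment profile (the wrong join type or group assignment) rather than at the connector. A computer object that exists in the OU but never shows a last logon is the typical sign of a device that received its blob but could not reach a DC during OOBE, the constraint called out in steps 6 and 7 above.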