Thanks Michael for a great post!
We've ripped off the band-aid and we'll go full AADJ. We'll see how that works for us.
Remaining gaps:
- Large gap: Machine-based Kerberos auth: This issue you mentioned above is critical to the Microsoft Network Policy Server (RADIUS) servers that provide our users connectivity to Corp Wifi. There is no Microsoft solution to make this work, just 3rd party PowerShell scripts to artificially sync 'stubs' back on-premises
- Reg settings (1st party or 3rd party) that aren't in Intune yet: Right now, ADMX ingestion is ugly, so I instead set them with a recurring PowerShell (remediation script in Intune: New-ItemProperty). (How does MS determine what settings people use or not? Are you keeping metrics of what settings people ingest?)
- Logon scripts: There are still needs for 'mapped drives'. We'll retire on-prem file shares in the next 5-10 years. But, in the meantime, we had to write custom PowerShell scripts to read AD and grab the homeDirectory value for each user. (Yes, we use OneDrive with KFM/Teams/SharePoint)
- GPOs using item level Preference 'targeting': There is a lot of power in targeting specific attributes of a user, their AD group, AD site (from subnet), such as targeting site printers to auto-install if a user is at a specific location. I have no easy workaround, other than telling people to hunt for printers manually to install
- File-based copies from NetLogon/SYSVOL: I realize the alternative is Azure blob storage. I instead used PowerShell (remediation scripts) in Intune to ensure a set of local files is always kept up to date ("Teams Backgrounds", "safesenders" for Outlook, 3rd party GPO 'xml' file).
AutoPilot:
- Troubleshooting ESP failures is very difficult. Logs and Event Viewer are cryptic at best. (Example: Tell me the display name of the app that failed to install on the ESP, or even in an event log would be nice.)
- Since Microsoft Endpoint Manager is the 'same brand', as a customer I'd expect both MECM agent + Intune to work nicely together. Having a single recommended and supported way to install MECM agent during AutoPilot (AADJ or HAADJ) would be nice.
====
Yes, we plan to continue using AutoPilot.
But, if you asked me "what would have saved us 75% of our adoption timeline?" or "what made you almost give up on AAD and AutoPilot?", it would be the items/limitations above.
Thanks for the informative post!
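The recurring registry-setting approach the commenter describes (an Intune remediation using New-ItemProperty) follows the detection/remediation pattern shown below. This is an added example, not the commenter's own script: the registry key path, value name and data are constructed placeholders, and it assumes the scripts run as SYSTEM in 64-bit PowerShell under Intune remediations. Detect.ps1 and Remediate.ps1 are shown in one block separated by comment headers; split them into two files (copying the shared variables and functions into both) before uploading.

```powershell
# Added example of an Intune remediation pair that keeps a registry value at a desired state.
# All three values below are constructed placeholders, not settings from the comment above.
$KeyPath   = 'HKLM:\SOFTWARE\Contoso\Policies\Example'   # placeholder key (hypothetical)
$ValueName = 'ExampleSetting'                             # placeholder value name (hypothetical)
$Desired   = 1                                            # desired DWORD data (constructed)

function Test-RegistrySetting {
    # Returns $true only when the key exists, the value exists and the data matches.
    param([string]$Path, [string]$Name, [int]$Expected)
    try {
        # Get-ItemProperty throws when the key or value is missing; that counts as non-compliant.
        $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
        return ($current -eq $Expected)
    } catch {
        return $false
    }
}

function Set-RegistrySetting {
    # Creates any missing parent keys, then writes (or overwrites) the DWORD value.
    param([string]$Path, [string]$Name, [int]$Data)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null          # -Force creates intermediate keys
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Data -Force | Out-Null
}

# ===== Detect.ps1 =====
# Intune reads the exit code: 0 = compliant (no remediation), 1 = run the remediation script.
if (Test-RegistrySetting -Path $KeyPath -Name $ValueName -Expected $Desired) {
    Write-Output "Compliant: $ValueName = $Desired"
    exit 0
}
Write-Output "Non-compliant: $ValueName missing or not $Desired"
exit 1

# ===== Remediate.ps1 =====
# Apply the setting, then re-check so a failed write surfaces in the Intune remediation status.
Set-RegistrySetting -Path $KeyPath -Name $ValueName -Data $Desired
if (Test-RegistrySetting -Path $KeyPath -Name $ValueName -Expected $Desired) {
    Write-Output "Remediated: $ValueName = $Desired"
    exit 0
}
Write-Output "Remediation failed: $ValueName still not $Desired"
exit 1
```

Keeping the write in the remediation script and the check in the detection script (rather than writing unconditionally on every run) means the Intune report shows which devices drifted, which is the signal you want when tracking down what is resetting a value.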