UPDATE ON THIS POST: I was having problems with getting this to work because the computer name in the Domain Join profile had %serial%; once I removed that I was able to join a computer to my AD domain over the internet. As a suggestion, maybe the MS docs should be updated to explicitly say that macros like this are not supported in the domain join profile.
Intune_Support_Team, visiting the https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-autopilot-hybrid page and looking at the https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid#prerequisites, it says:
The device to be enrolled must follow these requirements:
- Use Windows 10 v1809 or greater.
- Have access to the internet (https://docs.microsoft.com/en-us/mem/autopilot/networking-requirements).
- Have access to an Active Directory domain controller. The device must be connected to the organization's network so that it can:
  - Resolve the DNS records for the AD domain and the AD domain controller.
  - Communicate with the domain controller to authenticate the user.
  - Successfully ping the domain controller of the domain you're trying to join.
  - If using Proxy, WPAD Proxy settings option must be enabled and configured.
- Undergo the out-of-box experience (OOBE).
- Use an authorization type that Azure Active Directory supports in OOBE.
When you go to https://docs.microsoft.com/en-us/mem/intune/configuration/domain-join-configure to understand creation of the domain profile for the AD domain join, it does not mention a requirement to have line of sight to the on-prem domain controller.
With these two points, what are the requirements to establish an offline domain join scenario? The prerequisites above for a hybrid Azure AD device say the device requires line of sight to the domain controller. I do understand that for the user to complete the first login to the device, the domain controller must be reachable because there is no cached profile on the device. But to actually have the hybrid device show up in Active Directory in the Computers OU (or one you specify) for a Hybrid Azure AD device, do you need to be able to communicate with the domain controller or not? In https://youtu.be/WnuBwwfYu4k?t=1108 from Michael Niehaus it's clearly indicated that line of sight to the domain controller is not required, so which is it?
Is there a Microsoft docs.microsoft.com link that clearly indicates the offline domain join requirements for a Hybrid Azure AD device?
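An added pre-flight check (not from the original post or from Microsoft's documentation) for the domain-controller reachability prerequisites quoted above: it resolves the DC locator SRV record for the domain, then pings each controller and probes the ports a domain join uses. The domain name is supplied by the caller, and the port list is an assumption of this script; it does not answer the cached-profile question in the post.

```powershell
# Added example, not part of the original post. Run on a Windows device on the
# network you intend to enroll from. 'corp.example.com' is a placeholder domain.
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainName   # e.g. corp.example.com (placeholder)
)

function Test-DcLineOfSight {
    param([string]$DomainName)

    $result = [ordered]@{ Domain = $DomainName; DnsOk = $false; Controllers = @(); Reachable = @() }

    # 1. "Resolve the DNS records for the AD domain and the AD domain controller":
    #    the DC locator SRV record is what a domain join looks up first.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $result.DnsOk = (@($srv).Count -gt 0)
        $result.Controllers = @($srv | Select-Object -ExpandProperty NameTarget -Unique)
    } catch {
        Write-Warning "SRV lookup for $DomainName failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. "Successfully ping the domain controller", plus the ports a join needs
    #    (assumed here): Kerberos 88, LDAP 389, SMB 445.
    foreach ($dc in $result.Controllers) {
        $ping  = Test-Connection -ComputerName $dc -Count 1 -Quiet
        $ports = foreach ($p in 88, 389, 445) {
            (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        $result.Reachable += [pscustomobject]@{
            DomainController = $dc
            Ping             = $ping
            AllPortsOpen     = ($ports -notcontains $false)
        }
    }
    return [pscustomobject]$result
}

Test-DcLineOfSight -DomainName $DomainName | Format-List
```

If DnsOk is false, the device cannot even locate a controller, which is the first prerequisite in the list above; if ping fails but the ports succeed, ICMP may simply be filtered on the path.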