Intune in a hybrid AD environment, joining computers only to cloud.

Question

Currently in the planning and testing phase of deploying intune to our facility. Some quick pertinent facts:

Hybrid AD
manufacturing
300ish users, 20 remote users included
Split win10 and win11
Archaic LOB software that requires hand configuration each time
Getting intune+autopilot ready so we can roll out win11 laptops to office workers as easily as possible.
going full cloud AD is on the roadmap, but not imminent.

I've consulted with some other sys-admins, and they've recommended making sure that the laptops are only entra joined, as there are limits as to what you can do with autopilot for hybrid devices.

I've been reading through the documentation, and have been getting dead links everywhere, as well as no clear path forward. I've gotten some test devices, set up during OOBE by logging in with a domain account, that when prompted with the dsregcmd I get the following results.

+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

AzureAdJoined : NO
EnterpriseJoined : NO
DomainJoined : YES
DomainName : [DOMAIN NAME]
Device Name : [DEVICE NAME]

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

NgcSet : NO
WorkplaceJoined : YES
WorkAccountCount : 1
WamDefaultSet : NO

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

AzureAdPrt : NO
AzureAdPrtAuthority : NO
EnterprisePrt : NO
EnterprisePrtAuthority : NO

+----------------------------------------------------------------------+
| Work Account 1 |
+----------------------------------------------------------------------+

WorkplaceDeviceId : 7d32ce6a-d808-40e1-9b62-364cfe721c4a
WorkplaceThumbprint : D154009D6F6BEF2F1BE65CDCFCC3ACAD1ED9E560
DeviceCertificateValidity : [ 2023-11-09 17:08:45.000 UTC -- 2033-11-09 17:38:45.000 UTC ]
KeyContainerId : ebbd8f5a-ce98-4859-a071-6d46811a17f1
KeyProvider : Microsoft Platform Crypto Provider
TpmProtected : YES
WorkplaceIdp : login.windows.net
WorkplaceTenantId : 1bb841c5-79dd-4f6f-8ffa-1c73e03e5ab1
WorkplaceTenantName : ~
WorkplaceMdmUrl :
WorkplaceSettingsUrl :
NgcSet : NO

+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+

Diagnostics Reference : www.microsoft.com/aadjerrors
User Context : UN-ELEVATED User
Client Time : 2023-11-09 19:00:10.000 UTC
AD Connectivity Test : PASS
AD Configuration Test : FAIL [0x80070002]
DRS Discovery Test : SKIPPED
DRS Connectivity Test : SKIPPED
Token acquisition Test : SKIPPED
Fallback to Sync-Join : ENABLED

Previous Registration : 2023-11-09 18:59:50.000 UTC
Error Phase : discover
Client ErrorCode : 0x801c001d
Executing Account Name : [domain account, domain account]

+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+

Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+

Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

IsDeviceJoined : NO
IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision

For more information, please visit https://www.microsoft.com/aadjerrors

h3nk13t · Answer

Hi,Looks like a domain joined device instead of azure only.How did you deploy Windows? How is Entra Sync setup for devices?

deleted · Answer

It seems there might be a slight confusion in terminologies. As of my last knowledge update in January 2022, there isn't a specific technology or service called "Entra Sync" directly associated with Microsoft or common IT deployment practices. However, I'll provide guidance on deploying Windows in a typical scenario using Microsoft Endpoint Manager (Intune) and Azure AD.

Deploying Windows with Microsoft Endpoint Manager (Intune) and Azure AD:

Azure AD Hybrid Join:

Ensure that your on-premises Active Directory is synchronized with Azure AD using Azure AD Connect.
Configure Azure AD Hybrid Join to allow devices to be joined to both your on-premises AD and Azure AD.

Intune Enrollment:

Enroll devices in Intune for management. This can be done during the initial device setup or later by pushing the Intune MDM profile to devices.
Devices can be enrolled manually or automatically based on user or device groups.

Autopilot Configuration:

Set up Autopilot profiles in the Microsoft Endpoint Manager admin center.
Define the configuration settings, naming conventions, and deployment mode (user-driven, self-deploying, etc.) in the Autopilot profile.

Deploying Windows 11:

Once devices are enrolled and Autopilot profiles are configured, initiate the deployment of Windows 11 through the Autopilot process.
During the deployment, the Autopilot profile settings will be applied, and the device will be joined to Azure AD.

Configuration Profiles:

Utilize Intune configuration profiles to enforce settings and configurations on the deployed Windows devices.
Configure security settings, compliance policies, application deployments, and other configurations as needed.

Monitoring and Troubleshooting:

Regularly monitor the Intune console for device status, compliance, and any deployment issues.
Use the Intune troubleshooting tools and logs to identify and resolve any issues during the deployment process.

If I have answered your question, please mark your post as Solved

If you like my response, please give it a Like

Appreciate your Kudos! Proud to contribute!

h3nk13t · Answer

https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-syncChatgpt has flaws...

h3nk13t · Answer

But maybe it can help:ChatGPTIt looks like you've provided detailed information about the current state of a test device in your environment. From the information you've shared, the device is currently domain-joined but not Azure AD-joined. Here are some observations and recommendations:AD Configuration Test Failure [0x80070002]: The AD Configuration Test has failed with error code 0x80070002. This error typically indicates that the device couldn't find the required information to complete the Azure AD registration. Make sure that the device can reach the Azure AD endpoints and that there are no network or DNS issues.AzureAdJoined and EnterpriseJoined are both NO: This indicates that the device is not Azure AD-joined or Hybrid Azure AD-joined. For Autopilot and Intune to work seamlessly, you'll want the devices to be Azure AD-joined.WorkplaceJoined is YES: This indicates that the device is Workplace Joined. Workplace Join is a deprecated feature, and Azure AD Join is the recommended approach. If you are planning to move towards a modern management approach with Autopilot and Intune, it's advisable to transition to Azure AD Join.NgcSet is NO: NGC (Next Generation Credentials) set to NO indicates that Windows Hello for Business might not be set up on the device. This could be a consideration if you plan to use features like Windows Hello for Business in your deployment.Diagnostic Data: The AD Configuration Test failure and error code 0x80070002 need to be investigated further. Ensure that the device can communicate with Azure AD, and check for any network or DNS issues that might be preventing a successful Azure AD registration.IE Proxy Config and WinHttp Default Proxy Config: Ensure that proxy configurations are not causing issues with Azure AD communication. In some cases, proxy settings might interfere with the Azure AD registration process.Fallback to Sync-Join is ENABLED: This is configured to allow devices to fall back to traditional AD join if Azure AD join is not successful. While this can be a temporary measure, ideally, you'd want devices to successfully Azure AD join for a modern management approach.Link for Diagnostics Reference: The link provided in the diagnostic data can be visited for more information on specific error codes and troubleshooting steps.In summary, to prepare your environment for Autopilot and Intune in a hybrid AD scenario, focus on resolving the Azure AD Configuration Test failure, transition from Workplace Join to Azure AD Join, and ensure that NGC and other prerequisites are met for a smooth deployment. Investigate the network connectivity and DNS resolution to Azure AD endpoints. Regularly check Microsoft's official documentation for the latest information and best practices in deploying Intune and Autopilot.

Forum Discussion

Intune in a hybrid AD environment, joining computers only to cloud.

Share

Resources