Two Ways To Enable Hybrid AAD Join Mode For A Controlled Deployment
Shehan,
Thank you for your response.
Your Response
1. For Autopilot to complete, you don't need to enable Hybrid AAD Join (HAADJ) mode. You only need HAADJ if you have an on-premises AD which you need your Autopilot'ed machines to be joined to afterwards. If not, they will be joined as AAD Joined to Azure AD. If you need to add devices to on-prem and join them as HAADJ to Azure AD, then create the Domain Join profile, make sure you assign the Autopilot'ing device group to it, and install the Intune Connector on an on-prem server.
My Response - They are joining as AAD, but I do not see them in the Active Directory OU where we have specifically mentioned that these machines should be added, with the delegation of permissions to both Intune Connectors as per this article.
https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid
We have set up the Intune Connectors and delegated permissions. But I do not see the objects in AD. Also, the machine keeps spinning and we get the following error: "Something went wrong" with error code 80070774.
Based on this error I went and checked, and we have both Intune servers ACTIVE. But one thing I noticed is that when we delegated permissions and gave full control as per the document above, I manually checked each server's permissions and it had only special permissions, not full permissions, as shown in this diagram. I just enabled full permissions here to see if that would help when we rejoin.
Question 2
The device is not joining the domain but I see the device in Azure even though I have specified in the configuration profile Hybrid Azure AD.
The object should be seen in the OU where we have delegated that these Autopiloted devices should be joining. I am not seeing the object, so I wondered whether it could be due to the permissions which I mentioned in my Question 1 response.
Question 3
3. If Hybrid Azure AD configuration needs to be enabled on the Azure AD Connect server, will this affect any devices on-prem? I do not want thousands of machines moving to Azure AD.
It depends on how you want to enable it. How are your AD OUs syncing with Azure AD, i.e. what is the sync scope?
a - Do you have only a set of OUs that are syncing, or
b - Do you have your whole AD syncing, with all the OUs?
Answer below:
I have only one OU where the Intune Connectors are delegated.
COMPUTERS
  AID
  BEC
  AutoPilot Domain Join ---- so only this OU under the COMPUTERS OU is getting synced.
I tried doing the same process again and I see only this under devices, but it is not showing up in the AD OU where the object should go. And I am getting the same error message "Something went wrong" with error code 80070774. Based on one article, I was told to unassign the user from the device and try again, and it should work, but I tried unassigning the user and it did not do anything, nor did it add the device to Endpoint.
Hi oryxway,
1. Have you created the Device Profile called "Domain Join"? This is where you specify the domain information.
About the Intune Connector - My advice is to go through the Microsoft Official document and configure the permissions.
2. Looks like you have selected the OU which has been set up for Autopilot, which is the controlled method.
Hope you have seen this already: http://stevehardie.com/2021/04/windows-autopilot-error-code-80070774/
A few things you can check:
* Run dsregcmd /status on the user's computer to understand the join mode https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
* User who is enrolling the device needs to have proper licensing that covers Intune
* MDM user scope should be Some or All, and that scope should capture the end user who is enrolling the device
* No proxy or firewall blocks https://docs.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints
Shehan.
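The checks Shehan lists above (join state via dsregcmd /status, endpoint reachability, and the OU delegation oryxway suspects) can be gathered in one run. The script below is an added example for readers of this thread, not code posted by either participant or by Microsoft. It assumes the ActiveDirectory PowerShell module is available for the OU check, that the endpoint host names are a subset of the ones in the Intune endpoints document linked above (verify against that document), and the OU distinguished name and connector server names in the usage lines at the bottom are placeholders to replace with your own.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell.
# Sections 1 and 2 are meant for the affected device; section 3 for an
# admin host that can load the ActiveDirectory module.

# 1. Join state: parse the "Key : Value" lines of dsregcmd /status into a table.
function Get-JoinState {
    $state = @{}
    dsregcmd /status | ForEach-Object {
        # Key is everything before the first colon; value is the rest (may itself contain colons).
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.*)$') { $state[$Matches[1]] = $Matches[2].Trim() }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined']   # YES on AAD-joined and hybrid-joined devices
        DomainJoined  = $state['DomainJoined']    # YES only once the on-prem domain join succeeded
        DomainName    = $state['DomainName']
        TenantName    = $state['TenantName']
    }
}

# 2. Endpoint reachability on TCP 443. Host list is an assumed subset of the
#    Intune/Autopilot endpoints document; extend it from that document.
function Test-IntuneEndpoints {
    $hosts = @(
        'login.microsoftonline.com',
        'enrollment.manage.microsoft.com',
        'portal.manage.microsoft.com',
        'ztd.dds.microsoft.com',
        'cs.dds.microsoft.com'
    )
    foreach ($h in $hosts) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Port443Open = $r.TcpTestSucceeded }
    }
}

# 3. OU delegation: does each Intune Connector server's computer account hold
#    Full Control (GenericAll) on the target OU, or only "special" rights?
function Test-ConnectorOuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string[]]$ConnectorComputerNames
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($name in $ConnectorComputerNames) {
        $sid = (Get-ADComputer -Identity $name).SID
        # Match ACEs by SID so DOMAIN\SERVER$ naming differences do not matter.
        $aces = $acl.Access | Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
        }
        $hasFull = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $full) -eq $full })
        [pscustomobject]@{
            Connector      = $name
            AceCount       = @($aces).Count
            HasFullControl = $hasFull
            Rights         = (($aces | ForEach-Object { "$($_.ActiveDirectoryRights)" }) -join '; ')
        }
    }
}

# Usage (placeholders: replace the DN and server names with your own values).
Get-JoinState
Test-IntuneEndpoints | Format-Table -AutoSize
Test-ConnectorOuDelegation `
    -OuDistinguishedName 'OU=AutoPilot Domain Join,OU=COMPUTERS,DC=PLACEHOLDER,DC=local' `
    -ConnectorComputerNames 'CONNECTOR01', 'CONNECTOR02' | Format-Table -AutoSize
```

Reading the output: a device stuck with AzureAdJoined YES but DomainJoined NO has completed the Azure AD side and is waiting on the offline domain join blob, which is exactly the state the ODJ connector and OU permissions govern; a connector row with HasFullControl False but a non-zero AceCount is the "special permissions only" situation described earlier in the thread.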
- oryxway390, Aug 12, 2022 (Brass Contributor)
shehanjp Thank you.
Yes, I am following the MS document for Autopilot. I have the Domain Join profile configured as per the requirements. Also, I have looked at that document. I ran the PS script from oofhours.com to see what is going on. It looks like the ODJConnector blob is not being downloaded.
So there is a connectivity issue. We have opened all the network requirements as per the Microsoft suggestions and URL.
- oryxway, Aug 15, 2022 (Iron Contributor)
The machines were not showing up in the OU because the OU path was not specified correctly, but now the machines are showing up. However, it is not completing the process of enrolling the device fully and starting up. It errors out with "SOMETHING WENT WRONG" and error code 8000 4005.
Any suggestions?