Forum Discussion
Starting Wait for ODJ Blob
- Aug 12, 2022: The laptop has a connection to Endpoint Manager, gets the enrollment profile and the Intune connector is listening for Hybrid Join events. If needed, it will do an Offline Domain Join by sending the computer account blob to Endpoint Manager, which sends it to the client. There is no direct connection between the laptop and the Intune Connector needed.
Does the server which runs the Intune Connector have internet access to all the URLs mentioned in the deployment guide?
Do you have the Hybrid Azure AD Join profile assigned to the same group in which you assign a Domain Join Profile?
I think here is the problem. I see error Event ID 304 and 204 in the User Device Registration event logs. Based on this, it says that the device has to be on the internal network or on a VPN. These devices are not internal or on a VPN; they are on independent users' wireless networks.
So, I am wondering whether there is a rule that should be in place for these devices to communicate with the domain controller? I see all the other things happening fine and the device is domain joined.
https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
Step 4: Check for possible causes and resolutions
Pre-check phase
Possible reasons for failure:
The device has no line of sight to the domain controller.
The device must be on the organization's internal network or on a virtual private network with a network line of sight to an on-premises Active Directory domain controller.
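Added example, not posted in the thread: a PowerShell script that checks the two things the documentation quote above turns on, namely whether the User Device Registration log already holds the 304/204 failure events and whether the device currently has network line of sight to a domain controller. The `$Domain` value is a placeholder, and the ports tested (Kerberos 88, LDAP 389) are my assumption about what the join needs, not something the thread states.

```powershell
# Added example (not from the thread). Run on the Autopilot device that is stuck at
# "Waiting for ODJ blob" to check:
#  1. whether the User Device Registration log already shows the 304/204 failures, and
#  2. whether the device has network line of sight to a domain controller.
# $Domain is an assumed placeholder; replace it with the on-premises AD DNS name.
param(
    [string]$Domain = 'corp.example.com'   # placeholder, not from the thread
)

# 1. Recent hybrid-join failure events. 304 and 204 are the IDs mentioned in the thread.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-User Device Registration/Admin'
    Id      = 304, 204
} -MaxEvents 10 -ErrorAction SilentlyContinue

if ($events) {
    Write-Host "Found $($events.Count) hybrid-join failure events (204/304):"
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host 'No 204/304 events found in the User Device Registration log.'
}

# 2. Line-of-sight check: resolve the DC locator SRV record, then test the ports
#    assumed to be needed for the join (Kerberos TCP/88, LDAP TCP/389).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Host "Cannot resolve the DC SRV record for $Domain - no line of sight to a domain controller."
    return
}

$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
foreach ($dc in $dcs) {
    foreach ($port in 88, 389) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        $state = if ($ok) { 'reachable' } else { 'BLOCKED' }
        Write-Host ("{0,-40} TCP/{1,-4} {2}" -f $dc, $port, $state)
    }
}

# 3. The join state as Windows itself reports it.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined', 'DomainJoined', 'DomainName'
```

If the SRV lookup fails or every port shows BLOCKED, the device is in exactly the situation the quoted documentation describes: it can receive the ODJ blob from Intune but cannot complete the join, so the 304/204 events will keep appearing until the device is on the corporate network or a VPN with a route to a domain controller.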
- Aug 17, 2022: That's the purpose, but your client needs to complete the domain join on the machine using the blob file. And it can only do so when in line of sight of the Domain Controllers of your domain.
- oryxway390, Aug 17, 2022 (Brass Contributor): Isn't the purpose of the Intune Connector for Offline Domain Join to make sure that it can get the domain information and join the domain? Isn't that the reason why this blob is being sent to the device? I am kinda confused on this.
- Aug 17, 2022: I guess firewalling issues, but you did change a few things now for your deployment. You could try the office again? And those legacy applications... Are they client/server based? Can you create remote apps from them using RDS? Where is the fileserver data, are you moving to Teams? So many questions making Azure AD or Hybrid Azure AD join the option to choose...
- oryxway390, Aug 17, 2022 (Brass Contributor): We earlier tried another laptop from our office network while being inside the office; even that did not go through. So, I am going to try one more time. Well, the reason being that there are legacy applications and they want to have it Hybrid AD till we decide to move to Azure AD. How that solves it, I am not sure; I have never done Hybrid AAD, I have come from an AAD environment which was totally managed by Intune.
- Aug 17, 2022: Then this is not something that is going to work out for remote users. You will have to either stage them at work or don't use hybrid join.
I think I asked you that question many topics and replies ago: why do you want to hybrid join them? You can access fileservers, for example, with key trust and Kerberos tickets from there on out.
- oryxway390, Aug 17, 2022 (Brass Contributor): I am testing from my home, not in the office network. These are machines that are going to be shipped to users' locations and they just take it out of the box and join.
- Aug 17, 2022: You can only deploy hybrid Azure AD machines if they are on a network at an office location with a direct connection to your Domain Controller; you can't deploy machines at home. There's an exception to that rule: if you have a supported VPN client which can automatically connect to your network, then it also works, but the list of VPN suppliers that are supported isn't that big.
So... Can you deploy a windows 10/11 VM in your server network and try that just to see if that works? (Or a desktop/laptop at the office) Where are you testing now?