Windows Office Hours: November 16, 2023
Thursday, Nov 16, 2023, 08:00 AM PST
Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date ef...
Heather_Poulsen
Published Jul 11, 2023
Levin_Schalk
Nov 16, 2023
Occasional Reader
We want to configure Autopilot through Intune. We have a Hybrid Azure AD with local AD without an AD FS. We want the Autopilot devices to also join the local AD. I have set up an OU with the required permissions and set up a Gateway between Intune and local AD. The gateway shows online and Active, but no matter what we tried so far, we can't get the Autopilot device to join the local AD. It fails and we only have the option to start over.
Are there any special requirements if we don't have an AD FS, or what do I need to configure so we can use Autopilot in our Hybrid tenant?
- Jason_Sandys, Nov 16, 2023
Microsoft
Hi Levin. Can you expand on what you mean by "Gateway"? Are you referring to Azure AD Connect? Have you also set up the Intune Connector for AD? Are you also deploying a VPN client during Autopilot so that the device can connect to your on-prem AD (assuming the device is not on-prem)? Finally, can you also expand on what you mean by "Option to start over"? Also, just to call it out here, we strongly recommend avoiding this approach. Autopilot works best with Entra Joined (aka Azure AD joined) and we strongly recommend not using hybrid join with Autopilot for a variety of reasons. Cloud value is best realized with Entra joined and this aligns with all of our engineering investment and direction while also avoiding the many shortfalls of hybrid join with Autopilot. This recommendation is detailed at https://learn.microsoft.com/en-us/mem/solutions/cloud-native-endpoints/azure-ad-joined-hybrid-azure-ad-joined#which-option-is-right-for-your-organization
- Levin_Schalk, Nov 16, 2023
Occasional Reader
We have set up Azure AD Connect and the Intune Connector for AD on the same Windows Server. The synchronisation between AD and Azure AD works and the Intune Connector shows up in the Intune Endpoint Management Console. It shows as Active and working. We have successfully tested an Autopilot profile with AAD only. But we can't get the Hybrid join working. When the enrolment gets to the point of joining the local AD, it fails and the only option it lets us choose is to reset the device again. As of right now we are highly dependent on local AD management. That's why we need our devices to be hybrid. Also, we would like to use Autopilot to simplify the process of resetting old devices and setting up new ones.
- Jason_Sandys, Nov 16, 2023
Microsoft
Have you reviewed the event log for the AD Connector? This should be under Microsoft\Intune\ODJConnectorService in the Event Viewer. Also, how exactly are you determining that the join is failing? As for being heavily dependent on AD management, what exactly does that mean? Moving to Entra joined devices does not mean completely getting rid of your on-prem AD. It does involve transitioning to Entra ID and Intune for some things for sure, and it's not an all or nothing proposition for sure; however, this is the best short-term and long-term path that we strongly recommend for all new device provisioning, as this avoids a lot of "wasted" work and effort on something that we know is problematic at best and ultimately just prolongs an organization's commitment to a solution that is only meant as an interim step anyway.
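The event-log review suggested above, scripted as an added troubleshooting check that is not part of the thread: run it on the server hosting the Intune Connector for AD. The event channel and service names are matched by wildcard because their exact names are an assumption, and the OU distinguished name is a placeholder.

```powershell
# Added example (not from the thread): gather the evidence needed to diagnose a
# failing hybrid Autopilot offline domain join on the Intune Connector for AD server.
# Channel/service names are discovered by wildcard (exact names assumed, not from the thread).
$since = (Get-Date).AddHours(-24)

# 1. Event channels under Applications and Services Logs > Microsoft > Intune > ODJConnectorService.
$logs = Get-WinEvent -ListLog '*ODJConnector*' -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 }
if (-not $logs) {
    Write-Warning 'No ODJ connector event channels found. Is this the connector server?'
}

foreach ($log in $logs) {
    Write-Host "== $($log.LogName) ($($log.RecordCount) records) =="
    # Level 2 = Error, 3 = Warning. Offline-join blob failures surface here.
    Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Level = 2, 3; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -Wrap -AutoSize
}

# 2. Confirm the connector service is actually running, not just "Active" in the portal.
Get-Service |
    Where-Object { $_.DisplayName -like '*ODJ*' -or $_.DisplayName -like '*Intune*Connector*' } |
    Select-Object Name, DisplayName, Status, StartType

# 3. The connector creates the computer object in the target OU, so the OU ACL must
#    grant it Create Child rights. Placeholder DN: replace with the Autopilot OU.
$ou = 'OU=Autopilot,DC=example,DC=com'
Import-Module ActiveDirectory -ErrorAction Stop
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

If step 1 shows no recent errors while the client still fails at the domain-join step, the failure is likely on the client side (for example, no line of sight to a domain controller during OOBE), which is where the VPN question above applies.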