Support Tip: Windows Autopilot domain join profiles reporting bug
Published Nov 07 2018 10:34 AM 22.7K Views

By Jack Poehlman | Service Engineer on the Enterprise Mobility and Customer Experience Team


NOTE - Preview of this feature is now live. Docs on how to use the feature are here: https://docs.microsoft.com/en-us/intune/windows-autopilot-hybrid.


We recently released a new feature in preview: hybrid Azure AD joined devices using Intune and Windows Autopilot, something we know customers are excited to try! We do want to make you aware of a known issue in reporting. First, on the Overview landing page for the device configuration profile, after your users or devices have completed Autopilot, the profile type Domain Join (Preview) will show as "Not Applicable" for all devices (and users), regardless of the status of the device that completed Autopilot and domain joined via the profile. Here's an example of what you will likely see on the overview of the new domain join profile after devices successfully complete the Autopilot enrollment process:


[Screenshot: JackAutoPilot.png]

Second, the other related monitor pages (Device status, User status, and Per-setting status) will show a similar "Not Applicable" result. We are working to improve this reporting in the future. For now, we're releasing this in preview while we continue to finalize the details on reporting.

A few other things to keep in mind, reminders I learned from my own testing. You will need to assign the Domain Join (Preview) profile type to an Azure AD group containing the Autopilot devices you wish to domain join. You can assign Autopilot devices directly to a group, or to a dynamic Azure AD group whose membership rule uses attributes unique to Autopilot devices. Here are a few example dynamic group membership rules, using Autopilot device properties and operators, for different grouping scenarios:

  • If you want to create a group that includes all of your Autopilot devices, type: (device.devicePhysicalIds -any _ -contains "[ZTDId]")
  • If you want to create a group that includes all of your Autopilot devices with a specific Order ID, type: (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")
  • If you want to create a group that includes all of your Autopilot devices with a specific Purchase Order ID, type: (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")
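As an added example (not part of the original post), here is how the dynamic device group from the first rule above can be created and then checked with the Microsoft Graph PowerShell SDK, so you can confirm the rule is actually being processed and that every member carries the Autopilot ZTDId attribute before assigning the Domain Join (Preview) profile to it. The group display name and mail nickname are placeholders; the module, scopes and cmdlets are assumed to be available in your tenant.

```powershell
# Added example: create and verify the Autopilot dynamic device group.
# Assumes the Microsoft.Graph PowerShell SDK is installed and you can consent to these scopes.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# The first rule from the post: every Autopilot-registered device.
$rule = '(device.devicePhysicalIds -any _ -contains "[ZTDId]")'
# The other two rules from the post scope the group to one order instead:
#   '(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")'
#   '(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")'

# Placeholder names; pick your own naming convention.
$group = New-MgGroup -DisplayName "Autopilot-HybridJoin-Devices" `
    -MailEnabled:$false -MailNickname "autopilothybridjoin" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Dynamic membership is evaluated asynchronously; the state must be "On", not "Paused".
$g = Get-MgGroup -GroupId $group.Id -Property "id,membershipRule,membershipRuleProcessingState"
"Rule: $($g.MembershipRule)"
"Processing state: $($g.MembershipRuleProcessingState)"

# Verify the members: each should be a device whose physicalIds include a [ZTDId] entry.
# A device that is not registered in Autopilot will never match the rule, so it will be absent here.
$members = Get-MgGroupMember -GroupId $group.Id -All
foreach ($m in $members) {
    $dev = Get-MgDevice -DeviceId $m.Id -Property "id,displayName,physicalIds"
    $ztd = $dev.PhysicalIds | Where-Object { $_.StartsWith("[ZTDId]") }
    if ($ztd) { "OK   $($dev.DisplayName): $ztd" }
    else      { "WARN $($dev.DisplayName): no ZTDId entry, not an Autopilot device" }
}
"$($members.Count) member(s) evaluated."
```

Run the verification part again a few minutes after creating the group, since membership is only populated once the rule has been processed.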


Remember, too, that this feature only works with the latest release of Windows 10, the October 2018 Update (version 1809) and later. You can see the preview documentation here: https://docs.microsoft.com/en-us/intune/windows-autopilot-hybrid.


If you are interested in testing this on a virtual machine, build the Windows VM and complete OOBE, then use the guidance in Michael Niehaus's blog to run the WindowsAutoPilotIntune script, collect the hardware hash, and upload it to Autopilot via Intune. Once the VM is added to Autopilot and you have configured Intune to deploy hybrid Azure AD joined devices using Intune and Windows Autopilot, use the Windows setting on the VM to "Reset this PC" and choose the "Remove everything" option. The virtual machine will complete the reset process and enter OOBE and the Autopilot experience.


Happy testing! 

14 Comments
Copper Contributor

Is there a work around for the Domain Join Profile showing up as Not Applicable?

Microsoft

Unfortunately, there is not a workaround for the profile reporting / monitor showing as "Not Applicable". This is only a reporting issue, but we are working to correct this while this feature is in Preview.

Brass Contributor

I've been trying to make this work both using the Auto Pilot settings to do hybrid AD, and by doing the domain join policy.  Neither appears to do anything, the test machine is still sitting in a workgroup.  I've done everything except the step to assign the device in the S4B to the Auto Pilot profile.  The rest of the Auto Pilot stuff seems to work with exception of the domain join and the computer doesn't show up in the Intune > Device enrollment - Windows enrollment > Windows Autopilot devices view.  It seems that registering the device when using User-Driven with Hybrid Azure AD joined shouldn't require the use of registering the device, but I'll try it with registering it in S4B and see if that works.

Brass Contributor

When I tried adding the computer to the S4B devices and assigning the User-Driven profile I got an error 0x80004005.  So I don't think lack of registration is the issue.

Microsoft

Hello Bob, sorry to hear you are having challenges. For the solution to work, you would need the Windows Autopilot deployment profile created with the join type of "Hybrid Azure AD Joined (Preview)", assigned to the Autopilot device group, AND the device configuration profile type "Domain Join (Preview)" also assigned to the Autopilot device group. All in addition to having the "Intune Connector for Active Directory (Preview)" installed and configured. With everything set, on the Windows device, go into Settings -> Update & Security -> Recovery -> Reset this PC -> Get started, then choose Remove everything. The device should go through a full reset of Windows and go through Autopilot setup.


This feature will not work on a device that has already completed the Windows out-of-box setup experience, so registering in S4B will not trigger the domain join. Hope that helps. If you need assistance, please open a support case via the Intune Admin portal, Help and support.


Jack Poehlman

Brass Contributor

I did all those steps. When I get back from the holidays I'll contact Intune Admin and see if they can help.

Brass Contributor

@Jack Poehlman, unfortunately, with hybrid joined as you mentioned, it still results in the same: Not Applicable.


[Screenshot: 2019-02-28_16-09-54.jpg]

Copper Contributor

Have any of you resolved this issue? I have the same issue and have a ticket with Microsoft support, but it's been 2 weeks and they are still looking at the issue.

Microsoft

@Wilmatic81 The reporting for this policy has improved in that we now show success at least at the device level, which is the key as this is a device-based policy. In my console I see the "Not Applicable" status listed for users that logged on after the device was enrolled; however, the enrolling user shows a "Success". This experience may vary on a number of factors, and may take time for the reporting to catch up... we are continuing to work on better reporting for this feature. PM me your support case number so I can look into what's going on in your case.

Copper Contributor

Is this resolved? I am trying to get this to work; it's still not working.

Hi @ritesh_jha, improvements to this feature have been made since this article was created.

As Jack mentioned above, the experience may vary on a number of factors, and we would recommend reviewing our Deploy hybrid Azure AD-joined devices by using Intune and Windows Autopilot doc to validate the current configuration.

If you continue facing an issue with this not working as expected, please open a support case via the Intune Admin console's Help and Support or any of the methods here, as this will help the team capture all the information needed to resolve the issue. Feel free to private message us with your support case number for follow up.

Copper Contributor

So it only applies at OOBE, which does infer AutoPilot is required in order to configure a Hybrid AD setup as well as prepopulate the AAD device object.

This would have been fine if I were not in an acquisition. Since I cannot delete AutoPilot devices until their AAD and Intune device objects are first deleted, the idea of issuing a Reset while also working on the new tenant to import the hashes and configure any assigned groups as needed is rather moot.

This will not work in a cross-tenant migration scenario. I'm glad I'm just looking at the option now, versus the pain of mass-dismantling things in order to sanely migrate machines to the new tenant, in the middle of a pandemic when direct contact is not possible, and the company is national.

Copper Contributor

@Jack Poehlman , @Intune_Support_Team 

Have been going through documentation, blogs and other discussion boards but there is not enough clarity on this topic.
I tried domain joining previously enrolled devices; that didn't work. I then set up an Autopilot profile and group and initiated an Autopilot process on an enrolled device. Based on your comments here, I thought the domain join process only took place at the OOBE (Autopilot) process.

But that didn't work either. 

On the other hand, the MS documentation actually hints that it should be possible to use previously enrolled devices and have them domain joined:
https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid#register-your-autopilot-devi...


Would be good to have either better documentation or clarification on this topic.

Iron Contributor

UPDATE ON THIS POST: I was having problems with getting this to work because the computer name in the Domain Join profile had %serial%; once I removed that I was able to join a computer to my AD domain over the internet. As a suggestion, maybe the MS docs should be updated to explicitly say that macros like this are not supported in the domain join profile.


@Intune_Support_Team visiting the Deploy hybrid Azure AD-joined devices by using Intune and Windows Autopilot page and looking at the prerequisites, it says:


The device to be enrolled must follow these requirements:

  • Use Windows 10 v1809 or greater.
  • Have access to the internet following Windows Autopilot network requirements.
  • Have access to an Active Directory domain controller. The device must be connected to the organization's network so that it can:
    • Resolve the DNS records for the AD domain and the AD domain controller.
    • Communicate with the domain controller to authenticate the user.
  • Successfully ping the domain controller of the domain you're trying to join.
  • If using Proxy, WPAD Proxy settings option must be enabled and configured.
  • Undergo the out-of-box experience (OOBE).
  • Use an authorization type that Azure Active Directory supports in OOBE.

When you go to the Configuration Domain Join settings for hybrid Azure AD joined devices in Microsoft Intune to understand creation of the domain profile for the AD domain join, it does not mention a requirement to have line of sight to the on-prem domain controller.


With these 2 points, what are the requirements to establish an offline domain join scenario? As from the above prerequisites for a hybrid Azure AD device, it mentions the device requires line of sight to the domain controller. I do understand that for the user to complete the first login to the device, the domain controller must be reachable because there is no cached profile on the device. But to actually have the hybrid device show up in Active Directory in the Computers OU, or one you specify for a hybrid Azure AD device, do you need to be able to communicate with the domain controller or not? In the YouTube video from @Michael Niehaus it's clearly indicated that line of sight to the domain controller is not required, so which is it?


Is there a Microsoft docs.microsoft.com link that clearly indicates the offline domain join requirements for a hybrid Azure AD device?

Version history
Last update: Dec 19 2023 01:31 PM