Intune - Hybrid Active Directory with Autopilot

Copper Contributor

Hi,

 

I'm started to make some tests on Intune, but I had some struggles to register machines and also to understand some what the system does in background.

 

I follow the steps from Microsoft page (Link) and I think there is everything setup correctly. I choose this method because we have Active Directory on-premise that is synchronize with Azure AD, so this is an Hybrid Active Directory.

Also I setup Intune connector to synchronize all machines that we had register on our Active Directory (on-premise) and after that I was able to see all my machines.

My first doubt is something related with this (probably). Once we've our machines register in our Active Directory (on-premise) and they are synchronized with Azure AD, why do I need to create a Organization Unit (OU) in our Active Directory (on-premise) with Delegation Control?

 

Another question that I have is about Autopilot Deployment. I run the script "Get-WindowsAutoPilotInfo" on my machine to import it on Intune AutoPilot (that was imported successfully) after the import I check the Azure devices and my machine was duplicated, as you can see on the screenshoot:

Screenshoot1.jpg

The differences on the screenshoot is the "Hybrid Azure AD Joined" that is the synchronization from Intune connector and the "Azure AD Joined" is from AutoPilot import. I supose that second register is because I created a Device Configuration Profile (like as said on the link that I follow), see the screenshoot:

Screenshoot2.jpg

Do I really need this profile, once I already have the machine registered on Azure AD?

 

Thank you.

14 Replies

I have this exact same issue, the device joins local AD, reboots I sign in, the device joins Azure AD and I end up with two devices in Azure AD. One shows as Azure AD and the other as Hybrid Azure Joined. I also noticed that the Company Portal fails to recognise the device is joined and the user is not shown as the owner in Azure AD.

is your environment using ADFS? I have just discovered that this is not supported
My environment is not using ADFS. Where did you get that information?
Can you share it?
Thank you

this is the message I received from Intune Support As you requested, below are the details regarding the process of setting up Hybrid Azure AD join support for Autopilot: 

 

Pre-requisites:

 

1. Intune 1810

2. Windows 10 with October 2018 update

3. Successfully configure Hybrid Azure Active Directory Join for Managed Domains

4. Federated domains are not supported at this time

Hi @Christian Redgewell,

I recommend you to open a ticket with Microsoft (Microsoft Intune -> Help and support menu).
For some reason my devices cannot get the profiles or policies that I set. Microsoft technician will analyze my issue with the enrollment and soon I'll have some feedback.

My Company has a federated domain, ADFS configured in Azure AD Connect and uses Windows Autopilot Hybrid Azure AD join without issue

Well I’d be very interested to know your setup and autopilot process. The official word from support is that federated environments are not yet supported. We always end up with two computer objects in Azure AD one hybrid joined and one Azure ad joined which causes many issues.
Hi I did open a ticket and that was the response which as the client does have a federated domain means it is technically unsupported
We have 2 objects too, but everything else works fine. I deleted a device Azure AD registered object, kept the hybrid azure ad one and everything is still ok.
I can’t find any documentation stating that it is not supported, could you please send me a link?
it isn't in the documentation, it isn't stated anywhere as far as I can tell. I got that information directly from Intune support, which is what I had copied previously in this thread. With the two computer object accounts the issue was more to do with the user trying to sign into the Company Portal on their device. It says their device isn't connected yet when they try to connect they receive and error that the device is already being managed. Do you have that problem?

I have worked with quite a few customers using federation and it is very much supported for ADFS found here and 3rd party federation (depending on 3rd party support) found here.

You mean that problem?

https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Enrolled-Windows-10-devic...

 

Yes I am encountering this issue for a few days now. I contacted MS Support they are working on it, but they did not tell me it is an ADFS/Hybrid AAD issue.

Hi Frank, can I just confirm I am not stating it isn’t supported, I am stating that MICROSOFT Intune support responded and said that Autopilot Hybrid Join does not yet support Federation. Both those links you sent are for hybrid join which is very much supported with Federation, neither of those links are for the Preview Intune for Active Directory connector which this discussion is about.
Brilliant thank you, yes that exact issue. Again I only see this with AutoPilot Hybrid Join not Hybrid Join in general. I have several customers with Hybrid Join with no issues at all. I see this issue with Bulk Enrollment, Intune Deployment Enrollment Manager, Windows Configuration Designer and now AutoPilot Hybrid Join.