Is co-management (or hybrid) required for Azure-joined machines to access domain services?


Our company is using ZenWorks for our Windows 7 machines. We have begun deploying Windows 10 machines under Intune MDM (joining to Azure) with great success so far. We do not have SCCM in place (yet).


However, our biggest pain point right now is Windows 10 users accessing on-prem domain services like printing, file share, etc. These services are not going to the cloud anytime soon. As we all know, we cannot domain join a machine that is already Azure AD joined.


Is co-management required for Windows 10 MDM'ed machine to gain access to these services? Or can we leverage AAD Connect to solve this issue?

3 Replies

No, co-management does not resolve traditional auth challenges for AAD Joined Win10 clients (e.g. printing, NTLM, Kerb Auth). This can be somewhat addressed by having a Server 2016 DC and using Windows Hello for auth. The co-management intent is to provide AD+AAD Joined and SCCM+Intune, but to your point, this can't be done for machines already AAD Joined.

@Jason_Githens you mentioned that co-management is required for AD+AAD joining.


So even if it won't allow for SSO, Windows 10 MDM'ed machines will be able to at least access these services when co-managed?

With AAD joined devices and AAD Connect synchronizing user accounts between AD and AAD, devices will realize when they see a domain controller and automatically get a Kerberos ticket for authenticating to domain-joined resources. So yes, the AAD joined machine will get single sign-on access to domain-joined servers, IIS sites, etc.
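A way to verify the behaviour described in this reply on a given Windows 10 device, added here as an example and not part of the thread: it reads the join and SSO state that `dsregcmd /status` prints (the field names `AzureAdJoined`, `DomainJoined`, `AzureAdPrt` and `OnPremTgt` are taken from that tool's output and are assumed to match your build) and checks the Kerberos ticket cache with `klist` for a TGT issued by the on-prem domain.

```powershell
# Added check (not from the thread): confirm an Azure AD joined device has picked up
# on-prem Kerberos credentials for a user synced by AAD Connect.
# Run as the signed-in user (not elevated) while the device can reach a domain controller.

function Get-DsregField {
    param([string[]]$Output, [string]$Name)
    # dsregcmd prints "Name : Value" lines; return the value for the requested field
    $line = $Output | Where-Object { $_ -match "^\s*$Name\s*:\s*(.+)$" } | Select-Object -First 1
    if ($line -and $line -match "^\s*$Name\s*:\s*(.+)$") { return $Matches[1].Trim() }
    return $null
}

$status       = dsregcmd /status
$azureJoined  = Get-DsregField $status 'AzureAdJoined'   # YES on an AAD joined device
$domainJoined = Get-DsregField $status 'DomainJoined'    # NO: AAD joined, not hybrid
$aadPrt       = Get-DsregField $status 'AzureAdPrt'      # YES once the user has a Primary Refresh Token
$onPremTgt    = Get-DsregField $status 'OnPremTgt'       # YES once a DC was seen and a TGT was issued

"AzureAdJoined : $azureJoined"
"DomainJoined  : $domainJoined"
"AzureAdPrt    : $aadPrt"
"OnPremTgt     : $onPremTgt"

# The ticket cache is the ground truth: a krbtgt/<DOMAIN> entry means the device
# obtained a Kerberos TGT from the on-prem domain and can SSO to file shares, printers, IIS.
$tgt = klist | Where-Object { $_ -match 'krbtgt/' } | Select-Object -First 1

if ($azureJoined -ne 'YES') {
    "Device is not Azure AD joined; this check does not apply."
}
elseif ($onPremTgt -eq 'YES' -and $tgt) {
    "On-prem SSO ready: $($tgt.Trim())"
}
else {
    "No on-prem TGT yet. Check that the device has line of sight to a domain controller " +
    "(LAN or VPN) and that the signed-in user's AAD account is synced from on-prem AD."
}
```

If `AzureAdPrt` is YES but `OnPremTgt` stays NO, the usual causes are no network path to a DC at sign-in time or a cloud-only user account that AAD Connect never synced from AD.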