Support Tip: Windows Autopilot domain join profiles reporting bug

Published Nov 07 2018 10:34 AM 16.3K Views

By Jack Poehlman | Service Engineer on the Enterprise Mobility and Customer Experience Team

 

NOTE - Preview of this feature is now live. Docs on how to use the feature are here: https://docs.microsoft.com/en-us/intune/windows-autopilot-hybrid.

 

We recently released a new feature in preview: hybrid Azure AD joined devices using Intune and Windows Autopilot – something that we know customers are excited to try! We do want to make you aware of a known issue in reporting. First on the Overview landing page for the device configuration profile, after your users or devices have completed Autopilot, the Profile type -  Domain Join (Preview)  will show as “Not Applicable” for all devices (and users) regardless of the status of the device that completes Autopilot and domain joins via the profile. Here’s an example of what you will likely see on the overview of the new domain join profile after devices successfully complete the Autopilot enrollment process:

 

 JackAutoPilot.png

Second, the other related monitor pages (Devices status, User status, & Per-setting status) will show a similar “Not Applicable” result. We are working to improve this reporting in the future.  For now, we’re releasing this in preview while we continue to finalize the details on reporting. 

A few other things to keep in mind – reminders I learned from my own testing. You will need to assign the Domain Join (Preview) profile type to an Azure AD group containing the Autopilot devices you wish to domain join. You can directly assign Autopilot devices to a group or to a Dynamic Azure AD group with attributes unique to Autopilot devices. Here’s a few dynamic group Autopilot property operator values examples for different grouping scenarios:

  • If you want to create a group that includes all of your Autopilot devices, type (device.devicePhysicalIDs -any _ -contains "[ZTDId]")
  • If you want to create a group that includes all of your Autopilot devices with a specific order ID, type: (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")
  • If you want to create a group that includes all of your Autopilot devices with a specific Purchase Order ID, type: (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")

 

Remember, too, this feature will only work with the latest release of Windows 10, October 2018 update, Version 1809 and later. You can see preview documentation here: https://docs.microsoft.com/en-us/intune/windows-autopilot-hybrid.

 

If you are interested in testing this on a Virtual machine, build the Windows machine and complete OOBE, then use the guidance in Michael Niehaus’s blog to use the WindowsAutoPilotIntune script to collect a hardware hash and upload it to Autopilot via Intune. Once the VM is added to Autopilot and you configure Intune to deploy hybrid Azure AD joined devices using Intune and Windows Autopilot, use the Windows setting on the VM to “Reset this PC” and chose the “Remove Everything” option.  The virtual machine will complete the reset process and enter OOBE and the Autopilot experience.

 

Happy testing! 

14 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-282453%22%20slang%3D%22en-US%22%3ESupport%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-282453%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EBy%20Jack%20Poehlman%20%7C%20Service%20Engineer%20on%20the%20Enterprise%20Mobility%20and%20Customer%20Experience%20Team%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENOTE%20-%20Preview%20of%20this%20feature%20is%20now%20live.%20Docs%20on%20how%20to%20use%20the%20feature%20are%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fwindows-autopilot-hybrid%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fwindows-autopilot-hybrid%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20recently%20released%20a%20new%20feature%20in%20preview%3A%20hybrid%20Azure%20AD%20joined%20devices%20using%20Intune%20and%20Windows%20Autopilot%20%E2%80%93%20something%20that%20we%20know%20customers%20are%20excited%20to%20try!%20We%20do%20want%20to%20make%20you%20aware%20of%20a%20known%20issue%20in%20reporting.%20First%20on%20the%20Overview%20landing%20page%20for%20the%20device%20configuration%20profile%2C%20after%20your%20users%20or%20devices%20have%20completed%20Autopilot%2C%20the%20Profile%20type%20-%20%26nbsp%3BDomain%20Join%20(Preview)%20%26nbsp%3Bwill%20show%20as%20%E2%80%9CNot%20Applicable%E2%80%9D%20for%20all%20devices%20(and%20users)%20regardless%20of%20the%20status%20of%20the%20device%20that%20completes%20Autopilot%20and%20domain%20joins%20via%20the%20profile.%20Here%E2%80%99s%20an%20example%20of%20what%20you%20will%20likely%20see%20on%20the%20overview%20of%20the%20new%20domain%20join%20profile%20after%20devices%20successfully%20complete%20the%20Autopilot%20enrollment%20process%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20831px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F59051iC4D4F83928C4EC49%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22JackAutoPilot.png%22%20title%3D%22JackAutoPilot.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ESecond%2C%20the%20other%20related%20monitor%20pages%20(Devices%20status%2C%20User%20status%2C%20%26amp%3B%20Per-setting%20status)%20will%20show%20a%20similar%20%E2%80%9CNot%20Applicable%E2%80%9D%20result.%20We%20are%20working%20to%20improve%20this%20reporting%20in%20the%20future.%26nbsp%3B%20For%20now%2C%20we%E2%80%99re%20releasing%20this%20in%20preview%20while%20we%20continue%20to%20finalize%20the%20details%20on%20reporting.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EA%20few%20other%20things%20to%20keep%20in%20mind%20%E2%80%93%20reminders%20I%20learned%20from%20my%20own%20testing.%20You%20will%20need%20to%20assign%20the%20Domain%20Join%20(Preview)%20profile%20type%20to%20an%20Azure%20AD%20group%20containing%20the%20Autopilot%20devices%20you%20wish%20to%20domain%20join.%20You%20can%20directly%20assign%20Autopilot%20devices%20to%20a%20group%20or%20to%20a%20Dynamic%20Azure%20AD%20group%20with%20attributes%20unique%20to%20Autopilot%20devices.%20Here%E2%80%99s%20a%20few%20dynamic%20group%20Autopilot%20property%20operator%20values%20examples%20for%20different%20grouping%20scenarios%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EIf%20you%20want%20to%20create%20a%20group%20that%20includes%20all%20of%20your%20Autopilot%20devices%2C%20type%20(device.devicePhysicalIDs%20-any%20_%20-contains%20%22%5BZTDId%5D%22)%3C%2FLI%3E%0A%3CLI%3EIf%20you%20want%20to%20create%20a%20group%20that%20includes%20all%20of%20your%20Autopilot%20devices%20with%20a%20specific%20order%20ID%2C%20type%3A%20(device.devicePhysicalIds%20-any%20_%20-eq%20%22%5BOrderID%5D%3A179887111881%22)%3C%2FLI%3E%0A%3CLI%3EIf%20you%20want%20to%20create%20a%20group%20that%20includes%20all%20of%20your%20Autopilot%20devices%20with%20a%20specific%20Purchase%20Order%20ID%2C%20type%3A%20(device.devicePhysicalIds%20-any%20_%20-eq%20%22%5BPurchaseOrderId%5D%3A76222342342%22)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERemember%2C%20too%2C%20this%20feature%20will%20only%20work%20with%20the%20latest%20release%20of%20Windows%2010%2C%20October%202018%20update%2C%20Version%201809%20and%20later.%20You%20can%20see%20preview%20documentation%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fwindows-autopilot-hybrid%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3E%3CFONT%20color%3D%22%230066cc%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fwindows-autopilot-hybrid%3C%2FFONT%3E%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20are%20interested%20in%20testing%20this%20on%20a%20Virtual%20machine%2C%20build%20the%20Windows%20machine%20and%20complete%20OOBE%2C%20then%20use%20the%20guidance%20in%20%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fmniehaus%2F2018%2F04%2F16%2Fmanaging-windows-autopilot-devices-using-the-intune-graph-api%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMichael%20Niehaus%E2%80%99s%20blog%3C%2FA%3E%3C%2FSPAN%3E%20to%20use%20the%20WindowsAutoPilotIntune%20script%20to%20collect%20a%20hardware%20hash%20and%20upload%20it%20to%20Autopilot%20via%20Intune.%20Once%20the%20VM%20is%20added%20to%20Autopilot%20and%20you%20configure%20Intune%20to%20deploy%20hybrid%20Azure%20AD%20joined%20devices%20using%20Intune%20and%20Windows%20Autopilot%2C%20use%20the%20Windows%20setting%20on%20the%20VM%20to%20%E2%80%9CReset%20this%20PC%E2%80%9D%20and%20chose%20the%20%E2%80%9CRemove%20Everything%E2%80%9D%20option.%26nbsp%3B%20The%20virtual%20machine%20will%20complete%20the%20reset%20process%20and%20enter%20OOBE%20and%20the%20Autopilot%20experience.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHappy%20testing!%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-282453%22%20slang%3D%22en-US%22%3E%3CP%3EUsing%20Autopilot%20and%20wanting%20to%20use%20the%20new%20hybrid%20Azure%20AD%20join%20feature%3F%20Read%20this%20support%20tip!%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-282453%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESupport%20Tip%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-358543%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-358543%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239592%22%20target%3D%22_blank%22%3E%40Jack%20Poehlman%3C%2FA%3E%26nbsp%3B%20unfortunately%20with%20hybrid%20joined%20how%20you%20mentioned%20it%20still%20results%20in%20the%20same.%26nbsp%3B%20%3CSTRONG%3ENot%20applicable%3C%2FSTRONG%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20771px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F84730iFF7F44F6A7EB8E68%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%222019-02-28_16-09-54.jpg%22%20title%3D%222019-02-28_16-09-54.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-304312%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-304312%22%20slang%3D%22en-US%22%3E%3CP%3EI%20did%20all%20those%20steps.%26nbsp%3B%20When%20I%20get%20back%20from%20the%20holidays%20I'll%20contact%20Intune%20Admin%20and%20see%20if%20they%20can%20help.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-304176%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-304176%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Bob%2C%20Sorry%20to%20hear%20you%20are%20having%20challenges.%26nbsp%3B%20For%20the%20solution%20to%20work%2C%20you%20would%20need%20the%20Windows%20Autopilot%20deployment%20profile%20created%20with%20the%20join%20type%20of%20%22Hybrid%20Azure%20AD%20Joined%20(Preview)%22%2C%20assigned%20to%20Autopilot%20device%20group%2C%20AND%20the%20device%20configuration%20profile%20type%20%22Domain%20Join%20(Preview)%22%20also%20assigned%20to%20the%20Autopilot%20device%20group.%26nbsp%3B%20All%20in%20addition%20to%20having%20the%20having%20the%20%22Intune%20Connector%20for%20Active%20Directory%20(Preview)%22%20installed%20and%20configured.%26nbsp%3B%20With%20everything%20set%2C%20on%20Windows%20device%2C%20go%20into%20settings%20-%26gt%3B%20update%20%26amp%3B%20Security%20-%26gt%3B%20Recovery%20-%26gt%3B%20Rest%20this%20PC%26nbsp%3B%20-%26gt%3B%20Get%20started%2C%20then%20chose%20Remove%20everything.%26nbsp%3B%20The%20device%20should%20go%20through%20a%20full%20reset%20of%20Windows%20and%20go%20through%20Autopilot%20setup.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20feature%20will%20not%20work%20on%20a%20device%20that%20has%20already%20completed%20the%20Windows%20Out%20of%20the%20Box%20setup%20experience%2C%20so%20registering%20in%20S4B%20will%20not%20trigger%20the%20domain%20join.%26nbsp%3B%20Hope%20that%20helps.%26nbsp%3B%20If%20you%20need%20assistance%2C%20please%20open%20a%20support%20case%20via%20the%20Intune%20Admin%20portal%2C%20Help%20and%20support.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EJack%20Poehlman%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-304174%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-304174%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20I%20tried%20adding%20the%20computer%20to%20the%20S4B%20devices%20and%20assigning%20the%20User-Driven%20profile%20I%20got%20an%20error%200x80004005.%26nbsp%3B%20So%20I%20don't%20think%20lack%20of%20registration%20is%20the%20issue.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-304153%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-304153%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20been%20trying%20to%20make%20this%20work%20both%20using%20the%20Auto%20Pilot%20settings%20to%20do%20hybrid%20AD%2C%20and%20by%20doing%20the%20domain%20join%20policy.%26nbsp%3B%20Neither%20appears%20to%20do%20anything%2C%20the%20test%20machine%20is%20still%20sitting%20in%20a%20workgroup.%26nbsp%3B%20I've%20done%20everything%20except%20the%20step%20to%20assign%20the%20device%20in%20the%20S4B%20to%20the%20Auto%20Pilot%20profile.%26nbsp%3B%20The%20rest%20of%20the%20Auto%20Pilot%20stuff%20seems%20to%20work%20with%20exception%20of%20the%20domain%20join%20and%20the%20computer%20doesn't%20show%20up%20in%20the%20Intune%20%26gt%3B%20Device%20enrollment%20-%20Windows%20enrollment%20%26gt%3B%20Windows%20Autopilot%20devices%20view.%26nbsp%3B%20It%20seems%20that%20registering%20the%20device%20when%20using%20User-Driven%20with%20Hybrid%20Azure%20AD%20joined%20shouldn't%20require%20the%20use%20of%20registering%20the%20device%2C%20but%20I'll%20try%20it%20with%20registering%20it%20in%20S4B%20and%20see%20if%20that%20works.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-292998%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-292998%22%20slang%3D%22en-US%22%3E%3CP%3EUnfortunately%2C%20there%20is%20not%20a%20work%20around%20for%20profile%20reporting%20%2F%26nbsp%3B%20monitor%20showing%20as%20%22Not%20Applicable%22.%26nbsp%3B%20This%20is%20only%20a%20reporting%20issue%2C%20but%20we%20are%20working%20to%20correct%20this%20while%20this%20feature%20is%20in%20Preview.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-291280%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-291280%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20a%20work%20around%20for%20the%20Domain%20Join%20Profile%20showing%20up%20as%20Not%20Applicable%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-644309%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-644309%22%20slang%3D%22en-US%22%3E%3CP%3Ehave%20any%20of%20you%20resolved%20this%20issue%3F%20I%20have%20the%20same%20issue%20and%20have%20a%20ticket%20with%20Microsoft%20support%20but%20its%20been%202%20weeks%20and%20they%20are%20still%20looking%20at%20the%20issue.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-660903%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-660903%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F265972%22%20target%3D%22_blank%22%3E%40Wilmatic81%3C%2FA%3E%20The%20reporting%20to%20this%20policy%20has%20improved%20in%20that%20now%20we%20show%20success%20at%20least%20at%20the%20device%20level%20which%20is%20the%20key%20as%20this%20is%20a%20Device%20based%20policy.%26nbsp%3B%20In%20my%20console%20I%20see%20the%20%22Not%20Applicable%22%20status%20listed%20for%20users%20that%20logged%20on%20after%20the%20device%20was%20enrolled%2C%20whoever%20the%20enrolling%20user%20shows%20a%20%22Success%22.%26nbsp%3B%20This%20experience%20may%20very%20on%20a%20number%20of%20factors%2C%20and%20may%20take%20time%20for%20the%20reporting%20to%20catch%20up....%20we%20are%20continuing%20to%20work%20on%20better%20reporting%20for%20this%20feature.%26nbsp%3B%20PM%20me%20your%20support%20case%20number%20so%20I%20can%20look%20into%20what's%20going%20on%20with%20in%20your%20case.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1222959%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1222959%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20this%20resolve%20I%20am%20Trying%20to%20get%20this%20to%20work%20still%20not%20working%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1225841%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1225841%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F344453%22%20target%3D%22_blank%22%3E%40ritesh_jha%3C%2FA%3E%2C%20improvements%20to%20this%20feature%20has%20been%20made%20since%20this%20article%20was%20created.%3C%2FP%3E%0A%3CP%3EAs%20Jack%20mentioned%20above%2C%20the%20experience%20may%20vary%20on%20a%20number%20of%20factors%2C%20and%20would%20recommend%20reviewing%20our%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fenrollment%2Fwindows-autopilot-hybrid%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EDeploy%20hybrid%20Azure%20AD-joined%20devices%20by%20using%20Intune%20and%20Windows%20Autopilot%3C%2FA%3E%26nbsp%3Bdoc%20to%20validate%20the%20current%20configuration.%3C%2FP%3E%0A%3CP%3EIf%20you%20continue%20facing%20an%20issue%20with%20this%20not%20working%20as%20expected%2C%20please%20open%20a%20support%20case%20via%20the%20Intune%20Admin%20console's%20Help%20and%20Support%20or%20any%20of%20the%20methods%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fmem%2Fintune%2Ffundamentals%2Fget-support%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E%2C%26nbsp%3Bas%20this%20will%20help%20the%20team%20capture%20all%20the%20information%20needed%20to%20resolve%20the%20issue.%20Feel%20free%20to%20private%20message%20us%20with%20your%20support%20case%20number%20for%20follow%20up.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1471871%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1471871%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20it%20only%20applies%20at%20OOBE%2C%20which%20does%20infer%20AutoPilot%20is%20required%20in%20order%20to%20configure%20a%20Hybrid%20AD%20setup%20as%20well%20as%20prepopulate%20the%20AAD%20device%20object.%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20would%20have%20been%20fine%20if%20I%20were%20not%20in%20an%20acquisition.%26nbsp%3B%20Since%20I%20cannot%20delete%20AutoPilot%20devices%20until%20their%20AAD%20and%20Intune%20device%20objects%20are%20first%20deleted%2C%20the%20idea%20of%20issuing%20a%20Reset%20while%20also%20working%20on%20the%20new%20tenant%20to%20import%20the%20hashes%20and%20configure%20any%20assigned%20groups%20as%20needed%2C%20rather%20moot.%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20will%20not%20work%20in%20a%20cross-tenant%20migration%20scenario.%26nbsp%3B%20I'm%20glad%20I'm%20just%20looking%20at%20the%20option%20now%2C%20versus%20the%20pain%20of%20mass-dismantling%20things%20in%20order%20to%20sanely%20migrate%20machines%20to%20the%20new%20tenant..%20in%20the%20middle%20of%20a%20pandemic%20when%20direct%20contact%20is%20not%20possible%2C%20and%20the%20company%20is%20national.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1714683%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1714683%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239592%22%20target%3D%22_blank%22%3E%40Jack%20Poehlman%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226779%22%20target%3D%22_blank%22%3E%40Intune%20Support%20Team%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHave%20been%20going%20through%20documentation%2C%20blogs%20and%20other%20discussion%20boards%20but%20there%20is%20not%20enough%20clarity%20on%20this%20topic.%3CBR%20%2F%3EI%20tried%20Domain%20Joining%20previously%20enrolled%20devices%2C%20that%20didn't%20work.%20I%20then%20setup%20a%20autopilot%20profile%20and%20group%20and%20initiated%20an%20autopilot%20process%20on%20an%20enrolled%20device.%20Based%20on%20your%20comments%20here%2C%20I%20thought%20the%20Domain%20Join%20process%20only%20took%20place%20at%20the%20OOBE%20(autopilot)%20process.%3C%2FP%3E%3CP%3EBut%20that%20didn't%20work%20either.%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20the%20other%20hand%2C%20the%20MS%20documentation%20actually%20hints%20that%20it%20should%20be%20possible%20to%20use%20previously%20enrolled%20devices%20and%20have%20the%20domain%20joined%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fautopilot%2Fwindows-autopilot-hybrid%23register-your-autopilot-devices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fautopilot%2Fwindows-autopilot-hybrid%23register-your-autopilot-devices%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWould%20be%20good%20to%20have%20either%20better%20documentation%20or%20clarification%20on%20this%20topic.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1959707%22%20slang%3D%22en-US%22%3ERe%3A%20Support%20Tip%3A%20Windows%20Autopilot%20domain%20join%20profiles%20reporting%20bug%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1959707%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EUPDATE%20ON%20THIS%20POST%3A%26nbsp%3B%20I%20was%20having%20problems%20with%20getting%20this%20to%20work%20because%20the%20computer%20name%20in%20the%20Domain%20Join%20profile%20had%20%25serial%25%2C%20once%20I%20removed%20that%20I%20was%20able%20to%20join%20a%20computer%20to%20my%20AD%20domain%20over%20the%20internet.%26nbsp%3B%20As%20a%20suggestion%20maybe%20the%20MS%20docs%20should%20be%20update%20to%20explicitly%20say%20that%20macro%20like%20this%20are%20not%20supported%20in%20the%20domain%20join%20profile.%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226779%22%20target%3D%22_blank%22%3E%40Intune%20Support%20Team%3C%2FA%3E%26nbsp%3Bvisiting%20the%26nbsp%3B%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fenrollment%2Fwindows-autopilot-hybrid%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EDeploy%20hybrid%20Azure%20AD-joined%20devices%20by%20using%20Intune%20and%20Windows%20Autopilot%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%20page%20and%20looking%20at%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fautopilot%2Fwindows-autopilot-hybrid%23prerequisites%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Eprerequisites%3C%2FA%3E%26nbsp%3Bit%20says%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20device%20to%20be%20enrolled%20must%20follow%20these%20requirements%3A%3C%2FP%3E%3CUL%3E%3CLI%3EUse%20Windows%2010%20v1809%20or%20greater.%3C%2FLI%3E%3CLI%3EHave%20access%20to%20the%20internet%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fautopilot%2Fnetworking-requirements%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Efollowing%20Windows%20Autopilot%20network%20requirements%3C%2FA%3E.%3C%2FLI%3E%3CLI%3E%3CSTRONG%3EHave%20access%20to%20an%20Active%20Directory%20domain%20controller.%20The%20device%20must%20be%20connected%20to%20the%20organization's%20network%20so%20that%20it%20can%3A%3C%2FSTRONG%3E%3CUL%3E%3CLI%3E%3CSTRONG%3EResolve%20the%20DNS%20records%20for%20the%20AD%20domain%20and%20the%20AD%20domain%20controller.%3C%2FSTRONG%3E%3C%2FLI%3E%3CLI%3ECommunicate%20with%20the%20domain%20controller%20to%20authenticate%20the%20user.%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3CLI%3E%3CSTRONG%3ESuccessfully%20ping%20the%20domain%20controller%20of%20the%20domain%20you're%20trying%20to%20join.%3C%2FSTRONG%3E%3C%2FLI%3E%3CLI%3EIf%20using%20Proxy%2C%20WPAD%20Proxy%20settings%20option%20must%20be%20enabled%20and%20configured.%3C%2FLI%3E%3CLI%3EUndergo%20the%20out-of-box%20experience%20(OOBE).%3C%2FLI%3E%3CLI%3EUse%20an%20authorization%20type%20that%20Azure%20Active%20Directory%20supports%20in%20OOBE.%3C%2FLI%3E%3C%2FUL%3E%3CP%3EWhen%20you%20go%20to%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fconfiguration%2Fdomain-join-configure%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EConfiguration%20Domain%20Join%20settings%20for%20hybrid%20Azure%20AD%20joined%20devices%20in%20Microsoft%20Intune%3C%2FA%3E%26nbsp%3Bto%20understand%20creation%20of%20the%20the%20domain%20profile%20for%20the%20AD%20domain%20join%20it%20does%20not%20mention%20a%20requirement%20to%20have%20line%20of%20site%20to%20the%20on%20prem%20domain%20controller.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20these%202%20points%20what%20are%20the%20requirements%20to%20establish%20an%20offline%20domain%20join%20scenario%3F%26nbsp%3B%20As%20from%20the%20above%20prerequisites%20for%20a%20hybrid%20Azure%20AD%20device%20it%20mentions%20the%20device%20requires%20line%20of%20site%20to%20the%20domain%20controller.%26nbsp%3B%20I%20do%20understand%20for%20the%20user%20to%20complete%20the%20first%20login%20to%20the%20device%2C%20the%20domain%20controller%20must%20be%20reachable%20because%20there%20is%20no%20cached%20profile%20on%20the%20device.%26nbsp%3B%20But%20to%20actually%20have%20the%20hybrid%20device%20show%20up%20in%20active%20directory%20in%20the%20computers%20OU%20or%20one%20you%20specify%20for%20a%20Hybrid%20Azure-AD%20device%26nbsp%3B%3CSTRONG%3Edo%20you%20need%20to%20be%20able%20to%20communicate%20with%20the%20domain%20controller%20or%20not%3F%26nbsp%3B%20%3C%2FSTRONG%3EThe%20%3CA%20title%3D%22Windows%20Autopilot%20and%20Hybrid%20Azure%20AD%20Join%20over%20the%20Internet%20-%20Michael%20Niehaus%20(MSFT)%20-%20TXSMUG%22%20href%3D%22https%3A%2F%2Fyoutu.be%2FWnuBwwfYu4k%3Ft%3D1108%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Eyoutube%20video%3C%2FA%3E%20from%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F21544%22%20target%3D%22_blank%22%3E%40Michael%20Niehaus%3C%2FA%3E%26nbsp%3Bits%20clearly%20indicated%20that%20line%20of%20site%20to%20the%20domain%20controller%20is%20not%20required%2C%20so%20which%20is%20it%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20Microsoft%20docs.microsoft.com%20link%20the%20clearly%20indicates%20the%20offline%20domain%20Join%20requirements%20for%20Hybrid%20Azure-AD%20device%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Nov 07 2018 01:09 PM
Updated by: