Understanding hybrid Azure AD join and co-management

Published Mar 18 2021 02:48 PM

As we talk with our customers that are using Microsoft Endpoint Manager to deploy, manage, and secure their client devices, we often get questions regarding co-managing devices and hybrid Azure Active Directory (AD) joined devices. Many customers confuse these two topics – the first is a management option, while the second is an identity option. In this blog, I hope to clear up any confusion and give guidance and scenarios on how to use both to manage and protect your devices.

Let’s start with the basics: management

Microsoft Endpoint Manager is the combination of Configuration Manager – the on-premises management tool that you’ve been using for decades - and Microsoft Intune – the cloud-based management solution used for modern device security and management. Endpoint Manager’s goal is unifying both of your management solutions and bringing the power of the cloud to your entire endpoint estate.

To accomplish this goal, we first launched tenant attach to provide an easy and low-risk path to cloud attach your Configuration Manager infrastructure to your Intune tenant. This is an on-premises to cloud attachment like you’ve seen before when connecting your Exchange Server on-premises infrastructure to Exchange online and sync’d those mailboxes, and when you connected Active Directory to Azure Active Directory and sync’d those user accounts and other objects. Tenant attach is the same idea: attach the Configuration Manager infrastructure to Intune and sync the Windows 10 Configuration Manager managed devices to the cloud-based Intune tenant. Creating this connection brings the value of remote actions and analytics, immediately.

During or after the initial attachment, you can start moving certain workloads from Configuration Manager to Intune, either one at a time or en masse. You choose the path that’s right for you. Co-management is the act of moving workloads from Configuration Manager to Intune and telling the Windows 10 client who the management authority is for that particular workload. For example, you might move Compliance Policies and Device Configuration workloads to Intune while leaving all other workloads set to Configuration Manager. This tells the Windows 10 client to listen to Configuration Manager for app deployment and security policies, for example, while listening to Intune for compliance policies and device configuration policies.

Figure 1: Graphic representation of Microsoft Endpoint Manager, Configuration Manager, and Microsoft Intune.

As you continue to modernize, continue moving workloads to Intune until you are managing everything in the cloud, or keep all of the workloads directed to Configuration Manager and stay on the tenant attach step. Or you can even start in Intune as cloud-native. With tenant attach and co-management, you choose the path and the end state.

Let’s start with the basics: identity

Active Directory Domain Services (AD DS) has been around since 2000, with the release of Windows 2000 Server. Traditionally, we join our Windows devices to Active Directory to take advantage of Group Policies, security settings, and even to give permissions to resources that are stored in a different Active Directory environment - either in the same Active Directory forest or a different forest. Devices can be joined to only one AD DS environment.

Like we said earlier, though, it’s possible to connect the on-premises AD DS environment to Azure Active Directory (Azure AD). When this connection is made, the devices that are joined to AD DS may then be registered in Azure AD. This connection and registration is known as hybrid Azure AD joined.

Figure 2: Diagram depicting a Hybrid Azure AD joined corporate laptop.

Devices that are co-managed, or devices that are enrolled in Intune, may be joined directly to Azure AD, or they may be hybrid Azure AD joined, but either way they must have a cloud identity.
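Before deciding which management path a device is on, it helps to know which identity state it is actually in. The following PowerShell function is an added example, not part of the original post: it parses the output of dsregcmd /status (the AzureAdJoined, DomainJoined, EnterpriseJoined, TenantName and DeviceId fields that the tool prints on Windows 10) and classifies the device as AD DS only, hybrid Azure AD joined, Azure AD joined, or not joined. The sample output at the end is constructed so the function can be exercised offline; the tenant name and device ID in it are placeholders.

```powershell
# Added example (not from the original post): classify a device's identity
# state from "dsregcmd /status" output. The field names are those dsregcmd
# prints on Windows 10; the sample below is constructed for offline testing.

function Get-DeviceJoinState {
    [CmdletBinding()]
    param(
        # Lines of dsregcmd /status output; defaults to running the tool locally.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    $fields = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "Name : VALUE" pairs with varying indentation; the
        # non-greedy name group stops at the first colon so URL values survive.
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $aad    = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'

    $state = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
             elseif ($aad)          { 'Azure AD joined' }
             elseif ($domain)       { 'AD DS joined only' }
             else                   { 'Workgroup / not joined' }

    [pscustomobject]@{
        JoinState        = $state
        # Intune enrollment and co-management both require a cloud identity,
        # which hybrid join provides through the Azure AD device registration.
        HasCloudIdentity = $aad
        DomainName       = $fields['DomainName']
        TenantName       = $fields['TenantName']
        DeviceId         = $fields['DeviceId']
    }
}

# Constructed sample of the relevant dsregcmd /status lines (placeholder values)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso
'@ -split "`r?`n"

# Classifies the constructed sample as "Hybrid Azure AD joined"
Get-DeviceJoinState -StatusLines $sample

# On a real device, call it with no arguments to inspect the local state:
# Get-DeviceJoinState
```

Run it as the signed-in user on the device; dsregcmd /status reports the device state in any context, but the user-state section it also prints only reflects the calling user, which is why the function reads only the device fields.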

Our guidance

Not all devices in your organization need to be managed the same way. Each device serves a different purpose and, as such, has different management and identity requirements. For example, new devices may not need to be joined to AD DS, and instead can be initially provisioned as Azure AD joined, being managed either by Intune natively or by co-management. Starting this device as hybrid Azure AD joined will introduce challenges later as you adopt more modern solutions, such as migrating user data and user profiles, and determining which group policies are assigned to the device. So before joining any new devices to AD DS and deciding on that hybrid approach, ask yourself, “Does this device need to be hybrid Azure AD joined? What are the benefits of joining this device to my AD DS environment?”

Hybrid Azure AD joining a device is great for uplifting your existing AD DS joined devices, but Azure AD is the Microsoft recommended path for most new or repurposed devices, especially when using modern deployment tools like Windows Autopilot.

Scenarios

Many of our customers have been using AD DS for 20 years, joining client (and server) operating systems from Windows 2000, Windows XP, Windows 7, Windows 8/8.1, Windows 10, and everything in between (I’m looking at you Windows Vista!). Because of how long AD DS has been around, you may have Group Policy Objects (GPOs) that you need to leverage, or Win32 authentication, or other scenarios that will make moving to a pure Azure AD environment challenging. Let’s look at some of these scenarios and our guidance with each one.

Scenario #1: User profile migration

Scenario

When a device is joined to Azure AD, it creates a new profile for the logged-on user and does not reference any existing profiles. In a new device scenario, this won’t be an issue as there are no profiles yet on the endpoint. User profiles typically include the following local data and settings:

  • Local files in the Desktop, Documents, Pictures folders
  • Start menu and Taskbar customizations
  • Favorites
  • Browser settings
  • Cached credentials
  • Outlook cache and settings
  • Third-party app settings

But if the devices were previously AD DS joined or in a local workgroup, you may need a profile migration, as seen in the table below:

Original device state                 Once joined to Azure AD
New or re-imaged/repurposed device    No profile migration needed
Local workgroup                       User profiles need to be migrated
AD DS joined                          User profiles need to be migrated

Table 1. User profile migration needs when joining a device to Azure AD.

Guidance

Our guidance in the case where a user profile migration is needed is to:

  • Manually copy/paste to migrate profiles, or use a third-party profile migration tool
  • Re-map existing files and settings to the new profile
  • Preserve all cache settings
  • Use Enterprise State Roaming
  • Force synchronization of browser data
  • Move your on-premises file shares to SharePoint Online
  • Use OneDrive for Business Known Folder Move
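Of the steps above, OneDrive for Business Known Folder Move is the one that is configured by policy, and it can be pushed to devices from Intune before the identity change so that Desktop, Documents and Pictures are already in the cloud when the new profile is created. The script below is an added example, not from the original post: it writes the OneDrive policy registry values that the OneDrive ADMX template defines (KFMSilentOptIn, KFMSilentOptInWithNotification, KFMBlockOptOut, SilentAccountConfig) and then verifies them, which is the same check a proactive remediation or a compliance script would run. The tenant ID is a placeholder you must replace; the same four settings can also be expressed through the Intune Settings Catalog instead of a script.

```powershell
# Added example (not from the original post): configure OneDrive Known Folder
# Move silently for every user on the device and verify the result.
# Requires elevation (HKLM). The tenant ID below is a PLACEHOLDER.

$TenantId  = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: your Azure AD tenant ID
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

# Value names as defined by the OneDrive ADMX template
$settings = [ordered]@{
    KFMSilentOptIn                 = $TenantId  # move Desktop/Documents/Pictures without prompting
    KFMSilentOptInWithNotification = 1          # tell the user after the folders have moved
    KFMBlockOptOut                 = 1          # stop users moving the folders back to local disk
    SilentAccountConfig            = 1          # sign OneDrive in with the Windows account
}

function Set-OneDriveKfmPolicy {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($name in $settings.Keys) {
        $value = $settings[$name]
        $type  = if ($value -is [string]) { 'String' } else { 'DWord' }
        New-ItemProperty -Path $policyKey -Name $name -Value $value -PropertyType $type -Force | Out-Null
    }
}

function Test-OneDriveKfmPolicy {
    # Returns Compliant = $true only when every value is present with the expected data
    $current  = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $mismatch = foreach ($name in $settings.Keys) {
        if ($null -eq $current -or "$($current.$name)" -ne "$($settings[$name])") { $name }
    }
    [pscustomobject]@{
        Compliant  = (-not $mismatch)
        Mismatched = @($mismatch)
    }
}

Set-OneDriveKfmPolicy
$result = Test-OneDriveKfmPolicy
$result
# Non-zero exit surfaces a misconfiguration in the Intune script status report
if (-not $result.Compliant) { exit 1 }
```

Deploy it as a device (system) script so it can write HKLM; the folder move itself happens in the user's OneDrive client after sign-in, so verify on a pilot device that the three folders show the cloud icon before rolling the Azure AD join to the wider fleet.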

Scenario #2: Group Policy Objects

Scenario

Though we are constantly adding settings for the configuration service providers (CSPs) that Windows supports into Intune and making configuration of those settings easier for you, some of the GPOs that are configured on-premises may not have equivalent CSPs in Intune. These GPOs typically revolve around very specific user-based configurations, such as:

  • Start menu and Taskbar customizations
  • Desktop wallpaper and screensaver settings
  • Some registry settings
  • Other Group Policy Preferences

Guidance

  • Run Group Policy Analytics to analyze these GPOs and determine your level of modern management support.
  • Do a thorough assessment of supported settings in MDM – do you still need them? Are there alternative technologies with higher security? Are the registry changes covered by a KB article? Is the policy still required? Do a hard rationalization with your team!
  • If you are setting Registry to configure apps, re-evaluate if the configuration is supported via ADMX (Administrative Templates).
  • Migrate those GPO settings that have equivalent CSPs to an Intune policy. For devices born in the cloud, use Security baselines to configure Windows 10 devices in Intune as these have recommended MDM configurations.
  • Re-evaluate the necessity of those GPO settings that do not have an equivalent CSP and report to us.
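Group Policy analytics works from the XML report that Get-GPOReport produces for each GPO, so the first practical step of the assessment above is to export those reports in bulk. The script below is an added example, not from the original post: it exports every domain GPO as XML, and a small summary function reads each report to list which client-side extensions (Registry, Security, Scripts, and so on) are configured for the computer and user halves and how many places the GPO is linked, which gives the "do we still need this?" review an inventory to start from. It requires the GroupPolicy RSAT module on a domain-joined admin workstation; the output folder is an assumption, and the XML at the end is a constructed sample in the shape Get-GPOReport emits so the summary can be tried without a domain.

```powershell
# Added example (not from the original post): export GPO XML reports for Group
# Policy analytics and summarize each one. Requires the GroupPolicy module.

function Get-GpoReportSummary {
    param([Parameter(Mandatory)][xml]$Report)

    # Get-GPOReport XML uses this default namespace, so XPath needs a prefix
    $ns = New-Object System.Xml.XmlNamespaceManager($Report.NameTable)
    $ns.AddNamespace('gp', 'http://www.microsoft.com/GroupPolicy/Settings')

    # Each configured client-side extension appears as ExtensionData/Name
    $extensions = { param($scope)
        @($Report.SelectNodes("/gp:GPO/gp:$scope/gp:ExtensionData/gp:Name", $ns)) |
            ForEach-Object { $_.InnerText } | Sort-Object -Unique
    }

    [pscustomobject]@{
        Name               = $Report.SelectSingleNode('/gp:GPO/gp:Name', $ns).InnerText
        ComputerExtensions = @(& $extensions 'Computer')
        UserExtensions     = @(& $extensions 'User')
        # Unlinked GPOs (LinkCount 0) are the first candidates for retirement
        LinkCount          = @($Report.SelectNodes('/gp:GPO/gp:LinksTo', $ns)).Count
    }
}

function Export-GpoReportsForAnalytics {
    param([string]$OutputFolder = "$env:USERPROFILE\GpoReports")  # assumed path
    Import-Module GroupPolicy -ErrorAction Stop
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    foreach ($gpo in Get-GPO -All) {
        # GPO display names may contain characters that are illegal in file names
        $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
        $path = Join-Path $OutputFolder "$safeName.xml"
        # This XML file is what the Group Policy analytics import accepts
        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $path

        [xml]$xml = Get-Content -Path $path -Raw
        Get-GpoReportSummary -Report $xml |
            Add-Member -NotePropertyName Status -NotePropertyValue $gpo.GpoStatus -PassThru
    }
}

# Constructed sample in the Get-GPOReport XML shape (real reports carry
# xsi:type attributes and the settings themselves under each Extension)
[xml]$sample = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Desktop wallpaper and screensaver</Name>
  <Computer><Enabled>true</Enabled></Computer>
  <User>
    <Enabled>true</Enabled>
    <ExtensionData><Extension /><Name>Registry</Name></ExtensionData>
    <ExtensionData><Extension /><Name>Registry</Name></ExtensionData>
  </User>
  <LinksTo><SOMName>Workstations</SOMName><SOMPath>corp.example/Workstations</SOMPath></LinksTo>
</GPO>
'@

# Summarizes the sample: no computer extensions, user extension "Registry", one link
Get-GpoReportSummary -Report $sample

# On a domain-joined admin workstation, export everything for import into Intune:
# Export-GpoReportsForAnalytics | Format-Table Name, Status, LinkCount, ComputerExtensions, UserExtensions
```

Sorting the exported summary by LinkCount and Status is a quick way to separate GPOs that are already dead (unlinked or disabled) from the ones that genuinely need a CSP equivalent or a decision to drop them.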

Scenario #3: Win32 apps and legacy authentication

Scenario

Some Win32 apps depend on a legacy form of authentication. Any app that requires AD DS machine (computer account) authentication will not work once the device is Azure AD joined.

The apps that do work are those that support NT LAN Manager (NTLM), modern authentication, or a Kerberos TGT obtained by the user.

Guidance

  • Once you have a better idea of who is using legacy authentication in your directory and which applications depend on it, the next step is upgrading your users to use modern authentication.
  • Migrate these apps to apps that support modern types of authentication.
  • Re-evaluate the necessity of AD DS machine authentication.
  • Get application compatibility assistance at no additional cost.

Scenario #4: Printing

Scenario

Your users are using printers that are directly connected to their devices or that have a direct path in the Printer settings, and some may be using AD Printer Discovery to find the printer closest to them. Because there are many printer scenarios, consider the cases in the table below:

Printer scenario                         Result
User has a printer directly connected    This will continue to work
User has a direct path to a printer      This will continue to work
User uses AD Printer Discovery           This will not work

Table 2. Printer scenarios when migrating a device to Azure AD.

Guidance

  • Notify users of a direct printer path, when possible
  • Deploy a PowerShell script from Intune to map the printers
  • Best: Use Universal Print, our driverless, cloud-based print service
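The second option above, a PowerShell script deployed from Intune, is what replaces AD Printer Discovery for the users who still need on-premises print servers. The script below is an added example, not from the original post: it maps a list of shared printers by UNC path, skips ones that are already connected, optionally sets the default printer, logs what it did, and returns a non-zero exit code on failure so the result is visible in the Intune script status. The print server name and share names are assumptions; printer connections are per-user, so assign the script to run in the logged-on user's context, and the user must still be able to authenticate to the print server (NTLM or Kerberos) for the connection to succeed.

```powershell
# Added example (not from the original post): Intune PowerShell script that
# maps shared printers by UNC path. Server and share names are assumptions.
# Run in the user context; printer connections belong to the user profile.

$printers = @(
    @{ Path = '\\print01.corp.example\HQ-Floor2-Color'; Default = $true  }
    @{ Path = '\\print01.corp.example\HQ-Floor2-Mono';  Default = $false }
)
$logFile = Join-Path $env:TEMP 'Intune-PrinterMap.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $logFile
}

function Add-PrinterConnectionIfMissing {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$SetDefault
    )
    # Get-Printer lists existing connections under their UNC path; skip those
    $existing = Get-Printer -ErrorAction SilentlyContinue | Where-Object Name -eq $Path
    if ($existing) {
        Write-Log "Already mapped $Path"
    } else {
        try {
            Add-Printer -ConnectionName $Path -ErrorAction Stop
            Write-Log "Mapped $Path"
        } catch {
            # Typical causes: no line of sight to the server, or the user cannot
            # authenticate to it; both show up here rather than silently failing
            Write-Log "FAILED $Path : $($_.Exception.Message)"
            return $false
        }
    }
    if ($SetDefault) {
        # The default printer is a per-user setting; WScript.Network sets it
        # without needing extra modules
        (New-Object -ComObject WScript.Network).SetDefaultPrinter($Path)
        Write-Log "Default printer set to $Path"
    }
    return $true
}

$results = foreach ($p in $printers) {
    Add-PrinterConnectionIfMissing -Path $p.Path -SetDefault:$p.Default
}

# Non-zero exit marks the script as failed in the Intune script status report
if ($results -contains $false) { exit 1 } else { exit 0 }
```

Keep the printer list in the script short and per-site (assign different scripts to different Azure AD groups) rather than mapping every printer in the organization; that is the closest equivalent to the "closest printer" behaviour that AD Printer Discovery provided.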

Conclusion

Hybrid Azure AD joining a device is a device identity scenario, which has your device joined to the on-premises AD DS domain, and registered in Azure AD. This is a good scenario when starting your identity and security migration from on-premises to the cloud.

Co-management is a device management scenario, which has your device being managed by both Configuration Manager and Microsoft Intune, with each being the management authority of specific workloads.

Consider the points in this table as our recommendations to realize the benefits of cloud management.

Identity                 Management                             Provisioning                  Cloud modernization
AD DS only               Configuration Manager + Tenant Attach  Operating System Deployment   Low
Hybrid Azure AD joined   Tenant Attach + Co-management          Operating System Deployment   Medium
Azure AD only            Co-management or Microsoft Intune      Windows Autopilot             High

Table 3. Recommended Windows client management strategy based on device identity.

As you start to move from your legacy AD DS and Configuration Manager environments, we’re here to help! Reach out to our FastTrack team and follow us on Twitter @IntuneSuppTeam! And bookmark the Microsoft Endpoint Manager community for more blogs and information on managing all of your devices, including iOS, iPad OS, macOS, Android, and Windows!

 

15 Comments
Senior Member

Great overview article! Thank you!

 

Is the chart at the bottom missing a row in-between HAADJ and AAD-only? Similar to the HAADJ row, but with Autopilot provisioning?

Senior Member

Following my previous comment: I see the table is for "Recommended" options. In that case I take back my question about HAADJ + Autopilot being missing. I understand that it's a supported/valid option, but not actually recommended.

 

Thanks again for the article.

 

 

Hi @MaxM 

 

Excited to be doing this! Glad you like it!

 

In reference to your question, we strongly discourage any customer from building their modern provisioning plan on Hybrid Azure AD Join. At best you’re deferring a problem you’ll still have to solve and that won’t necessarily get any easier with time. At worst you’ll end up investing lots of time and effort to try and solve a complex problem and gain very little benefit over the current solution you have today that works well and reliably.

 

  • The HAADJ flow during Autopilot is one where we’re seeing customers run into issues and lots of unnecessary complexity.
  • HAADJ is really intended to uplift a customer’s existing domain join devices.
  • AAD is the Microsoft recommended path for most new or repurposed devices, especially when using modern deployment tools like Windows Autopilot 
Senior Member

@Herman Arnedo Mahr I'm pleasantly surprised to see you/MSFT state that so decisively. Thank you.

Senior Member

Great article - having just enabled co-management and hybrid join, the scenarios such as GPOs and how to shift away from legacy apps is very useful.

Senior Member

Nice overview. But HAADJ+Autopilot is recommended by MS, yet it is not listed here. In practice, HAADJ+Autopilot has a more time-consuming implementation, and there were operational changes. Do you agree?

Any comments from others welcome. 

Senior Member

Is it possible to move workloads only for a subset of one's devices? For example, move the Windows Update workload only for a number of Surface devices that are HAAD joined, and then have everything else managed the traditional way.

@BitwinTheSheets Starting in version 1906, you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads. 

 

Please check the following links and if you have any questions, don't hesitate to ask! 

 

Microsoft

This is a great article and well explained :)

 

What about those scenarios that fall into the category of 'co-existence' where existing devices are managed by 3rd Party MDM providers?

Frequent Contributor

Good article and needed. Thanks.

Microsoft

@Vadivelu_B This statement is not correct: "But HAADJ+Autopilot is recommended by MS". We fully support doing this, but as @Herman Arnedo Mahr calls out, this path is not ideal, and our recommendation is for organizations to embrace AADJ for new devices as soon as possible. We understand that it's not an on/off proposition for most organizations which is why we will continue to support HAADJ + Autopilot, however, don't conflate support with recommendation. Our clear and stated direction is and always has been to move orgs to the cloud. This direction has been clearly reinforced over the last 18 months with dependencies to on-prem only resources (like Active Directory) becoming a major obstacle and productivity inhibitor for many organizations.

Senior Member

Great article but I'd like to propose an additional scenario that is holding us back from embracing AADJ for new devices, Certificate Services. We use an MS Enterprise PKI built on top of our AD for all the things it's great at. If my devices aren't ADDS joined I lose a lot of the automated features that platform provides for cert management.

 

We're actively moving our GPOs to modern policies, we've got software deployment pivoting from ECM to Intune and have a solution for printing, but the PKI requirement has us stumped. Is there a solution we haven't thought of or perhaps are MS looking at a PKI add-on for AAD?

Microsoft

Hi @DonalC, secure certificate deployment in a cloud-first world is a challenge particularly since this needs to account for all platforms that we currently manage (or those that we may manage in the future). Because of this, we must use a standards-based toolset to deliver the certs to the endpoints. Because of this, Intune uses a certificate connector that facilitates communication with your existing Enterprise PKI and delivers certs in one of two industry standard methods: SCEP or PKCS. You can read about the Intune Certificate Connector and these two certificate delivery options at Certificate connectors for Microsoft Intune - Azure | Microsoft Docs. If you search the web for Intune Certificate Connector you'll find lots of hits with additional official documentation as well as supplemental documentation from the community.

Senior Member

Hi @Jason_Sandys and many thanks for taking the time to respond. We're actually running the Intune Connector and have it plugged into our MS CA using SCEP. My challenge is this is a lot of on-premise (or Azure IaaS), domain joined infrastructure that needs to be deployed and managed for a working PKI solution.

 

What I'd love to see is a PaaS based PKI solution built directly into MEM that could be seamlessly integrated into the device lifecycle and connected to systems for functionality such as NAC, AOVPN etc.

 

If we're moving to the cloud, I really want to move to the cloud, and not have to build masses of on-premise infrastructure to support that move.

Microsoft

Thank you for the feedback. Personally, yes, I'd love to see a PaaS and Azure-based PKI as well. At this time though, we don't have this. There have been hallway-type conversations and investigations (so I'm not alone in this desire), but there are no formal plans or commitments right now. Please use the feedback capabilities within Azure and the MEM admin console to submit this to ensure it receives increased visibility.

%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22252%22%20height%3D%2229px%22%20style%3D%22background-color%3A%20%23f2f2f2%3B%22%3E%3CP%3ELocal%20workgroup%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%20height%3D%2229px%22%3E%3CP%3EUser%20profiles%20need%20to%20be%20migrated%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22252%22%20height%3D%2229px%22%20style%3D%22background-color%3A%20%23f2f2f2%3B%22%3E%3CP%3EAD%20DS%20joined%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%20height%3D%2229px%22%3E%3CP%3EUser%20profiles%20need%20to%20be%20migrated%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CFONT%20size%3D%222%22%3E%3CEM%3ETable%201.%20User%20profile%20migration%20needs%20when%20joining%20a%20device%20to%20Azure%20AD.%3C%2FEM%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CEM%3E%3CSTRONG%3EGuidance%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EOur%20guidance%20in%20the%20case%20where%20a%20user%20profile%20migration%20is%20needed%20is%20to%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3EManually%20copy%2Fpaste%20to%20migrate%20profiles%2C%20or%20use%20a%20third-party%20profile%20migration%20tool%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ERe-map%20existing%20files%20and%20settings%20to%20the%20new%20profile%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EPreserve%20all%20cache%20settings%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EUse%20Enterprise%20State%20Roaming%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2FDeployEdge%2Fmicrosoft-edge-policies%23forcesync%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EForce%20synchronization%20of%20browser%20data%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom
%3A%208px%3B%22%3EMoving%20your%20on-premises%20file%20shares%20to%20SharePoint%20Online%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EUse%20OneDrive%20for%20Business%20Known%20Folder%20Move%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH3%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2017px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId-1552223451%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%20id%3D%22toc-hId-1552223450%22%3EScenario%20%232%3A%20Group%20Policy%20Objects%3C%2FH3%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CEM%3E%3CSTRONG%3EScenario%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EThough%20we%20are%20constantly%20adding%20configuration%20service%20providers%20(CSPs)%20settings%20that%20Windows%20supports%20into%20Intune%20and%20making%20configuration%20of%20settings%20easier%20for%20you%2C%20some%20of%20the%20GPOs%20that%20are%20configured%20on-premises%20may%20not%20have%20equivalent%20CSPs%20in%20Intune.%20These%20GPOs%20typically%20revolve%20around%20very%20specific%20user-based%20configurations%2C%20such%20as%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3EStart%20menu%20and%20Taskbar%20customizations%3C%2FLI%3E%0
A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EDesktop%20wallpaper%20and%20screensaver%20settings%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ESome%20registry%20settings%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EOther%20Group%20Policy%20Preferences%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CEM%3E%3CSTRONG%3EGuidance%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3ERun%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fconfiguration%2Fgroup-policy-analytics%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EGroup%20Policy%20Analytics%3C%2FA%3E%26nbsp%3Bto%20analyze%20these%20GPOs%20and%20determine%20your%20level%20of%20modern%20management%20support.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EDo%20a%20thorough%20assessment%20of%20supported%20settings%20in%20MDM%20%E2%80%93%20do%20you%20still%20need%20them%3F%20Are%20there%20alternative%20technologies%20with%20higher%20security%3F%20Are%20the%20registry%20changes%20covered%20by%20a%20KB%20article%3F%20Is%20the%20policy%20still%20required%3F%20Do%20a%20hard%20rationalization%20with%20your%20team!%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EIf%20you%20are%20setting%20Registry%20to%20configure%20apps%2C%20re-evaluate%20if%20the%20configuration%20is%20supported%20via%20ADMX%20(Administrative%20Templates).%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EMigrate%20those%20GPO%20settings%20that%20have%20equivalent%20CSPs%20to%20an%20Intune%20policy.%20For%20devices%20born%20in%20the%20cloud%2C%20use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fprotect%2Fsecurity-baselines%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESecurity%20baselines%3C%2FA%3E%20to%20configure%20Windows%2010%20devices%20in%20Intune%20as%20these%20have%20recommended%20MDM%20confi
gurations.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ERe-evaluate%20the%20necessity%20of%20those%20GPO%20settings%20that%20do%20not%20have%20an%20equivalent%20CSP%20and%20report%20to%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FIntuneSuppTeam%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eus%3C%2FA%3E.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH3%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2017px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--255231012%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%20id%3D%22toc-hId--255231013%22%3EScenario%20%233%3A%20Win32%20apps%20and%20legacy%20authentication%3C%2FH3%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CEM%3E%3CSTRONG%3EScenario%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3ESome%20Win32%20apps%20have%20a%20need%20for%20some%20legacy%20form%20of%20authentication.%20Any%20apps%20that%20require%20AD%20DS%20machine%20authentication%20will%20not%20work.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EThe%20apps%20that%20work%20are%20the%20apps%20that%20support%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fopenspecs%2Fwindows_protocols%2Fms-nlmp%2Fb38c36ed-2804-4868-a9ff-8dd3182128e4%22%20target%3D%22_b
lank%22%20rel%3D%22noopener%20noreferrer%22%3ENT%20LAN%20Manager%20(NTLM)%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmicrosoft-365%2Fenterprise%2Fhybrid-modern-auth-overview%3Fview%3Do365-worldwide%23what-is-modern-authentication%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EModern%20Auth%3C%2FA%3E%2C%20and%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fopenspecs%2Fwindows_protocols%2Fms-kile%2Fb4af186e-b2ff-43f9-b18e-eedb366abf13%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EKerberos%20TGT%3C%2FA%3E.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CEM%3E%3CSTRONG%3EGuidance%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3EOnce%20you%20have%20a%20better%20idea%20of%20who%20is%20using%20legacy%20authentication%20in%20your%20directory%20and%20which%20applications%20depend%20on%20it%2C%20the%20next%20step%20is%20upgrading%20your%20users%20to%20use%20modern%20authentication.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EMigrate%20these%20apps%20to%20apps%20that%20support%20modern%20types%20of%20authentication.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3ERe-evaluate%20the%20necessity%20of%20AD%20DS%20machine%20authentication.%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EGet%20application%20compatibility%20assistance%20at%20no%20additional%20cost.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH3%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2017px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--2062685475%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%
22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%20id%3D%22toc-hId--2062685476%22%3EScenario%20%234%3A%20Printing%3C%2FH3%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CEM%3E%3CSTRONG%3EScenario%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EYour%20users%20are%20using%20printers%20that%20are%20directly%20connected%20to%20their%20devices%20or%20that%20have%20a%20direct%20path%20in%20the%20Printer%20settings.%20And%20some%20may%20be%20using%20AD%20Printer%20Discovery%20to%20find%20the%20printer%20closest%20to%20them.%20Because%20there%20are%20many%20printer-type%20scenarios%2C%20consider%20the%20following%20in%20the%20table%20below%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CTABLE%20width%3D%22100%25%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22background-color%3A%20%23243a5e%3B%22%3E%0A%3CTD%20width%3D%22312%22%3E%3CP%3E%3CFONT%20color%3D%22%23FFFFFF%22%3EPrinter%20scenario%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%3CP%3E%3CFONT%20color%3D%22%23FFFFFF%22%3EResult%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%20style%3D%22background-color%3A%20%23f2f2f2%3B%22%3E%3CP%3EUser%20has%20a%20printer%20directly%20connected%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%3CP%3EThis%20will%20continue%20to%20work%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%20style%3D%22background-color%3A%20%23f2f2f2%3B%22%3E%3CP%3EUser%20has%20a%20direct%20path%20to%20a%20printer%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%3CP%3EThis%20will%20continue%20to%
20work%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22312%22%20style%3D%22background-color%3A%20%23f2f2f2%3B%22%3E%3CP%3EUser%20uses%20AD%20Printer%20Discovery%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22312%22%3E%3CP%3EThis%20will%20not%20work%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CFONT%20size%3D%222%22%3E%3CEM%3ETable%202.%20Printer%20scenarios%20when%20migrating%20a%20device%20to%20Azure%20AD.%3C%2FEM%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CEM%3E%3CSTRONG%3EGuidance%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%20margin-top%3A%2020px%3B%22%3ENotify%20users%20of%20a%20direct%20printer%20path%2C%20when%20possible%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EDeploy%20a%20PowerShell%20script%20from%20Intune%20to%20map%20the%20printers%3C%2FLI%3E%0A%3CLI%20style%3D%22margin-bottom%3A%208px%3B%22%3EBest%3A%20Use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Funiversal-print%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUniversal%20Print%3C%2FA%3E%2C%20our%20driverless%20cloud-based%2C%20print%20service%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH2%20style%3D%22margin-top%3A%2036px%3B%20margin-bottom%3A%2020px%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Geneva%2C%20sans-serif%3B%20font-weight%3A%20600%3B%20font-size%3A%2020px%3B%20color%3A%20%23333333%3B%22%20id%3D%22toc-hId--2073188579%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hI
d--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%20id%3D%22toc-hId--2073188580%22%3EConclusion%3C%2FH2%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CSTRONG%3EHybrid%20Azure%20AD%20joining%3C%2FSTRONG%3E%20a%20device%20is%20a%20device%20identity%20scenario%2C%20which%20has%20your%20device%20joined%20to%20the%20on-premises%20AD%20DS%20domain%2C%20and%20registered%20in%20Azure%20AD.%20This%20is%20a%20good%20scenario%20when%20starting%20your%20identity%20and%20security%20migration%20from%20on-premises%20to%20the%20cloud.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CSTRONG%3ECo-management%3C%2FSTRONG%3E%20is%20a%20device%20management%20scenario%2C%20which%20has%20your%20device%20being%20managed%20by%20both%20Configuration%20Manager%20and%20Microsoft%20Intune%2C%20with%20each%20being%20the%20management%20authority%20of%20specific%20workloads.%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EConsider%20the%20points%20in%20this%20table%20as%20our%20recommendations%20to%20realize%20the%20benefits%20of%20cloud%20management.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CTABLE%20width%3D%22100%25%22%3E%0A%3CTBODY%3E%0A%3CTR%20style%3D%22background-color%3A%20%23243a5e%3B%22%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3E%3CFONT%20color%3D%22%23FFFFFF%22%3EIdentity%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22256%22%3E%3CP%3E%3CFONT%20color%3D%22%23FFFFFF%22%3EManagement%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22117%22%3E%3CP%3E%3CFONT%20color%3D%22%23FFFFFF%22%3EProvisioning%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3E%3CFONT%20color%3D%22%23FFFFFF%22%3ECloud%20modernization%3C%2FFONT%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22150%22%20style%3D%22background-color%3A%20%23f2f2f2%3B%22%3E%3CP%3EAD%20DS%2
0only%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22256%22%3E%3CP%3EConfiguration%20Manager%20%2B%20Tenant%20Attach%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22117%22%3E%3CP%3EOperating%20System%20Deployment%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3ELow%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22150%22%20style%3D%22background-color%3A%20%23f2f2f2%3B%22%3E%3CP%3EHybrid%20Azure%20AD%20joined%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22256%22%3E%3CP%3ETenant%20Attach%20%2B%20Co-management%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22117%22%3E%3CP%3EOperating%20System%20Deployment%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3EMedium%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22150%22%20style%3D%22background-color%3A%20%23f2f2f2%3B%22%3E%3CP%3EAzure%20AD%20only%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22256%22%3E%3CP%3ECo-management%3C%2FP%3E%0A%3CP%3EOr%3C%2FP%3E%0A%3CP%3EMicrosoft%20Intune%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22117%22%3E%3CP%3EWindows%20Autopilot%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3EHigh%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%3CFONT%20size%3D%222%22%3E%3CEM%3ETable%203.%20Recommended%20Windows%20client%20management%20strategy%20based%20on%20device%20Identity%3C%2FEM%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3EAs%20you%20start%20to%20move%20from%20your%20legacy%20AD%20DS%20and%20Configuration%20Manager%20environments%2C%20we%E2%80%99re%20here%20to%20help!%20Reach%20out%20to%20our%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Ffasttrack%2Fintroduction%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EFastTrack%3C%2FA%3E%20team%20and%20follow%20us%20on%20Twitter%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FIntuneSuppTeam%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%40IntuneSuppTeam%3C%2F
A%3E!%20And%20bookmark%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-endpoint-manager%2Fct-p%2Fmicrosoft-endpoint-manager%22%20target%3D%22_blank%22%3EMicrosoft%20Endpoint%20Manager%20community%3C%2FA%3E%20for%20more%20blogs%20and%20information%20on%20managing%20all%20of%20your%20devices%2C%20including%20iOS%2C%20iPad%20OS%2C%20macOS%2C%20Android%2C%20and%20Windows!%3C%2FP%3E%0A%3CP%20style%3D%22margin-top%3A%2020px%3B%22%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2221201%22%20slang%3D%22en-US%22%3E%3CP%3EExplore%20the%20differences%20between%20hybrid%20Azure%20AD%20join%20and%20co-management%E2%80%94and%20how%20they%20work%20together.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2221201%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConfiguration%20Manager%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Endpoint%20Manager%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Intune%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2222843%22%20slang%3D%22en-US%22%3ERe%3A%20Understanding%20hybrid%20Azure%20AD%20join%20and%20co-management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2222843%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20overview%20article!%20Thank%20you!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20the%20chart%20at%20the%20bottom%20missing%20a%20row%20in-between%20HAADJ%20and%20AAD-only%3F%20Similar%20to%20the%20HAADJ%20row%2C%20but%20with%20Autopilot%20provisioning%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2222854%22%20slang%3D%22en-US%22%3ERe%3A%20Understanding%20hybrid%20Azure%20AD%20join%20and%20co-management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2222854%22%20slang%3D%22en-US%22%3E%3CP%3EFollowing%20my%20previous%20comment%3A%20I%20see%20the%20table%20is%20for%20%22%3CEM%3ERecommende%3C%2FEM%3Ed%22%20options.%20In%20that%20case%20I%20take%20back%20my%20question%20about%20HAADJ%20%2B%20Autopilot
%20being%20missing.%20I%20understand%20that%20it's%20a%20supported%2Fvalid%20option%2C%20but%20not%20actually%20recommended.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again%20for%20the%20article.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2223166%22%20slang%3D%22en-US%22%3ERe%3A%20Understanding%20hybrid%20Azure%20AD%20join%20and%20co-management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2223166%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102496%22%20target%3D%22_blank%22%3E%40Max%20Manning%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EExcited%20to%20be%20doing%20this!%20Glad%20you%20like%20it!%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20reference%20to%20your%20question%2C%20we%20strongly%20discourage%20any%20customer%20from%20building%20their%20modern%20provisioning%20plan%20on%20Hybrid%20Azure%20AD%20Join.%20At%20best%20you%E2%80%99re%20deferring%20a%20problem%20you%E2%80%99ll%20still%20have%20to%20solve%20and%20won%E2%80%99t%20necessarily%20get%20any%20easier%20with%20time.%20At%20worst%20you%E2%80%99ll%20end%20up%20investing%20lots%20of%20time%20and%20effort%20to%20try%20and%20solve%20a%20complex%20problem%20and%20gain%20very%20little%20benefit%20over%20the%20current%20solution%20you%20have%20today%20that%20work%20well%20and%20reliably.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThe%20HAADJ%20flow%20during%20Autopilot%20is%20one%20we%E2%80%99re%20seeing%20customers%20see%20issues%20and%20lots%20of%20unnecessary%20complexity.%3C%2FLI%3E%0A%3CLI%3EHAADJ%20is%20really%20intended%20to%20uplift%20a%20customer%E2%80%99s%20existing%20domain%20join%20devices.%3C%2FLI%3E%0A%3CLI%3EAAD%20is%20the%20Microsoft%20recommended%20path%20for%20most%20new%20or%20repurposed%20devices%2C%20especially%20when%20using%20modern
%20deployment%20tools%20like%20Windows%20Autopilot%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2223196%22%20slang%3D%22en-US%22%3ERe%3A%20Understanding%20hybrid%20Azure%20AD%20join%20and%20co-management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2223196%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F224687%22%20target%3D%22_blank%22%3E%40Herman%20Arnedo%20Mahr%3C%2FA%3E%26nbsp%3BI'm%20pleasantly%20surprised%26nbsp%3Bto%20see%20you%2FMSFT%20state%20that%20so%20decisively.%20Thank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2223528%22%20slang%3D%22en-US%22%3ERe%3A%20Understanding%20hybrid%20Azure%20AD%20join%20and%20co-management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2223528%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20article%20-%20having%20just%20enabled%20co-management%20and%20hybrid%20join%2C%20the%20scenarios%20such%20as%20GPOs%20and%20how%20to%20shift%20away%20from%20legacy%20apps%20is%20very%20useful.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2226583%22%20slang%3D%22en-US%22%3ERe%3A%20Understanding%20hybrid%20Azure%20AD%20join%20and%20co-management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2226583%22%20slang%3D%22en-US%22%3E%3CP%3ENice%20overview.%20But%20HAADJ%2BAutopilot%20is%20recommended%20by%20MS%2C%20but%20it%20not%20listed%20here.%20Practically%20HAADJ%2BAutopilot%20having%20more%20time-consuming%20implementation%2C%20operational%20changes%20were%20there.%20Do%20you%20agree%3F%3C%2FP%3E%3CP%3EAny%20comments%20from%20others%20welcome.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2229390%22%20slang%3D%22en-US%22%3ERe%3A%20Understanding%20hybrid%20Azure%20AD%20join%20and%20co-management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2229390%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20it%20possible%20to%20only%20to%20move%20workloads
%20only%20for%20a%20subset%20of%20one's%20devices%3F%20For%20example%20move%20the%20windows%20update%20workload%20only%20for%20a%20number%20of%20surface%20devices%20that%20are%20HAAD%20joined.%20Then%20have%20everything%20else%20being%20managed%20the%20traditional%20way.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2232586%22%20slang%3D%22en-US%22%3ERe%3A%20Understanding%20hybrid%20Azure%20AD%20join%20and%20co-management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2232586%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F288327%22%20target%3D%22_blank%22%3E%40BitwinTheSheets%3C%2FA%3E%26nbsp%3BStarting%20in%20version%201906%2C%20you%20can%20configure%20different%20pilot%20collections%20for%20each%20of%20the%20co-management%20workloads.%20Being%20able%20to%20use%20different%20pilot%20collections%20allows%20you%20to%20take%20a%20more%20granular%20approach%20when%20shifting%20workloads.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20check%20the%20following%20links%20and%20if%20you%20have%20any%20questions%2C%20don't%20hesitate%20to%20ask!%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fconfigmgr%2Fcomanage%2Fworkloads%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ECo-management%20workloads%20-%20Configuration%20Manager%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fconfigmgr%2Fcomanage%2Fhow-to-enable%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EEnable%20co-management%20-%20Configuration%20Manager%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2234685%22%20slang%3D%22en-US%22%3ERe%3A%20Understanding%20hybrid%20Azure%20AD%20join%20and%20co-management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%
20id%3D%22lingo-body-2234685%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20a%20great%20article%20and%20well%20explained%20%3A)%3C%2Fimg%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20about%20those%20scenarios%20that%20fall%20into%20the%20category%20of%20'co-existence'%20where%20existing%20devices%20are%20managed%20by%203rd%20Party%20MDM%20providers%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2243073%22%20slang%3D%22en-US%22%3ERe%3A%20Understanding%20hybrid%20Azure%20AD%20join%20and%20co-management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2243073%22%20slang%3D%22en-US%22%3E%3CP%3EGood%20article%20and%20needed.%20Thanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2454699%22%20slang%3D%22en-US%22%3ERe%3A%20Understanding%20hybrid%20Azure%20AD%20join%20and%20co-management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2454699%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F295298%22%20target%3D%22_blank%22%3E%40Vadivelu_B%3C%2FA%3E%26nbsp%3BThis%20statement%20is%20not%20correct%3A%20%22%3CSPAN%3EBut%20HAADJ%2BAutopilot%20is%20recommended%20by%20MS%22.%20We%20fully%20support%20doing%20this%2C%20but%20as%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F224687%22%20target%3D%22_blank%22%3E%40Herman%20Arnedo%20Mahr%3C%2FA%3E%26nbsp%3Bcalls%20out%2C%20this%20path%20is%20not%20ideal%2C%20and%20our%20recommendation%20is%20for%20organizations%20to%20embrace%20AADJ%20for%20new%20devices%20as%20soon%20as%20possible.%20We%20understand%20that%20it's%20not%20an%20on%2Foff%20proposition%20for%20most%20organizations%20which%20is%20why%20we%20will%20continue%20to%20support%20HAADJ%20%2B%20Autopilot%2C%20however%2C%20don't%20conflate%20support%20with%20recommendation.%20Our%20clear%20and%20stated%20direction%20is%20and%20always%20has%20been%20to%20move%20orgs%20to%20the%20cloud
. This direction has been clearly reinforced over the last 18 months, with dependencies on on-prem-only resources (like Active Directory) becoming a major obstacle and productivity inhibitor for many organizations.

Re: Understanding hybrid Azure AD join and co-management

Great article, but I'd like to propose an additional scenario that is holding us back from embracing AADJ for new devices: Certificate Services. We use an MS Enterprise PKI built on top of our AD for all the things it's great at. If my devices aren't ADDS joined, I lose a lot of the automated features that platform provides for cert management.

We're actively moving our GPOs to modern policies, we've got software deployment pivoting from ECM to Intune and have a solution for printing, but the PKI requirement has us stumped. Is there a solution we haven't thought of, or perhaps are MS looking at a PKI add-on for AAD?

Re: Understanding hybrid Azure AD join and co-management

Hi @DonalC, secure certificate deployment in a cloud-first world is a challenge, particularly since this needs to account for all platforms that we currently manage (or those that we may manage in the future). Because of this, we must use a standards-based toolset to deliver the certs to the endpoints. Because of this, Intune uses a certificate connector that facilitates communication with your existing Enterprise PKI and delivers certs in one of two industry-standard methods: SCEP or PKCS. You can read about the Intune Certificate Connector and these two certificate delivery options at Certificate connectors for Microsoft Intune - Azure | Microsoft Docs (https://docs.microsoft.com/en-us/mem/intune/protect/certificate-connectors). If you search the web for "Intune Certificate Connector" you'll find lots of hits with additional official documentation as well as supplemental documentation from the community.

Re: Understanding hybrid Azure AD join and co-management

Hi @Jason_Sandys, and many thanks for taking the time to respond. We're actually running the Intune Connector and have it plugged into our MS CA using SCEP. My challenge is this is a lot of on-premise (or Azure IaaS), domain-joined infrastructure that needs to be deployed and managed for a working PKI solution.

What I'd love to see is a PaaS-based PKI solution built directly into MEM that could be seamlessly integrated into the device lifecycle and connected to systems for functionality such as NAC, AOVPN etc.

If we're moving to the cloud, I really want to move to the cloud, and not have to build masses of on-premise infrastructure to support that move.

Re: Understanding hybrid Azure AD join and co-management

Thank you for the feedback. Personally, yes, I'd love to see a PaaS and Azure-based PKI as well. At this time though, we don't have this. There have been hallway-type conversations and investigations (so I'm not alone in this desire), but there are no formal plans or commitments right now. Please use the feedback capabilities within Azure and the MEM admin console to submit this to ensure it receives increased visibility.
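The thread above turns on Intune's certificate connector delivering certificates from an on-premises enterprise CA over SCEP or PKCS. As an added example that is not part of the post or of either commenter's replies, the PowerShell below is the check a practitioner runs on a Windows endpoint to confirm that an Azure AD joined (or hybrid joined) device actually received its machine certificate that way: it reads the join flags from dsregcmd /status, then inspects the LocalMachine\My store for certificates from the issuing CA, pulls the template name out of the Microsoft certificate-template extension (OID 1.3.6.1.4.1.311.21.7, or 1.3.6.1.4.1.311.20.2 for version 1 templates), and flags the conditions that leave NAC or VPN authentication broken even when a certificate is present. The CA name "Contoso Issuing CA" and the template name "IntuneDeviceAuth" are placeholder assumptions; substitute your own.

```powershell
# Added example (not from the blog post or the comment thread).
# Verifies on a Windows endpoint that (1) the device is Azure AD / hybrid joined and
# (2) it holds a machine certificate issued by the enterprise CA through Intune (SCEP/PKCS).
# Assumptions (hypothetical placeholders): the issuing CA subject contains "Contoso Issuing CA"
# and the Intune SCEP/PKCS template is named "IntuneDeviceAuth". Run from an elevated prompt.
param(
    [string]$IssuerMatch   = 'Contoso Issuing CA',   # assumption: substring of your CA's subject
    [string]$TemplateMatch = 'IntuneDeviceAuth',     # assumption: your SCEP/PKCS template name
    [int]$MinDaysValid     = 30                      # warn when renewal is overdue
)

function Get-JoinState {
    # dsregcmd /status prints "Key : Value" lines; extract the join flags and device ID.
    $text  = & dsregcmd.exe /status 2>$null
    $state = @{}
    foreach ($line in $text) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceId)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    $joinType = if ($state.AzureAdJoined -eq 'YES' -and $state.DomainJoined -eq 'YES') { 'Hybrid Azure AD joined' }
                elseif ($state.AzureAdJoined -eq 'YES') { 'Azure AD joined' }
                elseif ($state.DomainJoined -eq 'YES')  { 'Domain joined only' }
                else                                    { 'Not joined' }
    [pscustomobject]@{ JoinType = $joinType; DeviceId = $state.DeviceId }
}

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # V2 template extension (1.3.6.1.4.1.311.21.7) formats as "Template=<Name>(<OID>)...";
    # the V1 extension (1.3.6.1.4.1.311.20.2) formats as the bare template name.
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') } |
        Select-Object -First 1
    if (-not $ext) { return $null }
    $formatted = $ext.Format($false)
    if ($formatted -match 'Template=([^(]+)') { return $matches[1].Trim() }
    return $formatted.Trim()
}

$join = Get-JoinState
Write-Host "Join state : $($join.JoinType)  (DeviceId: $($join.DeviceId))"

# Only certificates chained to the enterprise CA are of interest; MDM and self-signed certs are skipped.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            Template      = Get-TemplateName -Cert $_
            NotAfter      = $_.NotAfter
            DaysRemaining = [int]($_.NotAfter - (Get-Date)).TotalDays
            HasPrivateKey = $_.HasPrivateKey
        }
    }

if (-not $certs) {
    Write-Warning "No certificate issued by '$IssuerMatch' in LocalMachine\My; check the SCEP/PKCS profile assignment and the connector host's event log."
}
$certs | Format-Table Thumbprint, Template, NotAfter, DaysRemaining, HasPrivateKey -AutoSize

# A certificate can be present and still useless for NAC/VPN: wrong template, no private key, or expiring.
$cert = $certs | Where-Object { $_.Template -eq $TemplateMatch } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate from template '$TemplateMatch' present."
} elseif (-not $cert.HasPrivateKey) {
    Write-Warning "Cert $($cert.Thumbprint) has no private key; enrollment did not complete on this device."
} elseif ($cert.DaysRemaining -lt $MinDaysValid) {
    Write-Warning "Cert $($cert.Thumbprint) expires in $($cert.DaysRemaining) days; renewal is not happening."
} else {
    Write-Host "OK: $($cert.Thumbprint) from '$TemplateMatch' is valid for $($cert.DaysRemaining) more days."
}
```

The script is read-only against the certificate store and the join state; the three warnings at the end are the cases that show up as "device has a cert but still fails 802.1X or Always On VPN", which is why the check looks at template, private-key presence and remaining lifetime rather than only at whether a certificate exists.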
Last update: Mar 18 2021 03:04 PM