
AD Broken trust relationship


We are in a situation where our machines have a broken trust relationship. End users are not ready to come back to the office, and the objects aren't in AD. Now we want to make them Hybrid AAD join/Azure AD join.

Is there a way to bring the machine back to domain?

You can get them back to the domain using a VPN connection to your office while the user is still working at home. You can put them in a workgroup and rejoin them using VPN and TeamViewer; the machine will then receive policies when connected and will hybrid Azure AD join so that you can use the Intune functionality.

Please be aware that when you use the Wipe option in Intune and you have a hybrid join profile, the machine must have a supported VPN connection when going through the Autopilot process, or it must be at the office (the machine must be able to connect to your domain controllers).
Thank you Harm_Veenstra, but I have more than 10k devices. Can the OEM provide hardware hashes by serial number so that we can try a wipe?
OK, that's an option, but is the user going to wipe the device? They are not in Intune now? How do you manage them now?

You can Autopilot-deploy them if they are not in the office by using the OEM to get you the hardware hashes. Hybrid AAD join is more difficult because of the VPN requirement, but if you don't need that and just want them to join Azure AD/Intune... then it's easy :)
Harm_Veenstra Thank you
We do have VPN now. The easy way I am thinking of is to join them to AAD, bring them into Intune, deploy VPN, and deploy a domain join profile. I am not sure whether it works or not.
If you join them to AAD, then they can enroll into Intune and then you can manage them. But do they really need to be joined to the domain? I mean, they do work now without it from home, using VPN to a terminal environment or just using Office locally and some SaaS apps?
Thank you Harm_Veenstra
There seems to be an issue with AAD join with the firewall; is there a way to disable the firewall without admin access?
You don't have the local admin account of those machines from the time that they were joined to your Active Directory environment?
They have... let me try. Thank you
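As an added example that is not part of this thread: a PowerShell check to run (as local admin, over the office VPN) on one affected device before attempting the rejoin or the AAD join discussed above. The domain controller name is a placeholder, and the three Azure AD hostnames are the device-registration endpoints assumed here; it repairs the secure channel in place where the AD object still exists, and checks outbound reachability rather than turning the firewall off.

```powershell
# Added example for this thread, not Microsoft or Intune code.
# Assumptions: $DomainController is a placeholder; the AAD hostnames are the
# device-registration endpoints assumed for hybrid join. Run elevated, on VPN.
param(
    [string]$DomainController = 'dc01.corp.example.com',   # placeholder name
    [pscredential]$DomainJoinCred = (Get-Credential -Message 'Account allowed to reset computer accounts')
)

# 1. Confirm the VPN actually reaches a DC on the ports a domain join needs.
$dcPorts = @{ LDAP = 389; Kerberos = 88; SMB = 445 }
foreach ($p in $dcPorts.GetEnumerator()) {
    $ok = (Test-NetConnection -ComputerName $DomainController -Port $p.Value -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("DC {0,-8} port {1,-3}: {2}" -f $p.Key, $p.Value, $(if ($ok) { 'open' } else { 'BLOCKED' }))
}

# 2. Check the secure channel. If it is broken but the computer object still
#    exists in AD, repair it in place instead of dropping to a workgroup and
#    rejoining; that keeps the existing AD object and its group memberships.
if (-not (Test-ComputerSecureChannel -Server $DomainController)) {
    Write-Host 'Secure channel broken - attempting in-place repair'
    $repaired = Test-ComputerSecureChannel -Repair -Server $DomainController -Credential $DomainJoinCred
    if (-not $repaired) {
        # Repair fails when the AD object was deleted; a workgroup/rejoin is then needed.
        Write-Warning 'Repair failed - the computer object may no longer exist in AD; rejoin required'
    }
}

# 3. Instead of disabling the firewall, verify outbound TLS to the Azure AD
#    endpoints device registration needs (assumed hostnames, see lead-in).
$aadHosts = 'login.microsoftonline.com', 'enterpriseregistration.windows.net', 'device.login.microsoftonline.com'
foreach ($h in $aadHosts) {
    $ok = (Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("AAD {0,-36}: {1}" -f $h, $(if ($ok) { 'open' } else { 'BLOCKED' }))
}

# 4. Report the join state that Intune and hybrid join depend on.
$state = dsregcmd /status
foreach ($k in 'DomainJoined', 'AzureAdJoined', 'DeviceId') {
    $state | Select-String "^\s*$k\s*:" | ForEach-Object { $_.Line.Trim() }
}
```

If step 2 reports that repair failed, the rejoin path from the earlier reply (workgroup, then rejoin over VPN) is still the route; if step 3 shows BLOCKED, the fix belongs in the firewall or proxy allow-list, not in disabling the firewall.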

Hi @JE,

Unfortunately you need to do a lot of manual work to bring the devices to HAAD or AAD. Have you thought about using Azure Virtual Desktop? You have to pay for the VMs, but at least you have time to bring those devices to Azure AD Join.

I don't recommend using Hybrid join, stay with Azure AD Join, especially if you sync your users with ADConnect.

Hope this helps!
Moe