
Device Status when enrolled - Error


I have a couple of questions.

1. I have defined the Configuration Profile for Domain Join and set the

   Computer name prefix
   Domain name
   Organizational unit

But it seems not to be joining the domain, and it is not taking the prefix; instead it is giving its own prefix as DESKTOP-blahblah.

2. Under All devices it shows Error under "DEPLOYMENT STATUS". What am I doing wrong here?

 

[screenshot: Device Status]

 

 

3. It was showing as "Waiting for Install" status.

 

[screenshot: 2022-08-09 115435]

Solution (best response confirmed by oryxway)

@oryxway, there's a lot that may be going awry here. Your screenshots show issues with hybrid join and app deployment. 

 

  1. Assuming you're trying to hybrid join here (as that's what that configuration profile is for), may we also assume you've set up hybrid join in your AAD following these docs?
     Configure hybrid Azure Active Directory join - Microsoft Entra | Microsoft Docs
  2. Assuming this screenshot shows the device status for the "Domain Join" profile: can you see any other details when you click on the error row?
  3. This screenshot seems to show app installations. That's completely unrelated, in my opinion, but it does make me suspect there are some other things that may be misconfigured.

I suggest you troubleshoot things one step at a time, making sure each element works before adding the next.

My concern is that when I enable this in Azure AD Connect (which is not enabled) will it affect all the devices OnPrem?

We are only wanting the new OOBE devices joining the Hybrid Azure AD

AADConnect will not affect your existing, on-prem devices (unless you tell it to do so :smile:). 

 

Are you sure you need to hybrid join, though? I would suggest you simply try to work with AAD joined devices, and only start looking into hybrid joining if you really need to. 

@NielsScheffers Management does not want to do Azure AD for some reason, as we have lots of apps, and knowing how they would work needs a lot of planning on our part. So, for now they want it to be Hybrid AAD.

 

So, should I enable it in AD Connect even though I have an Intune Connector installed separately for this Hybrid Azure AD? If enabling it in AD Connect is what is going to do it, then why would we need the Intune Connector? I am sorry, I am kind of not sure why it is separate.

 

So, that is why I am doing this. I also noticed that in the Computer OU where the machines are going to be joined, I delegated the permissions as per this document:

https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid

 

Unfortunately, when I went and viewed the object's Security tab, I see that it has only special permissions and not Full permissions as per this document. I have assigned Full permissions as per the document for these two Intune Connectors. So, I am wondering whether I should enable full permissions here.

[screenshots: full-control.png, Screenshot 2022-08-10 070421.png]

 

This is what I saw when I went to the security permissions on the OU, and I see nothing applied. I have enabled Full now and I am going to try it.
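An added example, not from the thread or from Microsoft's documentation, for checking what the delegation on the target OU actually contains. The Delegation of Control wizard writes object-type-specific ACEs (scoped to the "computer" class), and the basic Security tab shows those only as "Special permissions", so reading the ACL directly is the reliable check. The OU distinguished name, the connector server name and the NetBIOS domain name are assumed placeholders; the computer class schemaIDGUID is the well-known value. Run it as an account allowed to read (and, for the apply step, modify) the OU's security descriptor:

```powershell
# Added example (not from the thread): verify, and optionally grant, the delegation the
# Autopilot hybrid-join doc describes for the Intune Connector server's computer account:
#   - Create/Delete "computer" child objects directly on the OU
#   - Full Control inherited by descendant "computer" objects
Import-Module ActiveDirectory

$OuDn          = 'OU=AutopilotDevices,DC=corp,DC=example'   # assumed target OU
$ConnectorHost = 'INTUNECONN01'                             # assumed connector server
$DomainNetbios = 'CORP'                                     # assumed NetBIOS domain name

# schemaIDGUID of the "computer" class. ACEs scoped to it are what the basic Security
# tab displays as "Special permissions" rather than "Full control".
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$identity = [System.Security.Principal.NTAccount]"$DomainNetbios\$ConnectorHost`$"
$acl      = Get-Acl -Path "AD:\$OuDn"

# Every ACE on the OU that names the connector's computer account.
$ourAces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $identity.Value })
$ourAces | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                         ObjectType, InheritedObjectType, InheritanceType | Format-Table -AutoSize

$createChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$deleteChild = [int][System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

# Check 1: may create and delete computer objects in this OU.
$canCreateDelete = @($ourAces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $ComputerClassGuid -and
    (([int]$_.ActiveDirectoryRights -band $createChild) -ne 0) -and
    (([int]$_.ActiveDirectoryRights -band $deleteChild) -ne 0)
})
# Check 2: Full Control (GenericAll) flowing down to descendant computer objects.
$hasFullOnComputers = @($ourAces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -and
    $_.InheritedObjectType -eq $ComputerClassGuid -and
    $_.InheritanceType -in 'Descendents', 'All'
})

"Create/Delete computer objects on OU : {0}" -f ($canCreateDelete.Count -gt 0)
"Full Control on descendant computers  : {0}" -f ($hasFullOnComputers.Count -gt 0)

# Apply whichever ACE is missing.
if ($canCreateDelete.Count -eq 0) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ComputerClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None))
}
if ($hasFullOnComputers.Count -eq 0) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClassGuid))
}
if ($canCreateDelete.Count -eq 0 -or $hasFullOnComputers.Count -eq 0) {
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}
```

Run the check part first against each OU the Domain Join profile points at; only apply when both checks report False, and repeat for every server that hosts the Intune Connector, since each connector host's own computer account needs the delegation.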

No disrespect intended, but I think you should take a couple of steps back and reconsider your design options here. It kind of sounds like your management thinks hybrid-joining is a stop-over in a migration trajectory. That's not true: it's a solution for very specific use cases (and it can be a tricky thing to operate). 

 

Anyway, addressing your first question: AADConnect and the Intune Connector are separate installs because they serve two distinctly different purposes. They don't even belong to the same solution.

 

Azure AD Connect is part of Azure AD. It is what enables you to create a relation between your on-prem AD and Azure AD. There's a lot of stuff involved here (like your authentication flow and such), so take your time and do it right. 

 

It is also required for hybrid-join, as it lays the ground-work for all this hybrid identity stuff. So, this would be the first thing you need to set up. 

 

The Intune Connector for AD is part of the Intune (MEM) solution. It makes sure Intune can coordinate the (offline) domain-join (to your on-prem AD) for your devices. You can only get this working after connecting your on-prem AD to Azure AD. 

 

Before we go any further into this, start by setting up your hybrid AD. All the other things are irrelevant until you've got that up and running. 
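An added example, not from the thread, that turns the "is hybrid join actually working?" question into a check you can run on an enrolled device: it parses the key/value lines of `dsregcmd /status` and classifies the join state. A device that completed the connector-driven offline domain join reports both DomainJoined and AzureAdJoined as YES; the sample output below is constructed and abridged (real output has many more fields) and shows a device that is Azure AD joined but never domain-joined and still carries its default DESKTOP- name:

```powershell
# Added example (not from the thread): classify a device's join state from dsregcmd output.
function ConvertFrom-DsRegCmd {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Value lines look like "             AzureAdJoined : YES"; box-drawing headers
        # ("+----", "| Device State |") do not match and are skipped.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinState {
    param([Parameter(Mandatory)][hashtable]$State)
    $domain = $State['DomainJoined']  -eq 'YES'
    $aad    = $State['AzureAdJoined'] -eq 'YES'
    if ($domain -and $aad) { return 'HybridAzureAdJoined' }   # what the Domain Join profile should yield
    if ($aad)              { return 'AzureAdJoined' }         # cloud-only join, no on-prem AD membership
    if ($domain)           { return 'DomainJoinedOnly' }      # on-prem only, not registered in Azure AD
    return 'NotJoined'
}

# Constructed sample (abridged); not captured from any device in the thread.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : DESKTOP-AB12CD3
'@ -split "`r?`n"

$parsed    = ConvertFrom-DsRegCmd -Lines $sample
$joinState = Get-JoinState -State $parsed
"Join state: $joinState (device name: $($parsed['Device Name']))"

# On a real device, feed live output instead of the constructed sample:
#   $live = dsregcmd /status
#   Get-JoinState -State (ConvertFrom-DsRegCmd -Lines $live)
```

If the live result is anything other than HybridAzureAdJoined for a device that went through the hybrid Autopilot profile, the offline domain join step failed before the on-prem computer object was ever created, which is consistent with a device keeping a DESKTOP- name instead of the configured prefix.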

No Niels, you are fine. I totally agree with you, and management is also rethinking whether we should go Hybrid Azure AD or Azure AD. I am thinking that the mindset is changing. I have only done Azure AD, which is why I have so many questions, since I have never done Hybrid AAD.