SOLVED

Domain joined & MDM managed

Steel Contributor

I find a lot of conflicting info on:

 

Is it possible to manage (using MDM) a domain joined device without registering/joining it with Azure AD? Based on our tests, it seems possible.

 

What is the impact on the MDM management when the device is or isn't registered/joined to Azure AD?

 

Thanks!

3 Replies

@bart vermeersch Just wondering what your use case is here? 

 

 

@JanBakkerOrphaned  that's a good question :)

 

I would like to understand the dependencies between "joined/registered/.." and "MDM/MAM".

 

If a user with a byod device is going through the AAD device registering flow (when configuring Outlook or Teams), what makes that the device will be enrolled in MDM? I understand the user can opt-in, during the registration flow, but how is this configured in Azure and when is it enrolled in MDM vs MAM?  

 

A domain joined device (AD) can be enrolled in MDM without (hybrid)joining the device. What are the benefits of hybrid joining if the device can be managed in MDM and SSO is covered in ADFS? 

 

In our tenant, on-prem domain joined devices are also listed as AAD registered, I always thought this was not possible and you had to use (hybrid)join.

 

Thanks!

best response confirmed by bart vermeersch (Steel Contributor)
Solution
You will have automatic enrollment enabled which states that a device that is joined to AAD (or registered) will automatically enroll into Intune (https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#enable-windows-10-automatic-en...).

You can block registration for domain joined PC's: HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: "BlockAADWorkplaceJoin"=dword:00000001.

Have you checked out this site for more information about registration? https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register

Azure AD Registration is something that is mostly done on personal devices.

For your corporate devices, hybrid join is the way to go. Because you can't force a device registration.

Hybrid Join also provides capabilities within conditional access, which registration does not.
1 best response

Accepted Solutions
best response confirmed by bart vermeersch (Steel Contributor)
Solution
You will have automatic enrollment enabled which states that a device that is joined to AAD (or registered) will automatically enroll into Intune (https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#enable-windows-10-automatic-en...).

You can block registration for domain joined PC's: HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: "BlockAADWorkplaceJoin"=dword:00000001.

Have you checked out this site for more information about registration? https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register

Azure AD Registration is something that is mostly done on personal devices.

For your corporate devices, hybrid join is the way to go. Because you can't force a device registration.

Hybrid Join also provides capabilities within conditional access, which registration does not.

View solution in original post