06-23-2020 01:50 AM
With this new option "Skip AD connectivity check" during deployment to remote machines, will the machine ever attempt to complete the Hybrid Join between AAD and AD on premise?
It is a great option for deploying devices to remote workers who do not have line of sight to a DC during initial deployment.
Would be great to understand the process behind the Hybrid Join recovery if there is one.
06-23-2020 05:50 AM
@torquetechit_tonyd Yes, if you have everything else in place for Hybrid AD Join and you can successfully use it from inside your office with visibility to the DC.
Then you only need a VPN client coming from Intune that can do pre-logon authentication, and configure it as required so it is installed on the device in the ESP phase.
06-23-2020 07:48 PM - edited 06-23-2020 07:51 PM
@Matthias_Hei thanks for the advice.
However, it seems the Hybrid Join Skip process prevents you from logging onto the machine until such time as an AD DC is in line of sight and you log on using an internal AD DC account.
Here is my scenario,
Established VPN connectivity into the internal domain so the DC is now in line of sight.
Maybe I am doing something completely wrong here; however, I would have thought the device would have completed the original deployment connected as AADJ, therefore being able to log on to the device using an O365 account rather than an internal AD domain account, as the domain may not be accessible at the time the device is deployed.
Maybe a bug or maybe my process is wrong..
Look forward to some sage advice...
06-24-2020 03:03 AM
@torquetechit_tonyd some additional info on Michael Niehaus his blog https://oofhours.com/2020/06/23/windows-autopilot-user-driven-hybrid-azure-ad-join-over-the-internet...
06-24-2020 01:58 PM - edited 06-24-2020 01:59 PM
Sounds ok to me what you described.
You first see the Device ESP and then you are asked to log on, but with an on-premises AD account and with VPN. The device is at this stage actually a normal AD machine that is registered for Hybrid AD, but that doesn't mean you can log on with a pure Azure AD account.
After logon the user ESP runs, and there is also the waiting time until the machine AD account is synced up into AAD and successfully registered for Hybrid AD join.
Only then does the desktop open up for access.
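To see which of the stages described in this thread a device has actually reached, the following PowerShell is an added example (not code from either poster) that parses the `Key : Value` lines printed by `dsregcmd /status` and classifies the device; the `DomainJoined`, `AzureAdJoined` and `AzureAdPrt` fields are real dsregcmd output, while the sample text and the stage descriptions are constructed here for illustration.

```powershell
# Added example: map the state of an Autopilot Hybrid Azure AD Join device
# (device ESP done, waiting for AAD registration, signed in with PRT) from
# "dsregcmd /status" output. Sample text below is constructed, not captured.

function Get-DsregState {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints aligned "      Name : VALUE" lines; capture both parts
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(\S.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function Get-HybridJoinStage {
    param([hashtable]$State)
    $domain = $State['DomainJoined']  -eq 'YES'
    $aad    = $State['AzureAdJoined'] -eq 'YES'
    $prt    = $State['AzureAdPrt']    -eq 'YES'   # user has an Azure AD Primary Refresh Token
    if (-not $domain) { return 'Not domain joined: the offline domain join in the device ESP has not completed.' }
    if (-not $aad)    { return 'AD joined only: waiting for the computer object to sync to AAD and register (user ESP waits here).' }
    if (-not $prt)    { return 'Hybrid joined, but this user has no Azure AD PRT: sign in with the on-premises AD account while the DC is reachable (VPN).' }
    return 'Hybrid Azure AD joined and the user has a PRT: the desktop should be available.'
}

# Constructed sample resembling the relevant dsregcmd lines on a device that has
# finished the device ESP but whose computer object has not yet reached Azure AD.
$sample = @'
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
                AzureAdPrt : NO
'@ -split "`n"

# Use the live tool on Windows; fall back to the constructed sample elsewhere.
$state = if (Get-Command dsregcmd -ErrorAction SilentlyContinue) {
    Get-DsregState (dsregcmd /status)
} else {
    Get-DsregState $sample
}
Get-HybridJoinStage $state
```

Run it in the user's session after signing in over the VPN; the "AD joined only" result is the waiting period the post above describes, and it should change to the final message once the computer object has synced and registered.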