Forum Discussion
oryxway
Jul 13, 2022 Iron Contributor
Intune Connector
Do we need the Intune Azure Connector installed if we already have an Azure AD connector? This is for a hybrid environment.
- Jul 13, 2022
That's for joining devices to your Active Directory and Azure AD. Azure AD Connect is for synchronizing users/groups to Azure AD.
Description of the Intune Connector:
"The Intune Connector for your Active Directory creates autopilot-enrolled computers in the on-premises Active Directory domain. The computer that hosts the Intune Connector must have the rights to create the computer objects within the domain."
https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid
- Jul 13, 2022
No, they will not be applied to the devices since they are not joined to Active Directory. You need to replace your GPOs with Configuration Profiles if they are only joined to Azure AD and enrolled in Intune. You can see if the settings from your GPOs are compatible by using https://docs.microsoft.com/en-us/mem/intune/configuration/group-policy-analytics.
oryxway
Jul 13, 2022 Iron Contributor
Thank you, that makes sense. I had to ask this question to my manager since at one point they have to move away from on-prem to Azure AD. So, a guy in his Nugget video said that Azure AD Connect is sufficient for DEVICES and groups to be synced; does this still hold true?
- Jul 20, 2022
Dynamic Device Group with the addition of GroupTag (https://vmlabblog.com/2020/03/use-group-tag-to-change-autopilot-deployment-profile/). This way you can label the devices you imported the hardware hashes from, perhaps one group without a group tag and one with a Test tag?
You can assign devices manually by creating a group and putting the ID of the device in there (check Autopilot devices for that) and assigning that to the profile. Or dynamic groups of course; in both ways you should see (after assigning groups to the profile) which devices are assigned.

oryxway390
Jul 20, 2022 Brass Contributor
So, you can create Dynamic User / Device groups. Which is the best, in what situation do you create a Dynamic User Group and a Dynamic Device Group, and why?
The profiles I was talking about are Deployment profiles. Created:
1. Intune Autopilot Remote - Test
2. Intune Autopilot Remote - Production
When you click on any one of the profiles and go to Assigned Devices, I cannot see any device assigned. Not sure how you assign the devices to this Deployment Profile?

- Jul 20, 2022
Create a Dynamic group which automatically fills with all the devices you uploaded the hardware hash from: https://docs.microsoft.com/en-us/mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune . But you said that you created profiles, multiple because?
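The two dynamic Azure AD device groups discussed above (one for every device whose hardware hash was imported, one for devices carrying a Test group tag) can be created from PowerShell instead of the portal. This is an added example and not code from the thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, and the group names, mail nicknames and the "Test" tag value are assumptions. The membership-rule syntax (ZTDId for all Autopilot-registered devices, OrderID for the group tag) is the one the linked Microsoft documentation describes.

```powershell
# Added example (not from the thread): build the Autopilot dynamic device groups
# with the Microsoft Graph PowerShell SDK. Names and the "Test" tag are assumptions.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "DeviceManagementServiceConfig.Read.All"

# Rule 1: every device registered for Autopilot (hardware hash imported) carries a
# ZTDId physical ID, so this rule matches all of them.
$allAutopilotRule = '(device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))'

# Rule 2: only devices whose Autopilot registration has the group tag "Test".
# The group tag is stored as the OrderID physical ID.
$testTagRule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:Test"))'

# Settings shared by both groups: security group, dynamic membership, rule active.
$common = @{
    MailEnabled                   = $false
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    MembershipRuleProcessingState = "On"
}

# Group that every Autopilot-registered device falls into (e.g. for the Production profile).
New-MgGroup @common -DisplayName "Autopilot - All Devices" -MailNickname "autopilot-all" `
    -MembershipRule $allAutopilotRule

# Group that only Test-tagged devices fall into (e.g. for the Test profile).
New-MgGroup @common -DisplayName "Autopilot - Test" -MailNickname "autopilot-test" `
    -MembershipRule $testTagRule

# Verification: list the registered Autopilot devices with their group tags, so you
# can confirm which devices the Test rule will pick up before assigning the
# "Intune Autopilot Remote - Test" deployment profile to that group in the portal.
Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
    Select-Object SerialNumber, GroupTag, AzureActiveDirectoryDeviceId |
    Format-Table
```

Dynamic membership needs an Azure AD Premium P1 licence, and the rule is evaluated asynchronously, so a freshly imported hash shows up in the group after a short delay. The group tag itself is set in the CSV you import (Group Tag column) or by editing the device under Windows Autopilot devices; only the devices in the group assigned to a deployment profile appear under that profile's Assigned Devices.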
And the device is open for anyone of your company with an Intune license; whoever enrolls the device is the Primary user by default...

oryxway
Jul 19, 2022 Iron Contributor
Harm,
Do we have to create a user group to assign these devices to users, or do we assign it directly to each individual user?

oryxway
Jul 19, 2022 Iron Contributor
Harm,
I created deployment profiles for Autopilot, and what are the Included Groups and Excluded Groups here? I am kind of confused as the interface is all changed.
Next, I am not able to assign devices to these Windows Autopilot deployment profiles that I created. It looks like there is no way you could assign the imported device here. Has it moved anywhere else?

- Jul 14, 2022
In Endpoint Manager you can create a dynamic group which automatically gets filled with all devices that you register for Autopilot (hardware hash import). That's not an on-prem group, it's an Azure AD group. That group can be used to assign software to, and for configuration and deployment profiles.
You mentioned on-prem domain join; you said you want to do Azure only. The device gets enrolled into Azure by Autopilot and is an Endpoint Manager device from that moment.

oryxway390
Jul 14, 2022 Brass Contributor
Thank you, Harm. That was great info. Now, coming to creating groups. It says create a device group in Endpoint Manager. Now, do we have to create a group in our on-prem AD for devices, since this is going to be an on-prem domain join of all devices? From what I see how this project is going, they want to have this up and running soon since we need to ship the devices, so I do not foresee that they are going to take the time to plan to do all Azure AD joined devices, since that needs a lot of planning.
- Jul 14, 2022
It depends on your contract with them or your reseller; some can upload directly and some will send a CSV file which you can import. Please check if they can install the machines using 'enterprise' images. Enterprise meaning not the version, but a clean Windows install without any bloatware.

oryxway390
Jul 14, 2022 Brass Contributor
Another question in regard to devices being shipped to customers directly. Will Dell or HP send us the hardware hash, or will they be able to add it to our Intune portal? How would they do it? Should we provide them access?

- Jul 13, 2022
No, then you don't need the Intune Connector, and correct, it is only for hybrid join. New devices will join Azure AD because of the Autopilot profile. There are good how-to videos on YouTube, and Microsoft Learn covers these topics.

oryxway
Jul 13, 2022 Iron Contributor
Again something popped out. So, if we take the route to go Azure AD joined Autopilot deployment, do we still need the Intune Connector? As it is only for Hybrid Azure AD? So, if it is directly joining Azure AD, how will the new devices detect the domain and join Azure AD?

oryxway
Jul 13, 2022 Iron Contributor
Thank you, thank you. You were of great help. Yes, I would think that would be the correct way to go, but I need to find out.
- Jul 13, 2022
That is true, that's the thing that Azure AD Connect is for. The main thing is that it syncs stuff from your on-prem Active Directory to Azure AD, but the source of identity is always Active Directory, and changes to users and groups have to be made there. It does sync devices to Azure AD, but that doesn't do anything really. But when you use device writeback (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-device-writeback), it does sync/merge Azure AD devices with Active Directory devices in a hybrid-join scenario. I wouldn't recommend using hybrid join unless you have a very good reason for it; people use it for GPOs and file-server access. But with Azure AD only devices you can still access file servers (https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso).
Hybrid join is complex, and if you are moving away from Active Directory, enroll new devices using Azure AD only and connect file servers if you really need to, using the article above. (Best would be to move user data to Teams sites and OneDrive, in my opinion.)