Forum Discussion

Show_me_the_docs's avatar
Show_me_the_docs
Copper Contributor
Nov 10, 2023

Intune in a hybrid AD environment, joining computers only to cloud.

Currently in the planning and testing phase of deploying intune to our facility. Some quick pertinent facts: Hybrid AD manufacturing 300ish users, 20 remote users included Split win10 and win11 ...
Autopilot
Intune
H3nk13T's avatar
H3nk13T
Brass Contributor
Hi,

Looks like a domain joined device instead of azure only.

How did you deploy Windows? How is Entra Sync setup for devices?

Deleted's avatar
Deleted
Nov 14, 2023

It seems there might be a slight confusion in terminologies. As of my last knowledge update in January 2022, there isn't a specific technology or service called "Entra Sync" directly associated with Microsoft or common IT deployment practices. However, I'll provide guidance on deploying Windows in a typical scenario using Microsoft Endpoint Manager (Intune) and Azure AD.

Deploying Windows with Microsoft Endpoint Manager (Intune) and Azure AD:

  1. Azure AD Hybrid Join:
    • Ensure that your on-premises Active Directory is synchronized with Azure AD using Azure AD Connect.
    • Configure Azure AD Hybrid Join to allow devices to be joined to both your on-premises AD and Azure AD.
  2. Intune Enrollment:
    • Enroll devices in Intune for management. This can be done during the initial device setup or later by pushing the Intune MDM profile to devices.
    • Devices can be enrolled manually or automatically based on user or device groups.
  3. Autopilot Configuration:
    • Set up Autopilot profiles in the Microsoft Endpoint Manager admin center.
    • Define the configuration settings, naming conventions, and deployment mode (user-driven, self-deploying, etc.) in the Autopilot profile.
  4. Deploying Windows 11:
    • Once devices are enrolled and Autopilot profiles are configured, initiate the deployment of Windows 11 through the Autopilot process.
    • During the deployment, the Autopilot profile settings will be applied, and the device will be joined to Azure AD.
  5. Configuration Profiles:
    • Utilize Intune configuration profiles to enforce settings and configurations on the deployed Windows devices.
    • Configure security settings, compliance policies, application deployments, and other configurations as needed.
  6. Monitoring and Troubleshooting:
    • Regularly monitor the Intune console for device status, compliance, and any deployment issues.
    • Use the Intune troubleshooting tools and logs to identify and resolve any issues during the deployment process.

If I have answered your question, please mark your post as Solved

If you like my response, please give it a Like 

Appreciate your Kudos! Proud to contribute! 

 

    • H3nk13T's avatar
      H3nk13T
      Brass Contributor
      Nov 14, 2023
      But maybe it can help:

      ChatGPT
      It looks like you've provided detailed information about the current state of a test device in your environment. From the information you've shared, the device is currently domain-joined but not Azure AD-joined. Here are some observations and recommendations:

      AD Configuration Test Failure [0x80070002]: The AD Configuration Test has failed with error code 0x80070002. This error typically indicates that the device couldn't find the required information to complete the Azure AD registration. Make sure that the device can reach the Azure AD endpoints and that there are no network or DNS issues.

      AzureAdJoined and EnterpriseJoined are both NO: This indicates that the device is not Azure AD-joined or Hybrid Azure AD-joined. For Autopilot and Intune to work seamlessly, you'll want the devices to be Azure AD-joined.

      WorkplaceJoined is YES: This indicates that the device is Workplace Joined. Workplace Join is a deprecated feature, and Azure AD Join is the recommended approach. If you are planning to move towards a modern management approach with Autopilot and Intune, it's advisable to transition to Azure AD Join.

      NgcSet is NO: NGC (Next Generation Credentials) set to NO indicates that Windows Hello for Business might not be set up on the device. This could be a consideration if you plan to use features like Windows Hello for Business in your deployment.

      Diagnostic Data: The AD Configuration Test failure and error code 0x80070002 need to be investigated further. Ensure that the device can communicate with Azure AD, and check for any network or DNS issues that might be preventing a successful Azure AD registration.

      IE Proxy Config and WinHttp Default Proxy Config: Ensure that proxy configurations are not causing issues with Azure AD communication. In some cases, proxy settings might interfere with the Azure AD registration process.

      Fallback to Sync-Join is ENABLED: This is configured to allow devices to fall back to traditional AD join if Azure AD join is not successful. While this can be a temporary measure, ideally, you'd want devices to successfully Azure AD join for a modern management approach.

      Link for Diagnostics Reference: The link provided in the diagnostic data can be visited for more information on specific error codes and troubleshooting steps.

      In summary, to prepare your environment for Autopilot and Intune in a hybrid AD scenario, focus on resolving the Azure AD Configuration Test failure, transition from Workplace Join to Azure AD Join, and ensure that NGC and other prerequisites are met for a smooth deployment. Investigate the network connectivity and DNS resolution to Azure AD endpoints. Regularly check Microsoft's official documentation for the latest information and best practices in deploying Intune and Autopilot.


Resources