Feb 25 2022 11:13 PM
[New #BlogPost] A bit of an interesting take on how to perform a controlled Hybrid AAD Join deployment and make the workstations ready for #Intune and #MEM depending on the OU selection in the Azure AD Connect Sync tool.
Two Ways To Enable Hybrid AAD Join Mode For A Controlled Deployment – Shehan Perera [techBlog]
Aug 10 2022 03:59 AM
Aug 10 2022 06:01 AM
Hi @oryxway,
Thanks for your comments about my article. I see you have a few questions regarding the join mode and AAD Connect. Please see my answers below.
1. For Autopilot to complete, you don't need to enable Hybrid AAD Join (HAADJ) mode. You only need HAADJ if you have an on-premises AD which you need your Autopiloted machines to be joined to afterwards. If not, they will be joined as AAD Joined to Azure AD. If you need to add devices to on-prem AD and join them as HAADJ to Azure AD, then create the Domain Join profile, make sure you assign the Autopilot device group to it, and install the Intune Connector on an on-prem server.
2. Your 2nd question is not clear; if you can add a bit more detail, that would be great :)
3. If Hybrid Azure AD configuration needs to be enabled in Azure AD Connect server, then will this affect any devices OnPrem? I do not want thousand of machines moving to Azure AD.
It depends on how you want to enable it. How are your AD OUs syncing with Azure AD, i.e. what is the sync scope?
a - Do you have only a set of OUs syncing, or
b - Do you have your whole AD syncing, with all the OUs?
If a, then you can create another OU, add your devices, and add it to the AAD Connect sync scope so only those machines get synced. Then enable HAADJ in the AAD Connect tool and perform a full sync, so only the machines that are syncing will get the Azure AD SCP via the AAD Connect tool.
If b, then again create another OU, add the devices which you need to be added as HAADJ, and set the Azure AD SCP from a GPO, so only those machines get added as HAADJ.
The steps are in my article anyway.
Mainly, HAADJ is best if your computers need to be authenticated by the on-prem domain for various reasons (file shares, on-prem legacy apps etc.). If not, it's recommended to add devices to Azure AD directly, but really either is fine.
Good luck!
Shehan.
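The two rollout paths Shehan describes differ in where the Service Connection Point (SCP) lives: with path a, AAD Connect writes one SCP into the forest Configuration partition, which every domain-joined Windows device can read, and only the devices inside the sync scope can actually complete registration; with path b, a GPO writes a per-device registry preference, and a device that has it uses that instead of the forest SCP. The PowerShell below is an added example, not code from the article or the thread. It reports both sources on a domain-joined workstation and prints the computer's distinguishedName so you can compare it against the AAD Connect sync scope. It assumes a domain-joined Windows 10/11 device with line of sight to a DC and default read access to the Configuration partition; the function names are mine.

```powershell
# Added example, not code from the article or the thread. Reports the hybrid-join SCP a
# domain-joined workstation will read: the forest-level SCP that AAD Connect writes (path a)
# and the per-device registry preference that a GPO rollout sets (path b). Run on a domain-joined
# Windows 10/11 device; no RSAT needed, the [ADSI] accelerator ships with PowerShell.

function Get-ForestScp {
    # AAD Connect creates the SCP at this well-known GUID under the Configuration partition,
    # so it is forest-wide: every domain-joined device that can read it will see it.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = "$($rootDse.configurationNamingContext)"
    $path = "LDAP://CN=62a0ff2e-97b9-4ad1-aa04-d3a2d31d9e2d,CN=Device Registration Configuration,CN=Services,$configNC"
    if (-not [ADSI]::Exists($path)) { return $null }
    $info = @{}
    foreach ($kw in ([ADSI]$path).keywords) {
        # keywords are "azureADName:<verified domain>" and "azureADId:<tenant GUID>"
        $name, $value = "$kw" -split ':', 2
        $info[$name] = $value
    }
    [PSCustomObject]@{ Source = 'ForestSCP'; TenantName = $info['azureADName']; TenantId = $info['azureADId'] }
}

function Get-ClientScp {
    # Registry preference set by the GPO method; a device that has these values uses them
    # in place of the forest SCP, which is what makes path b OU-selective.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key
    if (-not ($props.TenantId -or $props.TenantName)) { return $null }
    [PSCustomObject]@{ Source = 'ClientRegistry'; TenantName = $props.TenantName; TenantId = $props.TenantId }
}

function Get-ComputerDistinguishedName {
    # The DN shows which OU this computer object sits in, to compare against the AAD Connect sync scope:
    # a device that reads an SCP but is not synced will keep retrying registration and never complete.
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    $searcher.FindOne().Properties['distinguishedname'][0]
}

function Get-HybridJoinScpReport {
    $client = Get-ClientScp
    $forest = Get-ForestScp
    [PSCustomObject]@{
        Computer     = $env:COMPUTERNAME
        ComputerDN   = Get-ComputerDistinguishedName
        EffectiveScp = if ($client) { $client } elseif ($forest) { $forest } else { 'none: device will not attempt hybrid join' }
        ForestScp    = $forest
        ClientScp    = $client
    }
}

Get-HybridJoinScpReport | Format-List
```

Run it on a machine in the target OU and on one outside it: in a path a rollout both should show the same ForestScp and differ only in whether ComputerDN falls inside the synced OU; in a path b rollout only the machine in the GPO-targeted OU should show a ClientScp.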
Aug 10 2022 06:36 AM - edited Aug 10 2022 06:41 AM
Shehan,
Thank you for your response.
Your Response
1. For Autopilot to complete, you don't need to enable Hybrid AAD Join (HAADJ) mode. You only need HAADJ if you have an on-premises AD which you need your Autopiloted machines to be joined to afterwards. If not, they will be joined as AAD Joined to Azure AD. If you need to add devices to on-prem AD and join them as HAADJ to Azure AD, then create the Domain Join profile, make sure you assign the Autopilot device group to it, and install the Intune Connector on an on-prem server.
My Response - They are joining as AAD, but I do not see them in the Active Directory OU where we have specifically set that these machines should be added, with the delegation of permissions to both Intune Connectors as per this article.
https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid
We have set up the Intune Connectors and delegated permissions. But I don't see the objects in AD. Also, the machine keeps spinning and we got the following error: "Something went wrong", error code 80070774.
Based on this error I went and checked, and we have both Intune servers ACTIVE. But one thing I noticed is that when we delegated permissions and gave full control as per the document above, I manually went and checked each server's permissions and it had only special permissions, not full permissions as shown in the diagram. I just enabled full permissions here to see whether that would help when we rejoin.
Question 2
The device is not joining the domain, but I see the device in Azure even though I have specified Hybrid Azure AD in the configuration profile.
The object should be seen in the OU where we have delegated that these Autopiloted devices should join. I am not seeing the object, so I wondered whether it could be due to the permissions I mentioned in my Question 1 response.
Question 3
3. If Hybrid Azure AD configuration needs to be enabled in Azure AD Connect server, then will this affect any devices OnPrem? I do not want thousand of machines moving to Azure AD.
It depends on how you want to enable it. How are your AD OUs syncing with Azure AD, i.e. what is the sync scope?
a - Do you have only a set of OUs syncing, or
b - Do you have your whole AD syncing, with all the OUs?
Answer below:
I have only one OU where we have the Intune Connectors delegated:
COMPUTERS
AID
BEC
AutoPilot Domain Join ---- so only this OU under the Computers OU is getting synced.
I tried doing the same process again and I see only this under Devices, but it is not showing up in the AD OU where the object should go, and I am getting the same error message "Something went wrong", error code 80070774. Based on one article, I was told to unassign the user from the device and try again and it should work, but I tried unassigning the user and it did not do anything, nor did it add the device to Endpoint.
Aug 11 2022 11:47 PM
Hi @oryxway
1. Have you created the Device Profile called "Domain Join"? This is where you specify the domain information.
About the Intune Connector - my advice is to go through the Microsoft official document and configure the permissions.
2. Looks like you have the selected OU set up for Autopilot, which is the controlled method.
Hope you have seen this already: Windows Autopilot Error Code: 80070774 | Steve Hardie
A few things you can check -
* Run dsregcmd /status on the user's computer to understand the join mode: Troubleshoot hybrid Azure Active Directory-joined devices - Microsoft Entra | Microsoft Docs
* The user who is enrolling the device needs to have proper licensing that covers Intune
* MDM user scope should be Some or All, and that should capture the end user who is enrolling the device
* No proxy or firewall blocks: Network endpoints for Microsoft Intune | Microsoft Docs
Shehan.
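The error code in this thread decodes mechanically: 0x80070774 is a Win32 error wrapped in an HRESULT, and the low 16 bits (0x0774 = 1908) are ERROR_NO_SUCH_DOMAIN, "The specified domain either does not exist or could not be contacted", which is why the checks above and the later replies converge on the Intune Connector, the domain join profile and network reachability. The PowerShell below is an added example (mine, not code from Shehan, the thread or the linked articles): it decodes the HRESULT, flattens dsregcmd /status into a lookup table as the first bullet suggests, and TCP-tests both the on-prem side (LDAP and Kerberos on the DCs found via the domain's SRV record) and a representative subset of the Azure AD and Intune endpoints, not the full list in the Microsoft document linked above. It assumes it is run elevated on the affected Windows 10/11 device (for example from a Shift+F10 prompt in OOBE) and that you pass the on-prem AD DNS name, since OOBE has no USERDNSDOMAIN yet; corp.example.com is a placeholder.

```powershell
# Added example, not from the thread: triage for a device stuck at hybrid Autopilot domain join.
# Assumptions: run elevated on the affected device; pass the on-prem AD DNS name explicitly
# (OOBE has no $env:USERDNSDOMAIN). Function names and the host list below are mine.

function ConvertFrom-Hresult {
    # 0x8007xxxx HRESULTs wrap a Win32 error code in the low 16 bits.
    # 0x80070774 -> 1908 = ERROR_NO_SUCH_DOMAIN ("The specified domain either does not exist or could not be contacted.")
    param([Parameter(Mandatory)][long]$Hresult)
    $hex = '0x{0:X8}' -f [uint32]($Hresult -band 0xFFFFFFFFL)
    if ((($Hresult -shr 16) -band 0xFFFF) -ne 0x8007) {
        return [PSCustomObject]@{ Hresult = $hex; Win32Code = $null; Message = 'Not a Win32-wrapped HRESULT' }
    }
    $code = $Hresult -band 0xFFFF
    [PSCustomObject]@{
        Hresult   = $hex
        Win32Code = $code
        Message   = ([System.ComponentModel.Win32Exception]$code).Message
    }
}

function Get-DsregStatus {
    # Flatten "dsregcmd /status" into a hashtable of Key -> Value; section banners have no ':' and are skipped.
    $table = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') { $table[$Matches[1]] = $Matches[2] }
    }
    $table
}

function Test-HybridJoinLineOfSight {
    param(
        [Parameter(Mandatory)][string]$Domain,   # on-prem AD DNS name, e.g. corp.example.com (placeholder)
        [string[]]$CloudHosts = @('login.microsoftonline.com', 'device.login.microsoftonline.com',
                                  'enterpriseregistration.windows.net', 'enrollment.manage.microsoft.com')
    )
    $status = Get-DsregStatus
    $report = [ordered]@{
        AzureAdJoined = $status['AzureAdJoined']   # YES on an AAD-joined or hybrid-joined device
        DomainJoined  = $status['DomainJoined']    # YES only once the on-prem join has succeeded
        TenantId      = $status['TenantId']
        DcReachable   = $false
        CloudBlocked  = @()
    }
    # On-prem side: locate DCs via the LDAP SRV record, then TCP-test LDAP (389) and Kerberos (88).
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'SRV' }
    foreach ($rec in $srv) {
        $ldap = Test-NetConnection -ComputerName $rec.NameTarget -Port 389 -WarningAction SilentlyContinue
        $krb  = Test-NetConnection -ComputerName $rec.NameTarget -Port 88  -WarningAction SilentlyContinue
        if ($ldap.TcpTestSucceeded -and $krb.TcpTestSucceeded) { $report.DcReachable = $true; break }
    }
    # Cloud side: device registration and Intune enrollment need direct HTTPS to these hosts.
    foreach ($h in $CloudHosts) {
        $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        if (-not $t.TcpTestSucceeded) { $report.CloudBlocked += $h }
    }
    [PSCustomObject]$report
}

# Usage: decode the code from the thread, then run the reachability report.
ConvertFrom-Hresult 0x80070774 | Format-List
Test-HybridJoinLineOfSight -Domain 'corp.example.com' | Format-List
```

Read the report in this order: if DcReachable is false the device cannot contact the domain it is being told to join, which matches ERROR_NO_SUCH_DOMAIN regardless of how the Intune Connector is configured; if CloudBlocked is non-empty a proxy or firewall is in the way, as the last bullet above warns; if both are clean but DomainJoined stays NO, the problem is on the Intune side (connector permissions, the Domain Join profile, or the offline domain join blob the connector produces).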
Aug 12 2022 06:07 AM
@shehanjp Thank you.
Yes, I am following the MS document for Autopilot. I have the Domain Join profile configured as per the requirements. Also, I have looked at that document. I ran the PS script from oofhours.com to see what is going on. It looks like it is the ODJ Connector blob that is not being downloaded.
So there is a connectivity issue. We have opened all the network requirements as per the Microsoft suggestions and URLs.
Aug 15 2022 10:36 AM
Aug 15 2022 11:11 PM
Hi @oryxway,
Since you mentioned the misconfiguration, please also check if the device has line of sight access to the DCs.
Aug 16 2022 07:04 AM