cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Windows Autopilot for existing devices now supports Hybrid Azure AD Join
By
Michael Niehaus
Published Jul 02 2019 10:00 AM 12.6K Views
Michael Niehaus
Microsoft
‎Jul 02 2019 10:00 AM

Windows Autopilot for existing devices now supports Hybrid Azure AD Join

‎Jul 02 2019 10:00 AM

First, a quick refresher on Windows Autopilot for existing devices:  For customers looking for a path to migrate from Windows 7 (or 8.1) to Windows 10 using Windows Autopilot, the challenge was always that you had to register the existing machines with Windows Autopilot in advance, but doing so was impossible because you couldn't grab the hardware hash from a device running Windows 7. 

 

So, we added the ability in Windows 10, version 1809 to use a JSON file containing the equivalent of the Windows Autopilot profile so that you didn't have to register the device in advance; you could then tell Microsoft Intune to harvest the hash from the device later and register the device after the fact.

 

This solution worked great and has been leveraged by a number of organizations to move from Windows 7 and Active Directory to Windows 10 and Azure Active Directory, using Microsoft Intune (often with Configuration Manager for co-management) to deploy and manage the device.

 

But some organizations weren't yet ready for Azure AD Join (even with the Administrative Templates support in Microsoft Intune, and full support for Kerberos authentication from an Azure AD-joined device to Active Directory-secured resources) and asked us to support this same process, but with Hybrid Azure AD Join.

 

With this month's Microsoft Intune updates, we can now support this. And no client changes are needed: this works with Windows 10, version 1809 and above. All you need to do is specify a JSON file that specifies to join Active Directory (via Hybrid Azure AD Join) instead of Azure Active Directory - the rest of the process (e.g. the Configuration Manager task sequence that deploys Windows 10 to the device) is unchanged.

 

Note that you will need to target a Domain Join profile (and any other device-targeted policies) to "All devices" since the device won't be known to Microsoft Intune in advance. (Don't worry, this Domain Join profile has no impact on already-deployed devices, as it's only used by Microsoft Intune to determine what domain and OU should be used when joining a device to Active Directory.)  See the updated documentation for more details.

3 Comments
Hakanandersson55
Copper Contributor
‎Jul 03 2019 03:17 AM
‎Jul 03 2019 03:17 AM

Will this work on Autopilot for white glove deployments?

0 Likes
Like
Michael Niehaus
Microsoft
‎Jul 03 2019 08:38 AM
‎Jul 03 2019 08:38 AM

No, white glove deployments require registering the device.  If you think about it, using Windows Autopilot for existing devices is designed for a completely different scenario: an already-deployed device where the user is going to go through the process.  White glove, on the other hand, is for a technician-driven process for new machines before they are given to the user.

rwarrick
Copper Contributor
‎Dec 11 2020 11:57 AM
‎Dec 11 2020 11:57 AM

I already have multiple domain join profiles assigned to many dynamic device groups (using GroupTag as criteria).  How can I create another domain join profile for "all devices" that won't interfere with the others? Windows Autopilot User-Driven Mode | Microsoft Docs

0 Likes
Like
Version history
Last update:
‎Jul 02 2019 10:24 AM
Updated by: