Windows 10 Autopilot Hybrid Join

  • Published: Aug 3, 2024
  • In this video, I walk you through the complete configuration of Hybrid Join with Windows 10 Autopilot. I discuss the requirements that need to be met and also discuss how this can benefit MSPs as they have many customers that have a local environment.
    Full Windows 10 Autopilot Demo: • Windows 10 Autopilot D...

Comments • 114

  • @tremoloman
    @tremoloman 4 years ago +2

    Thank you so much for this video! Appreciate you taking the time to share this with us. This deserves so many more views!

  • @anthonyv.2290
    @anthonyv.2290 4 years ago +2

    Just saw your comment on a reddit posting where you linked this video. Great video by the way explaining the whole process and showing the demo. Like everyone else here, THANKS for taking the time and sharing!

  • @550891
    @550891 4 years ago +1

    Hi Nick, these are great videos. I learnt a few great things and was able to set up and configure Azure/Intune in a lab. Thank you for the detail and for the time!

  • @Ruler20202
    @Ruler20202 3 years ago +2

    Great video, been looking for more information on this and learned a lot from it! :)

  • @Michael-nh1zt
    @Michael-nh1zt 3 years ago +1

    Fantastic videos Nick. Thanks!

  • @cli3335
    @cli3335 4 years ago +2

    thanks for this video...one of the best out there on this topic...very detailed and step by step. Subscribed as well

    • @t-minus365
      @t-minus365  4 years ago +1

      Thanks for the support!

  • @abhishekdevrani7642
    @abhishekdevrani7642 1 year ago +1

    Hi Nick , Thanks for the very informative and simplest way to enroll the device.. God bless you brother😇

  • @Ath3rs
    @Ath3rs 4 years ago +1

    Brilliant video, thank you!

  • @karthikd6656
    @karthikd6656 3 years ago +2

    Thank you for this video, much appreciated.

  • @liranics
    @liranics 3 years ago +1

    Thank you for perfect guide.

  • @johnhersom6002
    @johnhersom6002 3 years ago

    Nice walk through showing all the details! I have a different scenario that would be so helpful to have a how to video on. We have ADFS servers that are federated to Office 365 so it complicates this deployment a little. Have you done any videos on deploying Intune Hybrid Join for ADFS federated environments?

    • @francescaukoh1591
      @francescaukoh1591 2 years ago

      Hello John were you able to successfully configure this?

  • @danielschindler707
    @danielschindler707 3 years ago +2

    Thank you for video chap it’s helped me out massively! Do you have a patreon or something ?

    • @t-minus365
      @t-minus365  3 years ago +1

      I do not but thanks for asking!

  • @JessieS
    @JessieS 3 years ago

    This is fantastic, just a quick question. At 20:75 now that it has been implemented, does skip domain connectivity change the entire process? If you enable it that is.

  • @Reynad-sm1kr
    @Reynad-sm1kr 2 years ago

    Great video man. Does this enable Hybrid join on your Entire Active Directory or just the machines added to the specific OU? You would have to change sync settings to include your specific AD computer groups right?

    • @t-minus365
      @t-minus365  2 years ago

      Correct, you can select it from within the Azure AD connect wizard

  • @iftequarahmed7487
    @iftequarahmed7487 4 years ago +8

    You haven't discussed the VPN app profile deployment for remote join to on-prem AD.

  • @hiyou2255
    @hiyou2255 9 months ago

    Hi, thanks for your video. When setting up the hybrid environment, does this just affect the computer you installed the connector on and uploaded to Intune? Or can it affect other machines on the domain if not configured correctly? Also, what do you suggest if you don't have a virtual machine to test with?

  • @matthewlee14
    @matthewlee14 4 years ago +2

    This video is really useful! I’ve been having a debate with an engineer who informed me I’d have to manually join new devices to the local AD before using Autopilot. Your video helped me get my point across. If I’m correct, the new device would only need to be connected to the same network as the local AD say via WiFi, not joined to the local AD?

    • @t-minus365
      @t-minus365  4 years ago +2

      Thanks! Happy to help. It just needs line of sight to the DC so wifi would work if its the same network

    • @badrequests8942
      @badrequests8942 2 years ago

      @@t-minus365 I know this is old, but isn't there an option now to not check for AD connectivity initially so that the machine can connect to a VPN first?

  • @phucmac5312
    @phucmac5312 3 years ago

    Hey Nick,
    Great video. Can that process be the same for non-OOBE? I have a lot of machines that are new. Would suck if we need to set up all the machines just to grab the ID. Can we just manually set the machine up and sign in when you get that op that asks if this machine will be set up for work?
    Also, I have an on-prem environment. Will the setup that you show affect anything in the current environment at all? Initially I would like to leave everything how it is now. But new incoming users will be on Intune.
    Hope that made sense.

  • @janZ900
    @janZ900 1 year ago

    Very good Video. How long does it take to finish the "we are getting things ready" screen ? my Laptop show me this info since 45 minutes

  • @jonrilla3
    @jonrilla3 3 years ago

    Hi Nick, I'm having some trouble with the VM joining the local AD. The AutoPilot deployment works but only up until when it gets to "Joining" Portion. From there it just hangs and i'm not sure exactly on what to do? The machine never get's populated into AD and the VM just hangs...any ideas?

  • @JuanGarcia-gj2li
    @JuanGarcia-gj2li 1 year ago

    @T-Minus365 Did you create the security group in Azure or on prem AD?

  • @CloudTeqh-tm9dj
    @CloudTeqh-tm9dj 1 year ago

    Do you create the user on-prem or on M365. Thanks

  • @Rise2Fate
    @Rise2Fate 3 years ago

    Nice video, I followed your steps and everything seems to work
    Except for one thing
    When I try to log into the PC it says it can't find the domain, do you know why that is?

  • @johnmoss6923
    @johnmoss6923 2 years ago

    If we have devices that were previously Autopilot joined, will we have to Autopilot reset them?

  • @SeiferAlmasy21
    @SeiferAlmasy21 7 months ago

    Just to make it clear, you do not need AUTOPILOT to manage Hybrid AD joined devices in Intune.

  • @sachinmath1385
    @sachinmath1385 2 years ago

    Hello Nick, it's a nice video. Could you please tell us what the function of the Intune connector is, how it works, and whether it has to be installed on the DC server itself or whether any other member server will work?

    • @JLALALALA
      @JLALALALA 2 years ago +1

      The Intune AD Connector takes computers that have been enrolled into the endpoint manager (Intune) which is Azure AD and joins them to your on-prem AD and that turns it into a hybrid AD state.

  • @GATOtyger
    @GATOtyger 4 years ago +3

    Hey Nick, how would you get hardware IDs of many computers in bulk? I've run the PowerShell script that pushes the HWID to a local .csv, but how can I achieve this in bulk? I can push any config with a deployment tool. I'm thinking of pushing the .csvs into a central location (file server), then merging all the CSVs and finally bulk uploading them. Do you know the detailed method to do this?

    • @t-minus365
      @t-minus365  4 years ago +1

      Hey Kilo, I am working on a script to do this and put all computer serial IDs in a csv file on a network share. It is a great idea. Here is another resource that might help to for some automation in the meantime: oliverkieselbach.com/2018/07/17/automation-of-gathering-and-importing-windows-autopilot-information/

    • @GATOtyger
      @GATOtyger 4 years ago

      @@t-minus365 let me know how it goes, I'll try it today

    • @GATOtyger
      @GATOtyger 4 years ago +1

      Ok got it. Download the Get-AutoPilotInfo.ps1 and put it on a share that the computer and deployer user have access to.
      Powershell -ExecutionPolicy Bypass \\Yoursharepath\Get-AutoPilotInfo.ps1 -OutputFile \\Yoursharepath\hwid.csv -Append
      That will run the ps1 with silent bypass policy and add a line to the csv per computer. You are welcome!

    • @t-minus365
      @t-minus365  4 years ago

      @@GATOtyger Thanks for this Kilo. How are you mapping the serialID to the computer name? As in how do you know which serialID is associated with which computer?

    • @GATOtyger
      @GATOtyger 4 years ago

      @@t-minus365 it's added to the csv if I'm not wrong?
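
An added example, not part of the thread or the video author's code, for the bulk-collection approach discussed above: each device writes its own CSV named after the computer, and this script validates and merges them into one import file plus a serial-to-computer mapping. The share paths, the per-computer file naming and the assumption that Get-AutoPilotInfo.ps1 writes the three columns shown are all hypothetical.

```powershell
# Added example (not from the thread). Assumptions: each device ran
#   Get-AutoPilotInfo.ps1 -OutputFile \\Yoursharepath\hwid\<COMPUTERNAME>.csv
# (one file per machine, no -Append), and the three column names below are
# the header that script writes. All paths are placeholders.
param(
    [string]$SourceDir  = '\\Yoursharepath\hwid',
    [string]$MergedCsv  = '\\Yoursharepath\autopilot-import.csv',
    [string]$MappingCsv = '\\Yoursharepath\serial-to-computer.csv'
)

$columns = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$seen    = @{}                                   # serial -> source file name
$rows    = [System.Collections.Generic.List[object]]::new()
$mapping = [System.Collections.Generic.List[object]]::new()

function Test-Base64 ([string]$Text) {
    # The hardware hash is a base64 blob; anything else is a damaged or forged row.
    try { [void][Convert]::FromBase64String($Text); return $true }
    catch { return $false }
}

foreach ($file in Get-ChildItem -Path $SourceDir -Filter '*.csv' -File) {
    foreach ($row in Import-Csv -Path $file.FullName) {
        $serial = "$($row.'Device Serial Number')".Trim()
        $pkid   = "$($row.'Windows Product ID')".Trim()
        $hash   = "$($row.'Hardware Hash')".Trim()

        # The share is writable by every deploying machine, so treat rows as untrusted.
        if (-not $serial -or $serial -match '[,"\r\n]' -or $pkid -match '[,"\r\n]') {
            Write-Warning "$($file.Name): missing or malformed serial/product ID, row skipped"
            continue
        }
        if (-not $hash -or -not (Test-Base64 $hash)) {
            Write-Warning "$($file.Name): hardware hash is not valid base64, row skipped"
            continue
        }
        if ($seen.ContainsKey($serial)) {
            Write-Warning "$($file.Name): serial $serial already supplied by $($seen[$serial]), row skipped"
            continue
        }

        $seen[$serial] = $file.Name
        $rows.Add([pscustomobject]@{
            'Device Serial Number' = $serial
            'Windows Product ID'   = $pkid
            'Hardware Hash'        = $hash
        })
        # The file name carries the computer name, which the import columns do not.
        $mapping.Add([pscustomobject]@{ ComputerName = $file.BaseName; Serial = $serial })
    }
}

# Unquoted ASCII output; the checks above guarantee no commas or quotes in any field.
$rows | Select-Object $columns | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Set-Content -Path $MergedCsv -Encoding ASCII
$mapping | Export-Csv -Path $MappingCsv -NoTypeInformation

"{0} devices merged, mapping written to {1}" -f $rows.Count, $MappingCsv
```

Writing one file per machine keeps several devices from appending to the same CSV at once, and the warnings show which source file supplied a rejected or duplicate row.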

  • @bhuwanchandra2470
    @bhuwanchandra2470 1 year ago

    Hi Nick, How to deploy autopilot profile for remote users in hybrid AD joined over the vpn?

  • @chriso1523
    @chriso1523 2 years ago

    Thank you for this! Question, is it possible to get the hardware ID before booting the machine?

    • @JLALALALA
      @JLALALALA 2 years ago

      Before booting the machine that’s going to be enrolled? If you have the serial numbers you could ask the vendor if they can send you the hardware IDs and they might be able to. Like if you have a bunch of unboxed stock sitting on shelves.

  • @drkmccy
    @drkmccy 1 year ago

    I get a TPM attestation failed error. I think it's because I'm testing on a VM but you've managed to do it in a VM so what's the difference? TIA

  • @metalsnake00
    @metalsnake00 3 years ago

    my test are the same as here, but i get Azure AD Join object AND i got Hybrid Azure AD join object which makes this identical duplicate object, why is this?

  • @Datalore74
    @Datalore74 3 years ago

    Hello all, in the intro you advised that the DC must be Windows 2016 and above? Where is that in the Microsoft documentation as I cant find that and we use Windows 2012R2 for the DC's and Windows 2016 for the Intune connector. Can someone please clarify this? Thanks

    • @t-minus365
      @t-minus365  3 years ago +1

      Hey there, this article explains further but you are right in that the requirement of a Windows 2016 server is specifically for the intune connector you would be installing . This server just has to have internet access and be able to talk to AD so sorry for the confusion there oofhours.com/2019/07/15/inside-windows-autopilot-user-driven-hybrid-azure-ad-join/

  • @ColoradoDualSport
    @ColoradoDualSport 2 years ago +1

    I was wondering if you have a video on bringing already domain joined machines into intune. We can't seem to figure out a way to get our already fully functional environment integrated with intune.

    • @t-minus365
      @t-minus365  2 years ago

      I would check this video out: ruclips.net/video/FIRmlticNiY/видео.html

  • @zamarinen
    @zamarinen 3 years ago

    i followed your guide but it's stuck on "wait meanwhile we configure your device".
    This prompt appears after i've assigned profile to a user, and logged into the virtual machine. Been like this for 1h.

  • @chrgeorgeson
    @chrgeorgeson 4 years ago +1

    Hey man great video but I think you are mistaken on the requirement of 2016 domain controller. I believe 2012 is the lowest and that you are required to have a 2016 server for the connector software.

    • @t-minus365
      @t-minus365  4 years ago +1

      Hey Chris, thanks for the input here. Curious why you wouldnt be deploying the intune connector on the DC?

    • @chrgeorgeson
      @chrgeorgeson 4 years ago +2

      @@t-minus365 cause I'm running 2012 r2 as my domain controller so I have to put the connector on a 2016/19 server. I do the same thing with my AD connector.

  • @simonwilliams6607
    @simonwilliams6607 2 years ago +1

    Thanks for this. Question though, slightly outside the scope of the video...
    But if you're having a device shipped straight from the supplier to your users, and then using this method to configure and hybrid-join your devices. How do you get it working if the user does not have direct connectivity to your domain controllers for the first sign-in? I know that we can use Always On VPN device tunnels (which I have already set up), but the problem I've found is that the device will arrive with Windows 10 home/pro installed, but the Always On VPN requires Windows 10 Enterprise to work, which only gets upgraded after the user signs in to the device using a licensed account....which they can't do without direct connectivity or a VPN...So there's a bit of a chicken and egg situation here....
    Has anybody found a decent solution to this? Obviously we could ask our supplier to provide devices with Enterprise editions, but then we would be paying twice for a license. So any suggestions?

    • @CLIFTYPOPS
      @CLIFTYPOPS 1 year ago

      Good question. I am thinking the same, however my Microsoft fast track engineer is saying that the Intune connector for Active directory will handle this line of sight... I'll will see on Tuesday. Did you find a solution to this?

  • @samy_29
    @samy_29 3 years ago

    Hey Nick i have one question why Friendly name didnt pop up?

  • @kristianzapater2924
    @kristianzapater2924 2 years ago

    Hi Nick, great video! Is it possible to Hybrid Azure AD join an external device that's already domain joined to our on-premise infrastructure? We have an increased number of devices that our users use during the pandemic, we are looking for a method to hybrid join them without having the user attend site. They are already using cached credentials to login to these machines, would the OOBE remove these profiles in favour of a new one during the Autopilot setup? We ideally want these external devices to be hybrid joined and then managed by Endpoint Manager. Thanks.

    • @JLALALALA
      @JLALALALA 2 years ago

      Do the devices have pre-login vpn? If they do you’d an set up the ad connect and the GPO’s necessary to kick off both hybrid ad join and then the enrollment to the endpoint manager. You need the pre-logon vpn because of the group policies that need to run at the login to kick it off. Gpupdate /force won’t.

    • @kristianzapater2924
      @kristianzapater2924 2 years ago

      @@JLALALALA we're trialling Citrix Always on VPN which will hopefully solve our issue, thanks for the suggestion.

  • @ronald0122
    @ronald0122 4 years ago

    What will take precedence when using hybrid Azure AD: GPOs or Intune configuration profiles? And what will happen when you have the same settings pushed in both environments?

    • @t-minus365
      @t-minus365  4 years ago

      GPOs still take precedence. docs.microsoft.com/en-us/mem/intune/fundamentals/resolve-gpo-and-microsoft-intune-policy-conflicts
      In the case of the same setting, the GPO will just take precedence and the Intune policy will either show succeeded or not applicable.

    • @ronald0122
      @ronald0122 4 years ago +1

      @@t-minus365 thanks man. you helped me a lot with your videos. keep them coming.

    • @t-minus365
      @t-minus365  4 years ago

      @@ronald0122 Absolutely, happy to help!

  • @TITOMIKEE89
    @TITOMIKEE89 3 years ago

    Does the device need to be connected to the company network, or just an internet connection?

    • @t-minus365
      @t-minus365  3 years ago

      Company network either directly or over VPN

  • @ronald0122
    @ronald0122 4 years ago

    How do you do it the other way around? I have some laptops I manage with GPO, but if users take them home I still want to manage them.
    How is that process to get these devices in Intune?

    • @t-minus365
      @t-minus365  4 years ago +1

      Hey Ronald, you can join those devices manually by going to Settings>Accounts>Add Work or School>And Join to Azure AD which autoenrolls to Intune. This allows you to hybridly manage as well. Let me know if you have additional questions here.

    • @ronald0122
      @ronald0122 4 years ago

      @@t-minus365 you can do it with hybrid join to sync them to aad and intune with a gpo right?

    • @t-minus365
      @t-minus365  4 years ago +1

      @@ronald0122 You'd want to make sure you follow this guide: docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

  •  3 years ago

    I have a problem with my autopilot. Some devices have error in joining the active directory domain. The problem is, it is intermittent like 3 out of 5 gets this error. Do you have any idea what causes this?

    • @t-minus365
      @t-minus365  3 years ago

      What is the error you get?

  • @aaabbb-fx7jr
    @aaabbb-fx7jr 3 years ago +1

    Do I need to enable automatic enrollment for Autopilot?

  • @taksiobs
    @taksiobs 3 years ago

    Hi, i tried this and setup the PC outside the domain. Did it when I was at home. It can't log in cuz it can't find the domain controller. So it only works if ur in the office / domain network?
    With the situation now, everyone's working from home. What's the best approach?

    • @t-minus365
      @t-minus365  3 years ago +2

      You can join over a VPN now oofhours.com/2020/06/23/windows-autopilot-user-driven-hybrid-azure-ad-join-over-the-internet-using-a-vpn/

    • @taksiobs
      @taksiobs 2 years ago

      @@t-minus365 Have created a video with the join over VPN? :) would be great!

  • @GATOtyger
    @GATOtyger 4 years ago

    Hey Nick, another question: Is it possible to Autopilot hybrid join without being on the company network? User being at home, Autopilot kicks off on a brand new device, can you hybrid join or is it not possible? What to do in this case, Azure AD join only and then once the user logs in on the VPN maybe bind the computer to local AD?

    • @t-minus365
      @t-minus365  4 years ago

      Right now the computer needs line of sight to the dc but they are working on VPN to be able to do this. Its in development now: docs.microsoft.com/en-us/mem/intune/fundamentals/in-development#bring-your-own-devices-can-use-vpn-to-deploy

    • @GATOtyger
      @GATOtyger 4 years ago

      @@t-minus365 I spoke with the Microsoft guru Michael about this, he said it can be done with white glove and installing vpn manually, I'll test this on Monday. In one to two months vpn will be an option for hybrid but for now we can't. I'm thinking in workarounds...

    • @t-minus365
      @t-minus365  4 years ago

      @@GATOtyger Yea that would work but it just removes the power of being able to ship the device directly to the end user.

    • @GATOtyger
      @GATOtyger 4 years ago

      @@t-minus365 that's true, but what else can you do if hybrid is required and not available because vpn support is not live yet? I'm asking myself that question, I was going to test Azure ad join and then try to bind the device to ad after the user gets the device with a vpn pushed afterwards?

    • @t-minus365
      @t-minus365  4 years ago

      @@GATOtyger yea that could work. Pushing the VPN profile with intune would work out fine.

  • @taksiobs
    @taksiobs 3 years ago

    Hi @T-Minus 365, it's me again... why is the Autopilot Reset button still greyed out though? Can't figure out what's going on. I've followed your video minute by minute but I can't get it to work.

    • @t-minus365
      @t-minus365  2 years ago +1

      Hey so autopilot reset does not support hybrid joined devices, a full device wipe is required docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-reset

    • @taksiobs
      @taksiobs 2 years ago

      @@t-minus365 cool.

  • @7Nereyda
    @7Nereyda 4 years ago

    Hi,
    We have followed all the steps and it seems that we have everything as shown in your publication, the only issue is that the laptop enrolled for hybrid is stuck in the last part in the account configuration and I wonder if this has something to do, in the ODJ Connector Service I have an event with this message:
    {
    "Metric": {
    "Dimensions": {
    "InstanceId": "8B56CD7F-4C33-431A-AEBE-4CD1FE2B9961",
    "DiagnosticCode": "0x00000000",
    "DiagnosticText": "Successful"
    },
    "Name": "RequestHandlingPipeline_Download_NoWork",
    "Value": 0
    }
    }

    • @t-minus365
      @t-minus365  4 years ago

      Is the computer stuck at getting through the out of box experience?

  • @Viya_the_cool
    @Viya_the_cool 3 years ago

    Really wonderful Video. How do i change the Computer naming convention to Serial-Model in Hybrid Azure AD join?

    • @t-minus365
      @t-minus365  2 years ago

      Through the deployment configuration profile

  • @taksiobs
    @taksiobs 3 years ago

    Can we enable windows hello for business with hybrid ad joined computers?

    • @t-minus365
      @t-minus365  3 years ago +1

      Yes, you could do so with Group Policy or with Intune docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings
      docs.microsoft.com/en-us/mem/intune/protect/identity-protection-windows-settings

    • @taksiobs
      @taksiobs 3 years ago

      @@t-minus365 thanks a lot.

  • @Spoonuk666
    @Spoonuk666 2 years ago

    Not really a hybrid when the device enrolled is on the internal network. This would totally fail if the device was to be shipped to the end user directly!

    • @t-minus365
      @t-minus365  2 years ago

      I dont necessarily agree. Its hybrid joined because its joined locally and in Azure AD. Connectivity over VPN is now also a possibility so it could in fact work if the device was shipped directly to the end user: oofhours.com/2020/06/23/windows-autopilot-user-driven-hybrid-azure-ad-join-over-the-internet-using-a-vpn/

  • @ronald0122
    @ronald0122 4 years ago

    is there any method to add on premise printers?

    • @t-minus365
      @t-minus365  4 years ago

      Couple of options here for this:
      1. Hybrid cloud print: techcommunity.microsoft.com/t5/azure-active-directory-identity/print-to-corporate-printers-from-azure-ad-joined-windows-10/ba-p/245341#
      2. Custom Powershell script with intune with the printer driver information: docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
      3. Universal print (in preview): techcommunity.microsoft.com/t5/windows-it-pro-blog/announcing-universal-print-a-cloud-based-print-solution/ba-p/1204775

  • @richarddavis9558
    @richarddavis9558 2 years ago

    How is this hybrid?

    • @t-minus365
      @t-minus365  2 years ago

      The device is joined both locally and in Azure

    • @richarddavis9558
      @richarddavis9558 2 years ago +1

      @@t-minus365 ok. this assumes you're connected to the organization's network.