#IntuneNugget

  • Published: Sep 8, 2024
  • In this nugget we take a look at Microsoft's new feature, which lets us implement Autopilot with a Hybrid Azure AD join of the device.

Comments • 28

  • @madhavannaidu7520 2 years ago +3

    It's been a year though, but still your video is very useful to understand the background flow which is key to master any technology. You are doing an excellent job Saurabh. Keep this going.

  • @littletoes6622 2 years ago +1

    TY so much for the simplest explanation :)

  • @cccn714 4 years ago +2

    Good video. The best part is the flow process. It could have been about 30min or 1 hour shorter but others may like all the repeating of configs. Also you can add the -online variable to the get-windowsautopilotinfo to have the device upload to Intune automatically so no manual import is needed. Thanks for all the great videos m

  • @SaqibKhan-nr5qn 3 years ago

    Thank you so much for this video! Appreciate you taking the time to share this with us. This deserves so many more views!

  • @rupeshsharma7719 6 months ago

    Awesome work bro.

  • @sunilkumarivc3699 3 years ago +1

    Best video, Thanks for sharing your knowledge

  • @vikaltyagi9140 4 years ago +1

    Great video. Good Job buddy.

  • @rizomarshal7483 4 years ago +1

    Just a quick note:
    in hybrid mode, the device is registered to AAD and joined to AD (not "joined" to AAD).
    It's not just terminology, but a different device state in Azure AD.

    • @everythingaboutintune1713 4 years ago +1

      @rizo marshal - Thanks for your kind comment. Actually, technically that's not exactly correct. Hybrid Azure AD Join is NOT equal to on-prem domain join + Azure AD registration. If that was the case, then we could take a machine > join it to the on-prem domain > go to Access work or school account > manually register the device to Azure. Now the device is on-prem domain joined + Azure AD registered, but not Hybrid Azure AD joined. There are some other attributes to it, actually. I will be explaining that in a dedicated nugget I do for Windows Enrollment.

    • @rizomarshal7483 4 years ago +1

      @everythingaboutintune1713
      Microsoft's official docs refer to the hybrid device state as different from AAD join (you can find this in all Microsoft documentation).
      But you have a point here as well.
      My assumption is that hybrid refers to the "device" source being the local AD (join).
      The registration flow is by the connector and fully local AD aware... so it's actually different from "just register" from work or school, but in addition NOT AAD Joined as well.
      Unlike a device joined to Azure AD, in hybrid you can't log in with an "Azure AD" account (correct me if I am wrong here).
      Anyway, it would be good to have a deep dive session on the hybrid device and the difference from register and Azure AD join :)
      Thanks again for sharing your knowledge and experience!!!

    • @vjayasekharnaidu 1 year ago +1

      In a Hybrid AAD join deployment,
      the end machine is joined to the on-prem domain with the help of the ODJ blob. After receiving the blob, the end machine will contact the domain (here VPN/intranet is required), then after that a successful login with on-prem domain credentials.
      From AD Connect (which is installed on the Windows AD server) to AAD: after the successful sync, the end machine details will be shared to AAD, so now AAD also has this end user machine's details.
      Now both sides (on-premises & cloud domains) have the machine details, which is called Hybrid Azure AD join.
      Hi All, please correct me if it's wrong.

  • @dineshchaudhary2918 1 year ago

    Please make a video for logs analysis and troubleshooting.

  • @nitramremoeb4674 3 years ago

    Really well explained. I have a couple of questions about preparation. I read that non-routable domain names are not supported (meaning *.local). How shall I handle such an issue, and what do I have to do before installation of the connector and the policy creation? Next, which ports and endpoints does the connector have to reach, meaning which FW rules do I have to establish to get it to work? Is the local login with the email address necessary (meaning login local=AAD)? So all the steps before you start with the real are interesting for me. Can you please detail this a bit?

  • @sahilkashyap2798 1 month ago

    Hello Sir,
    Good evening
    Hope this message finds you well
    Thank you for helping us out on Intune Management.
    I have a question for Autopilot Hybrid Azure AD Joined.
    What if we have 100 or 1000 devices joined to On-prem domain and we want to make those devices behave as Autopilot (On-prem Joined + Azure AD Joined).
    Do we manually need to fetch Device Hardware hash for those 1000 devices or is there any other way to have hash value of those devices and proceed with Autopilot Hybrid process.
    Excuse me for my stupid question just I have a doubt/query in my mind.
    Please take your time.
    Thank you
    Sahil Kashyap.

  • @RashmiChawla-uu9kb 1 year ago

    Great Video,
    I have a question if you could help. We have enrolled over 10k devices under Autopilot hybrid Azure AD join (it has been over 3 years). All these devices have an Azure AD joined device entry and a hybrid Azure AD joined entry. The hybrid Azure AD join entry reflects the correct activity status but all the Azure AD joined entries are stale.
    Ideally, I believe that there should be only one entry in Azure, i.e. hybrid Azure AD joined. Is there a way to remove the other entry? We cannot delete it since these are Autopilot device entries.

  • @vjayasekharnaidu 1 year ago

    Thank you so much, great work.
    Could you clarify for me:
    after completing step 12 (which means once the blob is received by the end-user machine) it will reboot, which indicates joining the domain. I think the blob holds a temporary password to enroll to on-prem domain join.
    I am a bit confused about steps 13 & 14. Could you explain a bit more...

  • @abhishekbharatparab1803 1 year ago

    Hi Saurabh, can you please help me to understand whether we can use Windows Autopilot enrollment for existing Windows 10 devices which have a baseline OS image installed, even after resetting that Windows device?

  • @upendrasingh4073 2 years ago

    Hi Saurabh,
    Hybrid explanation is really nice. Kindly provide the detail about a device which is coming from the internet in the hybrid scenario, so how can we configure the VPN and troubleshoot if any issue happens.

  • @sudhanshushekhar3258 3 years ago

    Hello Sourav
    Have a backend process flow doubt here.
    The device first gets Intune enrolled in order to receive the ODJ configuration from Intune, It means the device must have already been registered to AAD as part of Intune enrollment process. And after a restart device joins to On-prem domain during OOBE.
    Do we really need Hybrid AAD configured in AAD connect tool as we have the device already joined to On-prem domain as well as AAD ?

  • @anmolguptaBigStar 3 years ago

    In step 13 of the diagram, if the machine is not able to ping the domain controller then how would it join the domain over the internet?

  • @dineshchaudhary2918 1 year ago

    If the user is at home .....and obviously it's on the internet then how does the device silent ping to the domain controller ....if it's not do that so it'll not enroll to On-prem....or it takes some time to replicate .

  • @TheRao86 4 years ago

    Can we install the Intune ODJ connector on a DC along with the AD connector?
    I do not want to spin up another server only for AD Connect and the Intune ODJ connector in my lab.

  • @DomAndHeatherEVTravel 4 years ago

    Do you have to create a new OU to put the devices in, or can you use an existing one? If you do have to create a new OU, can you then move the computer object into another OU?
    This will impact the way we link our GPOs. Thanks!

  • @Thewoodcutter. 3 years ago

    How Off Line site computer will join Hybrid AD, since silent ping will fail?

  • @kashifali1127 3 years ago

    Hi,
    Great vdo..
    Is it possible to have vdo on hybrid domain autopilot on VPN?
    Certificate handling via scep Or pkcs.?
    If you have good blog or something please share. Peace ✌

  • @narasimhamurthyboya8987 4 years ago

    Do you have any best article from MS to troubleshoot and fix Intune Autopilot issues?

    • @sunilpal7933 4 years ago

      www.anoopcnair.com/windows-autopilot-hybrid-azure-ad-join-trouble/