Microsoft Endpoint Manager Intune Intro, Windows 10 Autopilot Enrolment, Hybrid Azure AD join Part 1

  • Published: 7 Jan 2025

Comments • 43

  • @pacifier316 4 years ago +1

    Great and valuable details! Already waiting for the next videos (App deployments).

    • @CloudInspired 4 years ago

      Thanks Rafael for your comments.

    • @CloudInspired 4 years ago

      Hi Rafael. Part 2 is available here:
      Microsoft Endpoint Manager (Intune) | Windows 10 Application Delivery | Office 365, Chrome, Step by Step
      ruclips.net/video/Oh2CaMnEMVo/видео.html

    • @pacifier316 4 years ago

      @CloudInspired Another good one for the channel, thank you again!

    • @CloudInspired 4 years ago

      @pacifier316 No problem Rafael, thanks!

  • @josuecunha6145 3 years ago +2

    How to Map Network Drives on Microsoft Intune Devices?

  • @tatsaviturpareek7031 3 years ago

    This video really helped. I was successfully able to enrol the devices. Thanks, appreciate your efforts.

    • @CloudInspired 3 years ago

      Hi Tatsavitur, thanks for the comment and glad it helped you.

  • @incognito8477 4 years ago

    Great video, hope this part 1 is just the beginning.

    • @CloudInspired 4 years ago

      Thanks for the comment Incog! Yes, Intune application deployment will be released soon.

    • @CloudInspired 4 years ago

      Part 2 - Microsoft Endpoint Manager (Intune) | Windows 10 Application Delivery | Office 365, Chrome, Step by Step
      ruclips.net/video/Oh2CaMnEMVo/видео.html

  • @jn1mrgn 3 years ago

    What is the reason you would want your devices that AAD join via Autopilot to join the on-premise domain? In my case, I am managing devices for students at a school and I don't see any advantage other than getting group policy, which is only going to happen if they are on premise right? Will the domain join setting in Intune even work if they go through OOBE off premise? We intend to create policies in Intune to replace what we have in Group Policy.

    • @CloudInspired 3 years ago

      Hi bleuflamenco, the reason is if you need to authenticate and sign in with Active Directory credentials (validated against an AD domain controller) to run traditional GPOs, for example, or are running a third-party application that requires this functionality. The domain join setting will not work if the device has no access to a domain controller; if remote, this can be achieved via a VPN.

  • @Sabs761010 1 year ago

    Hello, how can I get the hardware ID to do an Autopilot, if you are supposed to send the computer brand new to the user without any IT department intervention?

    • @CloudInspired 1 year ago +1

      The OEM, reseller, or distributor from which the devices were purchased can perform both of these processes.
      Take a look at the Autopilot registration overview for more details: learn.microsoft.com/en-us/autopilot/registration-overview

  • @josuecunha6145 3 years ago

    Great Video Training

  • @astonish1109 3 years ago

    Do you recommend the following scenario? I was wondering if this can change the hardware hash key when the device is reset.
    1. Log into the computer and harvest the hardware hash key.
    2. Reset the Windows computer.
    3. Complete and sign in with work email at the OOB setup to complete enrollment.

    • @CloudInspired 3 years ago +1

      Hi Andrew, the hardware hash or device's hardware ID relates to information about the hardware, model, device serial number etc. That should not change unless the device's hardware changes substantially.

  • @metalsnake00 3 years ago

    My tests are the same as here, but I get an Azure AD Join object AND I got a Hybrid Azure AD join object, which makes this an identical duplicate object. Why is this?

    • @CloudInspired 3 years ago

      Hi, when hybrid Azure AD join is enabled in your organization you can get the issue where the device is also hybrid Azure AD joined. Therefore duplication. This Microsoft document discusses the dual state of Hybrid Azure AD joined and Azure AD registered devices.
      docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-things-you-should-know

  • @jeremyhedrick2193 3 years ago

    I can't get the Intune connector to complete enrollment. I enter the specified credentials, and it takes me back to sign in. Anyone here have an idea?

    • @CloudInspired 3 years ago

      Hi Jeremy, can you post the error you are getting with the Intune connector sign-in page?
      This can be due to the account being used to sign in not having been assigned an Intune or Microsoft Office license:
      docs.microsoft.com/en-us/troubleshoot/mem/intune/intune-connector-signin-unexpected-error

    • @jeremyhedrick2193 3 years ago

      @CloudInspired Here is the error from the ODJConnectorUI.log:
      ODJ Connector UI Information: 0 : Browser loaded page portal.manage.microsoft.com/Home/ClientLogonSuccess
      DateTime=2021-06-01T20:35:39.3848454Z
      ODJ Connector UI Error: 2 : ERROR: Enrollment failed. Detailed message is: System.NullReferenceException: Object reference not set to an instance of an object.
      at ODJConnectorUI.Enrollment.webBrowser_LoadCompleted(Object sender, NavigationEventArgs e)
      DateTime=2021-06-01T20:35:39.4159868Z
      The account that I logged in with does have an Intune Admin role assigned, but it does not have an office license assigned.

    • @CloudInspired 3 years ago

      Hi Jeremy. The account needs an assigned Intune license as well as Global Administrator or Intune Administrator role credentials. Install the Intune Connector guide here:
      docs.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid#install-the-intune-connector

  • @phucmac5312 3 years ago

    Great video. Was wondering, could you explain a little more on the Intune connector and why you chose a different server? Can't you install the Intune connector on the same DC as the Azure AD connector?

    • @CloudInspired 3 years ago

      Hi Phuc, thanks for your comment.
      The Intune Connector for Active Directory had to be installed on a computer that's running Windows Server 2016 or later. Also prefer to split services out rather than running all on a single server.

    • @andone3832 3 years ago

      @CloudInspired But that would mean that you would have to install an extra server for the Intune connector and thus also waste a server license.

    • @arlipscomb 2 years ago

      @andone3832 Doing things right is not a "waste". Mixing roles onto a single server can often be much more complex than people think about at first glance. The directory sync service is something that should be considered to be at the highest risk due to the data it processes; you don't want to mix things at that level of risk.

  • @cloudmasterlive 3 years ago

    Thank you for creating this video. I have a few devices which are domain joined and sync enabled. They are showing Azure AD Registered on the Azure portal. Should I enable MDM as it is, or is there any way they can be registered as Azure AD Hybrid? What is the difference between these two processes of registration? Please help.

  • @captainsky223 2 years ago

    Hi and thanks for your great video. I completed all the steps and was able to see the device on the on-premises server, and meanwhile I was able to log in with my domain user. However, when I logged in it went to complete the 3rd step and will get stuck on that part and not get past it, have no idea why! I have to add that I tried the delta sync but it had no effect. If you can provide me an email I can send you full details.

  • @SimplyRik 4 years ago +1

    nicely explained

  • @Bergsy86 3 years ago

    Hi there, just to be clear: so the hardware hash needs to already be in Endpoint Manager and added to the Dynamic group so that when the enrolment occurs it knows to Hybrid Domain Join that machine? So even on a brand new PC out of the box, the hardware hash is required before you run and complete the OOBE? Great video, thanks.

    • @CloudInspired 3 years ago

      Yes, the idea is that device owners can only register their devices with a valid hardware hash. Other methods (PKID, tuple) are available through OEMs or CSP partners. See the following for more information: docs.microsoft.com/en-us/mem/autopilot/add-devices

  • @gearexod 3 years ago

    Woooo Thanks.

  • @jassv- 3 years ago

    Great video and well explained. In the Azure AD Connect tool, don't we also need to enable device write-back? I presume your OOBE device was on the same network as the DC, as otherwise we need a VPN? Thanks

    • @CloudInspired 3 years ago +1

      Hi Jass, thanks for the comment. Yes, device write-back was enabled in AD Connect and the Windows 10 device was on the LAN at the time of domain join. It would need to communicate with a domain controller. Correct, if the device is not on the LAN then a VPN is required. This video might help you set one up in Azure, if it helps?
      ruclips.net/video/VZJLmh0ZweE/видео.html

    • @jassv- 3 years ago

      @CloudInspired Thank you - keep up with the great content 🙌

    • @CloudInspired 3 years ago

      Thanks Jass

  • @ownerjlddshjlsszdjk1522 3 years ago

    I followed through your video for my Autopilot project.
    However, I have the following issues.
    Through Hybrid join, is it possible to authenticate using an Azure AD-only account?
    Seems like all authentication is done through the domain controller?
    Also the Company Portal Company app didn't show up automatically through deployment - did you install it after in this example?
    Hope you can help me further.
    Great video, thank you so much for sharing this.

    • @CloudInspired 3 years ago +1

      Hello, Hybrid Azure AD Join devices always need to sign in with Active Directory credentials (validated against an AD domain controller). The user will then receive a Kerberos ticket from Active Directory and also an Azure AD user token.
      This can then be used to authenticate against Azure AD services like Teams, Office 365, Intune etc.