Configuring Autopilot with Hybrid Azure AD Join is useful when you want to apply group policies to workstations enrolled through Autopilot. The workstations can then be configured through Microsoft Intune and/or Active Directory group policies.
Prerequisites for Autopilot
The following URLs must be reachable from the system context. You can use the Test Device Registration Connectivity script to check this.
Prerequisites for Intune Hybrid Connector
The server where the connector is installed must be running Windows Server 2016. The domain controller must be reachable from that server.
Configure Hybrid AD Join
From the Azure AD Connect server, launch the configuration wizard and click Configure.
Click Configure device options, then Next.
Enter the credentials of a Global Admin account and click Next.
Select Configure Hybrid Azure AD join and click Next.
Check Windows 10 or later domain-joined devices and click Next.
The SCP (service connection point) configuration must be set up. Check the Active Directory domain name and select Azure Active Directory as the Authentication Service. Click Add to add an Enterprise Admin account, enter its credentials and click Next.
Click Configure to start the configuration. Click Exit when it is finished.
Configure Automatic Enrollment
From the Intune portal, click Devices, then Enroll devices, then Automatic Enrollment.
Configure the MDM user scope and click Save.
Increase the computer account limit
The computer accounts of the Autopilot-enrolled computers are created in Active Directory by the Intune Connector, so the computer that hosts the connector must have the right to create computer objects. In addition, Active Directory enforces a limit: by default an account can create only 10 computer objects (the ms-DS-MachineAccountQuota attribute). An account that has been explicitly delegated the right to create computer objects is not subject to that quota, so it is important to delegate the necessary rights to the computer that hosts the Intune Connector. I place the permission on an Organizational Unit. It is also possible to place the delegation on the root of the domain, but scoping it to the OU that receives the Autopilot computers keeps the connector's rights to the minimum it needs.
From the domain controller, open Active Directory Users and Computers, right-click the container on which the delegation must be placed and click Delegate Control.
A wizard appears; click Next.
Click Add and select the computer account of the server that hosts the Intune Connector.
Check Create a custom task to delegate, then click Next.
Check Only the following objects in the folder and select Computer objects. Enable the Create selected objects in this folder and Delete selected objects in this folder options, then click Next.
Select Full Control and click Next.
Click Next, then Finish.
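The same delegation can be done with PowerShell instead of the wizard, which makes it repeatable and easy to audit. This is an added example, not code from the original post; the OU "OU=Autopilot,DC=corp,DC=example" and the connector host name "SRV-INTUNE" are assumptions, and the script must be run with the ActiveDirectory module by an account allowed to change the OU's ACL.

```powershell
# Added example: delegate, on one OU only, the rights the Intune Connector host needs to
# create and manage the Autopilot computer accounts (the wizard steps above, as code).
Import-Module ActiveDirectory

$ouDN          = 'OU=Autopilot,DC=corp,DC=example'   # assumption: OU that receives Autopilot computers
$connectorHost = 'SRV-INTUNE'                         # assumption: server running the Intune Connector

# Delegate to the connector's computer account, not to a user account.
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADComputer $connectorHost).SID

# Read the schemaIDGUID of the "computer" class from the schema instead of hard-coding it.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' `
                        -Properties schemaIDGUID).schemaIDGUID

$acl = Get-Acl -Path "AD:\$ouDN"

# "Create/Delete selected objects in this folder", limited to computer objects, on the OU and its sub-OUs.
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# "Full Control", inherited only by descendant computer objects, never by the OU itself.
$fullOnComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullOnComputers)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show the ACEs now granted to the connector host on that OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$connectorHost`$" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The final query is also the check to run later if the connector starts failing to create accounts: the two entries should still be present and scoped to the computer class GUID.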
Install Intune Hybrid Connector
From the Intune portal (endpoint.microsoft.com), click Devices, then Enroll devices.
A new window appears; click Intune Connector for Active Directory.
Click Add to add a new connector.
Click Download the on-premises Intune Connector for Active Directory to download the connector.
Install the Intune connector
On the server where you want to install the connector, run the installation file. A new window appears; accept the terms of the licence and click Install.
When the installation is finished, click Configure now.
A wizard appears; click Sign In.
Enter the username and password of the admin account. The Intune Connector for Active Directory is now enrolled; click OK and close the wizard.
In the Intune portal, click Devices, Windows, Windows enrollment, then Intune Connector for Active Directory. The status of the connector is Active.
Create dynamic group
From the Azure AD portal, click Azure Active Directory, then Groups.
Click New Group to create a new group.
Enter the name of the group and select Dynamic Device as the Membership type. Click Add dynamic query to add the query.
Click Edit, then Rule Syntax.
Enter the following query and click OK.
(device.devicePhysicalIDs -any _ -contains "[ZTDId]")
Click Save, then Create.
Create Deployment Profile
From the Intune portal, click Devices, then Enroll devices.
Click Deployment Profiles.
Click Create profile to create a new deployment profile.
Enter the name of the profile and its description, then click Next.
Select Hybrid Azure AD joined and configure the other options as needed.
Assign the profile to the desired groups and create it.
The deployment profile is now created.
Configure Enrollment Status Page
From the Intune portal, click Devices, Enroll devices, then Enrollment Status Page.
Click Create to create a new Enrollment Status Page.
Enter the name and click Next.
Configure the settings as needed.
Assign the profile to the dynamic group created previously.
Click Next, then Create. The profile has been created.
Create Domain Join profile
From the Intune portal, click Devices, then Configuration Profiles.
Click Create profile to create a new policy.
Select Windows 10 and later in the Platform drop-down and Domain Join in the Profile drop-down. Click Create.
Enter the name of the profile and click Next.
Enter the prefix for the computer name and the domain name. For the Organizational Unit, enter the value of the distinguishedName LDAP attribute of the Organizational Unit (the same OU on which the delegation was placed).
Assign the profile to the previously created group and create it.
Repeat the same operation to disable the user ESP. If the user ESP is not disabled, the Enrollment Status Page times out. Use the following information to create the Intune profile.
- Platform: Windows 10 and later
- Profile: Custom
- OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
- Data Type: Boolean
- Value: True
Assign the profile to the same group as the previous profile and create it.
Add device on Autopilot
I test Autopilot on a virtual machine, so before using Autopilot I need to add the device to the Autopilot platform. From the Windows 10 device, run the following command.
Install-Script -Name Get-WindowsAutoPilotInfo
Create a CSV file containing the ID of the device; this ID must be added to Autopilot. On the Windows 10 computer, run the following command.
Get-WindowsAutoPilotInfo.ps1 -Outputfile VM-CL10.csv
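The two commands above, followed by a check of the CSV before it is uploaded: an empty or truncated hardware hash is the usual reason an import fails, and it is cheaper to catch it on the device. This is an added example, not part of the original post; the file name VM-CL10.csv is taken from the post and the column names are those the Microsoft script writes.

```powershell
# Added example: collect the hardware hash of the local Windows 10 machine and sanity-check
# the CSV before importing it into Intune. Requires an elevated prompt and internet access.
$csv = '.\VM-CL10.csv'   # output file, same name as in the post

Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
Install-Script -Name Get-WindowsAutoPilotInfo -Force
Get-WindowsAutoPilotInfo.ps1 -OutputFile $csv

$rows = Import-Csv -Path $csv
if (-not $rows) { throw "No rows were written to $csv" }

# The importer expects these three columns (plus an optional "Group Tag").
$required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$missing  = $required | Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

foreach ($row in $rows) {
    if ([string]::IsNullOrWhiteSpace($row.'Hardware Hash')) {
        throw "Row for serial '$($row.'Device Serial Number')' has an empty hardware hash"
    }
    # The hash is base64; a decode failure means the file was edited or cut short.
    [void][Convert]::FromBase64String($row.'Hardware Hash')
    '{0,-20} hash OK ({1} characters)' -f $row.'Device Serial Number', $row.'Hardware Hash'.Length
}
```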
From the Intune portal, click Devices, Windows Enrollment, then Devices.
Click Import and select the CSV file previously created. Click Import to import the file.
Click Sync when the import is finished.
The device appears in the Intune portal. You can now reset the computer and use the work account to enroll the device in Microsoft Intune. From the Windows 10 computer, open Windows Settings and click Update & Security.
Click Recovery, then Get Started.
Click Remove everything to remove all files, apps, etc. Click Next, then Reset to launch the reset. Enter the username of your account and click Next.
Setup is in progress.
The computer account is added to Microsoft Intune.
The account is present in Active Directory.
The computer is now joined to both AD and Azure AD.
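To confirm that last state from the device itself rather than from the portals, the following added example (not code from the original post) parses the output of dsregcmd /status, the built-in Windows tool that reports the device's join state, and flags a join that is not yet hybrid. It assumes it is run on the enrolled Windows 10 device.

```powershell
# Added example: read "dsregcmd /status" into a hashtable and report whether the device is
# both domain-joined and Azure AD-joined (the definition of Hybrid Azure AD Join).
function Get-DsregStatus {
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        # Lines look like "   AzureAdJoined : YES"; split on the first colon only, because
        # some values (URLs) contain further colons.
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

$s = Get-DsregStatus
$hybrid = ($s['DomainJoined'] -eq 'YES') -and ($s['AzureAdJoined'] -eq 'YES')

[pscustomobject]@{
    DomainJoined  = $s['DomainJoined']
    AzureAdJoined = $s['AzureAdJoined']
    DomainName    = $s['DomainName']
    TenantName    = $s['TenantName']
    DeviceId      = $s['DeviceId']
    HybridJoined  = $hybrid
}

if (-not $hybrid) {
    # A device that is DomainJoined but not AzureAdJoined has usually not found the SCP set up
    # with Azure AD Connect, or its computer object has not been synchronised to Azure AD yet.
    Write-Warning "Hybrid join is not complete. Review the full 'dsregcmd /status' output."
}
```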