Autopilot and Hybrid AD Join

Configuring Autopilot together with Hybrid Azure AD Join is useful when you want to apply Group Policy to workstations enrolled through Autopilot. The workstations can then be configured with Microsoft Intune, with Active Directory Group Policy, or with both.

Prerequisites

Prerequisites for Autopilot

The following URLs must be reachable from the SYSTEM context, because device registration runs as SYSTEM and a check performed in a user session does not prove that. You can use the Test Device Registration Connectivity script to verify this.

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com
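The following PowerShell check is an added example, not part of the original post or of Microsoft's Test Device Registration Connectivity script. It tests TCP 443 reachability to the three endpoints listed above and warns when it is not running as SYSTEM, since a proxy or firewall rule that only applies to user sessions would otherwise go unnoticed. Everything except the three host names is an assumption.

```powershell
# Added example: verify that the device registration endpoints are reachable
# on TCP 443 and that the check itself runs in the SYSTEM context.
$endpoints = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com'
)

function Test-DeviceRegistrationEndpoint {
    param([Parameter(Mandatory)][string]$HostName)
    # Test-NetConnection ships with Windows 8.1 / Server 2012 R2 and later.
    $result = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Endpoint         = $HostName
        RemoteAddress    = $result.RemoteAddress
        TcpTestSucceeded = $result.TcpTestSucceeded
    }
}

# Device registration runs as SYSTEM, so the check should too.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsSystem) {
    Write-Warning ("Running as {0}, not SYSTEM. Re-run from a SYSTEM shell " +
                   "(for example a scheduled task running as SYSTEM) to get a " +
                   "representative result.") -f $identity.Name
}

$results = $endpoints | ForEach-Object { Test-DeviceRegistrationEndpoint -HostName $_ }
$results | Format-Table -AutoSize

$failed = $results | Where-Object { -not $_.TcpTestSucceeded }
if ($failed) {
    Write-Error ("Unreachable endpoints: " + ($failed.Endpoint -join ', '))
}
```

A successful TCP connection does not rule out TLS inspection on the path; if registration still fails, capture the device registration event log (Microsoft-Windows-User Device Registration/Admin) on the client as the next step.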

Prerequisites for Intune Hybrid Connector

The server where the connector is installed must be running Windows Server 2016, and it must be able to contact a domain controller.

Configure Hybrid AD Join

From the Azure AD Connect server, launch the configuration wizard and click on Configure.

Autopilot and Hybrid AD Join - Configure Azure AD Connect

Click on Configure device options then on Next.

Autopilot and Hybrid AD Join -Configure device options

Enter the credentials of a Global Administrator account and click on Next.

Autopilot and Hybrid AD Join - Enter credentials

Select Configure Hybrid Azure AD Join and click on Next.

Autopilot and Hybrid AD Join - Configure Hybrid Azure AD Join

Check Windows 10 or later domain-joined devices and click on Next.

Autopilot and Hybrid AD Join - Select Windows 10 domain-joined devices

The Service Connection Point (SCP) must be configured. Check the Active Directory domain name and select Azure Active Directory as the authentication service. Click on Add to supply an Enterprise Admin account, enter its credentials and click on Next.

Autopilot and Hybrid AD Join - Configure SCP for Hybrid AD Join

Click on Configure to launch the configuration. Click on Exit when it has finished.

Autopilot and Hybrid AD Join - Launch configuration of Hybrid AD Join

Configure Automatic Enrollment

From the Intune portal, click on Devices, then on Enroll devices, then on Automatic Enrollment.

Click on Automatic Enrollment

Configure the MDM user scope and click on Save.

Configure MDM user scope

Increase the computer account limit

The computer accounts of the Autopilot-enrolled computers are created in Active Directory by the Intune Connector. The computer that hosts the Intune Connector must therefore have the right to create computer objects. In addition, Active Directory enforces a limit: by default, each account can create only 10 computer objects. So it is important to delegate the necessary rights to the computer that hosts the Intune Connector. I will position the permission on an Organizational Unit; nevertheless, it is possible to position the delegation on the root of the domain.

From the domain controller, open Active Directory Users and Computers, right-click on the container where the delegation must be applied and click on Delegate Control.

Autopilot and Hybrid AD Join - Delegate control on the Organizational Unit

A wizard appears; click on Next.

Autopilot and Hybrid AD Join - Wizard for delegating rights in AD

Click on Add and select the computer account of the server that hosts the Intune Connector.

Autopilot and Hybrid AD Join - Select the AD computer account of the server where the connector is installed

Check Create a custom task to delegate, then click on Next.

Create custom task to delegate

Check Only the following objects in the folder and select Computer objects. Enable the Create selected objects in this folder and Delete selected objects in this folder options, then click on Next.

Configure delegation for Autopilot

Select Full Control and click on Next.

Check Full control right

Click on Next and Finish.
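Once the wizard has finished, the result can be verified from a domain-joined machine with the ActiveDirectory module. The script below is an added example, not part of the original post: it reads the ACL of the target OU and checks that the connector's computer account holds the Create/Delete computer-object rights and the Full Control over descendant computer objects that the wizard granted, then reports the domain's ms-DS-MachineAccountQuota. The connector server name (INTUNECONN01) and the OU distinguished name are placeholders to replace.

```powershell
# Added example: verify the delegation created by the wizard above.
Import-Module ActiveDirectory

$connectorComputer = 'INTUNECONN01'                       # placeholder: connector server
$targetOu          = 'OU=Autopilot,DC=corp,DC=example'    # placeholder: delegated OU

# schemaIDGUID of the "computer" class, as used in object-specific ACEs.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$computer = Get-ADComputer -Identity $connectorComputer
$netbios  = (Get-ADDomain).NetBIOSName
$trustee  = "$netbios\$($computer.SamAccountName)"         # e.g. CORP\INTUNECONN01$

# Only ACEs that apply to the connector's own computer account.
$acl  = Get-Acl -Path ("AD:\" + $targetOu)
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $trustee
}

function Test-Right {
    param($Ace, [System.DirectoryServices.ActiveDirectoryRights]$Right)
    (($Ace.ActiveDirectoryRights -band $Right) -eq $Right)
}

# "Create/Delete selected objects in this folder" -> ObjectType = computer class.
$canCreate = $aces | Where-Object { $_.ObjectType -eq $computerClassGuid -and (Test-Right $_ 'CreateChild') }
$canDelete = $aces | Where-Object { $_.ObjectType -eq $computerClassGuid -and (Test-Right $_ 'DeleteChild') }
# "Full Control" on computer objects -> GenericAll inherited by descendant computers.
$fullCtrl  = $aces | Where-Object { $_.InheritedObjectType -eq $computerClassGuid -and (Test-Right $_ 'GenericAll') }

[pscustomobject]@{
    Trustee                     = $trustee
    OU                          = $targetOu
    CreateComputerObjects       = [bool]$canCreate
    DeleteComputerObjects       = [bool]$canDelete
    FullControlOnComputerObjects = [bool]$fullCtrl
} | Format-List

# The quota only limits accounts that rely on the "Add workstations to domain" right;
# an account with explicit CreateChild rights on the container is not bound by it.
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota (default 10): $quota"
```

Because the delegation grants explicit rights, the connector keeps working even in domains where ms-DS-MachineAccountQuota has been lowered to 0 as a hardening measure; that is a reason to prefer the delegation on a dedicated OU over raising the quota domain-wide.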

Install Intune Hybrid Connector

From the Intune portal (endpoint.microsoft.com), click on Devices, then on Enroll devices.

Configure Enroll devices on Microsoft Intune

A new window appears; click on Intune Connector for Active Directory.

Download Intune Connector for Active Directory

Click on Add to add a new connector.

Add a new Intune Connector for Active Directory

Click on Download the on-premises Intune Connector for Active Directory to download the connector.

Download the on-premises Intune Connector for Active Directory

Install the Intune connector

On the server where you want to install the connector, run the installation file. A new window appears; accept the licence terms and click on Install.

Install Intune Connector for Active Directory

When the installation is finished, click on Configure now.

Configure the Intune Connector for AD now

A wizard appears; click on Sign In.

Sign In on the wizard

Enter the username and password of an admin account. The Intune Connector for Active Directory is now enrolled; click OK and close the wizard.

The Intune connector is enrolled

In the Intune portal, click on Devices, Windows, Windows enrollment, then Intune Connector for Active Directory. The status of the connector is Active.

The Intune connector is Active.

Create dynamic group

From the Azure AD portal, click on Azure Active Directory, then on Groups.

Open Azure AD portal

Click on New Group to create a new group.

Create a new group in Azure AD

Enter the name of the group and select Dynamic Device as the Membership type. Click on Add dynamic query to add the query.

Configure the new group's parameters

Click on Edit then on Rule Syntax.

Enter the Rule Syntax

Enter the following query and click on OK.

(device.devicePhysicalIDs -any _ -contains "[ZTDId]")

Enter the rule for the dynamic group

Click on Save then on Create.

The group has been created

Create Deployment Profiles

From the Intune portal, click on Devices, then on Enroll devices.

Configure Enroll devices options

Click on Deployment Profiles.

Create Deployment Profiles

Click on Create profile to create a new deployment profile.

Create autopilot profile

Enter the name of the profile, the description and click on Next.

Enter the name of the profile

Select Hybrid Azure AD joined and configure the other options as needed.

Select Hybrid AD joined

Assign the profile to the desired groups and create it.

Assign profile to the groups

The deployment profile is now created.

Configure Enrollment Status Page

From the Intune portal, click on Devices, then Enroll devices, then Enrollment Status Page.

Configure Enrollment Status Page

Click on Create to create a new Enrollment Status Page.

Create Enrollment Status Page

Enter the name and click on Next.

Create profile for Hybrid AD Join

Configure the settings as needed.

Configure the settings as you want

Assign the profile to the dynamic group created previously.

Select the group

Click on Next, then on Create. The profile has been created.

The profile has been created

Create Domain Join profile

From the Intune portal, click on Devices, then on Configuration Profiles.

Create a configuration profile in Intune

Click on Create profile to create a new policy.

Create a new policy in Intune

Select Windows 10 and later in the Platform drop-down and Domain Join in the Profile drop-down. Click on Create.

Create the Domain Join profile in Intune

Enter the name of the profile and click on Next.

Enter the name of the Policy

Enter the prefix for the computer name and the domain name. For the Organizational Unit, enter the value of the OU's distinguishedName LDAP attribute.

Configure the domain join parameters in Intune

Assign the profile to the previously created group and create the profile.

Assign the profile in Intune

Repeat the same operation to disable the user ESP. If you do not disable the user ESP, a timeout occurs on the Enrollment Status Page. Use the following information to create the Intune profile.

  • Platform: Windows 10 and later
  • Profile: Custom
  • OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
  • Data Type: Boolean
  • Value: True

Autopilot and Hybrid AD Join - Create OMA-URI profile

Assign the profile to the same group as the previous profile and create the profile.

Add a device to Autopilot

I am testing Autopilot on my virtual machine, so before using Autopilot I need to add the device to the Autopilot platform. From the Windows 10 device, run the following command.

Install-Script -Name Get-WindowsAutoPilotInfo

Autopilot and Hybrid AD Join - Install script for Autopilot

Create a CSV file containing the ID of the device; this ID must be added to Autopilot. On the Windows 10 computer, run the command.

Get-WindowsAutoPilotInfo.ps1 -OutputFile VM-CL10.csv

Autopilot and Hybrid AD Join - Create CSV file with Autopilot ID
Autopilot and Hybrid AD Join - Autopilot ID for the Windows 10 computer
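Before importing, it is worth checking that the CSV is well-formed, because an import with a missing column or a truncated hash fails only after the upload. The script below is an added example and not part of the original post or of the Get-WindowsAutoPilotInfo script: it reuses the file name VM-CL10.csv from above and assumes the column names the script writes ("Device Serial Number", "Windows Product ID", "Hardware Hash").

```powershell
# Added example: validate an Autopilot CSV before importing it into Intune.
# Assumes the column names written by Get-WindowsAutoPilotInfo.ps1.
$csvPath = Join-Path $PWD 'VM-CL10.csv'

function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)

    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No rows found in $Path" }

    # Header check: every required column must be present, spelled exactly.
    $headers = $rows[0].PSObject.Properties.Name
    $missing = $required | Where-Object { $_ -notin $headers }
    if ($missing) { throw "Missing column(s): $($missing -join ', ')" }

    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) { throw 'A row has an empty serial number' }

        # The hardware hash is Base64; a truncated or hand-edited value does not decode.
        $hash = $row.'Hardware Hash'
        if ([string]::IsNullOrWhiteSpace($hash)) { throw "Empty hardware hash for serial $serial" }
        try { [void][Convert]::FromBase64String($hash) }
        catch { throw "Hardware hash for serial $serial is not valid Base64" }
    }

    # Duplicate serials in one file are rejected by the import; catch them here.
    $dupes = $rows | Group-Object 'Device Serial Number' | Where-Object { $_.Count -gt 1 }
    if ($dupes) { throw "Duplicate serial number(s): $($dupes.Name -join ', ')" }

    Write-Host "$($rows.Count) device(s) look ready to import from $Path"
    $rows
}

Test-AutopilotCsv -Path $csvPath | Select-Object 'Device Serial Number', 'Windows Product ID' | Format-Table -AutoSize
```

The "Windows Product ID" column is allowed to be blank (it usually is on virtual machines), so the check only requires its presence. Treat the CSV as an inventory record rather than a throwaway file: the hardware hash uniquely identifies the device in your tenant.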

From the Intune portal, click on Devices, then Windows Enrollment, then Devices.

Autopilot and Hybrid AD Join - Add devices to Autopilot

Click on Import and select the CSV file created previously. Click on Import to import the file.

Autopilot and Hybrid AD Join - Import the CSV file to add the device to Autopilot

Click on Sync when the import is finished.

Sync to finish importing the device into Autopilot

The device appears in the Intune portal.

The device is present in Intune

You can now reset the computer and use the professional account to enroll the device in Microsoft Intune. From the Windows 10 computer, open Windows Settings and click on Update & Security.

Open Windows Settings

Click on Recovery, then on Get Started.

Reset this PC option is used

Click on Remove everything to remove all files, apps and settings. Click on Next, then on Reset to launch the reset. Enter the username of your account and click on Next.

Autopilot and Hybrid AD Join - Enter the professional account

Setup is in progress.

Autopilot and Hybrid AD Join - Setup is in progress

The computer account is added to Microsoft Intune.

Autopilot and Hybrid AD Join - Workstation is joined to Microsoft Intune

The account is present in Active Directory.

Autopilot and Hybrid AD Join - Computer is present in Active Directory

The computer is now joined to both AD and Azure AD.

Autopilot and Hybrid AD Join - Hybrid AD Join is OK
