Since the release of Windows Autopilot in 2017 we’ve been able to provision devices using cloud technologies and join them to Azure Active Directory. Organizations have shown great interest in Autopilot, but one of the deployment blockers has been that they can’t perform a traditional Active Directory join. This is now changing as Microsoft introduces a new capability for Autopilot, announced at Microsoft Ignite 2018: configuring devices to join Azure Active Directory as Hybrid Azure AD joined devices. This means that Microsoft Intune and Autopilot now support joining devices to an on-premises Active Directory while also registering the devices in Azure Active Directory, enabling the benefits of the cloud along with traditional management capabilities.

NOTE: This blog post contains features that are currently in public preview and may be subject to change in a future release of Microsoft Intune.

Requirements

In order to successfully perform a Hybrid Azure AD join for a Windows Autopilot device using Intune, the following infrastructure requirements have to be set up and configured:

  • Hybrid Azure AD join configured in your environment
  • Automatic enrollment for Microsoft Intune enabled in Azure AD
  • On-premise Active Directory and a Windows Server joined to the domain running the Intune Connector software
  • Windows Autopilot enabled devices with a deployment profile assigned
  • Domain Join device configuration profile configured in Microsoft Intune

In addition, these requirements must be met on the device:

  • Windows 10 version 1809 and above
  • Access to the internet
  • Access to Active Directory (access through a VPN connection is not supported)
  • Go through the Out-of-Box Experience (OOBE)

Prepare Active Directory

In order to deliver an offline domain join blob file from Microsoft Intune down to the devices after they’ve been enrolled, there needs to be a way for that traffic to go through. The Intune Connector for Active Directory enables this functionality and is required to be installed locally in your on-premise infrastructure on a Windows Server.

The computer account of the server where the connector is installed needs to be delegated permissions on a specific organizational unit in Active Directory, so that it can create computer accounts for the enrolling Windows Autopilot devices that are configured for Hybrid Azure AD join. In this scenario I’ve created a specific Autopilot organizational unit to make it easier to tell where the computers are coming from. However, depending on your current design and structure, this might not be the ideal configuration.

  • Open the Active Directory Users and Computer management console.
  • Right-click a desired organizational unit in your directory where you want the Autopilot devices to be placed when they join the domain and select Delegate permissions.

  • Click Next in the wizard that appears.
  • Select Create a custom task to delegate and click Next.

  • Choose Only the following objects in the folder and select Computer object from the list. Check both Create selected objects in the folder and Delete selected objects in the folder, then click Next.

  • Select the Full control permissions to ensure the computer account gets all the access it requires and click Next.

  • Click Finish in the wizard to complete the delegation of permissions.

Active Directory has now been prepared for joining Windows Autopilot devices to the chosen organizational unit.
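The same delegation can be scripted instead of clicking through the wizard. The PowerShell below is an added example and is not part of the original post: it grants the connector server’s computer account the rights the wizard steps above describe (create and delete Computer objects in the OU, and Full control over the Computer objects beneath it) and then reads the resulting ACEs back so the delegation can be reviewed. The OU distinguished name, the server name and the domain are placeholders; the GUID is the well-known schemaIDGUID of the computer object class.

```powershell
# Added example, not from the original post: delegate the Intune Connector server's
# computer account rights on the Autopilot OU, scoped to Computer objects only.
# Placeholders: OU DN 'OU=Autopilot,DC=corp,DC=example', server 'INTUNECONN01'.
Import-Module ActiveDirectory

# schemaIDGUID of the 'computer' object class (well-known value in the AD schema)
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Grant-AutopilotOuDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,   # placeholder OU DN
        [Parameter(Mandatory)] [string] $ConnectorServerName    # placeholder server name
    )

    $sid = (Get-ADComputer -Identity $ConnectorServerName).SID
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    # Wizard step "Only the following objects in the folder" + Create/Delete selected objects:
    # create and delete child objects of class Computer directly in this OU, nothing else.
    $createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ComputerClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    # Wizard step "Full control": GenericAll inherited only by descendant Computer objects,
    # so the account gets no rights over the OU itself or over non-computer objects.
    $fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClassGuid)

    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($fullControl)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

function Get-OuDelegationForAccount {
    # Read back the ACEs held by the connector's computer account on the OU, so you can
    # confirm that exactly the intended rights (and no wider ones) were granted.
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $ConnectorServerName
    )
    $sid = (Get-ADComputer -Identity $ConnectorServerName).SID
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

# Usage with the placeholder values:
Grant-AutopilotOuDelegation -OuDistinguishedName 'OU=Autopilot,DC=corp,DC=example' -ConnectorServerName 'INTUNECONN01'
Get-OuDelegationForAccount  -OuDistinguishedName 'OU=Autopilot,DC=corp,DC=example' -ConnectorServerName 'INTUNECONN01'
```

Run it from a domain-joined machine with the RSAT Active Directory module installed, as an account that can modify the OU’s security descriptor. The read-back function is the part worth keeping around: it shows the two ACEs with their object-type GUIDs, which is what you want to see when reviewing which accounts can create computer objects in the domain.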

Azure AD Dynamic Group for all Autopilot devices

There are various dynamic query rules that can be used to create groups containing the Autopilot enabled devices. In order to assign a deployment profile for Autopilot, you’ll need at least one group that, for instance, collects all devices enabled for Autopilot. This can be accomplished by creating a simple dynamic group in Azure AD using the following query:

(device.devicePhysicalIDs -any _ -contains "[ZTDId]")

Below is a screenshot of the query in use:

There are additional ways to narrow down to more specific devices, for instance a group containing all of your Autopilot devices with a specific order ID:

(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")

Another group could contain all of your Autopilot devices with a specific Purchase Order ID:

(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")

However you choose to create a dynamic group, it’s important to highlight that there needs to be at least one group containing the Autopilot devices for assignment of the deployment profile.
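The groups above can also be created with the AzureAD PowerShell module rather than in the portal. The snippet below is an added example, not code from the original post; it assumes you have already run Connect-AzureAD, and the group display names are placeholders (the membership rules are the ones shown above).

```powershell
# Added example, not from the original post: create Azure AD dynamic device groups
# for Autopilot devices with New-AzureADMSGroup (AzureAD module). Requires Connect-AzureAD.
function New-AutopilotDynamicGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,     # placeholder group name
        [Parameter(Mandatory)] [string] $MembershipRule   # dynamic membership rule text
    )
    # MailNickname must be alphanumeric, so derive it from the display name.
    $nickname = $DisplayName -replace '[^A-Za-z0-9]', ''

    New-AzureADMSGroup -DisplayName $DisplayName `
        -Description 'Windows Autopilot devices (dynamic membership)' `
        -MailEnabled $false -MailNickname $nickname -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState 'On'
}

# The rules are passed in single quotes so the double quotes inside them reach Azure AD untouched.

# All Autopilot-registered devices (the ZTDId rule from the post)
New-AutopilotDynamicGroup -DisplayName 'Autopilot - All devices' `
    -MembershipRule '(device.devicePhysicalIds -any _ -contains "[ZTDId]")'

# Only the devices carrying a specific Order ID
New-AutopilotDynamicGroup -DisplayName 'Autopilot - Order 179887111881' `
    -MembershipRule '(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")'

# Only the devices carrying a specific Purchase Order ID
New-AutopilotDynamicGroup -DisplayName 'Autopilot - PO 76222342342' `
    -MembershipRule '(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")'
```

Dynamic membership is evaluated asynchronously, so allow some minutes after creation before checking the group’s members and assigning the deployment profile to it.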

Configure the Intune Connector for Active Directory

With Active Directory prepared and a dynamic group created for Autopilot enabled devices, we can go ahead and install the Intune Connector for Active Directory.

  • Log in to the Azure portal using a Global Admin or Intune Service Administrator account.
  • Go to the Device Enrollment blade and select Windows Enrollment.
  • Click on Intune Connector for Active Directory.

  • Click Add.

  • Click on the link to download the on-premise Intune Connector for Active Directory.

  • On the Windows Server that has been delegated permissions to create computer accounts in Active Directory, in accordance with the preparation steps mentioned above in this post, install the connector.

  • When the installation has completed, click Configure Now.

  • In the Enrollment tab that appears in the new application that opens up, click Sign In. Global Administrator or Intune Administrator roles are required for the user signing in for the connector enrollment to successfully complete.

  • Once the enrollment of the connector has successfully completed, click OK in the prompt that appears.

  • The Intune Connector for Active Directory has now successfully been installed.
  • Back in the Azure portal, we can now see the connector showing up. The connector name shows the name of the Windows Server where it was installed. In the image below the name has been redacted.

With the connector set up successfully, what’s left to configure is a Windows Autopilot deployment profile.

Create Windows Autopilot deployment profile

A Windows Autopilot deployment profile is used to configure the devices enabled for Autopilot. In this profile you select, among other configuration settings, how the devices will be joined: either to Azure Active Directory or through a Hybrid Azure AD join. This part of the post will not go through all the different configuration options for a Windows Autopilot deployment profile, only the configuration required for successfully configuring devices for a Hybrid Azure AD join.

  • In the Azure portal, go to Device Enrollment – Windows Enrollment. Select Deployment Profiles and click Create profile.

  • Name the profile accordingly and ensure that you select Hybrid Azure AD join under the Join Azure AD as.

  • Configure the remaining settings for the deployment profile and finally click Create.
  • Finally, assign the deployment profile to the group created earlier to assign it to devices.

Create a Domain Join profile

The last piece of the puzzle is to create a Domain Join profile. In this profile we specify the device naming prefix, the domain the devices will be joined to and optionally the desired organizational unit where the devices will be placed into inside Active Directory.

  • In the Azure portal, go to Device Configuration – Profiles and click Create profile.
  • Name the profile accordingly and select Windows 10 and later under Platform. As for the Profile type select Domain Join. Under the Settings blade, configure the required settings. In this example I’ve configured the computer name prefix to be CL and also specified the fully qualified domain name of the domain that the devices will be joined to. Optionally, the distinguished name of the organizational unit has been specified as well. Click Create.

  • Assign the profile the same way you have assigned the Windows Autopilot deployment profile, to the dynamic group created earlier.

  • Before you continue to attempt to provision a device using Autopilot, ensure that the device has been assigned the desired deployment profile in Device Enrollment – Windows Enrollment – Devices, like shown in the picture below.

Results and summary

With all of the configuration pieces in place, an organization can now provision devices with Windows Autopilot that are joined to the on-premises Active Directory and registered in Azure Active Directory. For the testing purposes of this new capability, I’ve been using a Windows 10 Insider Preview build 10.0.18272 since the Windows 10 version 1809 release was postponed.

The first difference that you’ll notice during OOBE is that the device spins a while longer at the step where it used to perform an Azure Active Directory join. At this point the offline domain join blob is sent down to the device and it’s being joined to the on-premises Active Directory. We can see that because during this step the device appears in the desired organizational unit configured in the domain join profile:

After the successful domain join, the device needs to be restarted, which is shown by the following screen during OOBE:

Once rebooted, the Enrollment Status page appears and the remaining device specific configuration is performed. At the end, when everything has completed successfully, we are presented with the login screen where it’s quite obvious that we’re now domain joined:

When a user signs in at this point, user specific configuration is performed on the device which is shown again through the Enrollment Status page:
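A login screen is a good hint, but a practitioner will want to verify the end state on the device itself. The function below is an added example and not part of the original post: it parses the output of dsregcmd /status (the AzureAdJoined, DomainJoined, DomainName, TenantName and DeviceId fields it prints) and reports whether the device is both domain joined and Azure AD joined, which is what a Hybrid Azure AD join should produce. The sample output at the end is constructed for an offline run and its values are placeholders.

```powershell
# Added example, not from the original post: verify the join state of a provisioned device
# by parsing dsregcmd /status. Field names are the ones dsregcmd prints.
function Get-DeviceJoinState {
    param(
        # Defaults to the live output; pass captured lines to evaluate offline.
        [string[]] $StatusLines = (& dsregcmd.exe /status)
    )

    $state = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "   Key : Value" pairs; keep only the fields we care about
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName|TenantName|DeviceId)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }

    $aad    = ($state['AzureAdJoined'] -eq 'YES')
    $domain = ($state['DomainJoined']  -eq 'YES')

    [pscustomobject]@{
        AzureAdJoined = $aad
        DomainJoined  = $domain
        # Hybrid Azure AD joined means both flags are set at the same time
        HybridJoined  = ($aad -and $domain)
        DomainName    = $state['DomainName']
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
    }
}

# Live check on the freshly provisioned device:
Get-DeviceJoinState

# Offline check against constructed sample output (placeholder values, not real output):
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CORP',
    '                TenantName : Contoso (placeholder)',
    '                  DeviceId : 00000000-0000-0000-0000-000000000000'
)
Get-DeviceJoinState -StatusLines $sample
```

If HybridJoined comes back false while DomainJoined is true, the device has completed the offline domain join but has not yet registered with Azure AD; the device registration normally completes after the reboot, so re-run the check once the Enrollment Status page has finished.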

That’s all, I hope you’re as excited about this new capability with Windows Autopilot and Intune as I am.


Nickolaj Andersen

Principal Consultant and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Currently working for TrueSec as a Principal Consultant. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences and user groups.

Comments
  • Goat Shadow
    Posted at 18:00 November 7, 2018

    In the Delegation of Control Wizard at the beginning, it asks to select users and groups to whom we want to delegate control. Should this be a service account for Intune or..?

    • Nickolaj Andersen
      Posted at 18:14 November 7, 2018

      Hi, like it states in the text for that section it should be the computer account of the server where the connector is installed. Hope this helps!

      Regards,
      Nickolaj

  • Victor Karlsson
    Posted at 00:14 November 10, 2018

    Hey! I’ve set this up with AD FS with several federated domains. During the update of Azure AD Connect the AD FS Claim rule: “Issue issuerid when it is not a computer account” got changed, and I had to change it back to get the federation and sso working again.

    Computers are synced up (windows 10) automatically to Azure AD. But when I try to Auto-Pilot roll computers i get error message:

    “Confirm you are using the correct sign-in information and that your organization uses this feature. You can try to do this again or contact your system administrator with the error code 80004005”

    If I use Autopilot without the preview, it works fine. Maybe it’s the AD FS claim rules?
    Do you guys have any idea? There is no error in the AD FS log.
