Introduction
Good news everyone! The feature was introduced at Ignite earlier this year and now it’s finally here. Windows AutoPilot now allows you to join your Windows 10 v1809 devices to your on-premises Active Directory (Hybrid Azure AD Join). All the magic lies in a new Intune connector for Active Directory. Sounds exciting, right? This will be everything you need to know, on how to get started with this new amazing feature.
Prerequisites
- Minimum Windows 10 v1809
- Internet access for the device being deployed
- Hybrid Azure AD join configured in the environment
Install the Intune Connector
- First things first. Log into the Microsoft 365 Device Management portal: https://devicemanagement.microsoft.com
- Browse your way to Device enrollment and Windows enrollment. See below illustration:
- Select the new Intune Connector for Active Directory (Preview)
- Click on Add
- Click on Download the on-premises Intune Connector for Active Directory
- You will be downloading a file called: ODJConnectorBootstrapper.exe
- Install the newly downloaded Intune connector and run through the enrollment
- This needs to be done on a server running Windows Server 2016 that has access to the Internet and your Active Directory
- The enrollment requires you to sign in with either a Global Administrator or an Intune Administrator
- Once signed in, the enrollment completes automatically with a message as shown below:
- Give the Intune Connector a few minutes to show up in the portal
- Notice mine is called METROPOLIS
A few steps in your on-premises Active Directory
- Create an new OU (Organizational Unit) in your Active Directory for your new Windows AutoPilot devices
- Select to Delegate Control on the new OU. See below:
- Select the computer hosting the new Intune connector
- Notice that this again is the server METROPOLIS
- Select to Create a custom task to delegate
- Select Computer objects and Create/Delete selected objects in this folder as shown below
- Select Full Control and notice all permissions are being selected. Finish the wizard when done
Back in the Microsoft 365 Device Management portal
- Create a new Windows AutoPilot Deployment Profile. Browse your way through Device enrollment -> Windows enrollment -> Deployment Profiles
- User-Driven
- Join to Azure AD as: Hybrid Azure AD joined (preview)
- Fill out the Settings as it suits you
- Now, create a new Dynamic Group in Azure AD
- This is done in your favorite Azure AD portal: https://portal.azure.com/
- Note: This is optional, but I will be using this group for assignment of the Deployment Profile created in the previous step. You will be needing at least one group for assignment, and you can obviously use existing AutoPilot device groups if you have any
- Membership rule in my scenario: (device.devicePhysicalIds -any _ -eq “[OrderID]:AADHybridJoin“)
- This will specifically create a group only consisting of devices I import for the purpose
- Above is based on the export made by the Windows AutoPilot Powershell script where the OrderId is added to the exported .csv: https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo/1.3
- OrderId is manually added to the header of the .csv file
- As well as the identifier in the end of the .csv file
- Assign the Windows AutoPilot Deployment Profile to the Dynamic Group we created earlier. In this scenario, mine is called Intune_AutoPilot_AADHybridJoin
- Import the modified .csv file generated by the Powershell script in the previous step. When the device shows up, you will notice that the Deployment Group is set to the identifier we manually added to the .csv file: AADHybridJoin
One final step to configure
- Now, the last thing we need to configure is the Domain Join configuration profile in Microsoft Intune
- In the Microsoft 365 Device Management portal, go to Device configuration -> Profiles and click Create profile
- Give the configuration profile a suitable name. For your inspiration, mine is called MDM – Hybrid ADD Join
- Select Windows 10 and later and choose Domain Join (Preview) in the drop down menu
- Configure the Computer name prefix as it suits your environment. I have chosen to prefix all the computers with AUTOPILOT-
- Fill out Domain name and Organizational Unit as it suits your environment
- Now, assign the Domain Join configuration profile to the same Dynamic Azure AD group we created earlier
Finally done configuring
- Now, when resetting my virtual machine (the one that was imported into the AADHybridJoin Deployment Group), I’m being presented with the usual Windows AutoPilot screens. Everything as expected. Now in the end of everything, you will see that the device is being joined to the On-premise Active Directory. In my scenario with the prefix i selected earlier.
- And when finally signing into the newly deployed Windows AutoPilot device, the final steps of the deployment is being done
Happy deployment everyone 🙂
I keep attempting to use the query syntax above: (device.devicePhysicalIds -any _ -eq “[OrderID]:AADHybridJoin“) but Azure does not like it. Am I doing something wrong? How do I get this to behave?
Hey, try copy/paste into notepad and copy/paste into the query in Azure from there. Alternatively, try writing it manually. I have seen something similar when copy/pasting 🙂
If you don’t have Order ID then the above query doesn’t fit your requirement
Hi,
do anyone know how to sign out of the Intune Connector for AD?
I connected with the Azure AD Admin which is not rechable in my On Prem AD so I am not able to ODJ my client :/
Uninstall an reinstall didn´t helped :/
Many thanks
Is there a way of adding some onprem group memberships to the domain joined machines during the setup with the connector? Or how can I do that automatically?