Since the release in 2017 of Windows Autopilot we’ve been able to provision devices using cloud technologies and joining them to Azure Active Directory. Organizations have shown great interest in Autopilot but one of the deployment blockers have been that they can’t perform a traditional Active Directory join. This is now changing when Microsoft is introducing a new capability for Autopilot that was announced at Microsoft Ignite 2018, configuring devices to join Azure Active Directory as Hybrid Azure AD joined devices. This means that Microsoft Intune and Autopilot now supports joining devices to an on-premise Active Directory and also registering the devices in Azure Active Directory enabling the benefits of the cloud along with traditional management capabilities.
NOTE: This blog post contains features that are currently in public preview and may be subject to change in a future release of Microsoft Intune.
In order to successfully perform an Hybrid Azure AD join for a Windows Autopilot device using Intune, the following infrastructure requirements have to be setup and configured:
- Hybrid Azure AD join configured in your environment
- See this URL for more details: https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-managed-domains
- Automatic enrollment for Microsoft Intune enabled in Azure AD
- On-premise Active Directory and a Windows Server joined to the domain running the Intune Connector software
- Windows Autopilot enabled devices with a deployment profile assigned
- Domain Join device configuration profile configured in Microsoft Intune
In addition, these requirements must be met on the device:
- Windows 10 version 1809 and above
- Access to the internet
- Access to Active Directory (access through a VPN connection supported from Intune service release 2006 and onwards)
- Go through the Out-of-Box Experience (OOBE)
Prepare Active Directory
In order to deliver an offline domain join blob file from Microsoft Intune down to the devices after they’ve been enrolled, there needs to be a way for that traffic to go through. The Intune Connector for Active Directory enables this functionality and is required to be installed locally in your on-premise infrastructure on a Windows Server.
Permissions for the computer account where the connector is installed needs to be delegated to a specific organizational unit in Active Directory to allow it to create computer accounts for the enrolling Windows Autopilot devices that’s configured for Hybrid Azure AD join. In this scenario I’ve created a specific Autopilot organizational unit to make it easier to differentiate where the computers are coming from. However, depending on your current design and structure, this might not be the ideal configuration.
- Open the Active Directory Users and Computer management console.
- Right-click a desired organizational unit in your directory where you want the Autopilot devices to be placed when they join the domain and select Delegate permissions.
- Click Next in the wizard that appears.
- Select Create a custom task to delegate and click Next.
- Choose Only the following objects in the folder and select Computer object from the list. Check both the Create and Delete selected objects in the folder and click Next.
- Select the Full control permissions to ensure the computer account gets all the access it requires and click Next.
- Click Finish in the wizard to complete the delegation of permissions.
Active Directory has now been prepared for joining Windows Autopilot devices to the chosen organizational unit.
Azure AD Dynamic Group for all Autopilot devices
There are various dynamic query rules that can be used to create groups containing the Autopilot enabled devices. In order to assign an deployment profile for Autopilot, you’ll need at least one group that for instance collects all devices enabled for Autopilot. This can be accomplished by creating a simple dynamic group in Azure AD using the following query:
(device.devicePhysicalIDs -any _ -contains "[ZTDId]")
Below is a screenshot of the query is used:
There’s additional ways that you can narrow down more specific devices, for instance a group containing all of your Autopilot devices with a specific order ID:
(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")
Another group could contain all of your Autopilot devices with a specific Purchase Order ID:
(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")
However you choose to create a dynamic group, it’s important to highlight that there needs to be at least one group containing the Autopilot devices for assignment of the deployment profile.
Configure the Intune Connector for Active Directory
With Active Directory prepared and a dynamic group created for Autopilot enabled devices, we can go ahead and install the Intune Connector for Active Directory.
- Log in to the Azure portal using a Global Admin or Intune Service Administrator account.
- Go to the Device Enrollment blade and select Windows Enrollment.
- Click on Intune Connector for Active Directory.
- Click Add.
- Click on the link to download the on-premise Intune Connector for Active Directory.
- On the Windows Server that has been delegated permissions to create computer accounts in Active Directory in accordance to the preparation steps mentioned above in this post, install the connector.
- When the installation has completed, click Configure Now.
- In the Enrollment tab that appears in the new application that opens up, click Sign In. Global Administrator or Intune Administrator roles are required for the user signing in for the connector enrollment to successfully complete.
- Once the enrollment of the connector has successfully completed, click OK in the prompt that appears.
- The Intune Connector for Active Directory has now successfully been installed.
- Back in the Azure portal, we can now see the connector showing up. The connector name shows the name of the Windows Server where it was installed. In the image below the name has been redacted.
With the connect setup successfully what’s left to configure is a Windows Autopilot deployment profile.
Create Windows Autopilot deployment profile
A Windows Autopilot deployment profile is used to configure the devices enabled for Autopilot. In this profile the option to select how the devices will be joined, either to Azure Active Directory or through a Hybrid Azure AD join among other configuration settings. This part of the post will not go through all the different configuration options for a Windows Autopilot deployment profile, only the required configuration for successfully configuring devices for a Hybrid Azure AD join.
- In the Azure portal, go to Device Enrollment – Windows Enrollment. Select Deployment Profiles and click Create profile.
- Name the profile accordingly and ensure that you select Hybrid Azure AD join under the Join Azure AD as.
- Configure the remaining settings for the deployment profile and finally click Create.
- Finally, assign the deployment profile to the group created earlier to assign it to devices.
Create a Domain Join profile
The last piece of the puzzle is to create a Domain Join profile. In this profile we specify the device naming prefix, the domain the devices will be joined to and optionally the desired organizational unit where the devices will be placed into inside Active Directory.
- In the Azure portal, go to Device Configuration – Profiles and click Create profile.
- Name the profile accordingly and select Windows 10 and later under Platform. As for the Profile type select Domain Join. Under the Settings blade, configure the required settings. In this example I’ve configured the computer name prefix to be CL and also specified the fully qualified domain name of the domain that the devices will be joined to. Optionally, the distinguished name of the organizational unit has been specified as well. Click Create.
- Assign the profile the same way you have assigned the Windows Autopilot deployment profile, to the dynamic group created earlier.
- Before you continue to attempt to provision a device using Autopilot, ensure that the device has been assigned the desired deployment profile in Device Enrollment – Windows Enrollment – Devices, like shown in the picture below.
Results and summary
With all of the configuration pieces in place, an organization can now provision devices with Windows Autopilot that’s not joined to the on-premise Active Directory and registered in Azure Active Directory. For the testing purposes of this new capability, I’ve been using a Windows 10 Insider Preview build 10.0.18272 since the Windows 10 version 1809 release was postponed.
The first difference that you’ll notice during OOBE is that the device is taking a while longer spinning at the step where it used to perform an Azure Active Directory join. At this point the offline domain join blob is sent down to the device and it’s being joined to the on-premise Active Directory. We can see that because during this step the device appears in the desired organization unit configured in the domain join profile:
After the successful domain join, the device needs to be restarted, which is shown by the following screen during OOBE:
Once rebooted, the Enrollment Status page appears and the remaining device specific configuration is performed. At the end, when everything has completed successfully, we are presented with the login screen where it’s quite obvious that we’re now domain joined:
When a user signs in at this point, user specific configuration is performed on the device which is shown again through the Enrollment Status page:
That’s all, I hope you’re as excited about this new capability with Windows Autopilot and Intune as I am.