AutoPilot Azure Hybrid Join

berketjune2012 376 Reputation points
2022-03-14T15:29:10.957+00:00

Hi

I have a requirement where brand new laptops are automatically joined to the domain using Autopilot. My question is around getting the machine joined to local AD without the use of VPN, if the user is outside the company network.

I wanted to confirm my understanding on this.

From what I read, the workstation can join Azure AAD over the internet (without VPN) and then, with device writeback, be visible in local AD as a machine. This process can be done using the Intune connector without the use of VPN or network connectivity with the local domain controller.

Can someone confirm if my understanding is correct?

If yes, can you then apply GPO to this machine that is written back to AD?

Thanks

Microsoft Security | Windows Autopilot
Microsoft Security | Intune | Configuration
Microsoft Security | Intune | Other

Accepted answer
  1. Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
    2022-03-14T18:48:28.47+00:00

    Kind of on the document: see https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/planning-for-cloud-native-windows-endpoints-and-modern/ba-p/2834249 and https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353. We have some more formal documentation in the final phases of coordination right now.

    As for initiating the VPN, there are two ways to do this: an auto-connecting VPN or a user-initiated VPN. Either way, the VPN client must be deployed during the device phase of Autopilot. The second link above discusses this briefly and includes links to the relevant documentation. Exact details for each VPN client, though, are up to the VPN vendor.

    1 person found this answer helpful.

1 additional answer

  1. Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
    2022-03-14T17:41:46.32+00:00

    From what I read, the workstation can join Azure AAD over the internet (without VPN) and then, with device writeback, be visible in local AD as a machine. This process can be done using the Intune connector without the use of VPN or network connectivity with the local domain controller.

    Yes, but this is unrelated to the device writeback functionality of AAD Connect.

    Joining the domain is only half the battle though. For the user to log on initially and for any group policies to be applied, line of sight to a domain controller is required -- there is no way around this and this is the purpose of the VPN. Thus, without a VPN connection, the scenario does not fully work.

    I have a requirement where brand new laptops are automatically joined to the domain using Autopilot.

    What's driving this requirement? We strongly encourage orgs to AADJ their new Windows endpoints and avoid HAADJ for new endpoints altogether (for a variety of reasons including complexity and reliability).

    1 person found this answer helpful.
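The answer above hinges on one prerequisite that is easy to get wrong in a remote Autopilot Hybrid Azure AD Join rollout: the endpoint must have line of sight to a domain controller before first user logon and before Group Policy can apply. The following PowerShell script is an added diagnostic, not code from the thread, from Microsoft, or from the Autopilot/Intune documentation linked above. It reads the join state that `dsregcmd /status` reports, asks Netlogon to locate a DC with `nltest /dsgetdc`, and probes the ports a hybrid-joined client needs for logon and GPO (Kerberos 88, LDAP 389, SMB 445 for SYSVOL, RPC endpoint mapper 135). `corp.example.com` is a placeholder domain name you replace; run it elevated on the enrolled device, for example once the VPN client deployed during the device phase has connected.

```powershell
# Added example (not from the thread): verify the DC line of sight that Hybrid Azure AD Join
# needs for first logon and Group Policy. Run elevated on the Autopilot-enrolled endpoint.
param(
    # Placeholder: replace with the DNS name of your on-premises AD domain.
    [string]$DomainName = 'corp.example.com'
)

function Get-DsregState {
    # dsregcmd /status prints "Key : Value" lines; keep the ones relevant to hybrid join.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Find-DomainController {
    param([string]$Domain)
    # nltest uses the DC locator (DNS SRV lookup + LDAP ping); it fails when no DC is reachable.
    $output = nltest /dsgetdc:$Domain 2>&1
    if ($LASTEXITCODE -ne 0) { return $null }
    foreach ($line in $output) {
        # Output line looks like "   DC: \\DC01.corp.example.com"; capture the host name.
        if ($line -match '^\s*DC:\s*\\\\(\S+)') { return $matches[1] }
    }
    return $null
}

function Test-DomainControllerPorts {
    param([string]$DcName)
    # Ports a hybrid-joined client needs for Kerberos logon, LDAP, SYSVOL (GPO) and RPC.
    $ports = [ordered]@{ Kerberos = 88; LDAP = 389; SMB = 445; RPC = 135 }
    $results = [ordered]@{}
    foreach ($name in $ports.Keys) {
        $results[$name] = Test-NetConnection -ComputerName $DcName -Port $ports[$name] `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    return $results
}

# --- Run the checks and summarise ---
$join = Get-DsregState
Write-Host ("Azure AD joined : {0}" -f $join['AzureAdJoined'])
Write-Host ("Domain joined   : {0} ({1})" -f $join['DomainJoined'], $join['DomainName'])

$dc = Find-DomainController -Domain $DomainName
if (-not $dc) {
    Write-Warning "No domain controller for $DomainName is reachable from this network."
    Write-Warning "First user logon and Group Policy will not work until the VPN is connected."
    exit 1
}

Write-Host "Located DC      : $dc"
$ports = Test-DomainControllerPorts -DcName $dc
$blocked = @($ports.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
foreach ($p in $ports.GetEnumerator()) {
    Write-Host ("  {0,-9}: {1}" -f $p.Key, $(if ($p.Value) { 'open' } else { 'BLOCKED' }))
}
if ($blocked.Count -gt 0) {
    Write-Warning ("DC reachable but ports blocked ({0}); logon or GPO may still fail." -f ($blocked -join ', '))
    exit 2
}
Write-Host "DC line of sight OK; Group Policy can be applied (check with: gpresult /r)."
```

A non-zero exit code from this script is the signal to raise in a pilot: the device can be Azure AD registered and Intune managed, as the accepted answer says, yet still be unable to complete its first domain logon or receive policy until the VPN path is in place.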
