Hybrid Device join off-premise

spork 1 Reputation point
2020-04-04T18:12:28.207+00:00

We set up AD Connect to begin syncing devices. This set up an SCP record in AD. We are testing the setup, so following the controlled validation setup, we cleared the SCP record property and used a GPO. We also use ADFS.

Can someone please provide insight into whether what we are seeing is normal/expected, or abnormal.

On-premise devices with the GPO linked to the device OU and ADFS server will perform an autoenrollment in Azure and appear as hybrid device joined. AD Connect does not initially sync any computer objects to Azure. If I create a computer object in an OU which is synced, AD Connect will not add the device to Azure. It appears that the device must perform the enrollment action to be added to Azure. This occurs via the scheduled task \Microsoft\Windows\Workplace Join\Automatic-Device-Join and is only triggered at logon. Only after the device self-enrolls will AD Connect begin managing it.

While this is great and seamless for any on-premise clients, this isn't working for off-premise hosts. If I VPN connect in, I can pick up the GPO configuration bits and my client is ready to go, but the task doesn't trigger unless I log in. If I reboot and am disconnected from the VPN, the scheduled task runs but does NOT enroll, as it seems to need a line of sight to AD.

On my test client I perform the "Access Work or School" connection, but the device now only appears as registered, not hybrid, even after an AD Connect sync job ran.

  1. Should AD Connect be syncing computer objects regardless of the client's self-enrollment? (maybe our admin did something wrong)
  2. Should off-premise clients be able to auto-enroll seamlessly like on-prem clients? (the GPO has the settings that would normally only be in AD, what else is at play?)
  3. Are there other methods for off-prem clients to complete the hybrid join setup?

These existing clients are SCCM managed; we are looking to set up hybrid join so that they can begin to leverage Intune to pick up Windows updates. While registered devices can potentially do this, I feel like this is the wrong approach and may present future issues in which we can't do Windows Hello or take advantage of other services/features.
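A diagnostic script, added here and not part of the thread, that reports the distinctions the question turns on: hybrid joined versus merely registered (from `dsregcmd /status`), whether the controlled-validation GPO has written the client-side SCP override, whether a domain controller is reachable, and the last result of the Automatic-Device-Join task. It assumes an elevated PowerShell session on the Windows 10 client and the documented `CDJ\AAD` registry location for the client-side SCP override.

```powershell
# Added diagnostic, not code from the thread. Assumes an elevated session on
# the Windows 10 client and that dsregcmd.exe is present (it ships with Windows 10).

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinClassification {
    param([hashtable]$s)
    # Hybrid join = DomainJoined AND AzureAdJoined. WorkplaceJoined on its own is
    # the "registered" state the question saw after "Access Work or School".
    if ($s['DomainJoined'] -eq 'YES' -and $s['AzureAdJoined'] -eq 'YES') { return 'HybridAzureADJoined' }
    if ($s['AzureAdJoined'] -eq 'YES')    { return 'AzureADJoined' }
    if ($s['WorkplaceJoined'] -eq 'YES')  { return 'AzureADRegisteredOnly' }
    if ($s['DomainJoined'] -eq 'YES')     { return 'DomainJoinedOnly' }
    return 'NotJoined'
}

$status = Get-DsregStatus
"Join state        : $(Get-JoinClassification $status)"

# Client-side SCP override written by the controlled-validation GPO (assumed key path).
$cdj = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD' -ErrorAction SilentlyContinue
"GPO SCP override  : " + $(if ($cdj) { "$($cdj.TenantName) / $($cdj.TenantId)" } else { 'not set (client will look for the SCP in AD)' })

# Line of sight to a domain controller; the join task needs this even when the
# GPO supplies the tenant values, which is why the off-VPN run in the question fails.
try {
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
    "Domain controller : reachable ($dc)"
} catch {
    "Domain controller : NOT reachable; Automatic-Device-Join cannot complete until on-prem or on VPN"
}

# The scheduled task that performs the enrollment, with its state and last result code.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    "Join task         : state=$($task.State) lastRun=$($info.LastRunTime) result=0x{0:X}" -f $info.LastTaskResult
} else {
    "Join task         : not found"
}
```

A non-zero last result together with an unreachable domain controller reproduces the off-VPN symptom described above; a registered-only classification matches the state seen after the manual "Access Work or School" connection.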


3 answers

  1. jLight 201 Reputation points
    2020-04-04T20:31:19.117+00:00

    We are actually on the same boat... we have implemented Cloud Management Gateway (CMG) and also Windows Autopilot (with Intune management).

    We are finding Windows Autopilot will be the answer, but while we are migrating everyone to it, we will use CMG for the current devices.

    https://learn.microsoft.com/en-us/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway
    https://learn.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot


  2. Luis 1 Reputation point
    2020-05-01T20:12:29.477+00:00

    Hey so I think I'm on a similar situation:
    I want hybrid AD join via autopilot but for clients without being on the company network (at home.. covid...).
    Is there any way to do hybrid join via autopilot? It seems to be a requirement to be able to contact the domain controller... What about something like this:
    Device gets Azure AD autopilot.
    User signs in with azure credentials.
    Script to automate vpn connect and kick off bind to ad, user signs with local ad credentials etc. - so the Hybrid part is here after the vpn is connected automatically.

    I think Microsoft is working on supporting vpn but until they implement it, how can we automate zero touch for hybrid ad needs?


  3. Alan Reagan 6 Reputation points
    2020-05-26T23:00:25.753+00:00

    This feature is what's really needed to make AutoPilot viable for organizations still using GPO and on-prem domains. The feature has had a UserVoice entry since February 2019. Please upvote if you need this functionality. https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/36857593-support-vpn-connectivity-for-autopilot-hybrid-enro.

    Reset Windows 10 is a huge improvement and time saver over OSD with SCCM, but if the device has to be unboxed and connected to a network with a domain controller prior to shipping the device to the end user, the biggest potential of AutoPilot is lost.