Intune Hybrid Azure AD join

Swati Arora 141 Reputation points
2021-09-21T08:14:59.233+00:00

Hi All,

We have to implement Intune enrolment for one of our clients in Hybrid Azure AD join and below are the challenges we are facing:

  1. How to enrol devices connected to domain but users working offline. Is there a way we can enrol those devices into Intune as Hybrid Azure AD join ?
  2. If we make devices Azure AD join, does users have to re-authenticate to access any file or printer servers.
  3. We are also looking for windows autopilot Hybrid join for new devices, for that shall we go for Hybrid join using VPN windows autopilot. Has anyone done that ? As per MS doc it says in preview.

Any advise on above scenarios would be really helpful.

Windows Autopilot
Windows Autopilot
A collection of Microsoft technologies used to set up and pre-configure new devices and to reset, repurpose, and recover devices.
407 questions
Microsoft Intune Enrollment
Microsoft Intune Enrollment
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Enrollment: The process of requesting, receiving, and installing a certificate.
1,248 questions
0 comments
Accepted answer
  1. Swati Arora 141 Reputation points
    2021-09-21T22:50:57.48+00:00

    Hi @Jason Sandys

    Thanks for your response.

    For point 1, does GPO policy works well with VPN ? Also, is this applicable for new or existing devices and are you referring to autopilot VPN feature or normal VPN.

    For point 2, as per the document share it says once devices are azure ad joined, you can't access app and resource in AD. Does that mean print and file servers won't be accessible via azure ad joined devices?

    For point 3, if we don't use windows auto-pilot, what should we use for newly provisioning devices when all employees are working from home.

    1 person found this answer helpful.
    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jason Sandys 31,151 Reputation points Microsoft Employee
    2021-09-21T15:05:40.57+00:00
    1. Connectivity to a domain controller is required to complete a hybrid AAD join (HAADJ). The most common way to provide this is with a VPN.
    2. No, SSO just works. See https://learn.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso. Keep in mind though that there is no currently supported way to automatically "convert" an existing on-prem joined or HAADJ device to AADJ or to preserve user profiles as the existing profiles are associated with the on-prem AD user account which won't be used to log on to the device if it is removed from the on-prem domain and joined to AAD.
    3. "We are also looking for windows autopilot Hybrid join for new devices". Please don't. While fully supported, this is not our preferred path for customers. See https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353. To answer the question though, yes, many orgs do this with varying levels of effort depending on the details. Preview features in MEM are fully supported for production use. As noted though, HAADJ should in general be avoided for newly provisioning devices.
    0 comments
  2. Crystal-MSFT 42,961 Reputation points Microsoft Vendor
    2021-09-22T01:37:11.64+00:00

    @Swati Arora , For your question, here are my answers for the reference:
    Q1: For point 1, does GPO policy works well with VPN ?
    A1: If the connectivity to Domain controller is good and the required ports are opening on Firewall when connecting with VPN, I think the GPO can be applied successfully without issue.

    Q2: For point 3, if we don't use windows auto-pilot, what should we use for newly provisioning devices when all employees are working from home.
    A2: For this situation, maybe we can consider Autopilot with Azure AD joined if devices don't need to be joined to an on-prem Active Directory domain. Or other enrollment like Auto-enroll BYOD according to your request. here is a link with the windows enrollment methods for the reference:
    https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment#windows-enrollment-methods

    Hope it can help.

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread..