Autopilot HybridAAD scenario - how can we assign Deployment Profiles to users

Michal Zyzak 31 Reputation points
2022-07-22T09:28:17.9+00:00

Hello

We want to use Autopilot in a Hybrid-AAD-Join scenario. We have several on-prem domains split geographically.
Our goal is to configure the machine based on which user is triggering the Autopilot (who is providing credentials during OOBE).
However, we have users in different on-prem domains. Said domains are split geographically and functionally.
Therefore we don't know the target domain until a user starts the process and provides his credentials. But we must know the target domain before that to assign the machine to the proper Deployment Profile.

How can we resolve this chicken-and-egg scenario? The ideal solution would be linking these Deployment Profiles to user groups (example: UK users have a linked DP with the UK.local.net domain). But this is not supported as far as I know.

Thanks in advance.
MZ


2 answers

  1. Crystal-MSFT 47,701 Reputation points Microsoft Vendor
    2022-07-25T00:49:00.303+00:00

    @Michal Zyzak, the Autopilot profile is downloaded before the device is enrolled into Intune, and the domain join profile is received before the user gets to the login page. Only device groups are supported for these profile assignments.
    https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid#create-and-assign-an-autopilot-deployment-profile

    Here is a link describing the process of Autopilot Hybrid Azure AD join for your reference:
    https://oofhours.com/2020/06/23/windows-autopilot-user-driven-hybrid-azure-ad-join-over-the-internet-using-a-vpn/
    Note: Non-Microsoft link, just for the reference.

    For our situation, we can assign different Group Tags to the devices in different domains when registering Autopilot devices. Then create different dynamic groups according to the Group Tag. The Group Tag field maps to the OrderID attribute on Azure AD devices. If you want to create a group that includes all of your Autopilot devices with a specific Group Tag (OrderID), type: (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881"). More details are in the first article we provided.

    Then we can assign the different Autopilot profiles and domain join profiles to the corresponding dynamic groups to make them work well.

    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
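A worked version of the group-tag approach described in this answer, added here as an example (it is not the answerer's or Microsoft's code). It assumes the Microsoft.Graph PowerShell module and a signed-in account holding Group.ReadWrite.All and DeviceManagementServiceConfig.ReadWrite.All; the region names, group tags and serial number are constructed placeholders.

```powershell
# Added example: one Group Tag per on-prem domain, one matching Azure AD dynamic
# device group per tag. The tag travels with the device, so the target domain is
# known before any user signs in during OOBE.
Connect-MgGraph -Scopes "Group.ReadWrite.All","DeviceManagementServiceConfig.ReadWrite.All"

# Constructed placeholders: region -> Group Tag
$regions = @{
    "UK" = "AP-HAADJ-UK"
    "DE" = "AP-HAADJ-DE"
}

function New-AutopilotRegionGroup {
    param([string]$Region, [string]$GroupTag)
    # Group Tag is stored as the OrderID entry of devicePhysicalIds on the AAD device,
    # which is exactly what the membership rule from the answer matches on.
    $rule = "(device.devicePhysicalIds -any _ -eq `"[OrderID]:$GroupTag`")"
    New-MgGroup -DisplayName "Autopilot HAADJ $Region" `
        -MailEnabled:$false -MailNickname "ap-haadj-$($Region.ToLower())" `
        -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $rule `
        -MembershipRuleProcessingState "On"
}

function Set-AutopilotGroupTag {
    param([string]$SerialNumber, [string]$GroupTag)
    # Find the registered Autopilot identity by serial number, then stamp the tag
    # through the updateDeviceProperties action.
    $base = "https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities"
    $dev = (Invoke-MgGraphRequest -Method GET `
        -Uri "$base`?`$filter=contains(serialNumber,'$SerialNumber')").value | Select-Object -First 1
    if (-not $dev) { throw "Serial $SerialNumber is not registered in Autopilot" }
    Invoke-MgGraphRequest -Method POST `
        -Uri "$base/$($dev.id)/updateDeviceProperties" `
        -Body @{ groupTag = $GroupTag }
}

foreach ($r in $regions.Keys) { New-AutopilotRegionGroup -Region $r -GroupTag $regions[$r] }
# Constructed serial number; a device with this tag lands in the UK group only.
Set-AutopilotGroupTag -SerialNumber "SN-UK-0001" -GroupTag $regions["UK"]
```

The per-region Autopilot deployment profile and domain join profile are then assigned to each group in the Intune admin center; a device registered without a tag matches no group and therefore receives no domain join profile, so check for untagged devices before shipping.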


  2. Thiago Beier 1 Reputation point MVP
    2022-09-17T05:40:23.387+00:00

    hi MichalZyzak-PL
    you could do the following:

    1. import all hardware serials into Windows Autopilot devices, then have Windows Autopilot for hybrid AD joined ready (currently supporting pre-provisioning), then add a group tag to devices based on business unit/location/site
    2. the group tag is used for dynamic device groups assigned to the hybrid AD joined profiles
    3. when a new device is dispatched, assign the target user to the device
    4. if you need to pre-provision the device, do it, put it in reseal mode and ship/hand it out to the user
    5. the user initiates setup after reseal mode and wraps up the process
    6. the device is shown in ADDS, synced over to Azure AD, and shown in Azure AD as both hybrid and Azure AD (known behavior)
    7. the device is shown in the Intune portal
    8. if you need to leverage/delegate Intune access to local IT (globally), leverage scope tags and an Intune custom role for that

    limitation: conflicting GPOs between ADDS and Intune (Intune does not support GPO inheritance blocking as in ADDS)

