
Deploy Microsoft Entra hybrid joined devices by using Intune and Windows Autopilot

Important

Microsoft recommends deploying new devices as cloud-native using Microsoft Entra join. Deploying new devices as Microsoft Entra hybrid join devices isn't recommended, including through Autopilot. For more information, see Microsoft Entra joined vs. Microsoft Entra hybrid joined in cloud-native endpoints: Which option is right for your organization.

Intune and Windows Autopilot can be used to set up Microsoft Entra hybrid joined devices. To do so, follow the steps in this article. For more information about Microsoft Entra hybrid join, see Understanding Microsoft Entra hybrid join and co-management.

Requirements

Device enrollment requirements

The device to be enrolled must follow these requirements:

  • Use a currently supported version of Windows.
  • Have access to the internet following Windows Autopilot network requirements.
  • Have access to an Active Directory domain controller.
  • Successfully ping the domain controller of the domain being joined.
  • If using Proxy, Web Proxy Auto-Discovery Protocol (WPAD) Proxy settings option must be enabled and configured.
  • Undergo the out-of-box experience (OOBE).
  • Use an authorization type that Microsoft Entra ID supports in OOBE.

Although not required, configuring Microsoft Entra hybrid join for Active Directory Federation Services (AD FS) enables a faster Windows Autopilot Microsoft Entra registration process during deployments. Federated customers that don't support the use of passwords and use AD FS need to follow the steps in the article Active Directory Federation Services prompt=login parameter support to properly configure the authentication experience.

Intune connector server requirements

  • The Intune Connector for Active Directory must be installed on a computer that's running Windows Server 2016 or later with .NET Framework version 4.7.2 or later.

  • The server hosting the Intune Connector must have access to the Internet and Active Directory.

    Note

    The Intune Connector server requires standard domain client access to domain controllers, which includes the RPC port requirements it needs to communicate with Active Directory. For more information, see the following articles:

  • To increase scale and availability, multiple connectors can be installed in the environment. We recommend installing the Connector on a server that's not running any other Intune connectors. Each connector must be able to create computer objects in any domain that needs to be supported.
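The following script is an added example, not part of the Microsoft article, for checking a candidate connector host against the requirements above before running the installer. It assumes it is run elevated on the prospective server, that the domain name is the placeholder shown, and that `manage.microsoft.com` is a reasonable stand-in for "access to the Internet" (the page itself names no endpoint). The build number for Windows Server 2016 (14393) and the .NET Framework 4.7.2 `Release` value (461808) are well-known values, not taken from the page.

```powershell
# Added example (not from the Microsoft doc): preflight check for a prospective
# Intune Connector for Active Directory host. Assumes it runs elevated on the
# candidate server; the domain name below is a constructed placeholder.
$Domain = 'corp.contoso.com'   # placeholder, replace with the AD domain the connector will serve

function Test-ConnectorHostRequirements {
    param([Parameter(Mandatory)][string]$DomainName)

    $results = [ordered]@{}

    # Windows Server 2016 is build 14393; ProductType 1 is a client OS, which does not qualify.
    $os = Get-CimInstance Win32_OperatingSystem
    $results['OS is Server 2016 or later'] = ([int]$os.BuildNumber -ge 14393) -and ($os.ProductType -ne 1)

    # .NET Framework 4.7.2 and later write Release >= 461808 under the NDP registry key.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $results['.NET Framework 4.7.2 or later'] = ([int]$ndp.Release -ge 461808)

    # Locate a domain controller through the DNS SRV record the domain locator uses.
    $srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    $dc  = ($srv | Where-Object { $_.QueryType -eq 'SRV' } | Select-Object -First 1).NameTarget
    $results['DC located via DNS SRV'] = [bool]$dc

    if ($dc) {
        # Standard domain client ports: Kerberos, LDAP, SMB and the RPC endpoint mapper.
        foreach ($port in 88, 389, 445, 135) {
            $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
            $results["TCP $port to $dc"] = $ok
        }
    }

    # Internet reachability; the endpoint is an assumption, the page names none.
    $results['HTTPS to manage.microsoft.com'] =
        (Test-NetConnection -ComputerName 'manage.microsoft.com' -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

    [pscustomobject]$results
}

Test-ConnectorHostRequirements -DomainName $Domain | Format-List
```

Any `False` row is a reason to stop before installing: the connector cannot create computer objects in a domain whose controllers it cannot reach, and the installer's sign-in will not complete without Internet access.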

Set up Windows automatic MDM enrollment

  1. Sign in to the Azure portal and select Microsoft Entra ID.

  2. In the left hand pane, select Manage | Mobility (MDM and WIP) > Microsoft Intune.

  3. Make sure users who deploy Microsoft Entra joined devices by using Intune and Windows are members of a group included in MDM User scope.

  4. Use the default values in the MDM Terms of use URL, MDM Discovery URL, and MDM Compliance URL boxes, and then select Save.

Increase the computer account limit in the Organizational Unit

The Intune Connector for Active Directory creates autopilot-enrolled computers in the on-premises Active Directory domain. The computer that hosts the Intune Connector must have the rights to create the computer objects within the domain.

In some domains, computers aren't granted the rights to create computers. Additionally, domains have a built-in limit (default of 10) that applies to all users and computers that aren't delegated rights to create computer objects. The rights must be delegated to computers that host the Intune Connector on the organizational unit where Microsoft Entra hybrid joined devices are created.

The organizational unit that has the rights to create computers must match:

  • The organizational unit entered in the Domain Join profile.
  • If no profile is selected, the computer's domain name for the organization's domain.

  1. Open Active Directory Users and Computers (DSA.msc).

  2. Right-click the organizational unit to use to create Microsoft Entra hybrid joined computers > Delegate Control.

    Screenshot of the Delegate Control command.

  3. In the Delegation of Control wizard, select Next > Add > Object Types.

  4. In the Object Types pane, select the Computers > OK.

    Screenshot of the Object Types pane.

  5. In the Select Users, Computers, or Groups pane, in the Enter the object names to select box, enter the name of the computer where the Connector is installed.

    Screenshot of the Select Users, Computers, or Groups pane.

  6. Select Check Names to validate the entry > OK > Next.

  7. Select Create a custom task to delegate > Next.

  8. Select Only the following objects in the folder > Computer objects.

  9. Select Create selected objects in this folder and Delete selected objects in this folder.

    Screenshot of the Active Directory Object Type pane.

  10. Select Next.

  11. Under Permissions, select the Full Control check box. This action selects all the other options.

    Screenshot of the Permissions pane.

  12. Select Next > Finish.
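After finishing the wizard, it is worth confirming exactly which principals can create and delete computer objects in that OU, since the delegation is what lets an enrolled device land in the directory. The script below is an added example, not part of the Microsoft article; it reads the OU's ACL with the ActiveDirectory RSAT module and reports every Allow ACE carrying create-child, delete-child or full-control rights, noting whether the ACE is scoped to the `computer` class or to all object classes. The OU distinguished name and the connector's computer account are constructed placeholders; the `computer` schema class GUID is the well-known value from the AD schema.

```powershell
# Added example (not from the Microsoft doc): audit which security principals
# hold create/delete-computer-object rights on the OU used for hybrid-joined
# devices. Requires the ActiveDirectory RSAT module; the OU DN and connector
# host account below are constructed placeholders.
Import-Module ActiveDirectory

$TargetOU      = 'OU=AutopilotDevices,DC=corp,DC=contoso,DC=com'  # placeholder OU
$ConnectorHost = 'CORP\ODJCONNECTOR01$'                          # placeholder computer account

function Get-ComputerObjectDelegation {
    param([Parameter(Mandatory)][string]$OrganizationalUnitDN)

    # Schema class GUID for "computer"; an ACE scoped to this GUID applies
    # only to computer objects rather than to every child object class.
    $computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    $rights = [System.DirectoryServices.ActiveDirectoryRights]

    $acl = Get-Acl -Path "AD:\$OrganizationalUnitDN"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $createChild = $ace.ActiveDirectoryRights.HasFlag($rights::CreateChild)
        $deleteChild = $ace.ActiveDirectoryRights.HasFlag($rights::DeleteChild)
        $genericAll  = $ace.ActiveDirectoryRights.HasFlag($rights::GenericAll)
        if (-not ($createChild -or $deleteChild -or $genericAll)) { continue }

        # An empty ObjectType means the ACE covers all object classes, not just computers.
        $scope = if ($ace.ObjectType -eq $computerClassGuid) { 'computer objects only' }
                 elseif ($ace.ObjectType -eq [guid]::Empty)   { 'ALL object classes' }
                 else                                           { "other class $($ace.ObjectType)" }

        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            Scope       = $scope
            Inherited   = $ace.IsInherited
            Inheritance = $ace.InheritanceType
        }
    }
}

$delegations = Get-ComputerObjectDelegation -OrganizationalUnitDN $TargetOU
$delegations | Format-Table -AutoSize

# Flag principals other than the connector host that can create computer objects here,
# so unexpected delegations on the OU are noticed before devices start enrolling.
$delegations |
    Where-Object { $_.Identity -ne $ConnectorHost -and ($_.Rights -match 'CreateChild|GenericAll') } |
    ForEach-Object { Write-Warning "Create rights on $TargetOU also held by $($_.Identity) ($($_.Scope))" }
```

Rows marked `ALL object classes` deserve a second look: the wizard steps above scope the grant to computer objects, so a broader ACE on the same OU usually comes from an earlier, unrelated delegation.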

Install the Intune Connector

Before beginning the installation, make sure that all of the Intune connector server requirements are met.

Install steps

  1. By default, Windows Server has Internet Explorer Enhanced Security Configuration turned on. Internet Explorer Enhanced Security Configuration might cause problems signing into the Intune Connector for Active Directory. Since Internet Explorer is deprecated and in most instances not even installed on Windows Server, Microsoft recommends turning off Internet Explorer Enhanced Security Configuration. To turn off Internet Explorer Enhanced Security Configuration:

    1. On the server where the Intune Connector is being installed, open Server Manager.

    2. In the left pane of Server Manager, select Local Server.

    3. In the right PROPERTIES pane of Server Manager, select the On or Off link next to IE Enhanced Security Configuration.

    4. In the Internet Explorer Enhanced Security Configuration window, select Off under Administrators:, and then select OK.

  2. Sign into the Microsoft Intune admin center.

  3. In the Home screen, select Devices in the left hand pane.

  4. In the Devices | Overview screen, under By platform, select Windows.

  5. In the Windows | Windows devices screen, under Device onboarding, select Enrollment.

  6. In the Windows | Windows enrollment screen, under Windows Autopilot, select Intune Connector for Active Directory.

  7. In the Intune Connector for Active Directory screen, select Add.

  8. Follow the instructions to download the Connector.

  9. Open the downloaded Connector setup file, ODJConnectorBootstrapper.exe, to install the Connector.

  10. At the end of the setup, select Configure Now.

  11. Select Sign In.

  12. Enter the credentials of an Intune administrator role. The user account must have an assigned Intune license.

Note

The Intune administrator role is a temporary requirement at the time of installation.

After authenticating, the Intune Connector for Active Directory finishes installing. Once it finishes installing, verify that it is active in Intune by following these steps:

  1. Sign into the Microsoft Intune admin center.

  2. In the Home screen, select Devices in the left hand pane.

  3. In the Devices | Overview screen, under By platform, select Windows.

  4. In the Windows | Windows devices screen, under Device onboarding, select Enrollment.

  5. In the Windows | Windows enrollment screen, under Windows Autopilot, select Intune Connector for Active Directory.

  6. Confirm that the connection status in the Status column is Active.

Note

  • After signing into the Connector, it can take several minutes to appear in the Microsoft Intune admin center. It appears only if it can successfully communicate with the Intune service.

  • Inactive Intune connectors still appear in the Intune Connectors page and will automatically be cleaned up after 30 days.

After the Intune Connector for Active Directory is installed, it will start logging in the Event Viewer under the path Applications and Services Logs > Microsoft > Intune > ODJConnectorService. Under this path, Admin and Operational logs can be found.

Note

The Intune Connector originally logged in the Event Viewer directly under Applications and Services Logs in a log called ODJ Connector Service. However, logging for the Intune Connector has since moved to the path Applications and Services Logs > Microsoft > Intune > ODJConnectorService. If the ODJ Connector Service log at the original location is empty or not updating, check the new path location instead.
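The script below is an added example, not part of the Microsoft article, for checking the connector's event logs on the host. Because the page gives the log locations only as Event Viewer paths and not as channel names, the script discovers the logs with a wildcard that matches both the legacy `ODJ Connector Service` log and the newer `ODJConnectorService` channels, then summarizes recent errors and warnings and flags any log that has stopped being written to.

```powershell
# Added example (not from the Microsoft doc): locate the connector's event logs
# at both the old and new locations and summarize recent errors and warnings.
# Channel names are discovered with a wildcard because the page does not state them.
function Get-OdjConnectorLogSummary {
    param([int]$Hours = 24)

    $since = (Get-Date).AddHours(-$Hours)

    # Matches the legacy "ODJ Connector Service" log and the newer
    # Microsoft > Intune > ODJConnectorService Admin/Operational channels.
    $logs = Get-WinEvent -ListLog '*ODJ*Connector*' -ErrorAction SilentlyContinue
    if (-not $logs) {
        Write-Warning 'No ODJ Connector event logs found on this host.'
        return
    }

    foreach ($log in $logs) {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $since } `
                               -ErrorAction SilentlyContinue

        [pscustomobject]@{
            LogName     = $log.LogName
            RecordCount = $log.RecordCount
            LastWritten = $log.LastWriteTime
            Errors      = @($events | Where-Object Level -eq 2).Count   # Level 2 = Error
            Warnings    = @($events | Where-Object Level -eq 3).Count   # Level 3 = Warning
            Stale       = ($log.LastWriteTime -lt $since)               # nothing written in the window
        }
    }
}

Get-OdjConnectorLogSummary -Hours 24 | Format-Table -AutoSize
```

A log that has records but shows `Stale = True` while another channel is current is the relocation described in the note: the legacy location stopped updating and the Microsoft > Intune > ODJConnectorService channels are the ones to read.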

Configure web proxy settings

If there is a web proxy in the networking environment, ensure that the Intune Connector for Active Directory works properly by referring to Work with existing on-premises proxy servers.

Create a device group

  1. In the Microsoft Intune admin center, select Groups > New group.

  2. In the Group pane, select the following options:

    1. For Group type, select Security.

    2. Enter a Group name and Group description.

    3. Select a Membership type.

  3. If Dynamic Devices is selected for the membership type, in the Group pane, select Dynamic device members.

  4. Select Edit in the Rule syntax box and enter one of the following code lines:

    • To create a group that includes all Autopilot devices, enter:

      (device.devicePhysicalIDs -any _ -startsWith "[ZTDId]")

    • Intune's Group Tag field maps to the OrderID attribute on Microsoft Entra devices. To create a group that includes all of Autopilot devices with a specific Group Tag (OrderID), enter:

      (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")

    • To create a group that includes all Autopilot devices with a specific Purchase Order ID, enter:

      (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")

  5. Select Save > Create.
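The same dynamic group can be created from PowerShell with the Microsoft Graph SDK, which is useful when the group must be reproducible across tenants. The script below is an added example, not part of the Microsoft article; it assumes the `Microsoft.Graph.Groups` module is installed and the signed-in account holds the `Group.ReadWrite.All` scope. The group display name and Group Tag value are constructed placeholders, and the membership rules are the ones listed above.

```powershell
# Added example (not from the Microsoft doc): create the Autopilot dynamic device
# group through Microsoft Graph instead of the admin center. Assumes the
# Microsoft.Graph.Groups module and Group.ReadWrite.All; names are placeholders.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$GroupTag = 'HybridJoin-Pilot'   # placeholder Group Tag (OrderID) chosen by the admin

function New-AutopilotDynamicGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$GroupTag
    )

    # Without a tag the rule matches every Autopilot-registered device;
    # with a tag it matches only devices whose OrderID attribute carries that tag.
    $rule = if ($GroupTag) {
        "(device.devicePhysicalIds -any _ -eq ""[OrderID]:$GroupTag"")"
    } else {
        '(device.devicePhysicalIDs -any _ -startsWith "[ZTDId]")'
    }

    # Avoid creating a second group with the same name on a re-run.
    $existing = Get-MgGroup -Filter "displayName eq '$DisplayName'" -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Group '$DisplayName' already exists (id $($existing.Id)); not creating a duplicate."
        return $existing
    }

    New-MgGroup -DisplayName $DisplayName `
                -MailEnabled:$false `
                -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
                -SecurityEnabled `
                -GroupTypes @('DynamicMembership') `
                -MembershipRule $rule `
                -MembershipRuleProcessingState 'On'
}

$group = New-AutopilotDynamicGroup -DisplayName "Autopilot - $GroupTag" -GroupTag $GroupTag
$group | Select-Object Id, DisplayName, MembershipRule
```

Membership evaluation is asynchronous, so the group can show zero members for a while after creation even when registered devices carry the tag; the `MembershipRule` returned in the output is the thing to verify immediately.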

Register Autopilot devices

Select one of the following ways to enroll Autopilot devices.

Register Autopilot devices that are already enrolled

  1. Create an Autopilot deployment profile with the setting Convert all targeted devices to Autopilot set to Yes.

  2. Assign the profile to a group that contains the members that need to be automatically registered with Autopilot.

For more information, see Create an Autopilot deployment profile.

Register Autopilot devices that aren't enrolled

Devices that aren't yet enrolled into Windows Autopilot can be manually registered. For more information, see Manual registration.

Register devices from an OEM

If purchasing new devices, some OEMs can register the devices on behalf of the organization. For more information, see OEM registration.

Display registered Autopilot device

Before devices enroll in Intune, registered Windows Autopilot devices are displayed in three places (with names set to their serial numbers):

  • The Windows Autopilot Devices pane in the Microsoft Intune admin center. Select Devices > By platform | Windows > Device onboarding | Enrollment. Under Windows Autopilot, select Devices.
  • The Devices | All devices pane in the Azure portal. Select Devices > All Devices.
  • The Autopilot pane in Microsoft 365 admin center. Select Devices > Autopilot.

After the Windows Autopilot devices are enrolled, the devices are displayed in four places:

Note

After devices are enrolled, the devices are still displayed in the Windows Autopilot Devices pane in the Microsoft Intune admin center and in the Autopilot pane in Microsoft 365 admin center, but those objects are the Windows Autopilot registered objects.

A device object is pre-created in Microsoft Entra ID once a device is registered in Autopilot. When a device goes through a hybrid Microsoft Entra deployment, by design, another device object is created resulting in duplicate entries.

VPNs

The following VPN clients are tested and validated:

  • In-box Windows VPN client
  • Cisco AnyConnect (Win32 client)
  • Pulse Secure (Win32 client)
  • GlobalProtect (Win32 client)
  • Checkpoint (Win32 client)
  • Citrix NetScaler (Win32 client)
  • SonicWall (Win32 client)
  • FortiClient VPN (Win32 client)

When using VPNs, select Yes for the Skip AD connectivity check option in the Windows Autopilot deployment profile. Always-On VPNs shouldn't require this option since they connect automatically.

Note

This list of VPN clients isn't a comprehensive list of all VPN clients that work with Windows Autopilot. Contact the respective VPN vendor regarding compatibility and supportability with Windows Autopilot or regarding any issues with using a VPN solution with Windows Autopilot.

Unsupported VPN clients

The following VPN solutions are known not to work with Windows Autopilot and therefore aren't supported for use with Windows Autopilot:

  • UWP-based VPN plug-ins
  • Anything that requires a user cert
  • DirectAccess

Note

Omission of a specific VPN client from this list doesn't automatically mean it's supported or that it works with Windows Autopilot. This list only lists the VPN clients that are known not to work with Windows Autopilot.

Create and assign an Autopilot deployment profile

Autopilot deployment profiles are used to configure the Autopilot devices.

  1. Sign into the Microsoft Intune admin center.

  2. In the Home screen, select Devices in the left hand pane.

  3. In the Devices | Overview screen, under By platform, select Windows.

  4. In the Windows | Windows devices screen, under Device onboarding, select Enrollment.

  5. In the Windows | Windows enrollment screen, under Windows Autopilot, select Deployment Profiles.

  6. In the Windows Autopilot deployment profiles screen, select the Create Profile drop down menu and then select Windows PC.

  7. In the Create profile screen, on the Basics page, enter a Name and optional Description.

  8. If all devices in the assigned groups should automatically register to Windows Autopilot, set Convert all targeted devices to Autopilot to Yes. All corporate owned, non-Autopilot devices in assigned groups register with the Autopilot deployment service. Personally owned devices aren't registered to Autopilot. Allow 48 hours for the registration to be processed. When the device is unenrolled and reset, Autopilot enrolls it again. After a device is registered in this way, disabling this setting or removing the profile assignment won't remove the device from the Autopilot deployment service. Instead the devices need to be directly deleted. For more information, see Delete Autopilot devices.

  9. Select Next.

  10. On the Out-of-box experience (OOBE) page, for Deployment mode, select User-driven.

  11. In the Join to Microsoft Entra ID as box, select Microsoft Entra hybrid joined.

  12. If deploying devices off of the organization's network using VPN support, set the Skip Domain Connectivity Check option to Yes. For more information, see User-driven mode for Microsoft Entra hybrid join with VPN support.

  13. Configure the remaining options on the Out-of-box experience (OOBE) page as needed.

  14. Select Next.

  15. On the Scope tags page, select scope tags for this profile.

  16. Select Next.

  17. On the Assignments page, select Select groups to include > search for and select the device group > Select.

  18. Select Next > Create.

Note

Intune periodically checks for new devices in the assigned groups, and then begins the process of assigning profiles to those devices. Due to several different factors involved in the process of Autopilot profile assignment, an estimated time for the assignment can vary from scenario to scenario. These factors can include Microsoft Entra groups, membership rules, hash of a device, Intune and Autopilot service, and internet connection. The assignment time varies depending on all the factors and variables involved in a specific scenario.

(Optional) Turn on the enrollment status page

  1. Sign into the Microsoft Intune admin center.

  2. In the Home screen, select Devices in the left hand pane.

  3. In the Devices | Overview screen, under By platform, select Windows.

  4. In the Windows | Windows devices screen, under Device onboarding, select Enrollment.

  5. In the Windows | Windows enrollment screen, under Windows Autopilot, select Enrollment Status Page.

  6. In the Enrollment Status Page pane, select Default > Settings.

  7. In the Show app and profile installation progress box, select Yes.

  8. Configure the other options as needed.

  9. Select Save.

Create and assign a Domain Join profile

  1. In the Microsoft Intune admin center, select Devices > Manage devices | Configuration > Policies > Create > New Policy.

  2. In the create a profile window that opens, enter the following properties:

    • Name: Enter a descriptive name for the new profile.
    • Description: Enter a description for the profile.
    • Platform: Select Windows 10 and later.
    • Profile type: Select Templates, select the template name Domain Join, and select Create.
  3. Enter the Name and Description and select Next.

  4. Provide a Computer name prefix and Domain name.

  5. (Optional) Provide an Organizational unit (OU) in DN format. The options include:

    • Provide an OU in which control is delegated to the Windows device that is running the Intune Connector.
    • Provide an OU in which control is delegated to the root computers in the organization's on-premises Active Directory.
    • If this field is left blank, the computer object is created in the Active Directory default container. The default container is normally the CN=Computers container. For more information, see Redirect the users and computers containers in Active Directory domains.

    Valid examples:

    • OU=SubOU,OU=TopLevelOU,DC=contoso,DC=com
    • OU=Mine,DC=contoso,DC=com

    Invalid examples:

    • CN=Computers,DC=contoso,DC=com - a container can't be specified. Instead, leave the value blank to use the default for the domain.
    • OU=Mine - the domain must be specified via the DC= attributes.

    Make sure not to use quotation marks around the value in Organizational unit.

  6. Select OK > Create. The profile is created and displayed in the list.

  7. Assign a device profile to the same group used at the step Create a device group. Different groups can be used if there's a need to join devices to different domains or OUs.
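An invalid Organizational unit value only surfaces when a device fails to join, so it is cheaper to check the string before saving the profile. The function below is an added example, not part of the Microsoft article; it encodes the rules from step 5 (an OU-rooted DN, the domain given via DC= components, no CN= container, no surrounding quotation marks, blank allowed) and runs them over the page's valid and invalid examples plus a constructed quoted variant.

```powershell
# Added example (not from the Microsoft doc): validate an Organizational unit
# value before entering it in the Domain Join profile, applying the rules
# given for that field. The sample values at the bottom are constructed.
function Test-DomainJoinOU {
    param([AllowEmptyString()][string]$OrganizationalUnit)

    $value = $OrganizationalUnit.Trim()

    # Blank is valid: the computer object goes to the domain's default container.
    if ($value -eq '') {
        return [pscustomobject]@{ Value = $value; Valid = $true; Reason = 'blank: default container will be used' }
    }

    $reason = $null
    if     ($value -match '^"|"$|^''|''$')            { $reason = 'quotation marks around the value are not allowed' }
    elseif ($value -match '^CN=')                      { $reason = 'a container (CN=) cannot be specified; leave blank for the default' }
    elseif ($value -notmatch '^OU=')                   { $reason = 'value must begin with an OU= component' }
    elseif ($value -notmatch '(^|,)DC=')               { $reason = 'the domain must be specified via DC= attributes' }
    elseif ($value -match '(^|,)\s*(OU|DC)=\s*(,|$)')  { $reason = 'an OU= or DC= component is empty' }

    [pscustomobject]@{ Value = $value; Valid = (-not $reason); Reason = $reason }
}

# Constructed samples: the page's valid and invalid examples, a quoted variant, and blank.
@(
    'OU=SubOU,OU=TopLevelOU,DC=contoso,DC=com',
    'OU=Mine,DC=contoso,DC=com',
    'CN=Computers,DC=contoso,DC=com',
    'OU=Mine',
    '"OU=Mine,DC=contoso,DC=com"',
    ''
) | ForEach-Object { Test-DomainJoinOU $_ } | Format-Table -AutoSize
```

The first two samples and the blank value come back `Valid = True`; the CN= container, the DN without DC= components and the quoted value are each rejected with the reason the page gives for them.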

Note

The naming capability for Windows Autopilot for Microsoft Entra hybrid join doesn't support variables such as %SERIAL%. It only supports prefixes for the computer name.

Uninstall the ODJ Connector

The ODJ connector is installed locally on a computer via an executable file. If the ODJ connector needs to be uninstalled from a computer, that also needs to be done locally on the computer. The ODJ connector can't be removed through the Intune portal or through a Graph API call.

To uninstall the ODJ Connector from the computer, follow these steps:

  1. Sign into the computer hosting the ODJ connector.
  2. Right-click on the Start menu and select Settings.
  3. In the Windows Settings window, select Apps.
  4. Under Apps & features, find and select Intune Connector for Active Directory.
  5. Under Intune Connector for Active Directory, select the Uninstall button, and then select the Uninstall button again.
  6. The ODJ connector proceeds to uninstall.

Next steps

After Windows Autopilot is configured, learn how to manage those devices. For more information, see What is Microsoft Intune device management?.