
Intune in a hybrid AD environment, joining computers only to cloud.

Currently in the planning and testing phase of deploying Intune to our facility. Some quick pertinent facts:

  • Hybrid AD
  • Manufacturing
  • 300-ish users, 20 remote users included
  • Split Win10 and Win11
  • Archaic LOB software that requires hand configuration each time
  • Getting Intune + Autopilot ready so we can roll out Win11 laptops to office workers as easily as possible
  • Going full cloud AD is on the roadmap, but not imminent

I've consulted with some other sysadmins, and they've recommended making sure that the laptops are only Entra joined, as there are limits as to what you can do with Autopilot for hybrid devices.


I've been reading through the documentation, and have been getting dead links everywhere, as well as no clear path forward. I've gotten some test devices, set up during OOBE by logging in with a domain account, and when I run dsregcmd on them I get the following results.


+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

AzureAdJoined : NO
EnterpriseJoined : NO
DomainJoined : YES
DomainName : [DOMAIN NAME]
Device Name : [DEVICE NAME]

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

NgcSet : NO
WorkplaceJoined : YES
WorkAccountCount : 1
WamDefaultSet : NO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

AzureAdPrt : NO
AzureAdPrtAuthority : NO
EnterprisePrt : NO
EnterprisePrtAuthority : NO

+----------------------------------------------------------------------+
| Work Account 1                                                       |
+----------------------------------------------------------------------+

WorkplaceDeviceId : 7d32ce6a-d808-40e1-9b62-364cfe721c4a
WorkplaceThumbprint : D154009D6F6BEF2F1BE65CDCFCC3ACAD1ED9E560
DeviceCertificateValidity : [ 2023-11-09 17:08:45.000 UTC -- 2033-11-09 17:38:45.000 UTC ]
KeyContainerId : ebbd8f5a-ce98-4859-a071-6d46811a17f1
KeyProvider : Microsoft Platform Crypto Provider
TpmProtected : YES
WorkplaceIdp : login.windows.net
WorkplaceTenantId : 1bb841c5-79dd-4f6f-8ffa-1c73e03e5ab1
WorkplaceTenantName : ~
WorkplaceMdmUrl :
WorkplaceSettingsUrl :
NgcSet : NO

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

Diagnostics Reference : www.microsoft.com/aadjerrors
User Context : UN-ELEVATED User
Client Time : 2023-11-09 19:00:10.000 UTC
AD Connectivity Test : PASS
AD Configuration Test : FAIL [0x80070002]
DRS Discovery Test : SKIPPED
DRS Connectivity Test : SKIPPED
Token acquisition Test : SKIPPED
Fallback to Sync-Join : ENABLED

Previous Registration : 2023-11-09 18:59:50.000 UTC
Error Phase : discover
Client ErrorCode : 0x801c001d
Executing Account Name : [domain account, domain account]

+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+

Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+

Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

IsDeviceJoined : NO
IsUserAzureAD : NO
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision

For more information, please visit https://www.microsoft.com/aadjerrors
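The output above is the kind of thing a practitioner ends up reading by eye on every test device, so here is an added example (not code from the original post) that turns dsregcmd /status text into a join-state summary. A device whose Device State shows DomainJoined YES and AzureAdJoined NO is joined to on-prem AD only; the WorkplaceJoined YES under User State is a user-level Entra registration (a work account added during OOBE), not a device join. The parsing rules, the sample text (a constructed copy of the relevant sections of the output quoted above), and the verdict strings are all this example's own assumptions. The SCP lookup assumes the standard location of the hybrid-join Service Connection Point in the forest configuration partition, and the reading of 0x80070002 (the Win32 "file not found" code) in the AD Configuration Test as "SCP not found" is an interpretation, which is why the script checks the SCP directly instead of asserting the cause.

```powershell
# Added example, not the original post's code. Parses dsregcmd /status output,
# classifies the join state, and (optionally) looks up the hybrid-join SCP.

function ConvertFrom-DsregStatus {
    # Builds @{ 'Section Name' = @{ Key = Value } } from dsregcmd's boxed text.
    param([Parameter(ValueFromPipeline = $true)][string[]]$Line)
    begin   { $status = @{}; $section = 'Preamble' }
    process {
        foreach ($l in $Line) {
            $t = $l.Trim()
            if ($t -match '^\|\s*(.+?)\s*\|$') {                  # "| Device State |"
                $section = $Matches[1]
                if (-not $status.ContainsKey($section)) { $status[$section] = @{} }
            } elseif ($t -like 'For more information*' -or $t -match '^\+-+\+$') {
                continue                                           # footer line and box borders
            } elseif ($t -match '^([^:]+?)\s*:\s*(.*)$') {        # "Key : Value"; value may itself contain ':'
                if (-not $status.ContainsKey($section)) { $status[$section] = @{} }
                $status[$section][$Matches[1].Trim()] = $Matches[2].Trim()
            }
        }
    }
    end { $status }
}

function Get-JoinSummary {
    param([hashtable]$Status)
    $dev  = $Status['Device State'];  $user = $Status['User State']
    $sso  = $Status['SSO State'];     $diag = $Status['Diagnostic Data']

    $entraJoined  = $dev['AzureAdJoined']    -eq 'YES'
    $domainJoined = $dev['DomainJoined']     -eq 'YES'
    $registered   = $user['WorkplaceJoined'] -eq 'YES'   # user-level Entra registration, not a device join

    $joinType = if ($entraJoined -and $domainJoined) { 'Hybrid Entra joined' }
                elseif ($entraJoined)                  { 'Entra joined (cloud-only)' }
                elseif ($domainJoined)                 { 'On-prem AD joined only' }
                else                                   { 'Not joined' }

    # Assumption/interpretation: a domain-only device that failed in the "discover"
    # phase never located its tenant, so the SCP (or the client-side override under
    # HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD) is the first thing to check.
    $verdict = if ($joinType -eq 'On-prem AD joined only' -and $diag['Error Phase'] -eq 'discover') {
        'Hybrid-join attempt failed before finding the tenant; verify the SCP or the CDJ\AAD registry override.'
    } elseif ($joinType -eq 'Entra joined (cloud-only)') {
        'Cloud-only join; no hybrid-join dependency on on-prem AD.'
    } else { 'No automatic verdict.' }

    [pscustomobject]@{
        JoinType         = $joinType
        EntraRegistered  = $registered
        HasPrt           = $sso['AzureAdPrt'] -eq 'YES'
        AdConfigTest     = $diag['AD Configuration Test']
        ErrorPhase       = $diag['Error Phase']
        ClientErrorCode  = $diag['Client ErrorCode']
        FallbackSyncJoin = $diag['Fallback to Sync-Join']
        Verdict          = $verdict
    }
}

function Test-DeviceRegistrationScp {
    # Reads the hybrid-join SCP from the forest configuration partition. Assumes the
    # well-known object name 62a0ff2e-97b9-4088-9c5b-0d5a0b1f7d0c and a session with
    # line of sight to a domain controller. Keywords should carry azureADId/azureADName.
    $cfg     = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $scpPath = "LDAP://CN=62a0ff2e-97b9-4088-9c5b-0d5a0b1f7d0c,CN=Device Registration Configuration,CN=Services,$cfg"
    try   { $scp = [ADSI]$scpPath; [pscustomobject]@{ Found = $true;  Keywords = @($scp.keywords) } }
    catch { [pscustomobject]@{ Found = $false; Keywords = @(); Error = $_.Exception.Message } }
}

# Constructed sample: the relevant sections of the output quoted in the post.
$sample = @'
+-------------------+
| Device State |
+-------------------+
AzureAdJoined : NO
EnterpriseJoined : NO
DomainJoined : YES
+-------------------+
| User State |
+-------------------+
WorkplaceJoined : YES
+-------------------+
| SSO State |
+-------------------+
AzureAdPrt : NO
+-------------------+
| Diagnostic Data |
+-------------------+
AD Connectivity Test : PASS
AD Configuration Test : FAIL [0x80070002]
Fallback to Sync-Join : ENABLED
Error Phase : discover
Client ErrorCode : 0x801c001d
'@

$status = $sample -split "`r?`n" | ConvertFrom-DsregStatus
Get-JoinSummary $status | Format-List
# On a real device, feed it the live output instead:
#   $status = dsregcmd /status | ConvertFrom-DsregStatus
#   if ((Get-JoinSummary $status).ErrorPhase -eq 'discover') { Test-DeviceRegistrationScp }
```

For the sample above the summary reports JoinType "On-prem AD joined only", EntraRegistered True, HasPrt False, and the discover-phase verdict; on a device that was instead Entra joined during OOBE (the route the other sysadmins recommended), AzureAdJoined YES with DomainJoined NO classifies as "Entra joined (cloud-only)" and no SCP check is needed.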

