Thinking about Intune Autopilot? Do NOT Domain Join!

Azure AD joined devices are just as capable of accessing on-premises resources such as file shares, printers, and apps as domain joined or hybrid joined devices.

There is no need to join your computers to your on-premises domain to allow access to on-premises resources. It's not a requirement, and it's not a good idea.

#SayNoToDomainJoin

Comments
Author

I have AD Connect and SSO works flawlessly; in addition, you can now use cloud Kerberos to allow for using Windows Hello to access domain resources.

justjava
Author

There are some IT admin tasks that can only be accessed/managed via an on-prem joined machine, like editing Certificate Services templates and editing GPO WMI filters. Also, the user experience for AD management isn't as nice as domain joined (you always need to specify the domain; auto-discovery of things like DHCP servers, DNS, CS doesn't work). For end users, this is definitely a great experience (unless you have on-prem printers that need to be deployed). Universal Print is a solution, but it can be costly as it's per print.

MrMarcLaflamme
Author

Very nice. Can you show a printing demo too? Also, can you show what happens to the local admin group right after you AAD join the PC?

jktification
Author

So my only question for this that seems to be left out is: what is configured on the local server that allows it to speak to the Azure AD joined machines? I'm assuming you've configured Azure AD Connect so that authentication is happening to identify your cloud user with the on-prem domain.

tbrown
Author

Hi, no it did not. I assume the domain is the same as the FQDN of the tenant; it then used the <password> you entered, which will have come from AD Connect sync. However, if you set up Hello for Business, next time you log in using the Hello PIN it will prompt for credentials, which you can enter and store. Another way is to set up a key share trust, and it will allow you access to local resources; however, you will need to wait up to 30 minutes before the resources are available, as the workflow relies on AD sync to occur.

bjorntheviking
Author

(1) - Can you do this test again, but in more detail:
1. Is the file server AAD joined or just local AD joined?
2. What's the share setup & security? Please remove the Everyone group or any other group those users are in.
3. Try a different VM per user.

(2) - Can you make all devices AAD joined, no local AD, and still create shares and access them?

fbifido
Author

Thanks for the information. I was expecting a prompt to log in for the second user.
I'm guessing that the only thing the client computer won't get is on-premises GPOs.

eyadabu-khiran
Author

What DNS are you utilizing to resolve on-prem devices?

qbansir
Author

Recently had this problem where a number of users were created on the domain to be given an E2 email license in a hybrid setup. The problem is that when disabling inactive on-prem users, those E2 users are also disabled.

KefashWhite
Author

Thanks for the video. I myself was lately looking into authenticating to an AD domain from an AAD joined machine by using certificates and WHfB KDC authentication, and it works great. But you don't use any certificates, do you?

What I'm curious about is what build of Windows 10 client you use in your video.
Is it a 21H2 client, and is this an example of the new Windows Hello Cloud Connect, which lets you seamlessly authenticate to AD from AAD joined devices?

I'm just asking because I'm very interested in the new WHfB Cloud Connect. And as far as I can see in your video, there is no way your marketing users could just jump to the file share without any type of authentication prompt. So I thought it is the new WHfB Cloud Connect.

BasdeKoningDH
Author

Do you always have to use that \\cm1\ to access the file shares? What about the printers… I am actually having the issue where my Autopilot devices cannot connect to my on-prem printers for the same reason… 😢

rayanthonymorris
Author

Great video, but I am not sure how you had connectivity to your DC without a VPN, since the Autopilot device is not in direct line of sight with the DC. Can you advise how you did this?

generalemmaeze
Author

My biggest issue is that I use PDQ Inventory and Deploy to install and keep applications up to date, as well as keeping an inventory of devices. So, as far as I am aware, I have to keep them domain joined if I want to keep these features, yeah?

bretthopkins
Author

Great video. I am planning on moving my file server, with a SQL database on the same server, from the on-prem environment to Azure. Do I also need to move my domain controller to the cloud? Then do I use Azure AD joined machines only, or do I use Hybrid AD Join? I just need some direction on how to proceed. I want to be able to access my network shares from cloud only. This will be a cloud-only solution.

genovjillella
Author

Mind blown! Thank you sir... more great stuff... new follower!

jeffhaley
Author

Please can you advise how this actually works? Is this done via a VNet in Azure that is linked to the on-prem network? Thanks

Athrs
Author

In a bigger company there might be more services than SMB. Some of them rely on on-prem characteristics, like OUs, custom fields and such.
The move of implementing a new technology and pushing everyone to change everything around is just proof of a company that does not care about its long-term customers.

hobetto
Author

Very interesting video. Thanks.
But now I'm confused. The share is a local resource, not in the cloud. So the ACLs are set locally, and your user gets access in theory as per the token that the local DC should be giving to that user.
So, OK, the computer does not need to be replicated into AD and Azure AD, but the user does. Isn't it?
And who is authenticating the user in your test, the local AD or your Azure AD? Did you have connectivity to the local DC when doing the test?

Thank you so much in advance.

GuillermoVelezEgea
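A client-side check for the two questions raised above (whether the password comes from AD Connect sync, and whether the local AD or Azure AD is the one authenticating the user to the share), added here as an example and not code from the video: it reads the device's join state from dsregcmd and asks Windows for a Kerberos service ticket for the share host. The host name cm1 is taken from an earlier comment; replace it with your own file server.

```powershell
# Added verification script (not from the video). Assumes a Windows 10/11 client,
# run as the signed-in user. 'cm1' is the share host mentioned in the comments;
# replace it with your own file server name.
$ShareHost = 'cm1'

# 1. Join state. For a pure Azure AD joined device we expect
#    AzureAdJoined : YES and DomainJoined : NO.
$dsreg = dsregcmd /status
function Get-DsregValue([string[]]$Lines, [string]$Key) {
    foreach ($l in $Lines) {
        if ($l -match "^\s*$([regex]::Escape($Key))\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}
$joinState = [ordered]@{
    AzureAdJoined = Get-DsregValue $dsreg 'AzureAdJoined'
    DomainJoined  = Get-DsregValue $dsreg 'DomainJoined'
    TenantName    = Get-DsregValue $dsreg 'TenantName'
}
$joinState

# 2. Request a service ticket for the share. If on-prem Kerberos is working, the
#    realm after '@' in the 'Server:' line is your AD domain, i.e. the on-prem KDC
#    issued it (the synced password or WHfB trust made that possible).
$ticketReq = klist get "cifs/$ShareHost" 2>&1
$ticketReq | Where-Object { $_ -match '^\s*(Client|Server|KerbTicket Encryption Type):' }

# 3. List all cached tickets. A krbtgt ticket for the AD realm means the user
#    authenticated to AD itself, not only to Azure AD. An error in step 2 and no
#    tickets here means SMB fell back to NTLM or prompted for credentials, which is
#    the behaviour described in the comments above.
klist | Where-Object { $_ -match '^\s*Server:' }
```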
Author

Are there any prerequisites for this scenario to work? The PC doesn't need to be hybrid joined, but is AAD Connect with password hash sync a requirement, with device objects being synced to the DC?

niranmanandhar
Author

Hi, can Azure AD joined devices access PKI certificates from an on-premises CA server? Our corporate wireless requires a user and device certificate.

JulioJMendez