Microsoft Intune Autopilot Hybrid Entra ID Join (Azure AD) – The Complete Guide for Deployment

 

Microsoft Intune Autopilot Hybrid Entra ID (Azure AD) Join – The Complete Guide

Welcome to our comprehensive guide on setting up Microsoft Intune Autopilot Hybrid Entra ID (Azure AD) Join. This guide will walk you through each step to ensure a smooth and efficient deployment.

Table of Contents

1. Prerequisites
2. Configure the Server Stuff for Microsoft Intune Autopilot Hybrid Entra ID
3. Setup and Configure AD Connect
   • Setup AD Connect
   • Configure AD Connect for Microsoft Intune Autopilot Hybrid Entra ID
4. Setup and Configure the Intune Connector
5. Configure Local AD OU Delegate Control for Microsoft Intune Autopilot Hybrid Entra ID
6. Configure the Intune Stuff
   • Create an Autopilot Hybrid Deployment Profile
   • Create an Intune Hybrid Domain Join Configuration Profile
   • Create the ESP (Enrollment Status Page) – Not to be used in an Autopilot Hybrid Entra ID join! See Breakpoint 5
   • Create Dynamic Device Groups Based on Group Tags
7. Clarifying
   • Group Tags
   • Creating Dynamic Groups
8. Things That Can Go Wrong
   • Breakpoint 1 – No Branded Sign-In Screen
   • Breakpoint 2 – Windows Autopilot Hybrid Azure AD Join
   • Breakpoint 3 – Skip Connectivity Check
   • Breakpoint 4 – Enrollment Status Page Issue
   • Breakpoint 5 – The Device Won’t Fetch the Required User Token (Azure AD PRT)
   • Breakpoint 6 – Duplicate Devices with Different Enrollment Status (Not Really a Breakpoint)
9. Enrolling a Device
10. Conclusion

Prerequisites

Before you begin, ensure you have:

• An active Azure subscription.
• Azure AD and on-premises AD configured.
• Azure AD Connect installed and configured.
• Microsoft Intune subscription.
• Appropriate licenses for Windows 10/11 Enterprise.

Configure the Server Stuff for Microsoft Intune Autopilot Hybrid Entra ID

Ensure your server environment is ready for hybrid Azure AD join. This includes configuring DNS, network settings, and ensuring connectivity between your on-premises environment and Azure.

Setup and Configure AD Connect

Setup AD Connect

1. Download and Install AD Connect:

   • Download the latest version of Azure AD Connect from the Microsoft website.
   • Install it on a server that meets the system requirements.
     
     
     

2. Run the AD Connect Wizard:

• Follow the wizard to configure synchronization between your on-premises AD and Azure AD.
  

  

  
  

Configure AD Connect for Microsoft Intune Autopilot Hybrid Entra ID

1. Configure Hybrid Azure AD Join:
   • In the AD Connect wizard, select the option to configure hybrid Azure AD join.
   • Ensure the correct domains are selected for synchronization.
     
     
     
     
     
     

Setup and Configure the Intune Connector

1. Install the Intune Connector:
   • Download and install the Intune Connector for Active Directory on a server in your on-premises environment.
   • Register the connector with your Intune tenant.
     

     

     
     
     
     

Configure Local AD OU Delegate Control for Microsoft Intune Autopilot Hybrid Entra ID

1. Delegate Control:
   • In Active Directory Users and Computers, delegate control of the OU where your devices will be created to the Intune Connector service account.
     

     
     

     

     

     

     

     
     

     
     

     
     

     
     
     
     

Configure the Intune Stuff

Create an Autopilot Hybrid Deployment Profile

1. Navigate to Intune:
   • Go to the Microsoft Endpoint Manager admin center.
   • Create a new Windows Autopilot deployment profile and select Hybrid Azure AD join.

Create an Intune Hybrid Domain Join Configuration Profile

1. Create Configuration Profile:
   • In Intune, create a new configuration profile for Windows 10/11.
   • Configure the profile for hybrid Azure AD join.

Create the ESP (Enrollment Status Page) – Not to be used in an Autopilot Hybrid Entra ID join! See Breakpoint 5

1. Create ESP:
   • Create an Enrollment Status Page profile in Intune, but note that it should not be used for hybrid Azure AD join scenarios.

Create Dynamic Device Groups Based on Group Tags

Group Tags

1. Define Group Tags:
   • Use group tags to organize devices in Intune.

Creating Dynamic Groups

1. Create Dynamic Groups:
   • In Azure AD, create dynamic device groups based on the group tags assigned to your devices.

Things That Can Go Wrong

Breakpoint 1 – No Branded Sign-In Screen

• Ensure branding is configured correctly in Azure AD.

Breakpoint 2 – Windows Autopilot Hybrid Azure AD Join

• Verify network connectivity and AD Connect configuration.

Breakpoint 3 – Skip Connectivity Check

• Ensure devices can reach the necessary endpoints.

Breakpoint 4 – Enrollment Status Page Issue

• Do not use ESP for hybrid Azure AD join scenarios.

Breakpoint 5 – The Device Won’t Fetch the Required User Token (Azure AD PRT)

• Check device registration and synchronization status.

Breakpoint 6 – Duplicate Devices with Different Enrollment Status (Not Really a Breakpoint)

• Clean up duplicate device entries in Intune and Azure AD.

Enrolling a Device

1. Enroll Device:
   • Follow the standard Windows Autopilot enrollment process for hybrid Azure AD join.

Conclusion

By following this guide, you can successfully configure Microsoft Intune Autopilot Hybrid Entra ID join. This setup ensures seamless device management and security for your organization.

---