How-To Configure Hybrid Azure AD Join

Complete step-by-step guide to setting up co-management (SCCM with Intune)

Enable Co-Management for Existing ConfigMgr Clients

Co-management is the term for the integration of Configuration Manager with Intune: managing the PCs in your organization while making use of the cloud for security and modern provisioning.

In this post, you will set up co-management for Windows 10 or later devices that already exist in your on-premises environment and are already enrolled in Configuration Manager.

Tasks to complete

  1. Install Azure AD connect
  2. Configure AD connect for Hybrid Azure AD join
  3. Configure a GPO in AD to auto Enable MDM
  4. Configure a Domain Trust UPN suffix in AD
  5. Configure Intune to auto-enroll devices
  6. Create collections: (Device collection and auto-enroll or Pilot) in ConfigMgr
  7. Configure ConfigMgr client agents to register with Azure AD
  8. Configure the Co-Management in ConfigMgr

Prerequisites

  1. On-premises domain controller with existing AD-joined clients (Windows 10 and later)
  2. A supported version of Configuration Manager (current branch)
  3. Azure account with an Azure Active Directory Premium license (I am using a free trial)
  4. Microsoft Intune subscription

PART 1: Install Azure AD Connect, Step-by-Step Instructions

It is highly recommended to install Azure AD Connect on a separate server that is domain joined. In this tutorial we use Windows Server 2019, which is already domain joined.

1- Log in to the server and download the Azure AD Connect installation package from the Microsoft website using this link.

2- Right-click the AzureADConnect.msi that you downloaded in the previous step and select Install.

3- In the Microsoft Azure Active Directory Connect wizard, check the license agreement box, then click Continue.

4- If you have enough experience, you can use the Customize button to specify a custom installation location or SQL server. For this tutorial we'll use the default option: click Use Express Settings.

5- Enter your Azure AD global administrator username and password, then click Next.

6- In the Sign in to your account dialog box, enter your Azure AD global administrator username and click Next, then enter the password and click Sign in.

7- In the Microsoft Azure Active Directory Connect wizard, enter your local Active Directory enterprise administrator username and password, then click Next.

8- On the Azure AD sign-in configuration screen, check the box Continue without matching all UPN suffixes to verified domains, then click Next.

Note: In this step the Active Directory UPN suffix has no match with a custom domain in Azure AD. Why? Because I do not have a custom domain registered or added to Azure AD.

If you have a registered and verified custom domain in Azure AD, ensure it matches your Active Directory UPN suffix. If you do not have a verified custom domain in Azure AD, the default .onmicrosoft.com suffix will be appended to your on-premises users.

9- The wizard is now ready to configure all required features for Azure AD Connect. Leave the box Start the synchronization process when configuration completes checked, then click Install.

10- On the Configuration complete screen, click Exit.

PART 2: Configure Azure AD Connect for Hybrid Azure AD Join

In the following steps you will enable Hybrid Azure AD join for your on-premises devices using the Azure AD Connect instance you just installed.

11- Right-click Azure AD Connect and select Open to launch the configuration wizard.

12- In the wizard, click Configure to move to the next page.

13- On the Additional tasks page, select Configure device options, then click Next.

14- On the Overview page, click Next.

15- Provide your Azure AD global administrator password (the username is populated automatically), then click Next.

16- Select the first option, Configure Hybrid Azure AD join, then click Next.

17- Again, check the first option, Windows 10 or later domain-joined devices, and click Next.

18- On the SCP configuration screen, check the box next to your domain name, then click Add. This prompts for your local domain enterprise administrator credentials; provide them and click OK to log in. On the same screen, click Next.

19- Azure AD Connect is now ready to configure the SCP (service connection point) for Hybrid Azure AD join. If you are happy, click Configure.

20- Once completed, click Exit.

PART 3: Configure a GPO in AD to Auto enable MDM

In this section, we'll configure a group policy that enables automatic enrollment into Intune. The group policy will be created in your local AD. This configuration is supported starting with Windows 10, version 1709.

Prerequisites

  1. AD-joined PC running Windows 10, version 1709 or later
  2. The enterprise has an MDM service already configured (Intune or a third-party service provider)
  3. The enterprise AD must be integrated with Azure AD.
  4. Ensure that the PCs belong to the same computer group.

1- On your domain controller, open Server Manager.

2- In the Server Manager console, click Tools, then select Group Policy Management.

3- In the Group Policy Management console, right-click the OU where you want this policy to apply (Workstations), then select Create a GPO in this domain, and Link it here…. In this tutorial we use the Workstations OU.
Note that you can also create and link the GPO at the root level of your domain.

4- In the New GPO box, give your group policy a name, then click OK.

5- Right-click the new group policy you just created, then select Edit.

6- Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > MDM.

7- Select MDM, then right-click Enable automatic MDM enrollment using default Azure AD credentials and choose Edit.

8- In the setting's dialog, choose the Enabled radio button, then click Apply and OK.

9- Add the security group that your workstations are members of. To do this, click the GPO we created earlier and, under Security Filtering, click Add. Search for the Workstations security group, then click OK.

NB: You MUST have created a security group for the client systems inside your local Active Directory. Also, delete the pre-existing ‘Authenticated Users’ entry under Security Filtering.

10- Your policy is now ready to be used. Close all the Group Policy windows. On the local workstation, you can force the policy to take effect by running the command gpupdate /force and pressing ENTER, then rebooting the system.
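As an added example (not part of the original guide), steps 3 through 9 above can be scripted with the GroupPolicy PowerShell module on the domain controller. The GPO name, the OU distinguished name and the Workstations group name are assumptions to adjust for your domain.

```powershell
# Added example, not from the original guide. Requires the GroupPolicy module (RSAT/GPMC).
Import-Module GroupPolicy
$GpoName     = 'MDM Auto Enrollment'                    # assumption: any name you like
$OuDn        = 'OU=Workstations,DC=contoso,DC=local'    # assumption: the Workstations OU
$TargetGroup = 'Workstations'                           # assumption: security group of client PCs
$PolicyKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

# Steps 3-4: create the GPO once; reuse it if the script is run again.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Enable automatic MDM enrollment using default Azure AD credentials'
}

# Steps 5-8: the "Enable automatic MDM enrollment using default Azure AD credentials" setting
# writes these two values. AutoEnrollMDM=1 enables it; UseAADCredentialType=1 is User Credential.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'AutoEnrollMDM'        -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'UseAADCredentialType' -Type DWord -Value 1 | Out-Null

# Step 3: link to the OU (skip if a link already exists).
$linked = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null }

# Step 9 and the NB: apply to the Workstations group, drop Authenticated Users.
# The computer accounts keep Read access because they are members of $TargetGroup,
# and GpoApply grants both Read and Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName $TargetGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null

# Show the resulting security filtering for review.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Clients still need gpupdate /force (or a reboot) before the scheduled enrollment task appears on them.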

PART 4: Configure a Domain Trust UPN suffix in AD

Next, configure the domain trust UPN suffix. This is performed on your local Active Directory domain controller.

11- In the Server Manager console, click Tools, then select Active Directory Domains and Trusts.

12- Right-click Active Directory Domains and Trusts and choose Properties.

13- In the Active Directory Domains and Trusts properties window, type your UPN suffix, click Add, then Apply and finally OK.

For this tutorial we are using an Azure AD trial, so the UPN suffix is provided by Microsoft: my Azure directory name followed by onmicrosoft.com.

If you have a custom UPN suffix registered in Azure AD, you should use it here; otherwise use the Microsoft-provided one.

14- You can now apply the UPN suffix to a ConfigMgr admin user. (This is the same user I'll use to auto-enroll all devices in Intune. Optionally, you can assign the Intune license to selected users or to all your users so they can auto-enroll their own devices.) Click Apply, then OK.
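Added example, not from the original guide: steps 13 and 14 done with the ActiveDirectory PowerShell module. It also lists enabled users whose UPN suffix is not one Azure AD Connect can match to a verified domain, which is the situation the note in Part 1 describes. The suffix list, the admin account name and the WhatIf switch are placeholders.

```powershell
# Added example, not from the original guide. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
$UpnSuffix        = 'contoso.onmicrosoft.com'                  # assumption: your tenant's default or verified domain
$RoutableSuffixes = @('contoso.onmicrosoft.com', 'contoso.com') # assumption: every suffix verified in Azure AD
$AdminUser        = 'cmadmin'                                  # assumption: sAMAccountName of the ConfigMgr admin user
$WhatIf           = $true                                      # set to $false to actually write changes

# Step 13: register the suffix at the forest level (idempotent).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $UpnSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $UpnSuffix } -WhatIf:$WhatIf
} else {
    "Suffix $UpnSuffix is already registered in forest $($forest.Name)."
}

# Users whose suffix is not verified in Azure AD get the default .onmicrosoft.com
# suffix at sync time (see Part 1). Report them so they can be fixed deliberately.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName
$nonRoutable = @($users | Where-Object {
    $suffix = ($_.UserPrincipalName -split '@')[-1]
    -not $_.UserPrincipalName -or $suffix -notin $RoutableSuffixes
})
'{0} enabled user(s) have a UPN suffix that Azure AD Connect cannot match:' -f $nonRoutable.Count
$nonRoutable | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# Step 14: apply the routable suffix to the ConfigMgr admin user.
Set-ADUser -Identity $AdminUser -UserPrincipalName "$AdminUser@$UpnSuffix" -WhatIf:$WhatIf
Get-ADUser -Identity $AdminUser -Properties UserPrincipalName | Select-Object SamAccountName, UserPrincipalName
```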

| You have now officially configured your domain controller to auto enroll device in Intune |

PART 5: Configure Intune to Auto Enroll Devices

In this section you will configure Intune to auto-enroll your device(s).

1- Log in to the Azure portal with your credentials, then select Azure Active Directory.

2- In the Azure AD blade, choose Mobility (MDM and MAM), then select Microsoft Intune.

3- In Microsoft Intune, set MDM user scope to All, then click Save.

4- Also, log in to https://endpoint.microsoft.com and navigate to All services > Devices > Enroll devices. Ensure your settings match the image below.

| You have now officially configured Intune to auto-enroll devices that are Hybrid Azure AD joined |

PART 6: Create Device Collections in ConfigMgr

In this section you will create two collections:

  1. All Clients collection: this collection holds all client systems
  2. Pilot or auto-enroll collection: devices added here will auto-enroll in Intune (these devices come from the All Clients collection created first)

I'll explain later in this tutorial why we need these two collections.

Assuming you already have Configuration Manager running on premises, you will now set up co-management within ConfigMgr for your Windows 10 or later devices already enrolled in Configuration Manager. You start by creating the device collections you'll use.

  1. All Clients collection: you can name it ‘Windows Desktops’

1- Launch the Configuration Manager console, right-click Device Collections and choose Create Device Collection.

2- In Specify details for this collection, give the collection a name, click Browse and select All Systems as the limiting collection. Now click Next.

3- In Membership Rules, click Add Rule, then select Direct Rule.

4- On the next wizard page, click Next.

5- Configure the parameters for searching for resources. Leave Resource class as System Resource and Attribute name as Name. In the Value field type the % sign (the wildcard), then click Next.

6- Select the resource(s) that will be members of this collection, then click Next.

7- On the Progress page click Next, and on the Completion page click Close.

8- Back in the Create Device Collection wizard, review the Membership Rules (the clients matched by the rule), then click Next.

9- Review the Summary; if all looks good, click Next, then Next again on the Progress page, and finally Close to complete this action.

  2. Pilot or auto-enroll collection: you can name it ‘Intune Auto Enroll’ or ‘Pilot’

Follow exactly the same steps (Part 6) used above for creating the All Clients collection.

For the Intune Auto Enroll collection, in the Select Resources section include only the device(s) that you want to auto-enroll in Intune.

At the end you need to have both collections ready, as shown below:

PART 7: Configure ConfigMgr client agents to register with Azure AD

Now we need to configure the ConfigMgr client for cloud services.

10- In the Configuration Manager console, choose Administration, right-click Client Settings and select Create Custom Device Client Settings.

11- Give the custom device settings a name, and a description if you like. Check the box Cloud Services and click OK.

12- Back in Client Settings, right-click the Cloud Services settings you just created and choose Properties.

13- In the Cloud Services settings, set Allow access to cloud distribution point and Automatically register new Windows 10… to Yes.

Leave Enable clients to use a cloud management gateway set to No. I discuss this in another topic.

14- Deploy your custom Cloud Services settings. In Administration > Client Settings, right-click Cloud Services and select Deploy. Choose the device collection to deploy to; in this tutorial we choose the Intune Auto Enroll collection.

PART 8: Configure Co-management in ConfigMgr

Here you configure how your devices will be joined to Azure AD in a Hybrid Azure AD join scenario.

15- In the Configuration Manager console, under Administration, expand the Cloud Services folder, then right-click Co-management and select Configure co-management.

16- In the Co-management Configuration Wizard, you create the cloud attach:

Azure environment: select AzurePublicCloud

Click Sign In, then provide your Azure AD global administrator credentials.

Leave all other settings untouched and click Next.

17- For Configure upload, choose Specific collection, click Browse and choose the device collection we created earlier (Windows Desktops), then click Next.

18- You need to enable automatic enrollment in Intune. We don't want to auto-enroll all devices, so choose Pilot, click Browse and choose the second device collection we created earlier, then click Next.

Before moving to the next step, remember I said I'd explain why we created two device collections. It is because we do not want all devices found in Configuration Manager to be uploaded to Microsoft Endpoint Manager (unless specific business requirements exist).

The Windows Desktops collection includes ONLY client systems, which are a subset of all devices (including servers) in your on-premises ConfigMgr. This collection was created so that only client devices are uploaded.

The Intune Auto Enroll collection: now that all client systems have been uploaded to Microsoft Endpoint Manager, we only want some of them (a pilot batch) to auto-enroll in Intune, so this collection was created.

19- In the Workloads tab, move the workloads as needed, then click Next.

20- Specify the Intune pilot device collection (in this case Intune Auto Enroll), and click Next.

21- Confirm your settings and click Next.

22- Wait for the validation process to finish. If no errors are found, click Close.

Validating Your Configuration

Before validating your configuration, remember that it might take up to 24 hours before your device appears in Azure AD with the Join Type column showing Hybrid Azure AD joined.

On your client system, log in with an account that is authorized to enroll devices in Intune.

Run the command dsregcmd.exe /status and press ENTER. The result should show AzureAdJoined: Yes.

Log in to Azure AD and Microsoft Endpoint Manager online. Make sure you can see your device(s) shown as Hybrid Azure AD joined and co-managed, respectively.

If, after following this tutorial, your device doesn't enroll, check for errors:

Check Task Scheduler for the enrollment service process

The auto-enrollment process is triggered by a scheduled task that runs every 5 minutes for 1 day (in Task Scheduler, navigate to Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt). This task appears only if the Enable automatic MDM enrollment using default Azure AD credentials group policy (Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) has been successfully applied to the target machine.

Auto Enrollment Errors

If ConfigMgr displays an error message such as MDM enrollment hasn’t been configured yet on AAD, or the enrollment URL isn’t expected, you can verify the error in the ConfigMgr console.

Troubleshooting

  • Ensure that the UPN suffix and the GPO for MDM auto-enrollment are correctly configured.
  • Connect to the target client device and check its registry entries. We frequently see errors related to outdated enrollment entries in the registry (HKLM > Software > Microsoft > Enrollments). If a device has been enrolled before (in any MDM solution, not only Intune), the enrollment information added to the registry looks like this:
  • If you do not know which registry key to remove, go for the key that displays the most entries, as in the screenshot above. All other keys display fewer entries, as in the screen capture below:

If for any reason you are still unable to validate your configuration, or your devices do not auto-enroll in Intune, read the section troubleshoot auto-enrollment of devices in the official Microsoft guide.

A final word of caution: remember that it takes time for your devices to become Hybrid Azure AD joined, so wait several minutes or hours to find out whether a fix solved your issue.
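The following script is an added example (not from the original post) that gathers, on one client, the evidence the validation and troubleshooting sections describe: the dsregcmd join state, whether the MDM policy registry values from Part 3 arrived, the EnterpriseMgmt scheduled task, and the GUID keys under HKLM\SOFTWARE\Microsoft\Enrollments sorted by how populated they are. The registry paths and value names are the ones the policy and the enrollment client actually use; run it in an elevated PowerShell after gpupdate /force and a reboot.

```powershell
# Added example, not from the original guide. Read-only: it reports, it does not delete anything.

# 1. Join state: parse the "Key : Value" lines that dsregcmd /status prints.
$dsreg = @{}
dsregcmd.exe /status | ForEach-Object {
    if ($_ -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') { $dsreg[$matches[1]] = $matches[2] }
}

# 2. Values written by "Enable automatic MDM enrollment using default Azure AD credentials".
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue

# 3. The enrollment task lives in a GUID folder under \Microsoft\Windows\EnterpriseMgmt\.
$task = Get-ScheduledTask | Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' }

$checks = [ordered]@{
    'DomainJoined (dsregcmd)'     = $dsreg['DomainJoined']  -eq 'YES'
    'AzureAdJoined (dsregcmd)'    = $dsreg['AzureAdJoined'] -eq 'YES'
    'AutoEnrollMDM policy = 1'    = [bool]($pol -and $pol.AutoEnrollMDM -eq 1)
    'UseAADCredentialType set'    = [bool]($pol -and $pol.UseAADCredentialType -in @(1, 2))
    'EnterpriseMgmt task present' = [bool]$task
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-30} {1}' -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' })
}

# 4. Enrollment records: one GUID subkey per enrollment (any MDM, not only Intune).
#    The guide's advice is to look at the most populated key when cleaning up stale ones.
$enrollKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$records = Get-ChildItem -Path $enrollKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' } |
    ForEach-Object {
        [pscustomobject]@{
            Key             = $_.PSChildName
            SubKeys         = $_.SubKeyCount
            Values          = $_.ValueCount
            ProviderID      = $_.GetValue('ProviderID')       # Intune enrollments typically show "MS DM Server"
            EnrollmentState = $_.GetValue('EnrollmentState')
        }
    }
"`nEnrollment keys under $enrollKey (most populated first):"
$records | Sort-Object SubKeys, Values -Descending | Format-Table -AutoSize
```

A device that has never been MDM-enrolled lists no GUID keys at all; several GUID keys with a ProviderID on a device that keeps failing is the stale-enrollment situation the troubleshooting bullets describe.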

Thanks for using this guide.