Disclaimer: This information is really old. Like pre-pandemic old, the before-before times. Microsoft has made a lot of improvements to the Windows OS since this material was pulled together. If your Windows device has a build older than 20H2, we strongly suggest that first you do a full upgrade to a recent build before moving forward with Hybrid Join, Intune, or MS365 subscription-based Windows 10 E3/E5 licenses.
If you need additional help after reviewing this material, please see our Support Page for info regarding how to contact us and schedule a consultation.
Summary Steps
These are Tom's notes from the field when trying to get Azure AD Join to work with machines that were already local AD joined to a domain where AD Connect is being used to sync accounts to the MS365 cloud.
The notes make references to our internal/lab domain controller (COLOSSUS) and some Liquid Mercury Staff (Bill Otremba). Where possible, these were highlighted for clarity. Note that some service accounts end in .local, but this doesn't mean the domain name ends in .local; it is just the name for the AD Sync account.
- Upgrade to the latest version of AD Connect
- Run the Initialize-ADSyncDomainJoinedComputerSync cmdlet from the AdSyncPrep module that ships with AD Connect
- Confirm the device registration CN (service connection point) exists in the Configuration partition of AD
Detailed Walkthrough and Notes
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
PS C:\Windows\system32> Initialize-ADSyncDomainJoinedComputerSync
cmdlet Initialize-ADSyncDomainJoinedComputerSync at command pipeline position 1
Supply values for the following parameters:
AdConnectorAccount: COLOSSUS\adsync.local
AzureADCredentials
Initializing your Active Directory forest to sync Windows 10 domain joined computers to Azure AD.
Configuration Complete
10/1/2019 Bill says the wizard does this for you.
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup
In an elevated command prompt:
Dsregcmd /status
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DeviceId : 028f190a-5024-406e-872d-1c6e7333ec8f
Thumbprint : 27A9CAE1F0D18844D9F4B8733D16A6350A4B5
KeyContainerId : e8f7ec32-2aa7-4825-8ce1-fec4c92a86a5
KeyProvider : Microsoft Software Key Storage Provider
TpmProtected : NO
KeySignTest: : PASSED
Idp : login.windows.net
TenantId : f48e040a-d458-43a9-9f1c-4a0c9aad3b8b
TenantName :
AuthCodeUrl : https://login.microsoftonline.com/spliquidmercury.onmicrosoft.com/oauth2/authorize
AccessTokenUrl : https://login.microsoftonline.com/spliquidmercury.onmicrosoft.com/oauth2/token
MdmUrl :
MdmTouUrl :
MdmComplianceUrl :
SettingsUrl :
JoinSrvVersion : 1.0
JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion : 1.0
KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
DomainJoined : YES
DomainName : COLOSSUS
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : YES
WorkplaceDeviceId : c64faf7c-7c38-44db-ae37-401abddc0b33
WorkplaceThumbprint : 7EF8603783E5B78BCCF30E6EAFEAE3D56A9272
WorkplaceIdp : login.windows.net
WorkplaceTenantId : f48e040a-d458-43a9-9f1c-4a0c9aad3b8b
WorkplaceTenantName : Liquid Mercury Solutions
WorkplaceMdmUrl :
WorkplaceSettingsUrl :
WamDefaultSet : NO
AzureAdPrt : NO
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
IsUserAzureAD : NO
PolicyEnabled : NO
DeviceEligible : YES
SessionIsNotRemote : YES
X509CertRequired : NO
PreReqResult : WillNotProvision
Eventually, after some time…
IsUserAzureAD : YES
PolicyEnabled : NO
DeviceEligible : YES
SessionIsNotRemote : YES
X509CertRequired : NO
PreReqResult : WillNotProvision
But, why does the PC still claim the policy is not enabled??
Note that at this time, my Azure AD account is no longer shown in Settings > Accounts. Moreover, if I try to add one, I will get an error at this stage. (What error? Tom never mentions it. Sorry.)
My credentials are now shown under Email and App Accounts.
https://connect.microsoft.com/site1164/content/content.aspx?ContentID=32016
http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185
I have this working on my test PC now – though I am not 100% sure exactly what was the magic button that makes it work.
- Fussed around with Intune client for a while, uninstalled and re-installed the Intune Agent without any success. Very frustrating experience and lots of online chatter about conflicts between Windows 10 MDM and Intune makes me think these aren’t fully baked together yet.
- Applied all the latest updates to the PC from Intune management console. Maybe this helped, but I was not missing many updates.
- Ensure users are allowed to Azure AD Join devices:
- Changed the Sync Your Settings option in Azure AD (Classic Management Portal) so it was enabled. I cannot find this setting in the new Azure Portal at all. (I believe this now shows up in Azure AD > Devices > Device Settings.) We can certainly enable this in any tenant easily.
Note: Bill says "don't turn this on".
- On the domain controller, admin policy templates from Win 10 1607 were missing in Windows 2012 R2. Download them here. TODO - does this apply if the DC is Windows 2016?
- https://www.microsoft.com/en-us/download/confirmation.aspx?id=53430
- Instructions on how to unpack them so they work; in short, copy them from the install location to the SYSVOL subfolder (the group policy central store): https://www.niallbrady.com/2016/02/03/how-can-i-add-new-windows-10-admx-files-to-the-group-policy-central-store-and-then-deploy-them/
- Changed group policy settings to enable Device Registration, Windows Hello, and Sync Your Settings. Note that in Windows 8 it was called "Workplace Join"; in Windows 10 it is called "Device Registration".
- Added enterpriseregistration and enterpriseenrollment records to the local AD DNS server.
- Also enabled domain services in Azure AD, so it can function as an LDAP server now. Note: this requires an Azure AD Premium plan, but Azure AD DS is now also an option for $150/mo.
- I moved the computer records in AD to an OU that is synced with Azure AD, because we have filtering enabled in our AD Connect so that not 100% of records will sync.
- Did another GPUPDATE /FORCE on the client. Was forced to log out and had to create a PIN, which required MFA (these are configured in Hello under GPO). Note that the next time you log in, it will default to PIN, but you can switch back to password login.
- Now, "dsregcmd /status" no longer has the NGC prerequisite check section at all. Seems to be fully joined in both AD and AAD. (Note: Get-MsolDevice still doesn't report the device having a "registered owner", but there seems to be no ill effect.) TODO - are additional commands needed to assign one?
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DeviceId : 028f190a-5024-406e-872d-1c6e7333ec8f
Thumbprint : 27A9CAE1F0D18844D9F4B8733D16A6350A4B5
KeyContainerId : e8f7ec32-2aa7-4825-8ce1-fec4c92a86a5
KeyProvider : Microsoft Software Key Storage Provider
TpmProtected : NO
KeySignTest: : PASSED
Idp : login.windows.net
TenantId : f48e040a-d458-43a9-9f1c-4a0c9aad3b8b
TenantName : Liquid Mercury - SharePoint+Office 365+Azure
AuthCodeUrl : https://login.microsoftonline.com/spliquidmercury.onmicrosoft.com/oauth2/authorize
AccessTokenUrl : https://login.microsoftonline.com/spliquidmercury.onmicrosoft.com/oauth2/token
MdmUrl :
MdmTouUrl :
MdmComplianceUrl :
SettingsUrl :
JoinSrvVersion : 1.0
JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion : 1.0
KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
DomainJoined : YES
DomainName : COLOSSUS
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : YES
NgcKeyId : {E8E52F45-B7B9-4514-B823-20B2A3274035}
WorkplaceJoined : YES
WorkplaceDeviceId : c64faf7c-7c38-44db-ae37-401abddc0b33
WorkplaceThumbprint : 7EF8603783E5B78BCCF30E6EAFEAE3D56A9272
WorkplaceIdp : login.windows.net
WorkplaceTenantId : f48e040a-d458-43a9-9f1c-4a0c9aad3b8b
WorkplaceTenantName : Liquid Mercury Solutions
WorkplaceMdmUrl :
WorkplaceSettingsUrl :
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultId : https://login.microsoft.com
WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)
AzureAdPrt : YES
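The notes check two things by hand: that the device registration CN (service connection point) exists in the Configuration partition, and what "dsregcmd /status" reports. Here is an added PowerShell check that does both; it is not part of Tom's notes. It assumes it runs elevated on the hybrid-joined client, that the client can reach a domain controller in its forest, and that the SCP sits at the Microsoft-documented location under CN=Device Registration Configuration,CN=Services in the Configuration naming context.

```powershell
# Added example, not part of the original notes. Run elevated on the hybrid-joined client.
# Assumptions: the client can reach a DC; the SCP path is the Microsoft-documented location.

# 1. Service connection point (the "CN in the Configuration partition" from the summary steps).
#    RootDSE supplies the forest's Configuration NC, so no domain name is hard-coded here.
$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$scpPath  = "LDAP://CN=62a0ff2e-97b9-4088-9039-e6b1b6ad5c30," +
            "CN=Device Registration Configuration,CN=Services,$configNc"
if ([System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
    # Expect two keywords: azureADName:<verified domain> and azureADId:<tenant GUID>
    foreach ($kw in @(([ADSI]$scpPath).keywords)) { "SCP keyword: $kw" }
} else {
    Write-Warning "No device registration SCP at $scpPath; run Initialize-ADSyncDomainJoinedComputerSync or the AD Connect wizard first."
}

# 2. Parse `dsregcmd /status` into a hashtable. The regex copes with the normal
#    "Name : Value" lines and with the odd "KeySignTest: : PASSED" line seen above.
$state = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*([A-Za-z0-9]+)\s*:(?:\s*:)?\s*(.*)$') {
        $state[$Matches[1]] = $Matches[2].Trim()
    }
}

# 3. Fields worth watching, with the value a healthy hybrid join should show.
$expected = [ordered]@{
    DomainJoined  = 'YES'  # still joined to on-prem AD (hybrid, not a pure Azure AD join)
    AzureAdJoined = 'YES'  # device object registered in the tenant
    AzureAdPrt    = 'YES'  # user holds a Primary Refresh Token; NO breaks SSO and device-based Conditional Access
    TpmProtected  = 'YES'  # device key should live in the TPM; the output above shows NO (software KSP)
}
foreach ($name in $expected.Keys) {
    $actual = if ($state.ContainsKey($name)) { $state[$name] } else { '<missing>' }
    $flag   = if ($actual -eq $expected[$name]) { 'OK' } else { 'CHECK' }
    '{0,-14} expected {1,-4} actual {2,-9} {3}' -f $name, $expected[$name], $actual, $flag
}
```

A CHECK on TpmProtected is not a join failure, but it means the device identity key is held by the software key storage provider rather than the TPM, which is worth fixing before relying on device-based Conditional Access.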
Additional Resources
- UPDATE 25-Jun-2019: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan
- Tracking Version to Build numbers for Win 10: https://docs.microsoft.com/en-us/windows/release-information/
- Advice on setting up AutoPilot - Intune/Domain Registration: https://www.anoopcnair.com/windows-autopilot-hybrid-domain-join-guide/
- Hybrid Azure AD Joined Step by Step
- https://blogs.technet.microsoft.com/configmgrdogs/2016/01/04/microsoft-intune-co-existence-with-mdm-for-office-365/
- https://support.office.com/en-us/article/Capabilities-of-built-in-Mobile-Device-Management-for-Office-365-a1da44e5-7475-4992-be91-9ccec25905b0?ui=en-US&rs=en-US&ad=US&fromAR=1
- http://simon-may.com/enable-office-365-built-in-mdm-mobile-device-management/
- http://configmgrblog.com/2015/05/14/hey-my-mdm-authority-is-set-to-office-365-in-microsoft-intune/
- https://blogs.technet.microsoft.com/canitpro/2015/03/25/step-by-step-app-deployment-via-microsoft-intune/
- https://support.office.com/en-us/article/Choose-between-MDM-for-Office-365-and-Microsoft-Intune-c93d9ab9-efb2-4349-9b93-30c30562ee22?ui=en-US&rs=en-US&ad=US
- http://stealthpuppy.com/windows-10-management-intune/
- http://tecfac.net/2013/11/25/intune/windows-intune-to-deploy-scripts/
- https://docs.microsoft.com/en-us/intune/deploy-use/enroll-corporate-owned-devices-with-the-device-enrollment-manager-in-microsoft-intune
- https://ronnydejong.com/2015/06/21/the-enterprise-management-suite-portal-survival-guide/
- https://blogs.msdn.microsoft.com/beanexpert/2015/07/27/create-custom-windows-10-policy-in-microsoft-intune-using-oma-uri/
- https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-10-uri-settings
- https://blogs.technet.microsoft.com/windowsintune/2010/11/10/using-group-policy-and-windows-intune-to-manage-policy/
- https://blogs.technet.microsoft.com/askpfeplat/2016/01/04/microsoft-intune-for-the-old-school-gpo-admin/
- https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune
- https://msdn.microsoft.com/it-it/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider