Windows 10 Autopilot Hybrid Join

Captions
Hey guys, my name is Nick. I'm a Microsoft Certified Expert Administrator, I create a lot of content for MSPs, and in today's video I'm going to be showing you guys Windows 10 Autopilot hybrid join. So I've created another video specifically going around the fundamentals of Windows 10 Autopilot and the basic configuration, mostly encompassing Azure AD deployment, but for the MSP space in the SMB market I feel like hybrid join is a very powerful component that you would want to implement across many of your customers as you transition to the cloud.

So here's a basic diagram of what this looks like from an architecture standpoint, but basically we have the ability to join devices both to Azure AD and push them down into our local environment as well too. So this way, while you're transitioning to the cloud, you could still use the local environment for group policy objects that you want to push out, but also slowly start to move into Intune for device management. So a couple of different scenarios which this encompasses: one would be when you order the devices from a supported OEM provider, you can upload the hardware IDs, and when you put those up, you've pre-configured the things that we're going to go through as far as the demo in this video for hybrid join, and you can immediately push those down to the local domain. The other of which is if you have existing devices that you've joined to Intune, you can additionally push those down, and vice versa, so you can push up devices into Azure Active Directory. The only problem with the hybrid from the local environment up to the cloud is the fact that you still do have to grab the hardware IDs from those existing devices in order to enroll them into Autopilot. We'll go through all of this here today. So basically what I wanted to get into here from an agenda standpoint: we're going to go over some of the requirements for hybrid Azure AD join, we're going to go through all the local steps that you need to take in your local DC, and then all the cloud steps within the Endpoint Manager portal, and that's all going to be encompassed within the demo.

So to give you guys a better picture, a common scenario of an MSP: you guys have, you know, let's say a handful of customers, 1,800 users across your customer environment with about two to three percent employee churn, you have customer applications at each customer location, most of those locations have a local Active Directory environment with group policies set up, you use ConnectWise for your RMM software, use Dell as your OEM provider, and use Webroot for your antivirus. So with Autopilot you have the ability to pre-configure all your policies, your applications, your settings, everything like that, and immediately push those down to the devices themselves, so it's a pretty powerful setup that you can have from an IT perspective and also an end user perspective. But one of the big things that I consider right now, while you perform change management tasks and work your way from your local environment to moving fully to the cloud, is the ability to hybrid join these devices down to the local directory. So not only are you slowly transitioning versus having to do a holistic deployment, you can have this hybrid scenario where the computer is still going to have all the policies pushed out from the local domain, but you can begin to slowly manage it from maybe an application standpoint, or some of the policies within Intune you can start to push down, and things of that nature.

So some of the requirements that you'll need to have set up before you can do this, that I'm not going to be showing in this video: one is just having Azure AD Connect in place, so the basic thing has already been done. We'll be running through the wizard again to configure additional settings, but that is something that you have to have going in the environment. The DC itself has to be Windows Server 2016 or higher, and then the devices enrolled into Autopilot need to be on Windows 10 version 1809 or later.

So let's go ahead and pop into the test tenant that I have here. So this is the 365 portal, I have Microsoft 365 Business set up here, and this is on the cloud side of things that we'll need to come in and configure. I actually do want to start in the local environment though, to show you some of the settings that we'll need to configure here. So this is my DC, which is already syncing the users up to the 365 portal, and what I've done here, and what you want to plan out, is the OU that you want to be syncing for this Autopilot service and also the hybrid join computers. So whenever you think about this, you know, you've got to think about GPO inheritance and things of that nature that you want to customize; it may not just be the default Computers OU here that you want to use for the service, and maybe one that you want to pre-populate if you have certain users you want to run in hybrid, or ones that you want to keep slowly in the local environment there. So I've gone ahead and already created this new OU for Autopilot, and this is where we're going to be doing the hybrid join and also pushing devices down that do join the Autopilot service. The one thing that we need to do here is just add some delegated permissions to allow user or computer creation in this particular OU. So you go through this wizard here: under Users and Groups click on Add, under Object Types make sure you checkbox Computers, and in here I'm just going to type the name of my DC. It's going to pull it up here, and it's giving me permission to go ahead, as a scope for this particular DC, to create computers. We'll want to create a custom task to delegate here, and then we're going to say Computer objects under "Only the following objects in the folder", I'm going to say Create and Delete, click Next. You'll leave this top part how it is here; if you checkbox Full Control it'll checkbox everything else for you. You'll click on Next and you'll click on Finish, so that will give us permission to write down to this particular OU. So that's what you need to do in the Users and Computers section; again, plan out how your architecture's got to look, if there's any special considerations with which OU you want this to join, and then perform those tasks there. So that's everything that we needed to do here.

The next thing we need to do is install the Intune Connector. So I've launched the 365 admin center here and I've gone ahead and opened up the Endpoint Manager portal, and what you'll want to do is go under the Devices section and then go to Windows, and here we're going to click on Windows enrollment, and we're going to click on the Intune Connector for Active Directory. Now, I'd already pre-installed this on this one and uninstalled it, which is why I have the error status here, but you can click on Add, and this is what we're already doing here, so we just want to download the actual executable here, and this will launch as soon as that's done, and we'll just run through this wizard and just click on Install. So we need to sign in with a licensed account, a global administrator. It looks a little janky, but I want to pick my global administrator for this tenant, okay, and then I think because I already did this it picked up on my credentials, but you just have to put in your password for the global administrator to finish that up. This takes a couple of minutes, but we should see this pop up here with a green status in a minute, so we'll come back to this, let's see... yeah, we'll come back to this here in a few minutes.

The other piece that you need to do is go into your Group Policy editor, and what we're going to do, you can create a new GPO or use the Default Domain Policy, but basically we need to target all the domain computers within the Active Directory environment, encompassing also our OU that we created, to just make sure all that exists there. But you'll click on Edit on whatever group policy that you have scoped out appropriately. Under Computer Configuration here you go under Preferences, I'm sorry, under Policies, under Administrative Templates, and under Windows Components you'll scroll to see Device Registration, and then "Register domain joined computers as devices". You can double click on that; I've already got it enabled here, but you'll want to make sure you turn this on, and this is just, you know, talking about getting registered devices with Azure Active Directory as well. So you want to turn that on there. The next thing that you want to do really is open up, let me see if this is updated at all, yeah there we go, alright, so we got this active as well now too, and it's got the new date, but that's good, that's what I wanted to see there.

So one of the last pieces you need to do here is go and open up Azure AD Connect. There's a couple of different settings that we're going to need to configure here. The first of which, what I like to do is, if you've created the new OU that you're not syncing, go ahead and do that. So we'll go ahead and sign in here, I'll get my MFA code, push notification, alright, and then you've got our directory here, and then I'll expand, and I want to make sure that I grab that OU that I created, click on Next, and we'll let this go through and we're going to start that sync process, yes. So this will run through here, and the big thing is we have multiple tasks that we need to do within this wizard; I would wait like five, ten minutes in between each one just to be safe, because otherwise it'll tell you that the synchronization service is still running. I mean, you just need to let it complete fully before you do that. So we'll click on Exit here, I'm gonna pause for a brief second and come back in just a few minutes.

Okay, so we're back here and we've reopened the wizard. I'm going to go ahead and click on Configure, this time we're going to click on Configure device options and click on Next. So you see here we have two options: hybrid Azure AD join and then device writeback as well too. So what we want to do is click on Next here; again we're gonna have to authenticate with our global credentials, and again it's going to prompt me for MFA, prove that, alright. And then here what we're going to want to do is configure hybrid Azure AD join first, and here we're going to leave this checkbox at "Windows 10 or later domain-joined devices", and we're going to checkbox our forest here that we have for this environment, we're going to click on Add, and we're simply going to put in our enterprise admin credentials for this forest, alright. And this is just telling you, if you don't have the enterprise admin credentials, you can run this script, but we're not going to worry about that because we do. Alright, then we'll select Configure. Alright, so that's done now as well, and we'll briefly pause.

The very last thing I want to do here is configure device writeback. So again, this is going to be so that we can, one, join devices that are in our local domain; we just configured the hybrid join, so devices that are local will now be pushed up into Azure AD for the hybrid join. But when I think about Autopilot, and I'm getting new devices from my OEM provider, registering them in the Autopilot service, when we complete the out-of-box experience I want to register that device not only with Azure Active Directory but I want that to write back down into this environment as well too. That's the overall goal. So again, one more time here, click on Azure AD Connect and we'll go back into the device options and click Next and authenticate again here, alright, and then I'll get my prompt for MFA, prove that, and then we'll configure device writeback, select your forest and location from the available drop-down environments, and then once again provide the enterprise admin credentials, and then we'll wait for this to load here. Alright, and it's just giving us a list of things that it's going to do, so we can click on Configure, alright, so now that is complete. So those are the basic steps that we needed completed in the local environment, and now we're going to switch to the cloud environment here to finish things up.

So what we want to do here is a couple of different things. One of which, we're gonna need to create a profile here for the domain join. So what we'll do is go under the Windows section here and we're going to go under Configuration profiles, and we're going to go ahead and add a new one here, and we're just going to call it "hybrid join", and under Platform we'll select Windows 10 and later, and under Profile type we're going to select Domain Join. So the settings that come up here: you can define what you want the computer name prefix to be, you can define the domain name, and this has to match the fully qualified domain name in your local environment, and the organizational unit, you need to grab the path there. So if you don't know what this is, I would click on View under Active Directory Users and Computers and look at Advanced Features, and then you can right click on this and click on Properties, and by doing so, I remember which one it's in here, it's under Attribute Editor. So the distinguishedName is what you can copy, click on OK, and I'll just minimize this and we'll paste this in here, and it looks good, so we'll click on OK. Scope tags, applicability rules, anything for additional filtering, I'm not going to go over that in this video; in most cases you're just gonna leave the settings there. So you'll create this, and now we need to assign it. So what I've done behind the scenes here is I've created a group called "hybrid join" and I've added a device that I've uploaded from the Windows Autopilot hardware ID section there. So I went under, and I'll show you that here in a second actually, so I'll go under and I'll select assign to a certain group; actually I can't assign it to these scopes, but I want this to be a particular subset, so I'm going to look for hybrid join, and that's where I've got my devices that I do want to hybrid join, and click on Save. And I'll go back here and I'll see if I need to review the properties or not, or anything like that, and now this is configured; there's one group assigned, and that's good.

So just to show you guys what I did here: under Groups, I went under the hybrid, I created one security group, and I made it a member here, this particular device that I've uploaded from grabbing its hardware ID and pushing it into the Autopilot service. I could have made this a dynamic group, and I could have tagged a certain group ID from the device itself; if you want to make this even more automated for your deployment you can look at that. But if you go under Windows enrollment here and look at Devices, this is where I uploaded the hardware ID here for this particular device, and I've got it listed here, and this is what I'm talking about where you could apply a group tag and it could have been dynamically joined. I manually assigned it to that group of hybrid join, but it doesn't have to be; it can be more automated than that. So I just wanted to show you guys that.

One of the other things that we need to do here is create our hybrid join deployment profile. So we'll go under here, I'll click on Create profile, and we're just gonna call it "hybrid join", and for this setting we do want to convert all targeted devices to Autopilot. A good use case for that, like I just showed you, I uploaded the hardware ID from an existing device and it's not yet in the Autopilot service because I haven't enrolled it into Intune or anything like that, so I do want to convert it whenever I assign it. So here we're going to leave the deployment mode at User-Driven, I'm going to select Hybrid Azure AD joined, we're gonna hide these settings here, really, we're gonna allow the OOBE experience for White Glove, and underneath here I'm just going to find United States, I guess I can't say, English is what I'm looking for, and we'll say yes, automatically apply that. And then it's telling you here that for the hybrid join you can't apply a device name template, because it's going to take the one from the profile, which makes sense. So here I'll select my group, and I'll select hybrid join, it's got my device in there, and just a summary of what we're including here: we've got hybrid Azure AD join, we've got our user-driven mode, we're allowing White Glove, I've got the right group in there, looks good. So we'll create the profile, and this will load up here, and you'll just have to refresh to fully see it, and it populated there before I hit refresh. So I'll go back to the deployment profiles again, and it does have it assigned, so that's good, and you've got the assigned device in there already; that's pretty quick. So sometimes this does take some time to propagate, from what I've seen; that was relatively fast. Just from the deployment perspective, to show this in here, if this device doesn't show up right away as part of that group, be patient. I would say wait five, ten minutes; from my experience it's usually not that fast, but that was good.

So what we're gonna do now is we're going to test all this out. So we have a device here, this is the device of the hardware ID that you just saw in there, so we're going to boot it up here and we're going to go through the Autopilot experience. Oh, and one more thing that I forgot to do here: if I refresh, this is updating, I go back in here, I just want to create a more white-glove experience for the user. So what I'll do is go under Enrollment, I'll click on Devices, and this is still updating, I should give it a few minutes here, but I want to assign it to a particular user, and that is me, and then I want to just customize the name here, so when they boot up the device, or when it boots up, it's just going to say "Hey Nick, let's get things ready for you, type in your password". So we'll save, and let's refresh; this is going to take, let me just, I'm just going to give this some time, but it did capture my name, it saved that correctly. So I would recommend waiting until this says Assigned before actually going through the out-of-box experience, or maybe just in general waiting like 10 minutes or so just for things to propagate fully. I like to do that for my testing just to make sure that it's not just me. So I'm going to briefly pause while that happens and be right back.

Back here, and now we have it as Assigned, so that looks good, and if I click here I've got my name listed as well too, assigned to the user who's licensed within Intune. And now I'm gonna pop into this device and just start it up, so it'll go through the out-of-box experience here as soon as it connects to the internet, so either if you have an Ethernet connection, or if you're running off the switch or device, or Wi-Fi network or something like that, it'll run through and go through this experience. So we'll see it pop up here in just a minute. So now we're prompted with our company branding and our directory ID there, and we're just asked to type in our password, so we'll go ahead and do that, and if you've enabled MFA for your sign-in or to register a device you'll get the MFA prompt here and you'll need to approve that. It's a good security concern, if you are doing this, if you're pushing out access to corporate data and things of that nature, to have the user enroll with MFA, because again, if that user's password is compromised they could technically enroll their credentials on any device and have the company apps and policies and data pushed down and have access to that on any device itself, not just the computer that is supposed to be for the end user. So we're going to let this load here.

So the device is still setting up here, but I want to show you a couple of different things that are going on behind the scenes. This will load up and push down all the policies, apps, everything like that, but a couple of different pieces there: if we pop back into our DC here, you'll notice that in our OU that we configured the device has shown up here. It's got our custom naming convention, so it took our name and appended random numbers and letters on the end of it there. You again could change this up from the domain join profile that we created within this portal, but this is something where it's already joined now, and it's getting the group policies pushed down to it as well too when it fully boots up. And back in the 365 Endpoint Manager, if we go under All devices, you'll notice here, one, sometimes it pops up like this at first as well too, where it has "MDM/ConfigMgr Agent" as the agent, and this is just thinking about it doing a hybrid deployment. Or if we also go under Windows, this is showing it here as well too, and this will fully load up and it should grab the full device name there. And then, like I said, if we have anything that we've assigned to this device as well too, or to the particular user, such as our RMM software or Office suite, that will begin to install as well too. So a couple of different pieces will begin to flow down after it's being configured here and it fully pushes down completely. So this again should be switching to MDM pretty soon here with the full device name, but the main thing that I wanted to see was that it was successfully joined to our OU there as well. So that's everything I wanted to show you guys. If you guys have any questions or comments feel free to put them on the video below. Thanks.
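The on-premises steps the video clicks through (create the OU, delegate create/delete of computer objects to the server running the Intune Connector, confirm the "Register domain joined computers as devices" policy on a client, and harvest the hardware hash of an existing device) can be scripted and, more importantly, verified. The following PowerShell is an added example and is not code from the video or from Microsoft. It assumes the RSAT ActiveDirectory module, a domain-admin session on the DC, an OU named "Autopilot" directly under the domain root, and that the Intune Connector for Active Directory is installed on a server named DC01 (the video installs it on the DC itself); those three names are assumptions you should change. The dynamic-group rule in the comment at the end is the standard Azure AD syntax for matching an Autopilot group tag.

```powershell
# Added example (not from the video): on-prem side of the hybrid join setup.
# Assumptions: RSAT ActiveDirectory module, domain-admin session on the DC,
# OU "Autopilot" under the domain root, Intune Connector installed on DC01.
Import-Module ActiveDirectory

$ouName        = 'Autopilot'   # assumption: the OU the video creates by hand
$connectorHost = 'DC01'        # assumption: server running the Intune Connector
$domain        = Get-ADDomain
$ouDN          = "OU=$ouName,$($domain.DistinguishedName)"

# 1. Create the OU if it is missing. $ouDN is the exact string the Domain Join
#    configuration profile expects in its "Organizational unit" field, and
#    $domain.DNSRoot is the FQDN it expects in "Domain name".
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName -PassThru
}
"Domain name for the profile : $($domain.DNSRoot)"
"Organizational unit          : $ouDN"

# 2. Delegate what the wizard in the video grants by hand, to the connector
#    host's computer account: create/delete Computer objects in the OU and its
#    sub-OUs (CCDC), plus full control (GA) over the computer objects it
#    creates, so the offline domain join blob it hands to Autopilot can be
#    completed. Scope it to this OU only; do not delegate at the domain root.
$acct = "$($domain.NetBIOSName)\$connectorHost`$"
& dsacls.exe $ouDN /I:T /G "${acct}:CCDC;computer"
& dsacls.exe $ouDN /I:S /G "${acct}:GA;;computer"

# 3. Check the ACL actually carries the connector account before moving on.
(& dsacls.exe $ouDN) | Select-String -Pattern ([regex]::Escape($acct))

# 4. Run on a domain-joined Windows 10 client: confirms the GPO "Register domain
#    joined computers as devices" applied (it sets autoWorkplaceJoin = 1) and,
#    after the next sync cycle, that dsregcmd reports both DomainJoined and
#    AzureAdJoined as YES, which is what "hybrid joined" means on the endpoint.
function Test-HybridJoinClient {
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $auto   = (Get-ItemProperty -Path $key -Name autoWorkplaceJoin `
                   -ErrorAction SilentlyContinue).autoWorkplaceJoin
    $status = & dsregcmd.exe /status
    [pscustomobject]@{
        PolicyApplied = ($auto -eq 1)
        DomainJoined  = [bool]($status | Select-String 'DomainJoined\s*:\s*YES')
        AzureAdJoined = [bool]($status | Select-String 'AzureAdJoined\s*:\s*YES')
    }
}

# 5. Existing devices: collect the hardware hash the video says you still need,
#    with a group tag so a dynamic group can pick the device up instead of the
#    manual group membership used in the video. Run elevated on each device.
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo -OutputFile .\AutopilotHWID.csv -GroupTag 'HybridJoin' -Append
# Upload the CSV under Devices > Windows > Windows enrollment > Devices, then
# assign the Domain Join and deployment profiles to a dynamic device group with:
#   (device.devicePhysicalIds -any _ -eq "[OrderID]:HybridJoin")
```

Step 2 is the part worth reviewing with a security eye: the account that holds CCDC on the OU can create arbitrary computer objects there, so keep the grant scoped to the Autopilot OU rather than the domain, and keep the connector host patched and treated as a tier-0 asset since, as in the video, it is frequently the DC itself. Step 4 gives you a deterministic check to run before the out-of-box test instead of waiting and watching the portal.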
Info
Channel: T-Minus 365
Views: 24,654
Keywords: hybrid, intune, windows, windows10, windows autopilot, autopilot, microsoft, MDM, MSP, managed services, device management, hybrid join
Id: F_2qEjN-9ko
Length: 28min 10sec (1690 seconds)
Published: Sun Jan 19 2020