Hybrid Domain Join via Workspace ONE UEM
June 23, 2021 | by bgarmon
Last Updated 7/13/2021 to include more details within each component
If you want to use VMware Workspace ONE UEM + AutoPilot to achieve Hybrid Domain join this post is for you. If you don’t know what Hybrid Domain Join is, here’s my primer on it: https://www.aftersixcomputers.com/hybrid-domain-join/
Visual Learners: Here’s the 30-minute video recorded by a co-worker that shows you what we are talking about below.
Pretty sweet video huh? So let’s break this down in a bit of a cheat-sheet format:
- Need access to AD Users and Computers and ADSI Edit
- Need admin access to Azure AD Connect,
- Need admin access to Azure AD (portal.azure.com)
- Need admin access to Microsoft Endpoint Manager Admin Console (endpoint.microsoft.com)
- Need admin access to Airwatch Cloud Connector (ACC) server
- Need admin access to VMware Workspace ONE UEM Console
- Need 1 or more test Windows 10 devices, preferably VMs
As of UEM Console 2105, there is no support for domain join activities that involve sub-OGs. For this process to work, all of the configuration below is expected to live in the top-most root Customer OG. This includes the UEM Console user account, the UEM Console device registration record, and all of the UEM Console domain join configuration.
In Active Directory do this:
Note: If you don’t know how to complete the following items, the step-by-step instructions are in Step 6 of my previous post on this topic: Part 1 of 2: Domain Join via Workspace ONE Tunnel.
- Define an OU in AD for devices to join.
- Create an AD service account that will be used to create computer objects in that OU. The account does not need any admin role in AD; a standard user account is fine, but delegate control on the OU so that it can create computer objects.
- Launch ADSI Edit and set msDS-MachineAccountQuota to 0
- Open Group Policy Management Console and enable the setting Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration > “Register domain joined computers as devices”
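The four AD steps above, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module, an OU name of "HybridJoin Devices" and a service account name of svc_odj (both my placeholders), and uses the built-in dsacls tool for the "create computer objects" delegation, which the post does in the GUI.

```powershell
# Added example, not from the original post. Assumed names: OU "HybridJoin Devices",
# service account svc_odj. Run as an account that can create OUs/users and edit the
# domain object. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$ouName  = 'HybridJoin Devices'   # assumption
$svcName = 'svc_odj'              # assumption
$ouDN    = "OU=$ouName,$($domain.DistinguishedName)"

# 1. OU that the offline-domain-join computer objects will be created in
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(name=$ouName)" -SearchBase $domain.DistinguishedName)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# 2. Plain (non-admin) service account that the ACC will use to create computer objects
$svcPwd = Read-Host -AsSecureString -Prompt "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -AccountPassword $svcPwd `
    -Enabled $true -PasswordNeverExpires $true -Path $domain.UsersContainer

# 3. Delegate only "create child objects of class computer" on the OU and its sub-OUs.
#    dsacls: /I:T = this object and sub-objects, CC = create child, ;computer = class.
dsacls $ouDN /I:T /G "$($domain.NetBIOSName)\${svcName}:CC;computer"

# 4. Stop ordinary users from joining machines anywhere: ms-DS-MachineAccountQuota = 0
Set-ADDomain -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}

# Verify the quota actually took on the domain object (expect 0)
(Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

The "Register domain joined computers as devices" GPO setting is still done in Group Policy Management Console as the post describes.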
On the Azure AD Connect server:
- Validate the Azure AD Connect configuration:
  - Configure device options must have Hybrid Azure AD join enabled.
  - The SCP must be configured and enabled.
In the Azure Admin Portal (https://portal.azure.com):
- Under the Mobility (MDM and MAM) blade, make sure the two applications “Airwatch by VMware” and “On-Premises MDM application” have been added and are properly configured.
- Under the Mobility (MDM and MAM) blade, validate that the Microsoft Intune app is excluded from the scope used in the previous step.
- Create a new Azure AD Group which will be used to assign computer objects an AutoPilot profile. Groups can be created directly in Azure Admin Portal, or they can be created in the Endpoint Manager Admin Console. Name the group something like HybridJoin_devices so that it is abundantly clear exactly what this group is for.
On the Windows 10 test device, register the device with AutoPilot:
The following steps walk through registering the Windows 10 device with AutoPilot, which means the person running through this step must have permissions in the Azure tenant to register devices. If you are not an Azure admin, have one available to complete Step 4 below:
- Boot the computer into the Out-of-Box-Experience (OOBE).
- From the blue OOBE “Login to Microsoft” screen, bring up the Command Prompt by pressing Ctrl + F10 (or Shift + F10 on Hyper-V)
- From the Command Prompt, type in powershell and press Enter to launch PowerShell
- From powershell run the following commands, pressing Enter after each line:
Install-Script Get-WindowsAutoPilotInfo -Force
- This will prompt for an admin login to Intune / MEM Admin Console
- When the previous step finishes, copy the Serial Number for use later on
- Power Off the Windows 10 test device using the command
Testing shows that if you try and continue OOBE without powering off the device it will not pick up the AutoPilot profile and fail miserably.
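The OOBE registration steps above as one added PowerShell sequence (not from the original post). The post shows only the Install-Script line; the Get-WindowsAutoPilotInfo -Online call, the NuGet provider and execution-policy lines, and the shutdown command are my additions, and the serial number is read from the BIOS so it can be pasted into the UEM pre-registration later.

```powershell
# Added example, not from the original post: what to type in the PowerShell session
# opened from the OOBE command prompt. A fresh OOBE session usually needs the NuGet
# provider and a process-scoped execution policy before Install-Script will work.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
Install-PackageProvider -Name NuGet -Force | Out-Null
Install-Script -Name Get-WindowsAutoPilotInfo -Force

# Capture the hardware serial number now; it must match the serial you add to the
# UEM Console device registration record later in this process.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
Write-Host "Serial number to pre-register in UEM Console: $serial"

# -Online uploads the hardware hash straight to the tenant; this is the step that
# prompts for an Intune / MEM admin login.
Get-WindowsAutoPilotInfo -Online

# Power off rather than continuing OOBE, so the device picks up the AutoPilot
# profile on its next boot (the post notes that continuing here fails).
shutdown /s /t 0
```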
Microsoft Endpoint Manager Admin Console (https://endpoint.microsoft.com)
- Create AutoPilot Profile by navigating to:
Devices > By Platform: Windows > Windows Enrollment > Windows AutoPilot Deployment Program > Deployment Profiles > Create Profile > Windows PC
Make sure Deployment Mode is User-Driven,
Join to Azure AD as HYBRID Azure AD joined.
This profile can’t be changed after Save, so choose your options wisely.
- Assign AutoPilot Profile to Device by navigating to:
Devices > By Platform: Windows > Windows Enrollment > Windows AutoPilot Deployment Program > Devices
- Optional step instead of step 2: you could add the device Serial Number to the Azure AD group created earlier and then assign that group to the AutoPilot profile
Note that Endpoint Manager may take a few minutes to assign the AutoPilot profile to the device. In testing we’ve seen device assignment take 1 minute, and we’ve seen it take 30 minutes. Be patient! Do not proceed until this is completed, indicated by the “Profile Status” changing to Assigned. If you just can’t bring yourself to be patient, you can log into https://businessstore.microsoft.com and assign the AutoPilot profile there as well; it’s a bit of a hack but seems to work ok.
Connect to Airwatch Cloud Connector (ACC):
- Confirm ACC is running version 22.214.171.124 or higher.
- Add the AD service account created earlier in this post to the local Windows Administrators group on the ACC
- Change the ACC service’s Log On As account to the AD service account, then restart the ACC service
Launch Workspace ONE UEM Console:
- Settings > All Settings > validate that the domain name shows up properly under Enterprise Integration
- Devices & Users > Advanced > Tags > create a tag named ODJ
- Create a Smart Group for assignment based on Tags and assign the ODJ tag
- Devices & Users > General > Enrollment > Optional Prompt > Windows > DISABLE the Enrollment Status Page (works around a bug in UEM Console versions prior to 2105)
- Domain Join Configuration – pick a machine name format
- For Assignment, Organization Units is the OU defined above. Type in the common name and UEM will search for the full distinguished name.
- Pre-register the Device in UEM Console > Devices > Lifecycle > Enrollment Status > Add > register device
- Make sure the user matches what you assigned in AutoPilot
- Make sure you add the Serial Number and the Tag
- If users will not be on same network as Domain Controller, configure Prelogin VPN Client
If you need help with this step see my previous blog:
- Configure UAG + Tunnel app + Device Traffic Rules for NETLOGON, Explorer, svchost and System, and for the Device Traffic Rule make sure you have both *.domain.online and domain.online
- Configure Profile to apply Tunnel