As of late, I have continued to watch the meteoric attack on Entra hybrid environments. Obviously Microsoft has shifted focus on Entra joined devices and that’s okay. Entra join is the future, but it doesn’t mean we throw hybrid in the trash. Many people try to manipulate customers and companies into doing a big bang straight to Entra join (my focus on this article today).
Complicating things is the shift away from MDT. Now that MDT is no longer supported on Windows 11, VBScript is being sent to the retirement home, and for a few other reasons, people are now at a crossroads. You can read more in Johan’s article here on MDT, as he is one of the true experts on that side of the fence.
So, you are either going to SCCM or Intune. Many of those companies are moving in the direction of Intune. Luckily, most companies have done most of the foundational work by being on Office 365 for a while. With that emphasis, I’ve been seeing some interesting strategies and methodologies in the Intune consulting industry.
It’s 100% not okay to do things for the wrong reasons. If you’re a customer that’s on SCCM or MDT, you don’t just need to BURN IT ALL DOWN. Today, we are going to talk about some fun stuff:
- What is Microsoft Entra Hybrid Join
- Current Microsoft Entra Hybrid Use Cases
- Technologies That Are Fun on Hybrid!
- Developing a Strategy Starting with Hybrid and Ending with Cloud Native
- Thoughts on Hybrid Entra Strategy
What is Microsoft Entra Hybrid Join?
The question is a fairly easy one to answer. Entra Hybrid Join is where you’re still Domain Joined and also Entra Joined. Most companies are doing it without even realizing it.

From a requirement perspective, we need the following:
- Windows 10/11, Windows Server 2016/2019
- Entra Connect 1.1.819.0 or later
- The OUs the computers exist in need to be synced to Entra
These features you cannot use in single forest, multiple Microsoft Entra tenants setups:
- Device Writeback
- Group Writeback
- Seamless SSO (you shouldn’t be using it anymore anyways)
- On-Prem Entra Password Protection
Of course there are other considerations, but I’m presuming you have a decent understanding of Hybrid already. Now, we move on to current use cases for Hybrid.
Current Microsoft Entra Hybrid Use Cases
We have primarily three main use cases for hybrid today:
- Still want to leverage group policy.
- You LOVE images and I mean LOVE images (why? I don’t know but you DO!)
- Leveraging things like Windows apps that need AD machine authentication.
Inevitably, you should be seeing hybrid as a bridge. Sure, these are “valid”-ish use cases, but they really should be short-term use cases. I get why people still want these things, but they’re also concepts/desires that don’t mesh with a long-term scalable strategy. We’ll discuss that more later, but we should identify that Hybrid has its limits today.
The Fun of Microsoft Entra Hybrid Join
One of the main reasons that I wrote this article is pure hatred of hybrid join across the industry especially fellow MVPs and consultants. As someone who has built his career on being good at scary tech like SSL, Kerberos, certificates, etc., I believe Entra Hybrid Join is a blast. People in general aren’t very good at it so that is something to be celebrated.
Now, there are a few technologies that can be challenging in Entra Hybrid Join. We’re going to focus on two of them, Windows Hello with Cloud Kerberos Trust and Windows Autopilot for Hybrid Join, because people struggle with them quite a bit, which likely leads to people “convincing” customers that Cloud Native IS THE WAY and the ONLY WAY. Let’s be clear, Cloud Native is the long-term strategy, but it’s also highly illogical to take someone from OSD –> Intune with Cloud Native. I focus on setting people up for success, which involves a multi-step approach. We’ll discuss that later, but for now let’s talk about these two technologies.
Windows Hello with Cloud Kerberos Trust (CKT)
Earlier this year, I wrote all about CKT here in what is one of my most popular articles I’ve written in 2024. The great thing about CKT is its simplicity as seen below:

What makes it amazing is it’s so easy to do. Literally run this command:
# Requires the AzureADHybridAuthenticationManagement module, run from a domain-joined machine.
Import-Module AzureADHybridAuthenticationManagement
# Specify the on-premises Active Directory domain. A new Azure AD
# Kerberos Server object will be created in this Active Directory domain.
$domain = $env:USERDNSDOMAIN
# Enter a UPN of an Azure Active Directory global administrator
# (placeholder value; replace it with your own admin account).
$userPrincipalName = "admin@yourtenant.onmicrosoft.com"
# Create the new Azure AD Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
# Open an interactive sign-in prompt with given username to access the Azure AD.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName
Beyond that, just make sure your domain controllers are being synchronized up to Entra and it’s really that simple. It creates a cool little RODC-esque DC that syncs up to Entra to power Windows Hello for Business on Hybrid devices. No certs, or ADFS, or stupid settings that freak out your InfoSec team. It’s super special and even relatively easy to troubleshoot. Typically, these are already there, but just as a reminder it needs one of these 3 enabled:
- Password Hash Sync (PHS)
- Passthrough Authentication
- 3rd party IDP or ADFS
Here’s a short video that shows you how to configure the WH4B policy in Intune, but for more info you can check out my other blog article:
Remember how I said it’s easy to troubleshoot? You can just check out Event Viewer and see that CKT is being used in the “User Device Registration” logs. Typically, as long as it can see a Kerberos server for your domain, it will work like a charm. The only real issue I’ve seen is when it can’t find the Azure AD Kerberos server, which you can usually prove by connecting over VPN.
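The two checks described above, as an added example that is not part of the original article: Test-CktServerObject runs on a domain-joined admin box with the ActiveDirectory and AzureADHybridAuthenticationManagement modules and relies on the output fields Microsoft documents for Get-AzureADKerberosServer; Test-CktClient runs on a hybrid-joined client and parses dsregcmd /status plus the User Device Registration log. The $Upn default is a placeholder.

```powershell
# Added example, not from the original article: verify Cloud Kerberos Trust on
# both sides. Test-CktServerObject runs on a domain-joined admin box with the
# ActiveDirectory and AzureADHybridAuthenticationManagement modules; Test-CktClient
# runs on a hybrid-joined client. The $Upn value is a placeholder.

function Test-CktServerObject {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Upn    = 'admin@yourtenant.onmicrosoft.com'   # placeholder global admin UPN
    )
    # On-prem side: the RODC-like 'AzureADKerberos' computer object created by Set-AzureADKerberosServer.
    $adObj = Get-ADComputer -Filter "Name -eq 'AzureADKerberos'" -ErrorAction SilentlyContinue
    # Cloud side: the cmdlet reports both the AD copy and the Entra copy of the object,
    # so a missing CloudId or a key-version mismatch means the publish step failed.
    $ks = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $Upn
    [pscustomobject]@{
        OnPremObjectPresent = [bool]$adObj
        PublishedToEntra    = [bool]$ks.CloudId
        KeyVersionsMatch    = ($ks.KeyVersion -eq $ks.CloudKeyVersion)
        KeyUpdatedOn        = $ks.KeyUpdatedOn   # rotate the krbtgt_AzureAD key if this is stale
    }
}

function Test-CktClient {
    # dsregcmd /status prints 'Name : Value' lines; keep the ones that matter for CKT.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(\S.*)$') { $status[$matches[1]] = $matches[2] }
    }
    # Errors in the User Device Registration log over the last day usually mean the
    # client could not reach a DC / the Azure AD Kerberos server (think VPN).
    $errors = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        Level     = 2
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HybridJoined  = ($status['AzureAdJoined'] -eq 'YES' -and $status['DomainJoined'] -eq 'YES')
        CloudTgt      = $status['CloudTgt']    # YES: a cloud Kerberos TGT was issued
        OnPremTgt     = $status['OnPremTgt']   # YES: on-prem TGT obtained, so CKT worked
        ErrorsLast24h = @($errors).Count
    }
}

Test-CktClient | Format-List
```

Run Test-CktClient as the signed-in user (not an elevated admin shell) so the SSO State section of dsregcmd reflects that user’s tickets.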

Windows Autopilot for Entra Hybrid Join
Windows Autopilot is something I covered in detail not too long ago here. Autopilot is the bridge to Intune for devices, which delivers that great user experience coupled with technologies like the Enrollment Status Page (ESP) that people see during the Out of Box Experience (OOBE).

When you do Hybrid, things get a bit more challenging as you have to rely on the magic of the Intune Domain Join profile. The Autopilot flow itself changes as well, which you can see below:

In hybrid environments, you need the Intune Connector for Active Directory. This service creates Autopilot-enrolled computers in the on-prem AD domain. The Intune Connector for Active Directory creates the ODJ (Offline Domain Join) blob in Active Directory. You can think of the ODJ blob as a “stub.” It looks like this, which I’m borrowing from the great Michael Niehaus:

Once that user logs into the domain (with line of sight), the computer object is completed, and it is officially domain-joined. So, that sounds pretty easy, right? What can go wrong?
Troubleshooting Windows Autopilot for Hybrid Join
Now, I’m no Niehaus, but I know a little bit about Hybrid Join. The typical issues you run into with the Intune Connector are:
- You need to grant delegated control to either the Intune Connector computer object or the service account, with Create and Delete Computer Objects rights on the AD container where the computer objects will live. You can confirm this in the ODJ logs in Event Viewer: the ODJ Connector Service event logs are located under Event Viewer > Application and Services Logs > Microsoft > Intune > ODJConnectorService. Select Microsoft-Intune-ODJConnectorService/Admin or Microsoft-Intune-ODJConnectorService/Operational.
- Your domain join naming convention must only be a prefix, e.g. MOBILEJON (no hyphens or any of that nonsense)
- The OU must be a distinguished name, aka DN, e.g.: OU=Computers,DC=MobileJon,DC=com
- The Intune AD Connector must have the same firewall rules as the Intune service itself. That is something people commonly overlook.
Overall, the best tool you can find is Get-AutopilotDiagnosticsCommunity PS module, which will provide you great insight into how your Autopilot is running for your device. This will often help get you to a good point.
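The three connector-side checks from the list above (delegated rights, prefix-only naming, OU as a DN) plus a read of the two ODJConnectorService logs, as an added example that is not part of the original article or of the Intune Connector itself. It assumes the ActiveDirectory module on the connector host; $TargetOu and $NamePrefix are placeholders, and the connector identity is assumed to be the host’s computer account.

```powershell
# Added example, not from the original article: pre-flight checks for the Intune
# Connector for Active Directory, run on the connector host with the ActiveDirectory
# module. $TargetOu and $NamePrefix are placeholders; the connector identity is
# assumed to be this host's computer account (swap in the service account if used).

function Test-OdjConnectorPrereqs {
    param(
        [string]$TargetOu   = 'OU=Computers,DC=MobileJon,DC=com',    # placeholder DN
        [string]$NamePrefix = 'MOBILEJON',                           # placeholder prefix
        [string]$Account    = "$env:USERDOMAIN\$env:COMPUTERNAME`$"  # connector identity
    )
    $adr = [System.DirectoryServices.ActiveDirectoryRights]
    $computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schema GUID of 'computer'

    # 1. Prefix only: letters and digits, no hyphens; NetBIOS names cap out at 15 chars.
    $prefixOk = $NamePrefix -match '^[A-Za-z0-9]{1,15}$'

    # 2. The OU must be given as a DN and must exist.
    $ou = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$TargetOu'" -ErrorAction SilentlyContinue
    $ouOk = [bool]$ou

    # 3. The connector identity needs CreateChild + DeleteChild on the OU, either
    #    unscoped (ObjectType empty) or scoped to the computer class. Group-based
    #    delegation is not expanded here, so FALSE may still be fine via a group.
    $delegated = $false
    if ($ouOk) {
        foreach ($ace in (Get-Acl -Path "AD:\$TargetOu").Access) {
            if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne $Account) { continue }
            if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $computerClass) { continue }
            $r = $ace.ActiveDirectoryRights
            if ($r.HasFlag($adr::CreateChild) -and $r.HasFlag($adr::DeleteChild)) { $delegated = $true }
        }
    }

    # 4. What the connector logged in the last day (the two logs the article points at).
    $logs = 'Microsoft-Intune-ODJConnectorService/Admin', 'Microsoft-Intune-ODJConnectorService/Operational'
    $odjErrors = foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = (Get-Date).AddDays(-1) } `
            -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        PrefixValid       = $prefixOk
        OuExists          = $ouOk
        DelegationPresent = $delegated
        OdjErrorsLast24h  = @($odjErrors).Count
    }
}

Test-OdjConnectorPrereqs | Format-List
```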

One other point, when you work on Hybrid Autopilot and do your own testing, you should remember that any Reset PC may force you to wait 24 hours before you can re-provision an Autopilot device, which is expected behavior.
For fun, here’s a demo of what pre-provisioning on Hybrid looks like:
Developing a Strategy Starting with Hybrid and Ending with Cloud Native
The main focus of this blog article is why you don’t just jump to Cloud Native (Entra Join) in most environments. Sure, we all want to be on Cloud Native, but that’s just not how the real world works. Some of the reasons it is incredibly hard:
- Companies aren’t THAT progressive.
- The supported workflow to move to Cloud Native is a device wipe.
- Moving from OSD/SCCM to Intune is already incredibly challenging without going 0 to Cloud Native.
- A successful approach isn’t about what is easy for you. It’s about what’s best for your company/customer.
- Setting yourself up for success is the difference between success and failure.
Typically, my strategy is a multi-phased approach:
Phase 1: The New Intune World
Typically, I will introduce two standard workflows:
- Windows Autopilot pre-provisioning (For net new devices)
- SCCM co-management (for existing devices)
Obviously, this includes all of the basics like MDM automatic enrollment and all of that jazz. We will hit on the key notes around Windows Management like LAPS, Windows Autopatch, BitLocker, and the policies that make up our Windows 11 Best Practices that I have highlighted in the past:
We also build apps into that part of the strategy as the goal is to shift all of SCCM’s magic into Intune and modernization while retiring stuff like imaging, crazy logon scripts, etc. Phase 1 has a simple goal: Build trust and show people the tech can work properly (especially Cloud Kerberos Trust).
Phase 2: GPO Migration
The title says it all. My focus in phase 2 is on shifting GPO items to Intune policies and trying to eliminate as much of the GPOs as humanly possible. This also includes a health check of the GPOs in general to see what actually matters still.
The reason we space things out is to establish a foundation and build on that trust to power the art of the possible. Most companies that are still imaging and not in Intune need to understand the value. I’m a major advocate of showing what can be done.
“Trust Me, I’m a Doctor” doesn’t fly when it comes to device management.
Phase 3: The New Normal
Now, at this point we will start to introduce Cloud Native. In Phase 1, we introduced CKT, but I don’t tell them what it can do. Now at this point, I remind them we’ve been using CKT for a while to power Windows Hello for Business, but guess what? There’s MORE!
We start to introduce Cloud Native as a net new strategy and show them how CKT can bridge their legacy auth for things like file shares and legacy apps, which brings the entire thing full circle. People don’t unequivocally trust that it can work, but we show them that those tent stakes we established in Phase 1 will light the way to the future.
Everything in these 3 phases was done in a specific, methodical way to build on trust and help realize the full vision. The point is that slapping everything together all at once is scary, but if we have a proper plan, we show our organizations how special these technologies can be.
Overall Thoughts on Hybrid Strategy
I’ve watched a ton of people trash on Hybrid everywhere from discord servers to Twitter to whatever (keeping that pretty vague). People just aren’t realistic about how the real-world works at times. Hybrid IS a bridge to the future.
We know that the path to Cloud Native is paved with good intentions, but it also needs a dash of realism. Companies need to have their hands held on the journey. This isn’t a fling it’s a marriage. Being pragmatic will pay dividends if you’re smart about it. There are 3 stories:
- Microsoft’s Story
- Your Story
- The Customer’s Reality
The actual reality is somewhere in the middle. People will take some chances, but first prove to them that you “know Kung Fu.” In the Matrix, even Neo needed some time to get to where he needed to be.

As I said a few minutes ago, Hybrid is the bridge you will take to establishing Intune and Cloud Native in your environment. Don’t be afraid of hybrid! Yes, I know it’s a PITA and it has its challenges, but when you actually achieve hybrid capabilities like CKT and Hybrid Windows Autopilot it’s really awesome. They’re literal achievements vs. the simplicity (thankfully) of Cloud Native.
