Question on Autopilot behavior

  • Question

  • We've been using Autopilot for a while now, and have a question on the expected behavior. When we add a device to the business store, that process creates an AAD computer object with the name being the serial number. This has the ZTDID entry so gets added to our dynamic group. We associate a profile for a hybrid join and the machine is available to build. When we build the machine, it creates an Intune account in the XYZZY-<random> name we have defined in the deployment profile. This also renames the AAD account from the serial number to XYZZY-<random> and this process also creates a duplicate AAD record with the same name. The Windows Enrollment - Device record now points to the original AAD record which is now renamed.

    My question is whether or not these dual AAD accounts are intended or not. I know one is linked to the Windows Device Enrollment device and we can't lose that linkage in order to keep the ability to Autopilot the device.

    Since this is a hybrid join, we also have an on-prem account with the same name.

    Any pointers to info on this would be appreciated.

    Thanks.

    • Moved by Joy-Qiao Wednesday, November 13, 2019 7:01 AM
    Tuesday, November 12, 2019 7:32 PM

Answers

  • Yes, it's intended, and you shouldn't delete them. One object is from registration of the device with the serial, and the other is from the Hybrid Azure AD joined object.

    See Michael Niehaus's blog https://oofhours.com/2019/07/15/inside-windows-autopilot-user-driven-hybrid-azure-ad-join/ where he says:

    "You will end up seeing two devices in Azure AD when this process completes:  The pre-created Azure AD Join device objects (which ends up getting enabled and renamed as part of this process) and the synced Hybrid Azure AD Join device object.  Keep both of these objects around – never delete the original pre-created Azure AD device object."

    Wednesday, November 13, 2019 11:44 PM
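
The pairing described in the answer above, as an added example (not code from the thread or from Microsoft): it groups device records by display name and marks both the ZTDID-bearing pre-created object and its synced hybrid twin as objects to keep. The sample records are constructed; the property names (`DisplayName`, `TrustType`, `PhysicalIds`) and the `ServerAd` trust type assume the shape of Microsoft Graph device objects, and `Get-AutopilotObjectReport` is a hypothetical helper name.

```powershell
# Constructed sample records shaped like Microsoft Graph device objects
# (Id, DisplayName, TrustType, PhysicalIds). All values are made up.
$sample = @(
    [pscustomobject]@{ Id = 'obj-001'; DisplayName = 'XYZZY-A1B2C3'; TrustType = 'AzureAd'
        PhysicalIds = @('[ZTDID]:11111111-1111-1111-1111-111111111111') }
    [pscustomobject]@{ Id = 'obj-002'; DisplayName = 'XYZZY-A1B2C3'; TrustType = 'ServerAd'
        PhysicalIds = @() }
    [pscustomobject]@{ Id = 'obj-003'; DisplayName = 'SN-0000002'; TrustType = 'AzureAd'
        PhysicalIds = @('[ZTDID]:22222222-2222-2222-2222-222222222222') }
    [pscustomobject]@{ Id = 'obj-004'; DisplayName = 'XYZZY-D4E5F6'; TrustType = 'ServerAd'
        PhysicalIds = @() }
)

function Get-AutopilotObjectReport {
    param([Parameter(Mandatory)][object[]]$Devices)

    foreach ($group in ($Devices | Group-Object -Property DisplayName)) {
        # The pre-created Autopilot object is the one carrying a [ZTDID] physical ID.
        $hasPreCreated = @($group.Group | Where-Object {
            @($_.PhysicalIds) -match '^\[ZTDID\]:' }).Count -gt 0

        foreach ($d in $group.Group) {
            $isPreCreated = @(@($d.PhysicalIds) -match '^\[ZTDID\]:').Count -gt 0
            $note = if ($isPreCreated -and $group.Count -eq 1) {
                'Keep: pre-created Autopilot object; no same-name hybrid object'
            } elseif ($isPreCreated) {
                'Keep: pre-created Autopilot object (renamed during deployment)'
            } elseif ($d.TrustType -eq 'ServerAd' -and $hasPreCreated) {
                'Keep: synced Hybrid Azure AD Join object'
            } elseif ($d.TrustType -eq 'ServerAd') {
                'Check: no same-name object with ZTDID; Autopilot linkage may be gone'
            } else {
                'Review manually'
            }
            [pscustomobject]@{
                DisplayName = $d.DisplayName; Id = $d.Id
                TrustType = $d.TrustType; Note = $note
            }
        }
    }
}

# Assumption: with the Microsoft Graph PowerShell module, real records could be
# passed in instead of $sample, e.g. the output of Get-MgDevice -All.
Get-AutopilotObjectReport -Devices $sample | Format-Table -AutoSize
```

On the constructed data, `obj-001` and `obj-002` come back as a keep pair, `obj-003` as a pre-created object with no hybrid twin, and `obj-004` as a hybrid object whose pre-created counterpart is missing.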

All replies

  • Hello,

    For the two device items in the Azure AD, please check the Join Type for two items.

    Please make sure the item with Hybrid Azure AD joined type is kept. For the item with registered type, you can either keep it or delete it.

    Please refer to the following thread.

    https://social.technet.microsoft.com/Forums/en-US/e73235c5-62db-4912-a86e-3da204ca8046/azure-ad-connect-hybrid-join-questions?forum=microsoftintuneprod

    Best regards,

    Andy Liu



    Wednesday, November 13, 2019 9:05 AM
  • The issue I have with this is that the "registered" type AAD record is the one associated with the Autopilot device. If we delete that object, then we cannot redeploy the machine unless we remove/re-add the computer to the business store.

    I think you confirmed that what we are seeing, the creation of a duplicate (type hybrid join) and the rename of the original <SerialNumber> record is expected.

    Let me know if that is not the case.

    We are working on a reuse/recycle program so want to be able to redeploy with Autopilot without rebuilding the business store each time we reuse a device.

    Thanks.

    Wednesday, November 13, 2019 11:23 PM
  • Awesome! Thanks for the link and the follow-up. Exactly what I was looking for.
    Tuesday, November 19, 2019 7:06 PM