Autopilot enrollment with Offline Domain Join service

Read this page to learn the ODJ architecture in MCM and the high-level process flow for enrolling Autopilot enabled Windows devices with ODJ service.

ODJ service is an "Add-on" service and is installed through WebUI after completing the initial MDM server installation. For complete information on installing and configuring ODJ service, refer to Domain join installation and configuration.

Windows Autopilot Hybrid Domain Join Setup Architecture

  1. AAD connector establishes a sync between the On premises active directory and the Azure AD.
  2. BigFix Operator creates a Domain Join Profile through WebUI to configure it as part of a Windows Policy Group that can be tailored with a specific blob of data that contains everything necessary for a Windows laptop to join to an AD domain, even if there is no direct access to the AD server at the time of enrollment. This profile becomes available in the MCM server.
  3. As per the Azure AD autopilot setup, at the time of enrolment, the devices contacts the MCM server for information.
  4. MCM server communicates with Azure AD and gets the identification information.
  5. The blob in the Domain Join Profile gets updated with the identify information.
  6. Plugin Portal contacts On Premises Active Directory and performs DJoin command.
  7. The Domain Join Profile is deployed on the enrolling device as per the group policy.

High-level ODJ Autopilot enrollment flow

  • Before enrolling, ensure that the windows endpoint is ready for first time use or perform factory reset.

  • Sign-in to the windows endpoint device using Azure AD user credentials, synchronized from on-premises AD.

  • Wait for the domain join to complete and for the device to automatically restart; it takes several minutes.

  • After successful domain join, use on-premises AD credentials to sign-in to the device.

  • After successful sign-in:
    • The device joins to the on-premises AD domain, connected to on-premises MDM
    • The Azure work account is automatically provisioned.
    • The device is listed in Azure portal as Hybrid Azure AD joined.