@7:23 - since you used the Rufus bypass, why did you not select "setup for personal use"?
@fbifido2 · a month ago
🤔
@fbifido2 · a month ago
@11:21 - ok, I see why now. 🤨
@TechsavvyProductions · a month ago
All my demos for Windows 11 24H2 were domain VMs, PCs, or Laptops. Everything in my lab is on the domain, even my Linux hosts. My wife's devices are exempted. : )
@fbifido2 · a month ago
@7:51 - did you not create the USB using Rufus, and allow it to auto-create the local user name "HomeBoss"???
@TechsavvyProductions · a month ago
By default I have the local account called "Homeboss" in the Rufus options, but in all of these examples I removed "Homeboss" and used the local account called "john". Homeboss is my domain admin username. Sorry for the confusion.
@gtm5650 · a month ago
What's your take on Windows Recall?
@TechsavvyProductions · a month ago
Thanks for your support! I think if they get the security right, and it sounds like they have now, it will be fine. They will use BitLocker to encrypt your data, and even an Admin will not be able to access the files in Windows Recall. You will only be able to use Windows Recall if you have Windows Hello enabled. It will encrypt your data using your Windows Hello credentials. Only when it rolls out again will we be able to test-drive it to see if it really has value.
@fbifido2 · a month ago
Question #3.5: Lab: I have Entra-ID & Entra-ID DS. I have 2 subnets (10.200.1.x/24 {servers}, 10.200.2.x/24 {clients}) in 1 vNET (10.200.x.x/16). I have a file-server, print-server, sql-server, sage-300-server, pclaw-server, payroll-server, which are all Entra-ID DS joined. (I don't know how to Entra-ID join them; they are all running Server 2019 in the 10.200.1.x subnet.) I also have 5 VMs in the 10.200.2.x subnet, running Windows 11 21H2 Ent. MU, 8 vCPU, 32GB vRAM, 256GB SSD, which are also Entra-ID DS joined, using RDP to connect users with 1-to-1 users to vCPU as TASK-USERS, mainly because Azure VMs are really slow at around 2-to-2.8GHz. I would love to see v6 or v7 VMs in Azure with a minimum of 4-to-5GHz vCPU. I don't have any on-prem servers, just a few switches and a firewall. The firewall is also the DNS/DHCP/VPN device. The only VPN connection is a Site-to-Site VPN into Azure; if the user is not locally on our network they cannot RDP into one of the Windows 11 Multi-User VMs. For some reason I can't get SSO to work on these 5 VMs, mainly because they are not Entra-ID joined. In each app the user has to sign in at least once, then the app remembers the user: Outlook, OneDrive, Teams, Word, Edge. Test: I created a 6th VM and Entra-ID joined it, but it will not Entra-ID DS join after that, with an error message saying "I need to remove it from Entra-ID joined"; also it joined in Workgroup mode, with a funny-looking suffix. I had to look up how to change this suffix to make it work with my domain. (If I did not do this, if I try to ping, say, the file-server, it would look like this:
ping file-srv
"Ping request could not find host file-srv. Please check the name and try again."
but with the changed suffix, I would get this:
ping file-srv
Pinging file-srv.mysuffix.local (10.200.2.12) with 32 bytes of data:
Reply from 10.200.2.12: bytes=32 time=2ms TTL=64
^C
@TechsavvyProductions · a month ago
Thanks for the great feedback and comments!
@fbifido2 · a month ago
How can one join an INTUNE-JOINED device to a domain?
@TechsavvyProductions · a month ago
Joining a device that is managed by Intune to an on-premises Active Directory (AD) domain involves a series of steps that allow you to integrate cloud-managed devices with your on-prem infrastructure. This approach is useful in hybrid environments where devices need to access resources from both Azure AD and Active Directory. Here is a step-by-step guide on how to achieve this:

Step 1: Ensure Intune & Hybrid Azure AD Join Setup
Explanation: Before proceeding, you need to make sure that the environment supports hybrid Azure AD join. This means devices will be joined to both Azure AD (via Intune) and Active Directory (on-prem).
Prerequisites: A working Azure AD Connect sync between Azure AD and on-premises AD. Hybrid Azure AD Join must be configured for the domain. Devices should be either Windows 10 or Windows 11.
Open the Azure AD Connect setup and confirm that the Device Sync options are enabled for hybrid Azure AD join. Ensure that the domain the device will join is part of your Azure AD Connect sync.

Step 2: Configure Group Policy for Hybrid Join
Explanation: Devices managed by Intune must be able to authenticate with the on-prem domain controller. This involves configuring Group Policy to enable hybrid domain join.
Open the Group Policy Management console on your AD server. Create or edit an existing Group Policy Object (GPO) linked to the Organizational Unit (OU) containing your Intune-managed devices. Navigate to Computer Configuration > Administrative Templates > Windows Components > Device Registration. Set the policy "Register domain-joined computers as devices" to Enabled. Ensure that the correct Azure AD tenant information is populated in the Group Policy settings.

Step 3: Prepare Device for Domain Join
Explanation: The device must be part of your Azure AD and managed by Intune, and should have a line of sight to the on-premises AD domain controller.
Verify network access to the domain controller from the device. Ensure that the device can connect to the corporate network either via VPN or physically inside the network. Make sure that the device can resolve the domain controller using DNS and that firewall rules allow domain communication (e.g., ports 53, 389, 445).

Step 4: Unenroll the Device from Azure AD (Optional)
Explanation: If the device is already enrolled in Azure AD (Azure AD Join) and needs to be joined to an on-prem domain, you might need to unenroll it from Azure AD first.
Open Settings on the device. Go to Accounts > Access work or school. Select the Azure AD account and click Disconnect. This will unenroll the device from Azure AD but won't remove it from Intune management.

Step 5: Join the Device to the On-Premises Domain
Explanation: After the device has a line of sight to the domain controller, you can now join it to the on-prem domain.
Open Settings on the device. Navigate to Accounts > Access work or school. Click on Connect and then select "Join this device to a local Active Directory domain". Enter the domain name (e.g., domain.local). When prompted, enter the credentials of a domain user who has permission to join devices to the domain. Restart the device once prompted to apply the changes.

Step 6: Verify the Device Domain Join
Explanation: After restarting the device, confirm that it successfully joined the domain and can authenticate to both Azure AD and on-premises AD.
Log in with an on-prem AD account and verify that domain policies are applied. Ensure the device appears under Active Directory Users and Computers in the appropriate OU. Check that the device is still visible in Intune and that policies are being applied properly.

Step 7: Re-enroll Device to Intune (if needed)
Explanation: After joining the domain, if the device was unenrolled earlier, you can re-enroll it back to Intune for management.
Go to Settings > Accounts > Access work or school. Click on Connect, select "Set up a work or school account". Enter the appropriate Azure AD credentials and complete the enrollment process.

Step 8: Verify Hybrid Azure AD Join
Explanation: Now the device should be joined to both the on-premises AD and Azure AD, managed by Intune.
Run the following command in PowerShell on the device to verify the hybrid Azure AD join status:
dsregcmd /status
Check the output under Device State. Ensure that both AzureAdJoined and DomainJoined are YES. Confirm that the device appears in Azure AD under Azure AD Devices as hybrid joined.
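The reply above lists the pre-join connectivity checks (Step 3: DNS resolution of the domain controller, ports 53, 389 and 445 open) and the post-join verification (Step 8: dsregcmd /status with AzureAdJoined and DomainJoined both YES). The script below is an added example that turns those checks into something you can run on the device; it is not from the video or from the commenter. The domain name and domain controller hostname are placeholders, port 88 (Kerberos) is added to the reply's list on my assumption that you also want Kerberos reachability, and the dsregcmd field names are read straight from the tool's "Name : Value" output lines.

```powershell
# Added example: hybrid-join readiness and verification checks for the Step 3 / Step 8
# procedure above. Not part of the original reply. Domain and DC names are placeholders.
param(
    [string]$Domain = 'domain.local',                 # placeholder used in the reply; replace with yours
    [string]$DomainController = 'dc01.domain.local'   # hypothetical DC hostname
)

# Step 3: confirm the client can locate a domain controller through DNS.
# Domain join and Kerberos use the _ldap._tcp.dc._msdcs SRV record to find DCs.
function Test-DomainDns {
    param([string]$Domain)
    $result = [ordered]@{ Domain = $Domain }
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
        $result.DcSrvRecords = @($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget })
        $result.DnsOk = ($result.DcSrvRecords.Count -gt 0)
    } catch {
        $result.DnsOk = $false
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Step 3: check the ports the reply names (53 DNS, 389 LDAP, 445 SMB) plus 88 (Kerberos, my addition).
function Test-DcPorts {
    param([string]$Server, [int[]]$Ports = @(53, 88, 389, 445))
    foreach ($p in $Ports) {
        $ok = (Test-NetConnection -ComputerName $Server -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ Server = $Server; Port = $p; Open = $ok }
    }
}

# Step 8: parse "dsregcmd /status" and report whether the device is hybrid joined.
# Output lines look like "    AzureAdJoined : YES"; everything before the first colon is the key.
function Get-DsregStatus {
    $lines = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined']
        DomainJoined  = $state['DomainJoined']
        DomainName    = $state['DomainName']
        TenantName    = $state['TenantName']
        # Both flags YES is the hybrid-join condition the reply asks you to confirm.
        HybridJoined  = ($state['AzureAdJoined'] -eq 'YES' -and $state['DomainJoined'] -eq 'YES')
    }
}

Test-DomainDns -Domain $Domain | Format-List
Test-DcPorts -Server $DomainController | Format-Table -AutoSize
Get-DsregStatus | Format-List
```

Run it from an elevated PowerShell on the device after Step 5's reboot: the first two sections should all show true before you attempt the join, and the last section should show HybridJoined True once Step 8 is complete. A DnsOk of false with the ports open usually points at the DNS suffix problem the earlier comment ran into, since the device cannot resolve the domain at all.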
@johnsenchak · a month ago
I survived Milton two and a half days without internet. I had internet while the storm was coming through, but when the storm moved out to sea it was disconnected. I never lost power.