Deploying Domain Join Configurations for Windows
Windows domain join enables your users to remotely connect to a work domain using Active Directory credentials or local device credentials. Use Workspace ONE UEM to deploy your domain join configurations for on-premises, workgroup, and hybrid domain joins for your Windows (Windows Desktop) devices.
Integration with Microsoft Autopilot (Hybrid Domain Join)
If you manage users in the cloud and on-premises, you can use Workspace ONE UEM to assign your hybrid domain join configurations to Windows devices leveraging Windows Autopilot + OOBE (Out of Box Experience).
Use a Windows Autopilot Profile for OOBE Enrollments
Windows Autopilot allows you to configure a profile that specifies the Domain Join type for devices going through OOBE. You must configure and assign an Autopilot profile with the hybrid domain join setting in Azure. The devices assigned this profile will go through the OOBE process and be Hybrid Azure AD joined.
Important: If you do not assign an Autopilot profile with the Hybrid Join specification in Azure, your Windows devices will go through OOBE and be Azure AD joined. Once devices are Azure AD joined, you cannot initiate a Hybrid domain join without completely resetting the devices.
For details on Autopilot, access the topics on Microsoft | Docs, Configure Autopilot profiles.
- If your users use a third-party VPN client to access resources (for example, users work from home), configure the Autopilot profile menu item Skip AD connectivity check (preview) as Yes.
- If your users do not use a third-party VPN client to access resources (for example, users are on the corporate network), configure the Autopilot profile menu item Skip AD connectivity check (preview) as No.
Requirements
- Windows Automatic Enrollment: Configure automatic enrollment in Azure with Workspace ONE UEM as the mobile device management (MDM) system. Access Configure Workspace ONE UEM to Use Azure AD as an Identity Service for details.
- Workspace ONE UEM: Disable the Status Tracking Page for OOBE.
  - In Workspace ONE UEM, go to Groups & Settings > All Settings > Devices & Users > General > Enrollment.
  - Select the Optional Prompt tab.
  - Go to the Windows section and disable Enable the Status Tracking Page for OOBE.
- Microsoft Subscription: Use one of the Microsoft subscriptions that support Windows Autopilot licensing. Access the article in Microsoft | Docs titled Windows Autopilot licensing requirements.
- Windows Autopilot Profile: Configure this profile in Azure so that your Windows devices are assigned the hybrid domain join setting. For details, access the topics on Microsoft | Docs, Configure Autopilot profiles.
- Register Devices with the Autopilot Profile: For details on how to set up Autopilot devices, access the article in Microsoft | Docs titled Manually register devices with Windows Autopilot.
- AirWatch Cloud Connector (ACC): Use ACC to enable domain join for On-premises Active Directory in Workspace ONE UEM.
- Active Directory Users and Computers (ADUC): You need the MMC snap-in called ADUC to configure on-premises domain join through Workspace ONE UEM.
Assumptions
- You have configured Windows automatic enrollment with Azure in Workspace ONE UEM.
- You have configured and assigned an Autopilot profile in Azure so that devices join to Azure AD as Hybrid Azure AD joined.
- You have registered your Windows devices in Azure and assigned the relevant Hybrid Join Autopilot profile.
- You have domains and Organization Units in Active Directory.
- You have configured Directory Services in the Workspace ONE UEM console if you are using Active Directory.
- You have configured and assigned a Domain Join configuration in Workspace ONE UEM console.
Order of Tasks
- In Azure, set up your Autopilot devices according to Microsoft | Docs. Currently, this process includes the following steps.
  - Register your Autopilot devices.
  - Create a device group.
  - Create and assign an Autopilot deployment profile.
- Configure on-premises domain join in ADUC, ACC, and Workspace ONE UEM.
  - In ADUC, configure a user account with Windows Server delegate permissions, create a custom delegate task, and configure permissions.
  - In ACC, update the AirWatch Cloud Connector service to log on with the user account created in ADUC and add write permissions to the ACC folder.
  - In Workspace ONE UEM, create a domain join configuration for on-premises Active Directory.
  - In Workspace ONE UEM, specify the Organization Unit information by creating and deploying single or multiple assignments for the domain join configuration.
In Azure, set up your Autopilot devices according to Microsoft documentation. Currently, this process includes the following steps.
- Create a device group.
- Register your Autopilot devices.
- Create and assign an Autopilot deployment profile.
Step Two: Configure On-Premises Domain Join
The steps below outline how to configure and assign a domain join configuration in Workspace ONE UEM. These steps allow a device to join an on-premises domain on enrollment into Workspace ONE. When configured along with a Hybrid Join Autopilot profile, devices go through OOBE to join Azure AD as Hybrid Azure AD joined. If you met all the requirements and assumptions for hybrid domain join, you have also met them for on-premises domain join, so continue with Step One: Configure ADUC in the On-Premises Domain Join section.
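The Important note earlier on this page explains that a device which comes out of OOBE as Azure AD joined only cannot be hybrid joined afterwards without a reset, so it is worth confirming the join state of a pilot device before rolling the profile out widely. The following is an added example, not VMware's or Microsoft's code: it runs the built-in dsregcmd /status tool on the device, parses its "Name : Value" lines, and classifies the result. Run it in an elevated PowerShell session on the device itself; the verdict strings are this example's own labels.

```powershell
# Added example (not part of the original page): classify a device's join state
# from dsregcmd /status. dsregcmd ships with Windows; its /status output is a list
# of "Key : Value" lines under section banners such as "Device State".

function Get-DeviceJoinState {
    # Parse every "Key : Value" line into a hashtable. The key match is non-greedy
    # so values that themselves contain ':' (URLs) are kept intact.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-HybridJoin {
    param([hashtable]$State = (Get-DeviceJoinState))

    $aad    = $State['AzureAdJoined'] -eq 'YES'
    $domain = $State['DomainJoined']  -eq 'YES'

    if ($aad -and $domain) {
        # Expected outcome of an Autopilot profile configured for hybrid join.
        return 'HybridAzureAdJoined'
    } elseif ($aad) {
        # Autopilot profile lacked the hybrid setting; per the note above, the
        # device must be reset before it can be hybrid joined.
        return 'AzureAdJoinedOnly'
    } elseif ($domain) {
        # Joined to on-premises AD but not yet registered with Azure AD.
        return 'OnPremDomainJoinedOnly'
    } else {
        return 'NotJoined'
    }
}

# Usage: summarise the fields that matter for this page's scenario.
$state = Get-DeviceJoinState
[pscustomobject]@{
    AzureAdJoined = $state['AzureAdJoined']
    DomainJoined  = $state['DomainJoined']
    DomainName    = $state['DomainName']
    TenantName    = $state['TenantName']
    Verdict       = Test-HybridJoin -State $state
}
```

A device that reports AzureAdJoinedOnly on a pilot run indicates the Autopilot profile in Azure was not assigned with the hybrid setting; fix the profile assignment before enrolling further devices, since those already enrolled need a full reset.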
On-Premises Domain Join
If you use Active Directory to manage users, you can use Workspace ONE UEM to assign your on-premises domain join configurations.
Requirements
- AirWatch Cloud Connector (ACC): Use ACC to configure domain join for on-premises Active Directory.
- Active Directory Users and Computers (ADUC): You need the MMC snap-in called ADUC to configure on-premises domain join. This snap-in is part of Remote Server Administration Tools (RSAT). See Microsoft | Docs for the latest documentation on Windows Server.
Assumptions
- You have domains and Organization Units set in your domain in Azure.
- You have configured Directory Services in the Workspace ONE UEM console if you are using Active Directory. For details on how to configure Directory Services, access Integrating Workspace ONE UEM with your Directory Services.
Order of Tasks
- In ADUC, configure a user account with Windows Server delegate permissions, create a custom delegate task, and configure permissions.
- In ACC, update the login with the user account created in ADUC and add write permissions. Ensure that the user also has local admin privileges on the ACC server so that they can successfully start the service.
- In Workspace ONE UEM, create a domain join configuration for on-premises Active Directory.
- In Workspace ONE UEM, specify the Organization Unit information by creating and deploying single or multiple assignments for the domain join configuration.
In ADUC, select the user with Windows Server delegate permissions, create a custom delegate task, and configure permissions.
- Right-click the container or folder where you want to add devices and select Delegate Control. This selection displays the Delegation of Control Wizard.
- Select Next in the Delegation of Control Wizard.
- On the Users or Groups window, select the user with Windows Server delegate permissions from the list, select Add, and then select Next. If this user account is not a member of the Domain Administrators group, increase the computer account creation limit (ms-DS-MachineAccountQuota) from the default value of 10 to prevent failures after joining 10 devices to the domain.
- On the Tasks to Delegate window, select Create a custom task to delegate and then select Next.
- On the Active Directory Object Type window, select Only the following objects in the folder:, Computer Objects, and Create selected objects in this folder menu items, and then select Next.
- On the Permissions window, select General, Creation/deletion of specific child objects, Write, and Create All Child Objects, and then select Next.
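The wizard steps above grant the delegated account rights on one container, and the machine account quota decides how many computers a non-Domain-Admin account can join. Both are easy to get wrong silently (too few rights and joins fail; too many and the service account becomes a high-value target), so the following added example, not VMware's code, reads both back from a workstation with RSAT installed. The account name and OU distinguished name are assumptions for illustration; the computer class schemaIDGUID is the well-known value from the AD schema.

```powershell
# Added example (not part of the original page): audit the ADUC delegation and
# the machine account quota after running the Delegation of Control Wizard.
Import-Module ActiveDirectory

$delegateAccount = 'EXAMPLE\svc-uem-domainjoin'                   # assumption
$targetOu        = 'OU=Workspace ONE Devices,DC=example,DC=com'    # assumption

function Test-AdRight {
    # True when every bit of $Flag is present in $Rights (GenericAll is a mask,
    # so a plain -band test would match almost any ACE).
    param([System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [System.DirectoryServices.ActiveDirectoryRights]$Flag)
    return (($Rights -band $Flag) -eq $Flag)
}

# 1. Machine account quota on the domain naming context (default 10).
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"
# Raising it requires Domain Admin rights, for example (value is an assumption):
# Set-ADObject -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 1000}

# 2. ACEs that the wizard granted to the delegated account on the target OU.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'computer'
$aces = (Get-Acl -Path "AD:\$targetOu").Access |
    Where-Object { $_.IdentityReference.Value -eq $delegateAccount }

$aces | Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritedObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize

# 3. Expected: an Allow ACE with CreateChild scoped to the computer class
#    (this is what "Create selected objects in this folder" + Computer Objects produces).
$createComputers = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (Test-AdRight $_.ActiveDirectoryRights 'CreateChild') -and
    $_.ObjectType -eq $computerClassGuid
}
if (-not $createComputers) {
    Write-Warning "No 'create computer objects' ACE found for $delegateAccount on $targetOu"
}

# 4. Flag rights that go beyond what the join needs: full control, or the ability
#    to rewrite the OU's permissions or owner. None of these are selected by the
#    wizard steps on this page, so their presence means the account was over-delegated.
$broad = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        (Test-AdRight $_.ActiveDirectoryRights 'GenericAll') -or
        (Test-AdRight $_.ActiveDirectoryRights 'WriteDacl')  -or
        (Test-AdRight $_.ActiveDirectoryRights 'WriteOwner')
    )
}
if ($broad) {
    Write-Warning "Over-broad ACEs found for $delegateAccount on ${targetOu}:"
    $broad | Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
}
```

Run it once after the wizard and again whenever the delegation is changed; the ACE listing is also a convenient record to attach to the change ticket.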
Update the ACC service logon and grant write permissions to the user account you configured in ADUC when delegating the custom task.
- Change the Log On As for the ACC to the user configured with Windows Server delegate permissions.
Note: Ensure that the user also has local admin privileges on the ACC server so that they can successfully start the service.
- In the ACC Advanced Security Settings area, give the user WRITE permissions for the ACC folder at <Drive>:\VMware\AirWatch\CloudConnector.
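Because the ACC service now runs as the delegated AD account, the service's logon identity, its local admin membership, and the NTFS rights on the CloudConnector folder all have to line up. The following added example, not VMware's code, checks the three from an elevated PowerShell session on the ACC server. The service display-name filter, the account name, and the drive letter are assumptions; adjust them to your environment.

```powershell
# Added example (not part of the original page): verify the ACC service logon,
# local admin membership, and folder permission described in the steps above.
$delegateAccount = 'EXAMPLE\svc-uem-domainjoin'            # assumption
$accFolder       = 'C:\VMware\AirWatch\CloudConnector'      # <Drive> assumed to be C:

# 1. Which account does the ACC service log on as? (display-name filter is an assumption)
$svc = @(Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE '%Cloud Connector%'")
$svc | Select-Object Name, DisplayName, StartName, State, StartMode | Format-Table -AutoSize
if ($svc.Count -eq 0) {
    Write-Warning 'No service matching *Cloud Connector* found; check the service display name.'
} elseif ($svc[0].StartName -ne $delegateAccount) {
    Write-Warning "Service logs on as '$($svc[0].StartName)', expected '$delegateAccount'."
}

# 2. Is the account a local administrator? (needed to start the service, per the note above)
$isLocalAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -eq $delegateAccount })
"Local Administrators member: $isLocalAdmin"

# 3. Does the account hold Write on the CloudConnector folder?
$acl  = Get-Acl -Path $accFolder
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $delegateAccount }
$aces | Select-Object FileSystemRights, AccessControlType, IsInherited, InheritanceFlags |
    Format-Table -AutoSize

$write    = [System.Security.AccessControl.FileSystemRights]::Write
$hasWrite = [bool]($aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $write) -eq $write)
})
if (-not $hasWrite) { Write-Warning "$delegateAccount lacks Write on $accFolder" }

# 4. List every principal that can change the folder's permissions. The service
#    loads its binaries from here, so this list should be short and reviewed.
$changePerms = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $changePerms) -eq $changePerms)
} | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
```

If the service is running under the expected account but fails to start, the local Administrators check is the first thing to look at; the folder ACL comes next.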
Step Three: Create an On-Premises Domain Join
Deploy a domain join configuration in Workspace ONE UEM to enrolled Windows devices that use Active Directory credentials to access resources.
- In the Workspace ONE UEM console, go to Groups & Settings > Configurations and select Domain Join from the list.
- Select Add.
- Enter a meaningful entry in the Name field so you can recognize the domain join. For example, if your users and computers in Active Directory follow a geographic pattern, you can enter Acme - South America. This entry does not have to match any settings in Active Directory, but using similar patterns in both systems can help organize your devices in your domain joins.
- Select On-Premises Active Directory for the Domain Join Type.
- View the Domain Name. The domain join configuration page enters the name of the Server configured on the Directory Services page. The Workspace ONE UEM directory services configuration allows one server for directory services, so this field is autocompleted. Find Directory Services settings in Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
Note: If you want to change the Server entry on the Directory Services page, you have to Disable the DNS SRV menu item.
- Select the Domain Friendly Name. The domain join configuration page offers you a list of available friendly names added to the domain list for your directory services server on the Directory Services page. Find Directory Services in Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
- Enter your preferred machine name format in the Machine Name Format field. Use a supported format for your machine name. The tool tip specifies the accepted formats. Workspace ONE UEM uses a maximum of 15 characters from the %SERIAL% or %RAND:[#]% formats.
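Windows computer names are limited to 15 characters, so a format such as a site prefix plus %SERIAL% can silently exceed the limit once a real serial is substituted. The following added example, not VMware's code, previews what a format would expand to and checks the length and character set before the configuration is assigned. The expansion rules are this example's assumptions (%SERIAL% becomes the device serial, %RAND:n% becomes n random digits); it does not model how the console itself trims names beyond applying the 15-character cap, and the sample serial is constructed.

```powershell
# Added example (not part of the original page): preview a Machine Name Format
# against the 15-character computer-name limit. Expansion rules are assumptions.

function Expand-MachineNameFormat {
    param(
        [Parameter(Mandatory)][string]$Format,
        [Parameter(Mandatory)][string]$Serial
    )
    # %SERIAL% -> the device serial number (assumed substitution).
    $name = $Format -replace '%SERIAL%', $Serial

    # %RAND:n% -> n random digits (assumed substitution).
    $name = [regex]::Replace($name, '%RAND:(\d+)%', {
        param($m)
        $n = [int]$m.Groups[1].Value
        -join (1..$n | ForEach-Object { Get-Random -Minimum 0 -Maximum 10 })
    })

    [pscustomobject]@{
        Format       = $Format
        Expanded     = $name
        Length       = $name.Length
        FitsLimit    = ($name.Length -le 15)
        InvalidChars = [bool]($name -match '[\\/:*?"<>|.,~!@#$%^&''(){}\s]')   # not allowed in computer names
    }
}

# Usage with a constructed serial number.
$sampleSerial = 'PF3KQ7XR9A'   # constructed, 10 characters
'ACME-SA-%SERIAL%', 'SA-%SERIAL%', 'ACME-%RAND:6%' |
    ForEach-Object { Expand-MachineNameFormat -Format $_ -Serial $sampleSerial } |
    Format-Table -AutoSize
```

With the constructed 10-character serial, ACME-SA-%SERIAL% expands to 18 characters and is flagged, while SA-%SERIAL% fits; run it with a serial from your own hardware fleet before choosing a prefix.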
- Save the domain join configuration to assign it later or select to Save & Assign now.
Step Four: Assign a Domain Join Configuration
- In the Workspace ONE UEM console, navigate to an assignment page by selecting Assign from the domain join list view at Groups & Settings > Configurations and select Domain Join. This configuration window displays if you select to Save & Assign your domain join configuration.
- Select the name of the domain join configuration unless the entry is prepopulated.
- Add an Assignment Name that has meaning for you and that helps you identify the assignment. The entry does not need to match any setting in Active Directory.
- Search for Organization Units configured in your ADUC settings, and select only one Organization Unit.
- Search and select smart groups that are configured in Workspace ONE UEM. You can assign a smart group to one Organization Unit and no more. If you try to select a smart group that is already assigned an Organization Unit, the console displays an error message with information so you can troubleshoot and decide which smart groups to use to fit your current deployment scenario.
- Create and save your assignment.
Computers Container in Active Directory (AD) and OU/Smart Groups Conflicts
You can add multiple assignments to domain join configurations but consider the flexibility of smart groups. Since smart groups are flexible, it is possible you might have a device in multiple assignments for a domain join configuration. This scenario means that the device is also assigned to multiple Organization Units, which is not allowed. When the console identifies that a device is in multiple assignments for a domain join configuration, it puts that device in the Computers container in Active Directory. You can go to ADUC and put the device in the desired Organization Unit. The device receives the domain join configuration that matches the assignment for the Organization Unit.
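Devices that fall into the default Computers container because of overlapping smart groups are easy to miss until something that depends on OU placement (GPOs, the matching domain join assignment) fails. The following added example, not VMware's code, lists recently created computer objects sitting directly in that container and shows the move to the intended OU. The seven-day window and the OU distinguished name are assumptions.

```powershell
# Added example (not part of the original page): find computer objects that landed
# in the default Computers container and move one to the intended OU.
Import-Module ActiveDirectory

$domain             = Get-ADDomain
$computersContainer = $domain.ComputersContainer    # usually CN=Computers,<domain DN>
$lookbackDays       = 7                             # assumption
$intendedOu         = 'OU=Workspace ONE Devices,DC=example,DC=com'   # assumption

# Computers created recently directly under the container (OneLevel: no sub-OUs).
$stranded = Get-ADComputer -SearchBase $computersContainer -SearchScope OneLevel `
                -Filter * -Properties whenCreated |
    Where-Object { $_.whenCreated -gt (Get-Date).AddDays(-$lookbackDays) } |
    Sort-Object whenCreated -Descending

$stranded | Select-Object Name, whenCreated, DistinguishedName | Format-Table -AutoSize

# Move one device into the OU whose assignment it should receive. Uncomment to run.
# foreach ($c in $stranded) {
#     Move-ADObject -Identity $c.DistinguishedName -TargetPath $intendedOu
# }
```

Before moving devices in bulk, resolve the smart-group overlap in the console; otherwise the next device with the same memberships lands in the container again.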
Domain Join Re-assignment
The domain join configuration for a device is evaluated and applied during the enrollment process. Once a device has received a domain join configuration, you cannot update it by changing the assigned smart groups in Workspace ONE UEM. Workspace ONE UEM only delivers a domain join configuration to the device one time upon enrollment.
Workgroup Join
If you have users that use a local account to access their Windows devices and resources, configure a workgroup join in Workspace ONE UEM.
Order of Tasks
- In Workspace ONE UEM, create a domain join configuration for Workgroup Join.
- In Workspace ONE UEM, specify the Workgroup Name, Machine Name format, and Local user settings, and then assign the configuration to a Smart Group.
Step One: Create a Domain Join for Workgroups
Deploy a domain join configuration in Workspace ONE UEM for enrolled Windows Desktop devices that use local accounts to access resources.
- In the Workspace ONE UEM console, go to Groups & Settings > Configurations and select Domain Join from the list.
- Select Add.
- Enter a meaningful entry in the Name field so you can recognize the domain join. For example, if your users and computers in Active Directory follow a geographic pattern, you can enter Acme - South America. This entry does not have to match any settings in Active Directory, but using similar patterns in both systems can help organize your devices in your domain joins.
- Select Workgroup for the Domain Join Type.
- Enter a name for the Workgroup. The entry is to help you organize and identify the workgroup in the Workspace ONE UEM console.
- Enter the machine name format in the Machine Name Format field. Use a supported format for your machine name. The tool tip specifies supported formats in the UI. Use exactly 15 characters in a %SERIAL% or %RAND:[#]% format.
- If you want to create the local user for domain join now, enable Create Local User.
- If you want to give the local user admin permissions, enable Make Administrator. Administrators have permissions that include the ability to unenroll the device and to uninstall system apps.
- Enter a Local Username and a Local User Password that the device user enters to access the device with this domain join configuration. Give the user name and password entry to your users.
- Save the domain join configuration to assign it later or select to Save & Assign now.
Step Two: Assign a Domain Join Configuration
- In the Workspace ONE UEM console, navigate to an assignment page by selecting Assign from the domain join list view at Groups & Settings > Configurations and select Domain Join. This configuration window displays if you select to Save & Assign your domain join configuration.
- Select the name of the domain join configuration unless the entry is prepopulated.
- Add an Assignment Name that has meaning for you and that helps you identify the assignment. The entry does not need to match any setting in Active Directory.
- Search and select smart groups that are configured in Workspace ONE UEM. You can assign a smart group to only one Workgroup configuration. If you try to select a smart group that is already assigned a Workgroup configuration, the console displays an error message with information so you can troubleshoot and decide which smart groups to use to fit your current deployment scenario.
- Create and save your assignment.