In this environment, the presence of both a proxy and a VPN makes for a complex situation with multiple proxies in play. As the diagram below shows, the firewall proxy must whitelist the URLs of the AAD endpoints login.microsoftonline.com and enterpriseregistration.windows.net, and both the WinInet and WinHTTP proxies must allow the device enrolment service through.
* The diagram will be useful for environments that use the same concept.
Windows has two kinds of proxy settings:
1. The WinInet proxy, which is the one configured in Windows Settings; it applies to browser access and lets the browser reach the internet.
2. The WinHTTP proxy, which is the one configured with the netsh winhttp set proxy command; it applies to service and task processes and lets the Task Scheduler service register the computer automatically.
From the knowledge base that I found, I ran the join using the command dsregcmd /status, which provides the hint that shows the Error Phase in Discover mode: diagnostics tests are passing but the registration attempt failed with a directory error, which is expected for sync-join.
Run the command netsh winhttp set proxy x.x.x.x:port and monitor the error phase; it will change to pre-check.
To verify it, launch Task Scheduler and navigate to Task Scheduler Library > Microsoft > Windows > Workplace Join.
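The checks described above, collected into one script as an added example (not the author's own code): it reads the WinInet and WinHTTP proxy settings, tests whether the two AAD endpoints answer through the WinHTTP-style proxy, lists the Workplace Join tasks, and pulls the join state from dsregcmd. The proxy address is a placeholder; replace it with your own.

```powershell
# Added example: inspect both Windows proxy layers and the Workplace Join task
# before troubleshooting a Hybrid Azure AD Join. Run in an elevated PowerShell.
$ProxyToTest  = 'http://proxy.example.local:8080'   # assumption: replace with your proxy
$AadEndpoints = @('https://login.microsoftonline.com',
                  'https://enterpriseregistration.windows.net')

# 1. WinInet proxy (per-user; this is what the browser uses)
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"WinInet: ProxyEnable=$($inet.ProxyEnable) ProxyServer=$($inet.ProxyServer)"

# 2. WinHTTP proxy (machine-wide; this is what services and scheduled tasks use)
"WinHTTP: " + ((netsh winhttp show proxy) -join ' ').Trim()

# 3. Can the AAD endpoints be reached through the proxy?
foreach ($url in $AadEndpoints) {
    try {
        $r = Invoke-WebRequest -Uri $url -Proxy $ProxyToTest -UseBasicParsing -TimeoutSec 15
        "$url reachable via proxy (HTTP $($r.StatusCode))"
    } catch {
        # An HTTP error status still proves the proxy forwarded the request;
        # only a missing response means the proxy or firewall blocked it.
        if ($_.Exception.Response) {
            "$url reachable via proxy (HTTP $([int]$_.Exception.Response.StatusCode))"
        } else {
            "$url NOT reachable via proxy: $($_.Exception.Message)"
        }
    }
}

# 4. Workplace Join scheduled tasks (these perform the automatic registration)
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' |
    Select-Object TaskName, State |
    Format-Table -AutoSize

# 5. Current join state and error phase as reported by dsregcmd
dsregcmd /status |
    Select-String -Pattern 'AzureAdJoined|DomainJoined|Error Phase' |
    ForEach-Object { $_.Line.Trim() }
```

If step 3 fails while step 1 succeeds, the WinInet proxy is fine but the WinHTTP proxy or firewall whitelist is not, which matches the pre-check failure this post describes.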
You may use this solution if your environment:
1. Uses Hybrid Azure AD Join with auto enrollment via GPO
2. Has SCCM co-management enabled
3. Requires a proxy to access corporate resources while connected to the corporate network
4. Requires a VPN with a proxy to access corporate resources while connected to an external network