K223
Enthusiast

AD and WS1 joined devices.

Would there be any difference or problem enrolling a Windows machine in WS1 before or after already joining the machine to AD? The only reason to enroll these particular machines in WS1 is for inventory management/tracking purposes. Otherwise they will be domain managed through SCCM. I realize GPOs on the AD side would be a consideration or can cause restrictions. I would be using a local generic account to enroll these machines into WS1.

1 Reply
AlexAskin
Enthusiast

WS1 issues an authentication certificate to the current Windows user during enrollment. If using a staging account, WS1 will re-assign the device to the first domain user who logs on. Therefore a local user owning the cert, which later will not be used, will very likely not work.

In regard to GPOs: if there are conflicting directives from MDM and AD GPOs, you can choose which should win: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict

In addition: be aware that Microsoft decided not to support any 3rd-party MDM provider besides SCCM. When the Configuration Manager client detects that a third-party MDM service is also managing the device, it automatically deactivates the following workloads in Configuration Manager:

  • Resource access policies for VPN, Wi-Fi, email, and certificate settings
  • Application management, including legacy packages
  • Software update scanning and installation
  • Endpoint protection, the Windows Defender suite of antimalware protection features
  • Compliance policy for conditional access
  • Device configuration
  • Office Click-to-Run management

Source: https://docs.microsoft.com/en-us/mem/configmgr/comanage/coexistence

- Alex

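The ControlPolicyConflict setting Alex links to is a Policy CSP node, ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP, an integer where 0 (the default) lets Group Policy win and 1 lets the MDM policy win. The script below is an added example for checking and, if you choose, setting that node locally on a test machine; it is not code from this thread, from VMware or from Microsoft. It assumes the MDM Bridge WMI provider class name MDM_Policy_Config01_ControlPolicyConflict02 in the root\cimv2\mdm\dmmap namespace and that you run it as LocalSystem (for example via psexec -s -i powershell.exe), because that provider refuses other callers. In production you would push the same value from the MDM console rather than set it by hand; the local read is mainly useful to confirm what the device actually received.

```powershell
# Added example, not code from the thread or from VMware/Microsoft.
# Reads, and with -Apply sets, Policy CSP ControlPolicyConflict/MDMWinsOverGP via
# the MDM Bridge WMI provider (root\cimv2\mdm\dmmap). The provider only answers
# callers running as LocalSystem, so launch it from "psexec -s -i powershell.exe".
#
# The equivalent OMA-DM SyncML an MDM server sends for the same node:
#   <LocURI>./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP</LocURI>
#   <Data>1</Data>      (Format: int; 0 = GP wins (default), 1 = MDM wins)

param(
    [ValidateSet(0, 1)]
    [int]$Desired = 1,
    [switch]$Apply
)

$ns    = 'root\cimv2\mdm\dmmap'
$class = 'MDM_Policy_Config01_ControlPolicyConflict02'   # assumed bridge class name

# Current state. No instance means the node was never written: GP wins on conflicts.
$policy = Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    Write-Output 'MDMWinsOverGP: not configured (GP wins on conflicts)'
} else {
    Write-Output ("MDMWinsOverGP: {0}" -f $policy.MDMWinsOverGP)
}

if (-not $Apply) { return }

if ($null -eq $policy) {
    # Creating the instance is the WMI equivalent of an OMA-DM Add. ParentID and
    # InstanceID follow the Policy CSP layout the bridge provider expects.
    $policy = New-CimInstance -Namespace $ns -ClassName $class -Property @{
        ParentID      = './Vendor/MSFT/Policy/Config'
        InstanceID    = 'ControlPolicyConflict'
        MDMWinsOverGP = $Desired
    }
} elseif ($policy.MDMWinsOverGP -ne $Desired) {
    # Existing instance: equivalent of an OMA-DM Replace.
    $policy.MDMWinsOverGP = $Desired
    Set-CimInstance -CimInstance $policy
}

# Re-read and report. Only settings that exist in the Policy CSP are affected by
# this switch; a GPO with no MDM equivalent is still applied by Group Policy.
$policy = Get-CimInstance -Namespace $ns -ClassName $class
Write-Output ("MDMWinsOverGP now: {0}" -f $policy.MDMWinsOverGP)
```

Run it without -Apply first to see what the device already has. Keep in mind that flipping the value to 1 does nothing for GPO settings that have no Policy CSP counterpart, and that the SCCM workload deactivation Alex lists above is independent of this setting: it is triggered by the presence of the third-party MDM enrollment, not by who wins policy conflicts.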