Struggling with Entra ID P1 and Windows 11 Enterprise – Need Advice

Asked By TechWhiz84 On

Hey everyone! I've been working with on-prem setups for years, but I'm pretty new to Azure and Entra. I'm trying to set up a group of users with Windows 11 Enterprise E3, but I'm running into some issues with syncing and GPOs (Group Policy Objects). I created a test Active Directory and DNS server and got Entra ID P1 licensed for the endpoints. After assigning licenses, I configured cloud sync with Entra Connect, which works for getting AD to sync with Microsoft Entra ID, but not the other way around—it seems I have different problems with that, likely related to scoping filters.

So, here's the kicker: I freshly installed Windows 11 on a test laptop, created a local account, and joined it to my AD domain. While GPOs apply, when I sign in through "Access work or school," it signs me into the test account that has an Enterprise license, but the OS doesn't upgrade. Entra shows that the device is "Microsoft Entra registered" instead of "joined."

I tried reinstalling Windows 11 and signing in with a Microsoft account during setup. This allowed the OS to upgrade to Enterprise, and the device showed as "joined" in Entra, but now it won't sync back to my local AD, which means local GPOs won't apply because it's connected to Azure AD.

Am I missing something crucial here? I'm not expecting on-prem GPOs to sync directly to Entra, but how can I effectively manage these endpoints while using Entra? Should I ditch my local AD and switch to solely using Intune MDM? It feels like the licensing situation is making this unnecessarily complicated, and I would rather not have a hybrid setup. Appreciate any help!

3 Answers

Answered By CloudGuru77 On

It sounds like you're running into hybrid join issues. You need the devices joined to on-prem Active Directory first, then they can be synced with Entra Connect. Make sure you've set up Hybrid Device Join properly and enabled the Service Control Point. After all that's done, a scheduled task will handle the registration to Entra automatically. But honestly, if you can avoid the hybrid setup, I'd recommend it. Intune is generally easier to manage and these days, you can get a lot of the same features as GPOs with it. Hybrid environments are becoming less common since Intune is catching up.

TechWhiz84 -

Thanks for the insights! I'll definitely check the hybrid join setup more carefully.

Answered By ITWizard99 On

Just a heads up, Entra Connect only syncs one way—from on-prem to Entra, not the other way around. If you want to discuss more, I'm also stuck in a similar situation. Maybe we can chat a bit?

CloudGuru77 -

Sure thing, feel free to message me! I'd be happy to share what I know.

Answered By SysAdminFan On

I haven't worked with Intune directly, but I hear it's pretty much in line with other MDMs. For your first scenario, did you install the Company Portal app? You may need to configure an Intune profile to upgrade the Windows license to Enterprise as well. That could be a key step you might be missing.
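The two answers above point at the same set of facts on the test laptop: whether it is domain joined, whether it is Entra joined or only Entra registered (the "Add work account" path), whether Entra Connect has published the device registration SCP in AD, whether the Automatic-Device-Join scheduled task exists, and whether Subscription Activation has stepped the edition up to Enterprise (Subscription Activation requires an Entra joined or hybrid joined device and a signed-in Entra user who holds the Windows E3 license; a registered-only device does not qualify). The script below is an added, read-only preflight that reports all of those at once; it is not code posted by anyone in this thread. Function names (Get-DsregStatus, Get-DeviceRegistrationScp, Get-WindowsLicenseState, Test-HybridJoinReadiness) are mine, and it assumes an elevated PowerShell session on the domain-joined laptop with the RSAT ActiveDirectory module installed so Get-ADObject can read the configuration partition.

```powershell
# Added example, not from the thread. Assumptions: elevated PowerShell on the
# domain-joined Windows 11 test laptop; RSAT ActiveDirectory module present.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; the keys are single tokens
    # (DomainJoined, AzureAdJoined, WorkplaceJoined, AzureAdPrt, TenantName, ...).
    $map = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]\w*)\s*:\s*(.*?)\s*$') {
            $map[$matches[1]] = $matches[2]
        }
    }
    return $map
}

function Get-DeviceRegistrationScp {
    # Entra Connect's "Configure device options" page publishes a serviceConnectionPoint
    # under CN=Device Registration Configuration,CN=Services,<configuration NC>;
    # its keywords carry azureADName:<tenant> and azureADId:<tenant id>.
    try {
        $base = "CN=Device Registration Configuration,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
        $scp  = Get-ADObject -LDAPFilter '(objectClass=serviceConnectionPoint)' `
                             -SearchBase $base -Properties keywords -ErrorAction Stop
        if (-not $scp) { return $null }
        $kw = @($scp)[0].keywords
        return [pscustomobject]@{
            TenantName = ($kw | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
            TenantId   = ($kw | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
        }
    } catch {
        return $null    # container absent, RSAT missing, or no line of sight to a DC
    }
}

function Get-WindowsLicenseState {
    # EditionID from the registry plus the active Windows license entry from the
    # Software Licensing provider (ApplicationID 55c92734-... selects Windows itself).
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $lic = Get-CimInstance -ClassName SoftwareLicensingProduct `
               -Filter "PartialProductKey IS NOT NULL AND ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f'" |
           Select-Object -First 1
    return [pscustomobject]@{
        EditionID     = $edition
        Product       = $lic.Name
        LicenseStatus = $lic.LicenseStatus    # 1 = licensed
    }
}

function Test-HybridJoinReadiness {
    $st   = Get-DsregStatus
    $scp  = Get-DeviceRegistrationScp
    $lic  = Get-WindowsLicenseState
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
                              -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
    $taskState = if ($task) { [string]$task.State } else { 'not found' }

    $r = [ordered]@{
        DomainJoined    = ($st['DomainJoined']    -eq 'YES')
        AzureAdJoined   = ($st['AzureAdJoined']   -eq 'YES')   # joined (cloud-only or hybrid)
        WorkplaceJoined = ($st['WorkplaceJoined'] -eq 'YES')   # "Entra registered" via Add work account
        UserHasPrt      = ($st['AzureAdPrt']      -eq 'YES')   # current user signed in with an Entra account
        DeviceTenant    = $st['TenantName']
        ScpTenant       = $scp.TenantName
        JoinTaskState   = $taskState
        EditionID       = $lic.EditionID
        LicenseStatus   = $lic.LicenseStatus
        Findings        = @()
    }

    if ($r.DomainJoined -and $r.AzureAdJoined) {
        $r.Findings += 'Device is Microsoft Entra hybrid joined.'
    } elseif ($r.AzureAdJoined) {
        $r.Findings += 'Device is Entra joined only (no domain join); on-prem GPOs do not apply.'
    } elseif ($r.DomainJoined -and $r.WorkplaceJoined) {
        $r.Findings += 'Domain joined but only Entra registered (Add work account); hybrid join has not happened.'
    } elseif ($r.DomainJoined) {
        $r.Findings += 'Domain joined, not yet registered with Entra; hybrid join is pending.'
    } else {
        $r.Findings += 'Not domain joined; hybrid join needs the on-prem AD join first.'
    }
    if (-not $scp)  { $r.Findings += 'No device-registration SCP in AD: configure hybrid join in Entra Connect (Configure device options).' }
    if (-not $task) { $r.Findings += 'Automatic-Device-Join scheduled task missing; nothing will register the device with Entra.' }

    if ($r.EditionID -eq 'Enterprise') {
        $r.Findings += 'Edition is Enterprise; Subscription Activation has already stepped the device up.'
    } elseif (-not $r.AzureAdJoined) {
        $r.Findings += "Edition is $($r.EditionID): Subscription Activation needs an Entra joined or hybrid joined device, not a registered one."
    } elseif (-not $r.UserHasPrt) {
        $r.Findings += "Edition is $($r.EditionID): the signed-in user has no PRT; sign in with the Entra account that holds the Windows E3 license."
    } else {
        $r.Findings += "Edition is $($r.EditionID): device state is fine, so check the Windows Enterprise E3 license assignment for this user."
    }
    return [pscustomobject]$r
}

Test-HybridJoinReadiness | Format-List
```

Run it in the session of the user who signed in, because the User State block of dsregcmd (AzureAdPrt, WorkplaceJoined) is per user. A domain-joined device that shows WorkplaceJoined but not AzureAdJoined is the "registered, not joined" state from the question: the SCP and the scheduled task are what turn a plain domain join into a hybrid join, and only after that does the edition step-up have a device state it can work with.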
