update for 2209 ODJ .net

Author: aczechowski

memdocs/autopilot/windows-autopilot-hybrid.md

@@ -1,37 +1,20 @@
 ---
-# required metadata
-
-title: Enrollment for hybrid Azure AD-joined devices - Windows Autopilot
-titleSuffix: 
+title: Enrollment for hybrid Azure AD-joined devices
+titleSuffix: Windows Autopilot
 description: Use Windows Autopilot to enroll hybrid Azure AD-joined devices in Microsoft Intune.
-keywords:
-author: ErikjeMS
-ms.author: erikje
+author: aczechowski
+ms.author: aaroncz
 manager: dougeby
-ms.date: 06/22/2021
+ms.reviewer: jubaptis
+ms.date: 08/03/2022
 ms.topic: how-to
-ms.service: microsoft-intune
-ms.subservice: enrollment
-ms.localizationpriority: high
-ms.technology:
-ms.assetid: 8518d8fa-a0de-449d-89b6-8a33fad7b3eb
- 
-# optional metadata
- 
-#ROBOTS:
-#audience:
-
-ms.reviewer: priyar
-ms.suite: ems
-search.appverid: MET150
-#ms.tgt_pltfrm:
-ms.custom: seodec18
+ms.prod: w10
+ms.localizationpriority: medium
 ms.collection:
   - M365-identity-device-management
   - highpri
 ---
 
-
 # Deploy hybrid Azure AD-joined devices by using Intune and Windows Autopilot
 
 **Applies to**
@@ -43,7 +26,7 @@ You can use Intune and Windows Autopilot to set up hybrid Azure Active Directory
 
 ## Prerequisites
 
-Successfully configure your [hybrid Azure AD-joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan). Be sure to [verify your device registration](/azure/active-directory/devices/hybrid-azuread-join-managed-domains#verify-the-registration) by using the Get-MsolDevice cmdlet.
+Successfully configure your [hybrid Azure AD-joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan). Be sure to [verify your device registration](/azure/active-directory/devices/howto-hybrid-join-verify) by using the Get-MsolDevice cmdlet.
 
 The device to be enrolled must follow these requirements:
 
@@ -115,60 +98,62 @@ The organizational unit that's granted the rights to create computers must match
 
 ### Before you begin
 
-- The Intune Connector for Active Directory must be installed on a computer that's running Windows Server 2016 or later. 
-- The computer must have access to the internet and your Active Directory. 
+- The Intune Connector for Active Directory must be installed on a computer that's running Windows Server 2016 or later with .NET Framework version 4.7.2 or later.
+
+- The computer must have access to the internet and your Active Directory.
+
 - To increase scale and availability, you can install multiple connectors in your environment. We recommend installing the Connector on a server that's not running any other Intune connectors. Each connector must be able to create computer objects in any domain that you want to support.
 
 - If your organization has multiple domains and you install multiple Intune Connectors, you must use a service account that can create computer objects in all domains, even if you plan to implement hybrid Azure AD join only for a specific domain. If these are untrusted domains, you must uninstall the connectors from domains in which you don't want to use Windows Autopilot. Otherwise, with multiple connectors across multiple domains, all connectors must be able to create computer objects in all domains.
 
   This connector service account must have the following permissions:
 
-  - **[Log on as a service](/system-center/scsm/enable-service-log-on-sm)**
+  - [**Log on as a service**](/windows/security/threat-protection/security-policy-settings/log-on-as-a-service)
   - Must be part of the **Domain user** group
   - Must be a member of the local **Administrators** group on the Windows server that hosts the connector
 
 - The Intune Connector requires the [same endpoints as Intune](../intune/fundamentals/intune-endpoints.md).
 
 ### Install steps
 
-1. Turn off IE Enhanced Security Configuration. By default Windows Server has Internet Explorer Enhanced Security Configuration turned on. If you're unable to sign in to the Intune Connector for Active Directory, then turn off IE Enhanced Security Configuration for the Administrator. [How To Turn Off Internet Explorer Enhanced Security Configuration](/archive/blogs/chenley/how-to-turn-off-internet-explorer-enhanced-security-configuration). 
-2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Windows** > **Windows enrollment** > **Intune Connector for Active Directory** > **Add**. 
+1. Turn off IE Enhanced Security Configuration. By default Windows Server has Internet Explorer Enhanced Security Configuration turned on. If you're unable to sign in to the Intune Connector for Active Directory, then turn off IE Enhanced Security Configuration for the Administrator. [How to turn off Internet Explorer enhanced security configuration](/archive/blogs/chenley/how-to-turn-off-internet-explorer-enhanced-security-configuration).
+2. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), select **Devices** > **Windows** > **Windows enrollment** > **Intune Connector for Active Directory** > **Add**.
 3. Follow the instructions to download the Connector.
 4. Open the downloaded Connector setup file, *ODJConnectorBootstrapper.exe*, to install the Connector.
 5. At the end of the setup, select **Configure**.
 6. Select **Sign In**.
-7. Enter the Global administrator or Intune administrator role credentials. 
+7. Enter the Global administrator or Intune administrator role credentials.
  The user account must have an assigned Intune license.
 8. Go to **Devices** > **Windows** > **Windows enrollment** > **Intune Connector for Active Directory**, and then confirm that the connection status is **Active**.
 
 > [!NOTE]
-> 
+>
 > - The Global administrator role is a temporary requirement at the time of installation.
-> - After you sign in to the Connector, it can take several minutes to appear in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). It appears only if it can successfully communicate with the Intune service.
+> - After you sign in to the Connector, it can take several minutes to appear in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). It appears only if it can successfully communicate with the Intune service.
 > - Inactive Intune connectors still appear in the Intune Connectors blade and will automatically be cleaned up after 30 days.
 
 ### Configure web proxy settings
 
 If you have a web proxy in your networking environment, ensure that the Intune Connector for Active Directory works properly by referring to [Work with existing on-premises proxy servers](../intune/enrollment/autopilot-hybrid-connector-proxy.md).
 
-
 ## Create a device group
-1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Groups** > **New group**.
+
+1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), select **Groups** > **New group**.
 
 1. In the **Group** pane, choose the following options:
 
     1. For **Group type**, select **Security**.
     2. Enter a **Group name** and **Group description**.
     3. Select a **Membership type**.
 
-4. If you selected **Dynamic Devices** for the membership type, in the **Group** pane, select **Dynamic device members**.
+1. If you selected **Dynamic Devices** for the membership type, in the **Group** pane, select **Dynamic device members**.
 
-5. Select **Edit** in the **Rule syntax** box and enter one of the following code lines:
+1. Select **Edit** in the **Rule syntax** box and enter one of the following code lines:
     - To create a group that includes all your Autopilot devices, enter `(device.devicePhysicalIDs -any _ -contains "[ZTDId]")`.
     - Intune's Group Tag field maps to the OrderID attribute on Azure AD devices. If you want to create a group that includes all of your Autopilot devices with a specific Group Tag (OrderID), type: `(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")`.
     - To create a group that includes all your Autopilot devices with a specific Purchase Order ID, enter `(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")`.
- 
-6. Select **Save** > **Create**. 
+
+1. Select **Save** > **Create**.
 
 ## Register your Autopilot devices
 
@@ -190,24 +175,27 @@ If your devices aren't yet enrolled, you can register them yourself. For more in
 If you're buying new devices, some OEMs can register the devices for you. For more information, see [OEM registration](oem-registration.md).
 
 Before they're enrolled in Intune, *registered* Autopilot devices are displayed in three places (with names set to their serial numbers):
+
 - The **Autopilot Devices** pane in the Intune in the Azure portal. Select **Device enrollment** > **Windows enrollment** > **Devices**.
 - The **Azure AD devices** pane in the Intune in the Azure portal. Select **Devices** > **Azure AD Devices**.
 - The **Azure AD All Devices** pane in Azure Active Directory in the Azure portal by selecting **Devices** > **All Devices**.
 
 After your Autopilot devices are *enrolled*, they're displayed in four places:
+
 - The **Autopilot Devices** pane in the Intune in the Azure portal. Select **Device enrollment** > **Windows enrollment** > **Devices**.
 - The **Azure AD devices** pane in the Intune in the Azure portal. Select **Devices** > **Azure AD Devices**.
 - The **Azure AD All Devices** pane in Azure Active Directory in the Azure portal. Select **Devices** > **All Devices**.
 - The **All Devices** pane in the Intune in the Azure portal. Select **Devices** > **All Devices**.
 
 After your Autopilot devices are enrolled, their names become the hostname of the device. By default, the hostname begins with *DESKTOP-*.
-A device object is pre-created in Azure AD once a device is registered in Autopilot. When a device goes through a hybrid Azure AD deployment, by design, another device object is created resulting in duplicate entries. 
+A device object is pre-created in Azure AD once a device is registered in Autopilot. When a device goes through a hybrid Azure AD deployment, by design, another device object is created resulting in duplicate entries.
 
-## Supported BYO VPNs 
+## Supported BYO VPNs
 
-Here is a list of VPN clients that are known to be tested and validated:
+Here's a list of VPN clients that are known to be tested and validated:
+
+### Supported clients
 
-**Supported clients:**
 - In-box Windows VPN client
 - Cisco AnyConnect (Win32 client)
 - Pulse Secure (Win32 client)
@@ -217,17 +205,17 @@ Here is a list of VPN clients that are known to be tested and validated:
 - SonicWall (Win32 client)
 - FortiClient VPN (Win32 client)
 
-**Not supported clients:**
+### Not supported clients
+
 - UWP-based VPN plug-ins
 - Anything that requires a user cert
 - DirectAccess
- 
-
 
 ## Create and assign an Autopilot deployment profile
+
 Autopilot deployment profiles are used to configure the Autopilot devices.
 
-1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Windows** > **Windows enrollment** > **Deployment Profiles** > **Create Profile**.
+1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), select **Devices** > **Windows** > **Windows enrollment** > **Deployment Profiles** > **Create Profile**.
 2. On the **Basics** page, type a **Name** and optional **Description**.
 3. If you want all devices in the assigned groups to automatically convert to Autopilot, set **Convert all targeted devices to Autopilot** to **Yes**. All corporate owned, non-Autopilot devices in assigned groups will register with the Autopilot deployment service. Personally owned devices won't be converted to Autopilot. Allow 48 hours for the registration to be processed. When the device is unenrolled and reset, Autopilot will enroll it. After a device is registered in this way, disabling this option or removing the profile assignment won't remove the device from the Autopilot deployment service. You must instead [remove the device directly](add-devices.md#delete-autopilot-devices).
 4. Select **Next**.
@@ -245,43 +233,43 @@ It takes about 15 minutes for the device profile status to change from *Not assi
 
 ## (Optional) Turn on the enrollment status page
 
-1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Windows** > **Windows enrollment** > **Enrollment Status Page**.
+1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), select **Devices** > **Windows** > **Windows enrollment** > **Enrollment Status Page**.
 2. In the **Enrollment Status Page** pane, select **Default** > **Settings**.
 3. In the **Show app and profile installation progress** box, select **Yes**.
 4. Configure the other options as needed.
 5. Select **Save**.
 
 ## Create and assign a Domain Join profile
 
-1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration profiles** > **Create Profile**.
-2. Enter the following properties:
+1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), select **Devices** > **Configuration profiles** > **Create Profile**.
+1. Enter the following properties:
     - **Name**: Enter a descriptive name for the new profile.
     - **Description**: Enter a description for the profile.
     - **Platform**: Select **Windows 10 and later**.
     - **Profile type**: Select **Templates**, choose the template name **Domain Join**, and select **Create**.
-3. Enter the **Name** and **Description** and select **Next**. 
-5. Provide a **Computer name prefix** and **Domain name**.
-6. (Optional) Provide an **Organizational unit** (OU) in [DN format](/windows/desktop/ad/object-names-and-identities#distinguished-name). Your options include:
+1. Enter the **Name** and **Description** and select **Next**.
+1. Provide a **Computer name prefix** and **Domain name**.
+1. (Optional) Provide an **Organizational unit** (OU) in [DN format](/windows/desktop/ad/object-names-and-identities#distinguished-name). Your options include:
     - Provide an OU in which you've delegated control to your Windows 2016 device that is running the Intune Connector.
-    - Provide an OU in which you've delegated control to the root computers in your on-prem Active Directory.
-    - If you leave this blank, the computer object will be created in the Active Directory default container (CN=Computers if you never [changed it](https://support.microsoft.com/help/324949/redirecting-the-users-and-computers-containers-in-active-directory-dom)).
- 
+    - Provide an OU in which you've delegated control to the root computers in your on-premises Active Directory.
+    - If you leave this blank, the computer object will be created in the Active Directory default container (`CN=Computers` if you never [changed it](/troubleshoot/windows-server/identity/redirect-users-computers-containers)).
+
     Here are some valid examples:
-      - OU=Sub OU,OU=TopLevel OU,DC=contoso,DC=com
-      - OU=Mine,DC=contoso,DC=com
- 
+      - `OU=Sub OU,OU=TopLevel OU,DC=contoso,DC=com`
+      - `OU=Mine,DC=contoso,DC=com`
+
     Here are some examples that aren't valid:
-      - CN=Computers,DC=contoso,DC=com (you can't specify a container, instead leave the value blank to use the default for the domain)
-      - OU=Mine (you must specify the domain via the DC= attributes)
- 
+      - `CN=Computers,DC=contoso,DC=com` (you can't specify a container, instead leave the value blank to use the default for the domain)
+      - `OU=Mine` (you must specify the domain via the `DC=` attributes)
+
     > [!NOTE]
     > Don't use quotation marks around the value in **Organizational unit**.
 
-5. Select **OK** > **Create**. The profile is created and displayed in the list.
-6. [Assign a device profile](../intune/configuration/device-profile-assign.md#assign-a-device-profile) to the same group used at the step [Create a device group](windows-autopilot-hybrid.md#create-a-device-group). Different groups can be used if there's a need to join devices to different domains or OUs.
+1. Select **OK** > **Create**. The profile is created and displayed in the list.
+1. [Assign a device profile](../intune/configuration/device-profile-assign.md#assign-a-device-profile) to the same group used at the step [Create a device group](windows-autopilot-hybrid.md#create-a-device-group). Different groups can be used if there's a need to join devices to different domains or OUs.
 
 > [!NOTE]
-> The naming capabilities for Windows Autopilot for Hybrid Azure AD Join do not support variables such as %SERIAL% and only support prefixes for the computer name.
+> The naming capabilities for Windows Autopilot for Hybrid Azure AD Join don't support variables such as %SERIAL% and only support prefixes for the computer name.
 
 ## Next steps