Hi all. Hoping the experts can help me out here. I have several hundred machines that are joined to one of 3 on-premise Active Directories. These machines are now deployed into the field and many of them rarely connect to the VPN or touch the corporate LAN again. I have the GPO in place for the ones that do hit the domain and they join Intune just fine. What is the best way to get the GPO to the machines that are NOT hitting the LAN to get the policy? I do have ManageEngine on them so I can push configs to them, just not in the GPO format. Should I look into setting registry keys using ManageEngine to get them into Intune?
Thanks!!!
IIRC you also need them to write data into their machine objects in AD. These need to hit the VPN.
Onboard your new things to Entra ID instead of AD, since whatever benefits these get from AD clearly aren't being had for these machines.
I would look into using your RMM tool to get these machines into Entra entirely rather than going hybrid with them, which is what it sounds like you’re doing. If they’re never touching the DCs, why have them on the domain? Just go to entirely cloud-based authentication.
This might be a good option for you:
Bulk enrollment for Windows devices - Microsoft Intune.
You might be able to push a bulk enrollment package with ManageEngine. I have seen it be unreliable at times related to existing Workplace Join accounts which you might need to clear ahead of time. This might be the path of least resistance.
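Added example (not from this thread, not ManageEngine's or Microsoft's code): a single script an RMM can run as SYSTEM that covers both the registry-key idea from the original question and the bulk enrollment package idea above. In `Registry` mode it writes the same values the "Enable automatic MDM enrollment using default Azure AD credentials" GPO writes and then runs the enrollment client; it first checks `dsregcmd /status`, because auto-enrollment only works once the device shows as hybrid joined, which still needs that DC round trip mentioned earlier. In `Package` mode it installs a Windows Configuration Designer bulk enrollment `.ppkg` after checking for an existing Workplace Join. The package path, the `-Force` switch and the log directory are this example's own assumptions.

```powershell
<#
  Example RMM script (added here, not from the thread or from Microsoft).
  -Mode Registry : GPO-equivalent MDM auto-enrollment keys + deviceenroller kick.
  -Mode Package  : install a bulk enrollment provisioning package (.ppkg).
  $PackagePath, -Force and the log directory are assumed conventions.
#>
[CmdletBinding()]
param(
    [ValidateSet('Registry', 'Package')]
    [string]$Mode = 'Registry',
    [string]$PackagePath = 'C:\ProgramData\Enroll\BulkEnroll.ppkg',   # assumed path
    [ValidateSet(1, 2)]
    [int]$CredentialType = 1,   # 1 = user credential (what the GPO sets), 2 = device credential
    [switch]$Force              # assumed switch: proceed despite preflight warnings
)

# Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
function Get-DsregStatus {
    $state = @{}
    foreach ($line in (& "$env:windir\System32\dsregcmd.exe" /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

# Intune enrollment leaves HKLM\SOFTWARE\Microsoft\Enrollments\<GUID> with
# ProviderID "MS DM Server" and EnrollmentState 1; use that as the success check.
function Test-IntuneEnrolled {
    $enrolled = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' -and $_.EnrollmentState -eq 1 }
    return [bool]$enrolled
}

function Invoke-RegistryEnrollment {
    $s = Get-DsregStatus
    if ($s['DomainJoined'] -ne 'YES' -or $s['AzureAdJoined'] -ne 'YES') {
        Write-Warning ("Not hybrid joined yet (DomainJoined={0}, AzureAdJoined={1}); " -f $s['DomainJoined'], $s['AzureAdJoined']) +
                      'the device must reach a DC and be synced before MDM auto-enrollment can succeed.'
        if (-not $Force) { return }
    }
    # These two values are what the auto-enrollment GPO writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name AutoEnrollMDM -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name UseAADCredentialType -PropertyType DWord -Value $CredentialType -Force | Out-Null
    # Same command the GPO-created scheduled task runs. With user credentials it
    # needs a signed-in user holding an Azure AD PRT, so it may only succeed at next logon.
    & "$env:windir\System32\deviceenroller.exe" /c /AutoEnrollMDM
}

function Invoke-PackageEnrollment {
    # Workplace Join is per user, so a SYSTEM-context run can miss it; run this
    # check in the user's context if the RMM can, or inspect each signed-in user.
    $s = Get-DsregStatus
    if ($s['WorkplaceJoined'] -eq 'YES' -and -not $Force) {
        Write-Warning 'An existing Workplace Join (Azure AD registered) account is present; clear it first or rerun with -Force.'
        return
    }
    if (-not (Test-Path $PackagePath)) { throw "Package not found: $PackagePath" }
    $logDir = Join-Path $env:ProgramData 'Enroll\Logs'   # assumed log location
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null
    # Provisioning module ships with Windows 10/11; -QuietInstall suppresses the consent prompt.
    Import-Module Provisioning
    Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -ForceInstall -LogsDirectoryPath $logDir
}

if (Test-IntuneEnrolled) { Write-Output 'Already enrolled in Intune; nothing to do.'; return }
switch ($Mode) {
    'Registry' { Invoke-RegistryEnrollment }
    'Package'  { Invoke-PackageEnrollment }
}
Write-Output ("Post-run: Intune enrolled = {0}" -f (Test-IntuneEnrolled))
```

Two things worth checking before pushing this fleet-wide: a bulk enrollment package carries a bulk token with a limited lifetime, so build the package shortly before the push rather than reusing an old one, and the `Registry` path does nothing useful on a machine that never completes the hybrid join, which is the point the earlier reply about machine objects in AD was making.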
Another option could be the hammer approach to require “compliant devices” to access Office 365 and require your users to complete Intune enrollment by a certain date and get compliant. Maybe push for something called “VPN Fridays” to get all your users on the VPN to get the necessary configs down to them.
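Added example (not from this thread, not Microsoft's sample): the "require compliant devices" hammer expressed as a Conditional Access policy created through Microsoft Graph. It is created in report-only mode first so you can see from the sign-in logs which field machines would be cut off before the enforcement date. The policy name, the break-glass exclusion placeholder and the report-only-first sequence are this example's assumptions; `Connect-MgGraph` and `Invoke-MgGraphRequest` come from the Microsoft.Graph.Authentication module.

```powershell
# Example (added here, not from the thread): create a report-only Conditional
# Access policy requiring a compliant device for Office 365, then flip it on later.
# Needs the Microsoft.Graph.Authentication module installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$policy = @{
    displayName = 'Require compliant device for Office 365 (field machines)'   # assumed name
    # Report-only first: sign-in logs show who would have been blocked, nobody is.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers = @('All')
            # Placeholder: put your break-glass account object ID here so a
            # mis-scoped policy cannot lock every admin out.
            excludeUsers = @('<break-glass-account-object-id>')
        }
        applications = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator         = 'OR'
        builtInControls  = @('compliantDevice')
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body $policy -ContentType 'application/json'
Write-Output "Created policy $($created.id) in report-only mode."

# On the enforcement date, after the report-only results look acceptable:
# Invoke-MgGraphRequest -Method PATCH `
#     -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)" `
#     -Body @{ state = 'enabled' } -ContentType 'application/json'
```

Report-only mode is the part that makes this safe for a fleet that rarely checks in: a device that has not enrolled yet shows up as "would have been blocked" in the sign-in logs rather than simply losing mail, which gives you the list of machines to chase through the RMM before the deadline.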
That is the end game for this project but our AD is an absolute mess. We’re trying to clean that up first.