Join a Domain and Sync Group Policy in Workspace ONE UEM

Workspace ONE can fit many use cases depending on the customer's platforms and usage. One of these use cases is managing external Windows laptops, especially corporate laptops, since these devices are required to join the domain and comply with organizational policies. One customer asked me to add this use case, and the requirement was to join these desktops to the domain initially and then to sync Group Policy through Tunnel. In this post I will explain the offline domain join, and in another post I will explain how to manage Group Policy sync through Workspace ONE Tunnel.

Deploying PCs to remote users, especially when domain joining is involved, can pose significant challenges. However, there is a solution that simplifies and streamlines this process. In this blog post, we will explore the concept of offline domain join and its role in easing PC deployment for remote users.

Modernizing PC Deployment: As organizations increasingly transition to remote workforces, the demand for shipping PCs directly to end users is growing. Offline domain join, while not a new technology, has gained popularity and integration with MDM (Mobile Device Management) platforms like Intune or Workspace ONE. This approach enables cloud-powered deployment while still supporting traditional domain join, providing a modern solution for organizations that are yet to fully embrace cloud technologies.

Benefits of Offline Domain Join: Although Azure AD join with out-of-the-box experience, Autopilot, and Windows Hello for Business are ideal for remote PC deployment in a fully modernized environment, not all organizations are ready to adopt these cloud-based technologies. Offline domain join serves as an excellent initial step towards a more dynamic and modern PC deployment approach. It acts as a bridge between traditional domain join and cloud-powered deployment, enhancing efficiency and manageability.

Requirements
  • AirWatch Cloud Connector (ACC): Use ACC to configure domain join for on-premises Active Directory.
  • Active Directory Users and Computers (ADUC): You need the MMC snap-in called ADUC to configure on-premises domain join. This snap-in is part of Remote Server Administration Tools (RSAT).
Assumptions
  • You have domains and Organizational Units set in your domain in Azure.
  • You have configured Directory Services in the Workspace ONE UEM console if you are using Active Directory. For details on how to configure Directory Services, access

The process involves several key steps:

  1. Creating a service account and an offline domain join OU: Set up a dedicated service account for creating offline domain join objects and create a specific OU to store these objects.
  2. Configuring delegated permissions: Give the service account Windows Server delegated permissions on the specific OU where the computer accounts will be created.
  3. Creating a custom delegated task: In the Delegation of Control wizard, create a custom task and configure its permissions (select "Only the following objects in the folder", then "Computer objects", and "Create selected objects in this folder").
  4. Modifying the AirWatch Cloud Connector (ACC): Add the service account to the local administrator group and configure the ACC service to use the service account.
  5. Creating the offline domain join profile: Configure the offline domain join profile in Workspace ONE UEM, specifying the domain information and machine name format. (Follow this URL for detailed steps.)
  6. Creating a staging or provisioning account: Establish a special account to assign the domain join profile.
  7. Creating a smart group for assignment: Create a smart group (or assignment group) to assign the offline domain join profile to the desired devices.
  8. Enrolling and testing the deployment: Enroll a device and run the Workspace ONE provisioning tool to track the progress of application installs and the offline domain join process.

With the above steps we have created the computer account and
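Steps 1 to 3 above are usually done by hand in ADUC and the Delegation of Control wizard; the following PowerShell, added here as an example and not part of the original post or of Workspace ONE, does the same thing on a domain controller with the RSAT ActiveDirectory module. The OU name "ODJ-Computers" and the account name "svc-odj" are assumptions. The point to verify at the end is that the grant is limited to creating computer objects in that one OU and nothing broader.

```powershell
# Added example (not from the original post): create the ODJ OU and service
# account, then delegate only "Create Computer objects" on that OU, which is
# what steps 1-3 do through the Delegation of Control wizard.
# Assumptions: OU "ODJ-Computers", account "svc-odj"; run as a Domain Admin
# with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$DomainDN   = (Get-ADDomain).DistinguishedName
$OuName     = 'ODJ-Computers'
$SvcAccount = 'svc-odj'
$OuDN       = "OU=$OuName,$DomainDN"
# schemaIDGUID of the "computer" class; scopes the grant to computer objects
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Step 1: dedicated OU and dedicated service account
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'")) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'")) {
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
        -AccountPassword (Read-Host -AsSecureString 'Service account password') `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
}

# Steps 2-3: "Only the following objects in the folder" -> Computer objects,
# "Create selected objects in this folder" == CreateChild of class computer,
# applied to this OU only (no inheritance), i.e. least privilege for the ACC.
$sid  = (Get-ADUser $SvcAccount).SID
$acl  = Get-Acl -Path "AD:\$OuDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OuDN" -AclObject $acl

# Check: the only ACE for the service account on this OU should show
# CreateChild with ObjectType = the computer class GUID and InheritanceType None
Get-Acl -Path "AD:\$OuDN" | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\$SvcAccount" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```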

Remember, offline domain join requires domain connectivity for the initial user login. To ensure a seamless user experience, consider utilizing a VPN appliance that supports pre-logon network connections, such as VMware Tunnel.

To make a Windows Offline Domain Join succeed through VMware VPN/Tunnel, we can do it in one of two ways:

1- Full Device VPN: all apps use the tunnel to reach specific URLs/servers/IPs (in this case the domain servers are among the target servers in the Tunnel profile).

2- Per-app Tunnel: we need to specify the EXE files in the VPN profile for Windows devices. The EXE files below are the ones I tested, and they completed the join and Group Policy sync successfully:

c:\Windows\System32\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\slui.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
c:\Windows\explorer.exe
c:\Windows\System32\gpupdate.exe
c:\Windows\System32\lsass.exe
c:\Windows\System32\djoin.exe
system
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\SysWOW64\gpupdate.exe

Add the above to the Windows Device Traffic Rules (DTR) and consider the following:

  • In the Windows device tunnel profile:
    • Do not enable enhanced name resolution unless it is required.
    • Be sure to map the right VPN DTR profile to the Windows profile.
    • In the custom configuration XML file add: <StartTunnelPreLogon>true</StartTunnelPreLogon>
  • Be sure to add the domain (*.domain) as a destination in the DTR rules for the above EXE files.
  • Be sure there is reachability from the Tunnel servers to the domain servers.
  • Save and publish the profile.

I successfully tested the aforementioned settings with my client, and they performed adequately. Nevertheless, if given the option, I would prefer to utilize a full-device VPN instead. This preference arises from the fact that per-app VPN with domain synchronization, Group Policy Objects (GPO), and update functionalities can be rather delicate and reliant on the specific group policy configurations in place.
