Windows 10 Azure AD Join build 1607

This is going to be a short blog post on the updated experience for a user doing an out-of-the-box Azure AD Join in the Anniversary Edition of Windows 10. There are a few cool new things that give the user a much better experience.

One thing to notice is that Convenience PIN is disabled by default for Domain Joined or Azure AD Joined machines. Read on to learn how this affects the users.

I have automatic enrollment in Intune and I have set up an upgrade policy for upgrading to Enterprise Edition. I have set up integration with Windows Store for Business and deployed the Company Portal app from there. I also have Passport for Work, or Windows Hello for Business, enabled through policies in Intune and am using Enterprise Roaming of user settings through Azure AD.


To be able to see this option you need to have Windows 10 Pro on your device. As you can see already here, it explains better to the user what is going on. Windows is telling the user that the PC will be set up either as the company's PC or as a private PC.


Before you mark your choice, there is not much to help the user understand what is what here.


This is still a page where the user can get confused. A lot of normal users do not know the difference between Azure Active Directory and a local AD domain. But just tell your users to choose Join AAD and they should be good to go.


Because I do have Multi-Factor Authentication required to join devices to Azure AD, I need to answer the challenge on my phone to be able to continue. My user is already set up, but if not, the user will be prompted here to provide the required information for MFA to work.


As before, this can take some time to complete, but it “feels faster” 🙂


Now it is time to set up my PIN. This is also as before. Or is it?
This took some time to complete earlier, because we are actually setting up Windows Hello for Business (Passport for Work) and it needs to verify that you are in compliance with the policies.


Now, instead of you having to wait for this background processing to complete, Windows 10 allows you to move on to the desktop really quickly, and you can start to work.

The only reason the user is asked to set up a PIN is that I have enabled Windows Hello for Business (Passport for Work) in Intune policies. If I disable that policy you will not be asked, and the option to set a PIN is removed (grayed out in Settings).


So what else happens in the background?

  1. My user settings have been pulled down from Azure AD, giving me my preferred Windows 10 background picture.
  2. The PC has been upgraded to Windows 10 Enterprise without any user action or reboot. This is really cool.
  3. The Company Portal app has been pulled down from the Windows Store for Business and is ready for use. See the earlier blog post on this if interested.
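One way to confirm on the device that these three background steps, plus the Windows Hello for Business PIN provisioning, actually completed (an added example, not code from the original post; it assumes dsregcmd.exe is present, that the Company Portal package is named Microsoft.CompanyPortal, and that the script runs in the signed-in user's own session, since the dsregcmd user state is per user):

```powershell
# Added example: verify the post-OOBE state the post describes.
# Assumptions: dsregcmd.exe exists (Windows 10 1607+), the Company Portal
# Appx package is named Microsoft.CompanyPortal, and this runs as the
# Azure AD user who just completed OOBE.

# Device join and Windows Hello for Business (NGC key) state
$dsreg    = dsregcmd /status
$joined   = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
$ngcSet   = [bool]($dsreg | Select-String 'NgcSet\s*:\s*YES')

# Edition upgrade: Enterprise should be reported once the Intune policy applied
$edition      = (Get-CimInstance Win32_OperatingSystem).Caption
$isEnterprise = $edition -match 'Enterprise'

# Company Portal delivered from Windows Store for Business
$portal = Get-AppxPackage -Name 'Microsoft.CompanyPortal' -ErrorAction SilentlyContinue

[PSCustomObject]@{
    AzureAdJoined       = $joined
    HelloForBusinessPin = $ngcSet
    Edition             = $edition
    EnterpriseUpgrade   = $isEnterprise
    CompanyPortal       = if ($portal) { $portal.Version } else { 'missing' }
}
```

A False in AzureAdJoined with EnterpriseUpgrade also False usually means the device never reached the MDM enrollment step, so the upgrade and app deployment policies had nothing to apply to.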


I hope you liked my little update on the user experience during OOBE for Azure AD Join on the Anniversary Edition of Windows 10.

3 thoughts on “Windows 10 Azure AD Join build 1607”

  1. Thanks for the write-up. Have you tried doing this on a machine that already has a local account, i.e. you choose local domain instead of Azure domain, which of course requires that you set up a local account on the computer, gets you to the desktop, then you can join your local domain.

    But let’s assume someone just skipped joining the local domain, and now decides they want to join an AAD. I found instructions for this on 1511, but none that work for 1607.
    The instructions I did find allow that local user to add the AAD account to the computer, but you’re still logging in as that local user, not as the AAD user.

    1. You are still going into Settings > System > About and connecting to work or school. But when you have that first page up, don’t just log in; there are a few choices at the bottom of that window that allow you to join the device to Active Directory and not only do a workplace join. I will update this article with that info, but that will have to wait a bit because I am leaving for Ignite in Atlanta tomorrow.

  2. Hi there, I’m struggling a bit with this. I’ve tried a few different things and mostly have it working the way I expect, but not quite. Hope you can help, please?

    So I have a company laptop, Laptop1.
    I enrol into Azure AD with it.

    all good

    Automatic MDM enrolment happens (I’ve got this setup, it’s SCCM /Intune Hybrid)
    Laptop1 shows up as a mobile device in SCCM, I can then wipe etc it if I like.

    Still all good.

    I also domain join the PC, so it shows up as a computer for various other reports / inventories.
    Also fine, 2 objects show up in SCCM, one unmanaged computer laptop1, one managed mobile device laptop1.

    Happy with all that

    Off domain and on Wi-Fi I can sign in fine via Azure AD.
    Still on Wi-Fi, I can hand the laptop to Eddie to use, he signs in, it authenticates via Azure AD.
    All good, he’s in.

    On the domain, NOT Azure, I can reset Eddie’s password.
    It then syncs to Azure AD.
    Eddie tries to log into laptop but it’s not his new password.
    It’s his old password he first signed in with.
    i.e. It’s not authenticating and updating from Azure AD.
    I’d be expecting it to sync up and want him to use the new password to authenticate?
    I can’t find any info about how it works and would really appreciate the help, thanks.
