Configuration Domain Join settings for Microsoft Entra hybrid joined devices in Microsoft Intune
Many environments use on-premises Active Directory (AD). When AD domain-joined devices are also joined to Microsoft Entra ID, they're called Microsoft Entra hybrid joined devices. Using Windows Autopilot, you can enroll Microsoft Entra hybrid joined devices in Intune. To enroll, you also need a Domain Join configuration profile.
A Domain Join configuration profile includes on-premises Active Directory domain information. When devices are provisioning (and typically offline), this profile deploys the AD domain details so devices know which on-premises domain to join. If you don't create a domain join profile, these devices might fail to deploy.
This feature applies to:
- Windows 11
- Windows 10
- Microsoft Entra hybrid joined devices
- Hybrid deployment with Autopilot + Intune
This article shows you how to create a domain join profile for a hybrid Autopilot deployment. You can also see the available settings.
Create the profile
Sign in to the Microsoft Intune admin center.
Select Devices > Configuration > Create.
Enter the following properties:
- Platform: Select Windows 10 and later.
- Profile type: Select Templates > Domain Join.
Select Create.
In Basics, enter the following properties:
- Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is Windows 10/11: Windows Autopilot domain join.
- Description: Enter a description for the policy. This setting is optional, but recommended. For example, enter Windows 10/11: Domain join profile that includes on-premises domain information to enroll hybrid AD joined devices with Windows Autopilot.
Select Next.
In Configuration settings, enter the following properties:
Computer name prefix: Enter a prefix for the device name. Computer names are 15 characters long. After the prefix, the remaining 15 characters are randomly generated.
Domain name: Enter the Fully Qualified Domain Name (FQDN) the devices are to join. For example, enter
americas.corp.contoso.com.Organizational unit (optional): Enter the full path (distinguished name) to the organizational unit (OU) the computer accounts are to be created. For example, enter
OU=Mine,DC=Contoso,DC=com. Don't enter quotation marks. To use the well-known computer object container (CN=Computers, DC=Contoso, DC=Com), leave this property blank.For more information and advice on this setting, go to Deploy Microsoft Entra hybrid joined devices.
Select Next.
In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as
US-NC IT TeamorJohnGlenn_ITDepartment. For more information about scope tags, go to Use RBAC and scope tags for distributed IT.Select Next.
In Assignments, select the device groups that will receive your profile. For more information about assigning profiles, go to Assign user and device profiles.
If you need to join devices to different domains or OUs, create different device groups.
Select Next.
In Applicability rules, use the Rule, Property, and Value options to define how this profile applies within assigned groups. For more information on applicability rules, go to Applicability rules.
Select Next.
In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
It's now ready for you to deploy Microsoft Entra hybrid joined devices by using Intune and Windows Autopilot.
Next steps
After the profile is assigned, monitor its status.
Deploy Microsoft Entra hybrid joined devices by using Intune and Windows Autopilot.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for