Overview
This article outlines the steps to configure Microsoft Entra hybrid join for devices provisioned with Windows Autopilot. This method suits units that want to use cloud provisioning while keeping their devices domain joined and managed through on-premises Active Directory. It also supports the scenario where a vendor registers Windows Autopilot devices on behalf of the unit using a group tag, so that devices are grouped and receive their profiles automatically during provisioning. Note that a hybrid joined device must be able to reach an on-premises domain controller during the out-of-box experience, so devices should be provisioned on the corporate network (or over a VPN that is available during setup).
Step 1: Capture Hardware Hashes (if not vendor registered)
If a device wasn't already registered by a preferred vendor, obtain its hardware hash by running the following commands in an elevated PowerShell session on the device:
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo.ps1 -OutputFile c:\AutopilotHWID.csv
Upload the CSV file to Intune under Devices > Windows > Windows Enrollment > Devices > Import
Optionally, you can provide the -Online parameter instead of -OutputFile to upload the hardware hash directly to Intune; you will be prompted to sign in with an account that is permitted to manage Autopilot devices.
Step 2: Assign a Group Tag
Assign a Group Tag to the imported devices to associate them with a specific Autopilot profile. The tag is what the dynamic device group in Microsoft Entra ID filters on. It does not have to exist beforehand, but it should be unique to your unit and used only for the devices that belong to this use case, since every device carrying the tag will receive the same profiles.
Step 3: Create a Dynamic Device Group
Create a security group for devices in Microsoft Entra ID and leave the Membership type set to "Assigned".
Submit a request with the name of the group and the Group Tag you want to use. We will then change the Membership type to "Dynamic device" with a membership rule that filters on the Group Tag.
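For reference, the following added example (not part of the original article) shows the dynamic membership rule that selects Autopilot devices by Group Tag, the conversion that the Endpoint Management Team performs on the assigned group, and a check you can run afterwards to confirm the group is filtering on your tag. Autopilot records the Group Tag on the Entra device object as a devicePhysicalIds entry of the form "[OrderID]:<tag>", which is what the rule matches. The group name "UNIT-Autopilot-Hybrid" and the tag "UNIT-HybridJoin" are assumed values; it uses the Microsoft Graph PowerShell SDK.

```powershell
# Added example, not from the original article. Assumed values below; replace with your unit's.
$GroupName = 'UNIT-Autopilot-Hybrid'
$GroupTag  = 'UNIT-HybridJoin'

# The rule Entra evaluates for each device; the "[OrderID]:" prefix and the quotes are required.
$Rule = "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$GroupTag`"))"

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found; create it as an Assigned group first." }

# Conversion step (performed by the Endpoint Management Team in this process):
# switch the assigned group to dynamic device membership filtered on the Group Tag.
Update-MgGroup -GroupId $group.Id -GroupTypes 'DynamicMembership' `
    -MembershipRule $Rule -MembershipRuleProcessingState 'On'

# Verification anyone with read access can run: the stored rule must match the tag exactly.
$check = Get-MgGroup -GroupId $group.Id -Property 'Id,DisplayName,MembershipRule,MembershipRuleProcessingState'
if ($check.MembershipRule -ne $Rule -or $check.MembershipRuleProcessingState -ne 'On') {
    throw "Group '$GroupName' is not filtering on Group Tag '$GroupTag'. Current rule: $($check.MembershipRule)"
}
"Group '{0}' ({1}) is dynamic and filters on Group Tag '{2}'" -f $check.DisplayName, $check.Id, $GroupTag
```

Membership evaluation is asynchronous, so a freshly tagged device can take some minutes to appear in the group; check the Entra device object's devicePhysicalIds value if a device is tagged but never shows up.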
Step 4: Create and Assign a Deployment Profile
Create a Windows Autopilot deployment profile:
- Navigate to Intune > Devices > Enrollment > Deployment Profiles
- Set Deployment Mode to 'User-Driven'
- Configure settings “Join to Microsoft Entra ID as" to "Microsoft Entra hybrid joined"
- Assign the profile to the group created earlier
Step 5: Create and Assign a Configuration Profile
Create a configuration profile to apply device settings:
- Navigate to Intune > Devices > Configuration > Create Profile
- Choose platform: Windows 10 and later
- Choose profile type: Templates > Domain Join
- Configure the domain join settings: the computer name prefix, the domain name, and the Distinguished Name (DN) of the OU in which the computer objects should be created
- Assign to the dynamic device group
This article shows how to obtain the DN of an OU: https://support.xink.io/support/solutions/articles/1000246165-how-to-find-ou-distinguished-name-in-active-directory
Step 6: Provide the Hybrid Join Distinguished Name (DN)
Once your OU is configured for automatic enrollment via GPO, submit a ticket to the Endpoint Management Team with the DN of your OU. If sub-OUs will also contain computer objects that need to be provisioned, list each of them explicitly; the permissions granted on the parent OU won't propagate to them.
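The following added example (not part of the original article) covers Steps 5 and 6 together: it resolves the DN of the target OU for the configuration profile and the ticket, then lists which principals hold Create/Delete Computer object rights on that OU and on every sub-OU beneath it. This lets you confirm, before and after the Endpoint Management Team delegates access, that only the intended account can create computer objects there and that each sub-OU that will hold devices is actually covered. It assumes the ActiveDirectory RSAT module and an OU named "Autopilot"; that name is a placeholder.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$OuName = 'Autopilot'   # assumed placeholder; use your unit's OU name

# Resolve the OU to its Distinguished Name and refuse to guess if the name is ambiguous.
$ou = @(Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'")
if ($ou.Count -eq 0) { throw "No OU named '$OuName' found." }
if ($ou.Count -gt 1) { throw "OU name '$OuName' is ambiguous; pick the DN explicitly:`n$($ou.DistinguishedName -join "`n")" }
$dn = $ou[0].DistinguishedName
"OU DN for the configuration profile and the ticket: $dn"

# Schema GUID of the 'computer' object class; ACEs scoped to computer objects carry it.
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$AllObjectTypes    = [guid]::Empty

function Get-ComputerObjectDelegation {
    param([string]$DistinguishedName)
    # Allow ACEs that grant CreateChild and/or DeleteChild for computer objects (or for all object types).
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild') -and
            ($_.ObjectType -eq $ComputerClassGuid -or $_.ObjectType -eq $AllObjectTypes)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

# Check the OU itself plus every nested sub-OU. Rights delegated "This object only" on the
# parent won't appear on the children, which is why each sub-OU that will hold computer
# objects has to be named in the ticket. Anything unexpected in IdentityReference is a
# least-privilege finding worth raising.
$subOus = Get-ADOrganizationalUnit -SearchBase $dn -SearchScope Subtree -Filter * |
    Where-Object { $_.DistinguishedName -ne $dn } |
    Select-Object -ExpandProperty DistinguishedName

foreach ($target in @($dn) + @($subOus)) {
    "`n== $target"
    $delegation = Get-ComputerObjectDelegation -DistinguishedName $target
    if (-not $delegation) { "  (no explicit Create/Delete Computer object rights)" }
    else { $delegation | Format-Table -AutoSize | Out-String }
}
```

Default entries for Domain Admins, SYSTEM and similar built-in principals are expected in the output; the entry to look for is the one for the account that performs the hybrid join, and it should be the only non-administrative principal with these rights on the OU.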