Manually hybrid join a device
Specific scenario explained.
On this blog
On this page we talk about manually hybrid joining a device to Microsoft Entra ID. In this scenario we already use Windows Autopilot to enroll new devices for office personas. That works fine, so we skip the details of the Windows Autopilot deployment profiles. Instead we talk about devices that we want to manage via Microsoft Intune for device compliance and update management: for example, devices that are connected to machines in the factory and pre-installed with special software by the supplier. The supplier has told us that we are able to join these devices to an Active Directory domain.
Prerequisites
Windows Autopilot is used to hybrid join devices to Microsoft Entra ID. Windows Autopilot is working fine, which is confirmed by successful device enrollment.
Download and extract PsTools to use psexec.exe later on.
Hybrid join explained
This blog is not about “hybrid joins are the best” (not at all). The goal is to share knowledge about the procedure to manually hybrid join a device and trigger the Intune Management Extension installation.
The concept of a hybrid join is explained in the Microsoft Learn article on the hybrid join concept.
Procedure
- Add the device to Active Directory.
Make sure the device name is correct. Reboot if needed.
Use the PowerShell command below to perform the domain join and to store the computer object in the same Organizational Unit (OU) that you use in the Windows Autopilot deployment profile.
Use a domain admin account to join the device into the Active Directory domain.
PS C:\> Add-Computer -DomainName "yourDomain.com" -OUPath "OU=autopilot,DC=yourDomain,DC=com" -Credential (Get-Credential)
- Confirm the device is synced to Microsoft Entra ID.
Wait until the computer object is synced to Microsoft Entra ID.
Confirm the device is in Microsoft Entra ID before you continue to the next step.
- Confirm that the device is Hybrid Joined
Go to Microsoft Entra ID and check the Registered column of the device. It’s “pending” at first.
Wait 15 minutes; if the column still shows “pending” after that, reboot the device.
Confirm that the Registered column shows a date and time before you continue to the next step. Also confirm that the Join type column shows “Microsoft Entra hybrid joined”.
- Add the device to Microsoft Intune.
Most likely the Microsoft Intune registration doesn’t happen by itself. Follow the steps below when you don’t see the device in Microsoft Intune.
We’re going to use PsExec.exe on the device to trigger the Intune enrollment. Open PowerShell as admin and browse to the psexec.exe location. Enter the command below to start a PowerShell session in the SYSTEM context.
PS C:\PsTools\> .\PsExec.exe -i -s powershell
A new window will open in the SYSTEM context.
Use the command below to trigger the Intune enrollment.
PS C:\Windows\System32> DeviceEnroller /c /AutoEnrollMDM
Close both windows.
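As an added example (not part of the original post), the script below checks the preconditions of the procedure above from the SYSTEM PowerShell window before it runs DeviceEnroller: it is running as SYSTEM, dsregcmd reports the device as domain joined and Microsoft Entra joined, and no MDM enrollment exists yet. It assumes that an existing Intune enrollment shows up under HKLM:\SOFTWARE\Microsoft\Enrollments with a ProviderID of "MS DM Server".

```powershell
# Added example, not code from the original post. Run from the SYSTEM
# PowerShell session opened with PsExec (step 4 of the procedure).
# Assumption: an Intune MDM enrollment is a subkey of
# HKLM:\SOFTWARE\Microsoft\Enrollments whose ProviderID is "MS DM Server".

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-IntuneEnrollment {
    # Look for an enrollment key whose ProviderID marks it as an MDM enrollment
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props.ProviderID -eq 'MS DM Server') { return $true }
    }
    return $false
}

# DeviceEnroller must run in the SYSTEM context, as in the PsExec step
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($identity -ne 'NT AUTHORITY\SYSTEM') {
    throw "Run this from the SYSTEM PowerShell session started with PsExec (current: $identity)"
}

# Steps 1 to 3: the device must be domain joined and Entra (hybrid) joined
$ds = Get-DsregStatus
if ($ds['DomainJoined'] -ne 'YES') {
    throw 'Device is not joined to Active Directory; complete the Add-Computer step first.'
}
if ($ds['AzureAdJoined'] -ne 'YES') {
    throw 'Device is not yet Microsoft Entra hybrid joined (Registered still pending); wait or reboot.'
}

# Step 4: only trigger enrollment when the device is not already enrolled
if (Test-IntuneEnrollment) {
    Write-Output 'An MDM enrollment already exists; nothing to trigger.'
} else {
    Write-Output 'Hybrid join confirmed and no MDM enrollment found; triggering auto-enrollment.'
    & "$env:SystemRoot\System32\DeviceEnroller.exe" /c /AutoEnrollMDM
    Write-Output "DeviceEnroller exit code: $LASTEXITCODE"
}
```

After running it, re-check the Enrollments key and the Intune portal; a new subkey with ProviderID "MS DM Server" indicates the enrollment went through.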