User-driven Microsoft Entra hybrid join: Create and assign a domain join profile
Autopilot user-driven Microsoft Entra hybrid join steps:
- Step 1: Set up Windows automatic Intune enrollment
- Step 2: Install the Intune Connector
- Step 3: Increase the computer account limit in the Organizational Unit (OU)
- Step 4: Register devices as Autopilot devices
- Step 5: Create a device group
- Step 6: Configure and assign Autopilot Enrollment Status Page (ESP)
- Step 7: Create and assign Microsoft Entra hybrid join Autopilot profile
- Step 8: Configure and assign domain join profile
- Step 9: Assign Autopilot device to a user (optional)
- Step 10: Deploy the device
For an overview of the Windows Autopilot user-driven Microsoft Entra hybrid join workflow, see Windows Autopilot user-driven Microsoft Entra hybrid join overview.
Note
If a domain join profile is already created with the desired settings and assignments, move on to the Next step: Assign Autopilot device to a user (optional) section.
Create and assign a domain join profile
Sign in to the Microsoft Intune admin center.
In the Home screen, select Devices in the left pane.
In the Devices | Overview screen, under Manage devices, select Configuration.
In the Devices | Configuration screen:
At the top, make sure Policies is selected.
Select the Create drop-down menu and then select New Policy.
In the Create a profile window that opens:
Under Platform, select Windows 10 and later.
Under Profile type, select Templates.
When the templates appear, under Template name, select Domain join. If Domain join isn't visible, scroll through the Template name list until Domain join is visible or search for Domain join in the Search by profile name box.
Select Create to close the Create a profile window.
The Domain Join screen opens. In the Basics page:
Next to Name, enter a name for the domain join profile.
Next to Description, enter a description for the domain join profile.
Select Next.
In the Configuration settings page:
Next to Computer name prefix, enter a prefix for computer names. This field is required. This prefix is used on all computer names. The rest of the computer name after the prefix is randomly generated, with the full computer name limited to 15 characters.
Note
This field doesn't support the %SERIAL% or %RAND:x% variables that can be used with the Apply device name template in the Microsoft Entra join scenario.
Next to Domain name, enter the FQDN of the domain that devices should join. This field is required. Make sure to specify the FQDN of the domain and not the NetBIOS name of the domain. For example, enter contoso.com and not just CONTOSO.
Next to Organizational unit, enter the full path to the Organizational Unit (OU) in the domain that the computer accounts should be created in. For example, OU=OU-Name,DC=contoso,DC=com. This field is optional. If the OU isn't specified, the computer accounts are created in the Computers container.
Note
The OU specified in this step should be the same OU for which permissions were set and the computer account limit was increased in the step Increase the computer account limit in the Organizational Unit (OU). Make sure that the step Increase the computer account limit in the Organizational Unit (OU) is followed for the OU specified in this field. Skipping the step that sets permissions correctly on the OU results in computers failing to join the domain.
Important
If computers are joining the Computers container, leave this field blank. Don't specify the Computers container in this field via CN=Computers,DC=contoso,DC=com. The Computers container is a container and not an OU. When no OU is specified in this field and the field is left blank, devices automatically join the Computers container. If the Computers container is specified, it causes domain joins to fail.
Once the settings in the Configuration settings page are complete, select Next.
In the Assignments page:
Under Included groups, select Add all devices.
Note
Microsoft recommends selecting and assigning to Add all devices instead of selecting and assigning to the device group created in the Create device group step. Assigning to all devices ensures that the domain join profile works when using:
- Windows Autopilot deployment for existing devices scenario.
- A Windows Autopilot deployment that utilizes Microsoft Entra hybrid join and runs after the Windows Autopilot deployment for existing devices deployment.
Make sure to add the correct device groups under Included groups and not under Excluded groups. Accidentally adding the desired device groups under Excluded groups results in those devices being excluded and they don't receive the configuration profile.
Under Included groups > Groups, ensure that All devices is selected, and then select Next.
In the Applicability Rules page, select Next. For this tutorial, applicability rules are being skipped. However, if applicability rules are needed, configure them at this screen. For more information about applicability rules, see Applicability rules.
In the Review + Create page, review and verify that all of the settings are set as desired, and then select Create to create the domain join profile.
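The rules for the Configuration settings page can be checked offline before the values are entered in the profile. The following PowerShell is an added example, not part of the original article or of any Microsoft tooling: Test-DomainJoinProfileSetting is a hypothetical helper, the sample values are constructed, and the check that the DC= components match the domain FQDN is an assumption based on the OU having to be in the domain being joined.

```powershell
# Hypothetical helper (not an Intune or Active Directory cmdlet): offline check of the
# Configuration settings values before they are typed into the domain join profile.
function Test-DomainJoinProfileSetting {
    param(
        [Parameter(Mandatory)][string]$ComputerNamePrefix,   # required field
        [Parameter(Mandatory)][string]$DomainName,           # required field
        [string]$OrganizationalUnit = ''                     # optional field
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Prefix: no %SERIAL% / %RAND:x% variables, and short enough that random
    # characters still fit inside the 15-character computer name.
    if ($ComputerNamePrefix -match '%(SERIAL|RAND:\d+)%') {
        $problems.Add('Prefix uses %SERIAL% or %RAND:x%, which this field does not support.')
    }
    if ($ComputerNamePrefix.Length -ge 15) {
        $problems.Add('Prefix leaves no room for the random part of a 15-character name.')
    }

    # Domain name: must be the FQDN (contoso.com), not the NetBIOS name (CONTOSO).
    if ($DomainName -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        $problems.Add("'$DomainName' is not an FQDN; enter the DNS name, not the NetBIOS name.")
    }

    # OU: a blank value is valid and means the Computers container is used.
    if ($OrganizationalUnit.Trim()) {
        # Split the distinguished name on commas that are not escaped with a backslash.
        $parts = @($OrganizationalUnit -split '(?<!\\),' | ForEach-Object { $_.Trim() })
        if ($parts[0] -notmatch '^OU=') {
            $problems.Add('Path must start with OU=. For the Computers container, leave the field blank.')
        }
        # Assumption: the DC= components should spell out the same domain as the FQDN.
        $dcDomain = ($parts | Where-Object { $_ -match '^DC=' } |
            ForEach-Object { $_.Substring(3) }) -join '.'
        if ($dcDomain -ne $DomainName) {
            $problems.Add("DC components '$dcDomain' do not match domain '$DomainName'.")
        }
    }
    return ,$problems.ToArray()
}

# Constructed sample values: the first follows the article's examples, the second breaks each rule.
$samples = @(
    @{ ComputerNamePrefix = 'HYB-'; DomainName = 'contoso.com'; OrganizationalUnit = 'OU=OU-Name,DC=contoso,DC=com' }
    @{ ComputerNamePrefix = 'HYB-%SERIAL%'; DomainName = 'CONTOSO'; OrganizationalUnit = 'CN=Computers,DC=contoso,DC=com' }
)
foreach ($s in $samples) {
    $result = Test-DomainJoinProfileSetting @s
    if ($result.Count -eq 0) { 'OK' } else { $result }
}
```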
Next step: Assign Autopilot device to a user (optional)
If a user isn't being assigned to the device, then skip to Step 10: Deploy the device.
Related content
For more information on domain join profiles, see the following article: