Hybrid join devices - no line of sight

Michael Lawson 0 Reputation points

Hi all,

We have a hybrid Active Directory setup between our servers held in a DC and our Azure AD.

I am currently working on the configuration of our Autopilot and Intune deployment. At the moment we deploy new laptops manually, so I am looking at our configuration to make it more of a white glove experience.

The devices will have line of sight access to a DC via a point-to-site VPN connection, but at the time of onboarding, they will not have line of sight access to the DC.

Am I better off just joining these devices to Azure AD rather than Hybrid joining them? I understand that as we have AAD Connect set up, devices that are Azure AD joined should be able to access all resources in our "on-prem" domain, is this correct?

Or should I still try and hybrid join the devices? Will the devices pick up on-prem GPO or will I need to move GPOs into Intune?



1 answer

  1. Lu Dai-MSFT 28,366 Reputation points

    @Michael Lawson Thanks for posting in our Q&A.

    From Intune's point of view, you can still use hybrid Azure AD joined devices. For group policies, don't try to translate all of your existing GPOs to Intune policies. For a cloud-managed device, there are some group policies that don't apply to the scenario.

    Use Microsoft policy analytics to help you understand if there are critical settings in your GPOs that you need to migrate to Intune.


    Hope it will give you some ideas.

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.