User-driven Microsoft Entra hybrid join: Deploy the device

Autopilot user-driven Microsoft Entra hybrid join steps:

  • Step 10: Deploy the device

For an overview of the Windows Autopilot user-driven Microsoft Entra hybrid join workflow, see Windows Autopilot user-driven Microsoft Entra hybrid join overview.

Deploy the device

Once all of the configurations for the Windows Autopilot user-driven Microsoft Entra hybrid join deployment have been completed on the Intune and Microsoft Entra ID side, the next step is to start the Autopilot deployment process on the device. If desired, deploy any additional applications and policies that should run during the Autopilot deployment to a device group that the device is a member of.

Important

The Microsoft Entra hybrid join process requires connectivity to both the Internet and a domain controller. If the connected network doesn't have connectivity to a domain controller, a solution such as a VPN that has connectivity to a domain controller is required.

To start the Autopilot deployment process on the device, select a device that is part of the device group created in the previous Create a device group step and then follow these steps:

  1. If a wired network connection is available, connect the device to the wired network connection.

  2. Power on the device.

  3. Once the device boots up, one of two things occurs depending on the state of network connectivity:

    • If the device is connected to a wired network and has network connectivity, the device may reboot to apply critical security updates (if available or applicable). After the reboot to apply critical security updates, the Autopilot process begins.

    • If the device isn't connected to a wired network or if it doesn't have network connectivity, it prompts to connect to a network. Connectivity to the Internet is required:

      1. OOBE (out of box experience) begins and a screen asking for a country or region appears. Select the appropriate country or region, and then select Yes.

      2. The keyboard screen appears to select a keyboard layout. Select the appropriate keyboard layout, and then select Yes.

      3. An additional keyboard layouts screen appears. If needed, select additional keyboard layouts via Add layout, or select Skip if no additional keyboard layouts are needed.

        Note

        When there's no network connectivity, the device can't download the Autopilot profile to know what country/region and keyboard settings to use. For this reason, when there's no network connectivity, the country/region and keyboard screens appear even if these screens have been set to hidden in the Autopilot profile. These settings need to be specified in these screens in order for the network connectivity screens that follow to work properly.

      4. The Let's connect you to a network screen appears. At this screen, either plug the device into a wired network (if available), or select and connect to a wireless Wi-Fi network.

      5. Once network connectivity is established, the Next button should become available. Select Next.

      6. At this point, the device may reboot to apply critical security updates (if available or applicable). After the reboot to apply critical security updates, the Autopilot process begins.

  4. Once the Autopilot process begins, the Microsoft Entra sign-in page appears. At the Microsoft Entra sign-in page, if a user was assigned to the device, their username may be pre-populated in this screen. Enter the Microsoft Entra credentials for the user.

    If on-premises domain end-user credentials are different from Microsoft Entra end-user credentials, make sure that Microsoft Entra end-user credentials are used to sign in at this step. Don't use on-premises credentials to sign in at this step.

  5. Once the credentials are entered, select Next (Windows 10) or Sign in (Windows 11) to sign in. If necessary, proceed through the multi-factor authentication (MFA) screens.

  6. After authenticating with Microsoft Entra ID, the Enrollment Status Page (ESP) appears. The ESP displays progress during the provisioning process across three phases:

    • Device preparation (Device ESP)
    • Device setup (Device ESP)
    • Account setup (User ESP)

    The first two phases of Device preparation and Device setup are part of the Device ESP while the final phase of Account setup is part of the User ESP.

  7. Once the Device setup phase of the Device ESP is complete, the user ESP begins and the Account setup phase starts. The ESP is temporarily dismissed and the Windows sign-on screen appears:

    1. Select CTRL + ALT + DEL on the keyboard to initiate Windows sign-on.

    2. Enter the on-premises domain credentials for the end-user.

      If on-premises domain end-user credentials are different from Microsoft Entra end-user credentials, make sure that the on-premises domain end-user credentials are used to sign into the device at this step. Don't use the Microsoft Entra end-user credentials to attempt to sign into the device at this step.

    3. Select ENTER on the keyboard to sign the end-user into the device.

  8. The Enrollment Status Page (ESP) appears again and the Account setup phase of the user ESP continues.

    1. After a short period of time, the Microsoft Entra sign-in page may appear. Sign in with the end-user's Microsoft Entra credentials.

      If on-premises domain end-user credentials are different from Microsoft Entra end-user credentials, make sure that Microsoft Entra end-user credentials are used to sign in at this step. Don't use on-premises credentials to sign in at this step.

    2. Once the credentials are entered, select the Next button.

    3. The Stay signed in to all your apps screen appears. Make sure that the option Allow my organization to manage my device is selected, and then select OK.

    4. The You're all set! screen appears. Select Done.

      Note

      Under certain circumstances, the Microsoft Entra sign-in and subsequent pages may not appear and the end-user may be automatically signed into Microsoft Entra ID, for example, when using Active Directory Federation Services (ADFS) and single sign-on (SSO). If the end-user is automatically signed into Microsoft Entra ID, then the Autopilot deployment proceeds to the next step automatically.

  9. Once Account setup and the user ESP process completes, the provisioning process completes and the ESP finishes. Select the Sign out button to dismiss the ESP and go to the Windows sign-on screen. At this point, the end-user can sign into the device using their on-premises domain end-user credentials and start using the device.
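
After the end-user signs in, the join state can be confirmed from the device itself. The following PowerShell script is an added example, not part of the original Microsoft procedure: it parses the output of `dsregcmd /status` for the `AzureAdJoined`, `DomainJoined` and `AzureAdPrt` fields and, if any of them isn't `YES`, tests whether a domain controller is reachable, since the hybrid join depends on that connectivity. The domain name `corp.example.com` and the function names are hypothetical placeholders.

```powershell
# Added example (not from the original page). Run as the signed-in end-user.
param([string]$DomainFqdn = 'corp.example.com')   # hypothetical AD DNS domain name

function Get-DsregState {
    param([string[]]$StatusText = (& dsregcmd.exe /status))
    # dsregcmd prints "Name : Value" pairs; collect them into a hashtable.
    $state = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*\S)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

function Test-HybridJoin {
    param([hashtable]$State)
    # All three must be YES for a healthy Microsoft Entra hybrid joined device.
    $checks = [ordered]@{
        AzureAdJoined = 'device is joined to Microsoft Entra ID'
        DomainJoined  = 'device is joined to the on-premises domain'
        AzureAdPrt    = 'signed-in user holds a Primary Refresh Token'
    }
    $ok = $true
    foreach ($name in $checks.Keys) {
        if ($State[$name] -ne 'YES') { $ok = $false }
        Write-Host ('{0,-14} {1,-4} {2}' -f $name, $State[$name], $checks[$name])
    }
    $ok
}

function Test-DcReachable {
    param([string]$Domain)
    # Domain controllers are published as SRV records under _msdcs.
    $srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction SilentlyContinue |
        Where-Object NameTarget
    foreach ($dc in $srv) {
        $r = Test-NetConnection -ComputerName $dc.NameTarget -Port $dc.Port -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) { return $true }
    }
    $false
}

if (-not (Test-HybridJoin -State (Get-DsregState))) {
    Write-Warning 'Device is not fully Microsoft Entra hybrid joined.'
    if (-not (Test-DcReachable -Domain $DomainFqdn)) {
        Write-Warning "No domain controller for $DomainFqdn is reachable; check the network or VPN."
    }
}
```

`AzureAdPrt` is reported per user session, so running the script elevated or under a different account can show `NO` even on a correctly joined device.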

Deployment tips

  • Before starting the Autopilot deployment, you may want to have:

    • At least one type of policy and at least one application assigned to the device(s).
    • At least one type of policy and at least one application assigned to the user(s).

    These assignments ensure proper testing of the Autopilot deployment during both the device ESP phase and user ESP phase of the ESP. It may also prevent possible issues when there are either no policies or no applications assigned to the device(s) or the user(s).

  • Depending on how the Autopilot profile was configured at the Create and assign Autopilot profile step, additional screens may appear during the Autopilot deployment such as:

    • Language/Country/Region or Keyboard screens before the Microsoft Entra sign-in page.
    • Privacy screen when the user ESP/Account setup begins but before the Windows sign-on screen appears.
  • If the device is left alone with no interaction during the Account setup phase of the ESP, the device may enter the Windows lock screen. If the device does enter the Windows lock screen during Account setup of the ESP, unlock the device by selecting CTRL + ALT + DEL on the keyboard, entering the on-premises domain credentials for the end-user, and then selecting ENTER on the keyboard. Unlocking the device should go back to the Enrollment Status Page (ESP) and display the current progress of Account setup.
  • To view and hide detailed progress information in the ESP during the provisioning process:

    • Windows 10: To show details, next to the appropriate phase select Show details. To hide the details, next to the appropriate phase select Hide details.
    • Windows 11: To show details, next to the appropriate phase select . To hide the details, next to the appropriate phase select .
