User-driven Microsoft Entra hybrid join: Create and assign a domain join profile

Autopilot user-driven Microsoft Entra hybrid join steps:

  • Step 8: Configure and assign domain join profile

For an overview of the Windows Autopilot user-driven Microsoft Entra hybrid join workflow, see Windows Autopilot user-driven Microsoft Entra hybrid join overview.

Note

If you have already created a domain join profile as part of the Windows Autopilot for pre-provisioned deployment Microsoft Entra hybrid join scenario and want to keep the same settings and assignments, you can move on to the Next step: Assign Autopilot device to a user (optional) section.

Create and assign a domain join profile

  1. Sign in to the Microsoft Intune admin center.

  2. In the Home screen, select Devices in the left pane.

  3. In the Devices | Overview screen, under Policy, select Configuration Profiles.

  4. In the Devices | Configuration profiles screen, make sure Profiles is selected at the top, and then select Create profile.

  5. In the Create profile window that opens:

    1. Under Platform, select Windows 10 and later.

    2. Under Profile type, select Templates.

    3. When the templates appear, under Template name, select Domain join. If Domain join isn't visible, scroll through the Template name list until Domain join is visible. The list is in alphabetical order.

    4. Select Create to close the Create profile window.

  6. The Create profile screen opens. In the Basics page:

    1. Next to Name, enter a name for the domain join profile.

    2. Next to Description, enter a description for the domain join profile.

    3. Select Next.

  7. In the Configuration settings page:

    1. Next to computer name prefix, enter a prefix for computer names. This field is required. This prefix is used on all computer names. The rest of the computer name after the prefix is randomly generated up to 15 characters.

      Note

      This field doesn't support the %SERIAL% or %RAND:x% variables that can be used with the Apply device name template in the Microsoft Entra join scenario.

    2. Next to Domain name, enter the FQDN of the domain that devices should join. This field is required. Make sure to specify the FQDN of the domain and not the NetBIOS name of the domain. For example, enter contoso.com and not just CONTOSO.

    3. Next to Organizational unit, enter the full path to the Organizational Unit (OU) in the domain that the computer accounts should be created in. For example, OU=OU-Name,DC=contoso,DC=com. This field is optional. If the OU isn't specified, the computer accounts are created in the Computers container.

      Note

      The OU specified in this step should be the same OU that permissions were set for and computer account limits increased in the step Increase the computer account limit in the Organizational Unit (OU). Make sure that the step Increase the computer account limit in the Organizational Unit (OU) has been followed for the OU specified in this field. Skipping the step that sets permissions correctly on the OU results in computers failing to join the domain.

      Important

      If computers are joining the Computers container, leave this field blank. Don't specify the Computers container in this field via CN=Computers,DC=contoso,DC=com. The Computers container is a container and not an OU. When no OU is specified in this field and the field is left blank, devices automatically join the Computers container. If the Computers container is specified, it causes domain joins to fail.

    4. Once the settings in the Configuration settings page are complete, select Next.

  8. In the Assignments page:

    1. Under Included groups, choose Add all devices.

      Note

      It's recommended to select and assign to Add all devices instead of selecting and assigning to the device group created in the Create device group step. Assigning to all devices ensures that the domain join profile works when using the Windows Autopilot deployment for existing devices scenario with an Autopilot deployment that utilizes Microsoft Entra hybrid join.

      Note

      Make sure to add the correct device groups under Included groups and not under Excluded groups. Accidentally adding the desired device groups under Excluded groups results in those devices being excluded and they don't receive the configuration profile.

    2. Under Included groups > Groups, ensure that All devices is selected, and then select Next.

  9. In the Applicability Rules page, select Next. For this tutorial, applicability rules are being skipped. However, if applicability rules are needed, configure them at this screen. For more information about applicability rules, see Applicability rules.

  10. In the Review + Create page, review and verify that all of the settings are set as desired, and then choose Create to create the domain join profile.
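The constraints on the three Configuration settings fields in step 7 can be checked before the values are entered in the admin center. The following is an added example, not part of the original article or of any Microsoft tooling; the function names are hypothetical, and it assumes that the 15 characters mentioned in step 7 is the total computer name length and that the OU's DC components should match the domain name.

```python
import re

# Entra join name-template variables; the page says this field rejects them.
UNSUPPORTED_VARS = re.compile(r"%SERIAL%|%RAND:\d+%", re.IGNORECASE)
MAX_NAME_LEN = 15  # assumption: the page's 15 characters is the whole name


def split_dn(dn):
    """Split a distinguished name on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def check_domain_join_settings(prefix, domain, ou=""):
    """Return a list of problems; an empty list means the values look usable."""
    problems = []
    if not prefix:
        problems.append("prefix: required")
    elif UNSUPPORTED_VARS.search(prefix):
        problems.append("prefix: %SERIAL% and %RAND:x% are not supported here")
    elif len(prefix) >= MAX_NAME_LEN:
        problems.append("prefix: leaves no room for the random suffix")

    if not domain:
        problems.append("domain: required")
    elif "." not in domain.strip("."):
        problems.append("domain: looks like a NetBIOS name, enter the FQDN")

    if ou:  # optional; blank means the Computers container
        parts = split_dn(ou)
        types = [p.split("=", 1)[0].strip().upper() for p in parts]
        if not parts or any("=" not in p for p in parts):
            problems.append("ou: not a distinguished name")
        elif types[0] == "CN":
            problems.append("ou: names a container, leave blank for Computers")
        elif types[0] != "OU":
            problems.append("ou: must start with OU=")
        else:
            # Assumption: the OU lives in the domain being joined.
            dcs = [p.split("=", 1)[1].strip() for p, t in zip(parts, types) if t == "DC"]
            if domain and ".".join(dcs).lower() != domain.strip(".").lower():
                problems.append("ou: DC components do not match the domain name")
    return problems


if __name__ == "__main__":
    # Constructed sample values: NetBIOS name plus the Computers container.
    print(check_domain_join_settings("CORP-", "CONTOSO", "CN=Computers,DC=contoso,DC=com"))
```
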

Next step: Assign Autopilot device to a user (optional)

If you don't plan to assign a user to the device, then skip to Step 10: Deploy the device.

More information

For more information on domain join profiles, see the following article(s):