Configure device trust and join settings
This unit gives step-by-step examples to configure common join and trust scenarios: Entra join with automatic enrollment, Entra hybrid join via Microsoft Entra Connect, and device registration for BYOD. Follow the prerequisites and verification steps for each scenario.
Prerequisites
- Global administrator or Intune service administrator permissions.
- For hybrid join: Microsoft Entra Connect installed and configured.
- Intune tenant enabled and MDM automatic enrollment configured if you want automatic enrollment.
- Devices with supported OS versions and network access to required endpoints.
Example 1: Entra join and automatic Intune enrollment
You use this flow for corporate-owned Windows devices provisioned for Entra ID sign-in and Intune management.
- In the Intune admin center, go to Devices > Device onboarding > Enrollment > Windows tab > Automatic Enrollment.
- Configure Automatic enrollment: set MDM user scope to the groups you want to enroll automatically.
- During OOBE (Out of Box Experience) on a new device, choose Set up for work or school and sign in with the user's Entra ID credentials.
- After sign-in, the device becomes Entra joined and Intune enrollment runs automatically for targeted users.
Verification
- On the device, run dsregcmd /status and check the AzureAdJoined value.
- In the Intune admin center, confirm the device appears under Devices and shows a managed state.
If you want to use Windows Autopilot for device setup you must register the device in Windows Autopilot before the OOBE.
Tip
Windows Autopilot device preparation is a modernized provisioning option generally available since June 2024. Unlike classic Windows Autopilot, it doesn't require pre-registration of hardware hash IDs and is configured directly through Intune enrollment policies. For new deployments, evaluate Windows Autopilot device preparation as the go-forward provisioning approach. For more information, see Windows Autopilot device preparation overview.
Example 2: Entra hybrid join with Microsoft Entra Connect
Use Hybrid join when devices need on-premises domain join and cloud features.
- Install and configure Microsoft Entra Connect with device writeback and Entra Hybrid join enabled.
- In Microsoft Entra Connect, configure the device options and select the appropriate device OU if you filter by OU.
Note
Microsoft Entra Connect is required for hybrid join device synchronization. Microsoft Entra Cloud Sync, the newer alternative, doesn't currently support device synchronization for hybrid join.
- Ensure devices can reach required endpoints and that service account permissions are correct for device registration.
- Restart devices or force a sync; devices that are domain-joined will register with Entra ID and appear as Entra Hybrid joined.
Verification
- Run dsregcmd /status on a domain-joined device and confirm DomainJoined: YES and AzureAdJoined: YES.
- In Microsoft Entra admin center, confirm the device shows Entra Hybrid joined in the join type.
Example 3: Device registration for BYOD
For personally owned Windows devices or mobile devices where you only need a device signal:
- Instruct users to go to Settings > Accounts > Access work or school and select Connect.
- Choose Work or school account and sign in with your Entra ID credentials to register the device.
- Use enrollment and compliance policies to control conditional access for registered devices.
Verification
- Confirm the device appears under Devices in Microsoft Entra admin center with Registered as the join type.
Tip
Use dynamic device groups and filters to target policies by join type and ownership.
Troubleshooting quick checks
- Confirm network connectivity to Entra endpoints and Intune service URLs.
- Check Microsoft Entra Connect sync health for hybrid join issues.
- Review device event logs and use dsregcmd /status on Windows.
Pick the join method that matches your provisioning and resource requirements. Configure automatic enrollment to reduce manual steps and verify join state with dsregcmd /status and the Microsoft Entra admin center.
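The dsregcmd /status checks from the three verification sections can be combined into one classifier, which is useful when the join type feeds Conditional Access decisions. This is an added example, not code from this unit or from Microsoft. The function name Get-JoinState and the sample output are constructed, and WorkplaceJoined is a dsregcmd field this page doesn't mention.

```powershell
# Added example (not Microsoft's code): classify join state from dsregcmd /status.
function Get-JoinState {
    param(
        # Output lines to parse; by default runs dsregcmd on the local device.
        [string[]]$StatusText = (dsregcmd /status)
    )

    # Collect every "Name : Value" line into a lookup table.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aad       = $fields['AzureAdJoined']   -eq 'YES'
    $domain    = $fields['DomainJoined']    -eq 'YES'
    # WorkplaceJoined (User State section) marks a registered device; it is
    # not named on this page.
    $workplace = $fields['WorkplaceJoined'] -eq 'YES'

    if     ($aad -and $domain) { $joinType = 'Entra hybrid joined' }
    elseif ($aad)              { $joinType = 'Entra joined' }
    elseif ($workplace)        { $joinType = 'Entra registered' }
    elseif ($domain)           { $joinType = 'Domain joined only, hybrid registration not complete' }
    else                       { $joinType = 'Not joined or registered' }

    [pscustomobject]@{
        JoinType        = $joinType
        AzureAdJoined   = $aad
        DomainJoined    = $domain
        WorkplaceJoined = $workplace
        TenantName      = $fields['TenantName']
    }
}

# Constructed sample output for a hybrid-joined device (values are made up).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
                TenantName : Contoso (constructed)
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-JoinState -StatusText $sample
```

Call Get-JoinState with no arguments on a Windows device to parse live output. The "Domain joined only" result points to the Microsoft Entra Connect sync and endpoint checks listed under troubleshooting.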