User-driven Microsoft Entra hybrid join: Create and assign user-driven Microsoft Entra hybrid join Autopilot profile

Autopilot user-driven Microsoft Entra hybrid join steps:

  • Step 7: Create and assign Microsoft Entra hybrid join Autopilot profile

For an overview of the Windows Autopilot user-driven Microsoft Entra hybrid join workflow, see Windows Autopilot user-driven Microsoft Entra hybrid join overview.

Create and assign user-driven Microsoft Entra hybrid join Autopilot profile

The Autopilot profile specifies how the device is configured during Windows Setup and what is shown during the out-of-box experience (OOBE).

When an admin creates an Autopilot profile for the user-driven scenario, devices with this Autopilot profile are associated with the user enrolling the device. User credentials are required to enroll the device.

The difference between a Microsoft Entra join and a Microsoft Entra hybrid join is that the Microsoft Entra hybrid join scenario joins both an on-premises domain and Microsoft Entra ID during Autopilot. The user-driven Microsoft Entra join scenario only joins Microsoft Entra ID during Autopilot.

Tip

For Configuration Manager admins, the Autopilot profile is similar to some of the configuration that takes place during a task sequence via an unattend.xml file. The unattend.xml file is configured during the Apply Windows Settings and Apply Network Settings steps. Note however that Autopilot doesn't use unattend.xml files.

To create a user-driven Microsoft Entra hybrid join Autopilot profile, follow these steps:

  1. Sign into the Microsoft Intune admin center.

  2. In the Home screen, select Devices in the left hand pane.

  3. In the Devices | Overview screen, under By platform, select Windows.

  4. In the Windows | Windows devices screen, under Device onboarding, select Enrollment.

  5. In the Windows | Windows enrollment screen, under Windows Autopilot, select Deployment Profiles.

  6. In the Windows Autopilot deployment profiles screen, select the Create Profile drop down menu and then select Windows PC.

  7. The Create profile screen opens. In the Basics page:

    1. Next to Name, enter a name for the Autopilot profile.

    2. Next to Description, enter a description.

    3. Select Next.

      Note

      Microsoft recommends setting the option Convert all targeted devices to Autopilot to Yes. This tutorial concentrates on new devices where the device is manually imported as an Autopilot device using the hardware hash. However, this option can be helpful when assigning Autopilot profiles to device groups that contain existing devices. For example, this option is helpful when using the Windows Autopilot for existing devices scenario. With Windows Autopilot for existing devices, existing devices might need to be registered as an Autopilot device after the Autopilot deployment completes. For more information, see Register device for Windows Autopilot.

  1. In the Out-of-box experience (OOBE) page:

    • For Deployment mode, select User-driven.

    • For Join to Microsoft Entra ID as, select Microsoft Entra hybrid joined. After this option is selected, several the options underneath this option will change.

    • For Skip AD connectivity check, select No. This section of the tutorial assumes that the device undergoing Windows Autopilot is an on-premises internal client that has direct connectivity to the on-premises domain and domain controllers. For off-premise/Internet scenarios where VPN connectivity is required, see Off-premises/Internet scenarios and VPN connectivity.

    • For Microsoft Software License Terms, select Hide to skip the EULA page.

    • For Privacy settings, select Hide to skip the privacy settings.

    • For Hide change account options, select Hide.

    • For User account type, select either Administrator or Standard user depending on the desired account type for the user. If Administrator is chosen, the user is added to the local Administrator group on the device.

    • For Allow pre-provisioned deployment, select No.

      Note

      For the Windows Autopilot for pre-provisioned deployment Microsoft Entra hybrid join scenario, see Step by step tutorial for Windows Autopilot for pre-provisioned deployment Microsoft Entra hybrid join in Intune

    • For Language (Region), select Operating system default to use the default language for the operating system being configured. If another language is desired, select the desired language from the drop-down list.

    • For Automatically configure keyboard, select Yes to skip the keyboard selection page.

    • The Apply device name template is greyed out for Microsoft Entra hybrid join scenarios. Although not as robust, device names can be specified during the Configure and assign domain join profile step.

    Note

    The above settings are selected to minimize user interaction during device setup. However, some of the options that are set as hidden can instead be shown as desired. For example, some regions might require that Privacy settings always be shown.

    Note

    If the language/region and keyboard screens are set to hidden, they might still be displayed if there's no network connectivity at the start of the Windows Autopilot deployment. When there's no network connectivity at the start of the deployment, the Windows Autopilot profile, where the settings to hide these screens is defined, hasn't downloaded yet. Once network connectivity is established, the Autopilot profile is downloaded and any additional screen settings should work as expected.

  1. Once the options in the Out-of-box experience (OOBE) page are configured as desired, select Next.

  2. In the Assignments page:

    1. Under Included groups, select Add groups.

    Note

    Make sure to add the correct device groups under Included groups and not under Excluded groups. Accidentally adding the desired device groups under Excluded groups prevents devices in those device groups from receiving the Autopilot profile.

    1. In the Select groups to include window that opens, select the groups that the Windows Autopilot profile should be assigned to. These device groups are normally the device groups created in the previous Create device group step. Once done, select Select.

    2. Under Included groups > Groups, ensure the correct groups are selected, and then select Next.

  3. In the Review + Create page, verify that all settings are set correctly, and then select Create to create the Autopilot profile.

Verify device has an Autopilot profile assigned to it

Before deploying a device, ensure that an Autopilot profile is assigned to a device group that the device is a member of. Autopilot profile assignment to a device can take some time after the Autopilot profile is assigned to the device group or after the device is added to the device group. To verify that the profile is assigned to a device, follow these steps:

  1. Sign into the Microsoft Intune admin center.

  2. In the Home screen, select Devices in the left hand pane.

  3. In the Devices | Overview screen, under By platform, select Windows.

  4. In the Windows | Windows devices screen, under Device onboarding, select Enrollment.

  5. In the Windows | Windows enrollment screen, under Windows Autopilot, select Devices.

  6. In the Windows Autopilot devices screen that opens:

    1. Find the desired device that Autopilot deployment profile assignment status needs to be checked.

    2. Once the device is located, its current status is listed under the Profile status column. The status has one of the following values:

      Before starting the Autopilot deployment process on a device, make sure that in the Windows Autopilot devices page:

      • The device's Profile status status is Assigned.
      • In the properties of the device, Date assigned has a value.
      • In the properties of the device, Assigned profile displays the expected Autopilot profile.

Note

Intune periodically checks for new devices in the assigned device groups, and then begins the process of assigning profiles to those devices. Due to several different factors involved in the process of Autopilot profile assignment, an estimated time for the assignment can vary from scenario to scenario. These factors can include Microsoft Entra groups, membership rules, hash of a device, Intune and Autopilot services, and internet connection. The assignment time varies depending on all the factors and variables involved in a specific scenario.

Off-premises/Internet scenarios and VPN connectivity

Windows Autopilot user-driven Microsoft Entra hybrid join supports off-premises/Internet scenarios where direct connectivity to Active directory and domain controllers isn't available. However, an off-premises/Internet scenario doesn't eliminate the need for connectivity to Active Directory and a domain controller during the domain join. In an off-premises/Internet scenario, connectivity to Active Directory and a domain controller can be established via a VPN connection during the Autopilot process.

For off-premises/Internet scenarios requiring VPN connectivity, the only change in the Autopilot profile would be in the setting Skip AD connectivity check. In the Create and assign user-driven Microsoft Entra hybrid join Autopilot profile section, the Skip AD connectivity check setting should be set to Yes instead of to No. Setting this option to Yes prevents the deployment from failing since there's no direct connectivity to Active Directory and domain controllers until the VPN connection is established.

In addition to changing the Skip AD connectivity check setting to Yes in the Autopilot profile, VPN support also relies on the following requirements:

  • The VPN solution can be deployed and installed with Intune.
  • The VPN solution needs to support one of the following options:
    • Lets the user manually establish a VPN connection from the Windows sign-in screen.
    • Automatically establishes a VPN connection as needed.

The VPN solution would need to be installed and configured via Intune during the Autopilot process. Configuration would need to include deploying any required device certificates if needed by the VPN solution. Once the VPN solution is installed and configured on the device, the VPN connection can be established, either automatically or manually by the user, at which point the domain join can occur. For more information and support on VPN solutions during Windows Autopilot, consult the respective VPN vendor.

Note

Some VPN configurations aren't supported because the connection isn't initiated until the user signs into Windows. Unsupported VPN configurations include:

  • VPN solutions that use user certificates.
  • Non-Microsoft UWP VPN plug-ins from the Windows Store.

Next step: Configure and assign domain join profile

For more information on configuring Autopilot profiles, see the following articles: