Create Windows 10 AutoPilot Hybrid Azure AD joined profile

This blogpost is about creating a Windows 10 AutoPilot deployment profile based on a Hybrid Azure AD Joined scenario via Microsoft 365/Microsoft Intune.

Creating the profile

Go to https://devicemanagement.microsoft.com/ and log on.

Go to Devices and to Windows:

After that click on “Windows Enrollment”:

We first need to setup automatic enrollment. Click on automatic enrollment:

You need to configure the MDM user scope. You can select a group or enable it for all users. I have a test tenant, so I have enabled it for all users:

Windows Hello for Business and the Enrollment Status Page are optional to configure:

We first need to create a dynamic group. Go to https://portal.azure.com/ and go to Azure Active Directory:

Go to groups:

Click on New group:

Name the group and click on add dynamic query:

The dynamic query must be stated like this:

This is the query: (device.devicePhysicalIDs -any _ -contains "[ZTDId]")

This query is needed to target the Autopilot devices that were uploaded via CSV upload. If you want to know how to do so, click on this link:

https://www.nielskok.tech/microsoft365/windows-10-autopilot-info-upload-script/

For testing purpose to include Virtual Machines I have used the query:

(device.deviceModel -contains "Virtual")
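As an added example (not code from the original post), the same dynamic group can be created with the AzureAD PowerShell module instead of the portal. The group name and description are placeholders, the module is assumed to be installed, and the -IncludeVirtualMachines switch reproduces the test-only VM query by OR-ing it onto the ZTDId rule.

```powershell
# Added example (not from the original post): create the Autopilot dynamic device group
# with the membership rule shown above, using the AzureAD PowerShell module.
# Assumes: Install-Module AzureAD has been run and the signed-in account may create
# groups in the tenant. Group name and description are placeholders.

function New-AutopilotDynamicGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        # Only for test tenants: also match VMs, as the post does with its second query.
        [switch] $IncludeVirtualMachines
    )

    # Rule from the post: devices whose physical IDs carry the Autopilot ZTDId tag,
    # i.e. devices registered through the Autopilot hardware-hash CSV upload.
    $rule = '(device.devicePhysicalIDs -any _ -contains "[ZTDId]")'
    if ($IncludeVirtualMachines) {
        $rule = "$rule -or " + '(device.deviceModel -contains "Virtual")'
    }

    # Dynamic membership requires GroupTypes "DynamicMembership" and processing state "On";
    # the group must be security-enabled so it can be used as an Intune assignment target.
    $group = New-AzureADMSGroup -DisplayName $DisplayName `
        -Description 'Autopilot devices (dynamic membership)' `
        -MailEnabled $false `
        -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'

    return $group
}

Connect-AzureAD
$g = New-AutopilotDynamicGroup -DisplayName 'Autopilot Devices' -IncludeVirtualMachines
# Membership is evaluated asynchronously; confirm the rule and state were stored as intended.
Get-AzureADMSGroup -Id $g.Id | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Devices matching the rule appear in the group only after Azure AD has processed it, so allow a few minutes before assigning the profile and checking members.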

The next step is to install the Intune Hybrid Connector:

This connector needs to be installed on a domain-joined machine (Windows Server 2016 or later) and needs to be reachable from the domain controller and the Microsoft cloud.

Click on Add:

Click on the link to download the connector:

Copy this file to the server where you are going to install the connector. Run the installation and configure the connector. In addition, you need to log on as Global Admin during the configuration.

Click Configure Now:

When the setup has completed and the following screen presents itself, log on with a Global Admin account that has a license!

You need to see this message:

After you installed the connector you need to check whether it’s online:

Delegate Control

We need to delegate control on the Organizational Unit in Active Directory where the AutoPilot devices are going to be added. Log on to your Domain Controller and open Active Directory Users and Computers. Go to the Organizational Unit, right-click it and choose Delegate Control:

Now you need to add the computer accounts that host the Intune Connectors and click next:

Now we need to create a custom task to delegate:

Select all permissions:

Click next and finish.

The next step is the creation of the Windows 10 AutoPilot Profile

Click on Deployment Profiles:

Click on Create profile:

Name the profile and select "Convert all targeted devices to AutoPilot":

Select the following options at "Out-of-box experience (OOBE)":

Assign the profile to the dynamic group created earlier on:

At review and create check your settings and click on create!

The next and last step is the creation of the domain join profile.

Go to devices:

And go to Configuration profiles:

Click on create profile:

Select these options:

Name the policy:

Fill in the options:

Fill in the scope tags if you need them.

At assignments use the dynamic group created earlier.

Assign the “Applicability Rules” only when needed.

Check your settings and click on create:

Testing the profile

Some notes before we begin to test the Hybrid AD Join Profile.

The test machine needs to be in contact with a Domain Controller. This can't be done via a client VPN; you can use a site-to-site VPN. Furthermore, the test machine needs to have its DNS server pointed to the Domain Controller for the domain join part.

This is the first screen you see when the machine boots for the first time; log on with your credentials:

The machine is going to download the Autopilot profile and reboot:

After the reboot the Enrollment Status Page pops up:

After that you need to log on and the domain join is performed.

Then the Enrollment Status Page pops up again:
