To onboard existing devices without a wipe and load, the most common path is to turn on-prem AD devices into hybrid-joined devices and then join them to Intune.

The first step is to configure Entra Connect (Configure Microsoft Entra hybrid join for managed domains). This adds the SCP entry that on-prem devices need in order to try to register with Entra ID as hybrid. If you can't configure the SCP, you can configure it manually via the registry (Controlled validation of Microsoft Entra hybrid join devices). Keep in mind that for the hybrid join to complete, the device must be able to see the domain controllers (either via LAN or via VPN).

After AD Connect is configured for hybrid join, some more configuration is required:

- Check that the user has an Intune license assigned (and any other required licenses).
- Move the computer object in AD to the right OU (one that is synced by AD Connect, in case not all OUs are).
- Make sure the CCM client is not installed (if the CCM client is installed and co-management is not enabled, the enrollment will fail).
- Configure MDM auto-enrollment via GPO (Enroll a Windows 10 device automatically using Group Policy - Windows Client Management) or via registry key (Intune auto MDM enrollment for devices already Entra joined).
- Make sure the user is logged on with username@domain.com instead of username only or domain\username.
- If the enrollment doesn't work, make sure there isn't another enrollment already in place (likely to be one for MAM) by looking in HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> (Enroll a Windows 10 device automatically using Group Policy - Windows Client Management).

The following script can help remove the key programmatically:
# Find every enrollment key that carries a DiscoveryServiceFullURL value and
# remove only those whose URL points at the MAM service. Each key is handled
# on its own, so several existing enrollments do not break the path lookup.
Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Property -contains 'DiscoveryServiceFullURL' } |
    Where-Object { $_.GetValue('DiscoveryServiceFullURL') -like '*mam*' } |
    ForEach-Object { Remove-Item -Path $_.PSPath -Recurse -Force }
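
A read-only pre-flight check covering the checklist above, as an added example that is not part of the original post. The dsregcmd fields, the CDJ\AAD and Policies\...\MDM registry locations and the CcmExec service name are not on this page; they are the standard Windows and Configuration Manager names, and the script assumes it runs on the device in the enrolling user's session.

```powershell
# Read-only checks before Intune auto-enrollment of a hybrid-joined device.
# Nothing is changed; run on the device as the user who will enroll.

# 1. Join state as reported by dsregcmd (hybrid = domain joined + Entra joined)
$state = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
        $state[$Matches[1]] = $Matches[2]
    }
}
$hybrid = ($state['AzureAdJoined'] -eq 'YES') -and ($state['DomainJoined'] -eq 'YES')

# 2. Client-side SCP, present only if it was configured manually via the registry
$scp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD' `
    -ErrorAction SilentlyContinue

# 3. Configuration Manager client (blocks enrollment unless co-management is on)
$ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue

# 4. MDM auto-enrollment policy as written by the GPO or the registry method
$mdm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' `
    -ErrorAction SilentlyContinue

# 5. Logon name in username@domain.com form (empty for local accounts)
$upn = whoami /upn 2>$null

# 6. Enrollments already on the device; a MAM one can block MDM enrollment
$urls = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Where-Object { $_.Property -contains 'DiscoveryServiceFullURL' } |
    ForEach-Object { $_.GetValue('DiscoveryServiceFullURL') }

[pscustomobject]@{
    HybridJoined           = $hybrid
    ClientSideScpTenant    = $scp.TenantName
    CcmClientInstalled     = [bool]$ccm
    AutoEnrollMdmPolicySet = ($mdm.AutoEnrollMDM -eq 1)
    LoggedOnUpn            = $upn
    ExistingEnrollmentUrls = $urls -join '; '
    MamEnrollmentPresent   = [bool]($urls -like '*mam*')
} | Format-List
```

License assignment and OU sync scope are checked on the tenant and in AD, so they are not covered by this device-side script.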