Why Hybrid Azure AD Join?
Do you manage a Windows fleet in your enterprise and are you fed up with manual provisioning? Windows Autopilot changes the game: a device comes out of the box, connects to Wi-Fi, and configures itself. But in a world where on-premises Active Directory coexists with Azure AD, Hybrid Join mode is often essential.
This guide takes you from zero to a working configuration, PowerShell scripts included.
What you need
- License: Microsoft Intune (M365 E3/E5 or Intune Plan 1)
- Infrastructure: Azure AD Connect v2+ configured and synchronizing
- Server: Intune Connector for Active Directory installed on a domain member server
- Devices: Windows 11 22H2 or higher
Architecture at a glance
Hybrid Join deployment involves 5 components that must communicate with each other seamlessly:
| Component | Role | Location |
|---|---|---|
| Azure AD | Cloud identities + device registration | Microsoft Cloud |
| Active Directory | On-premises directory + computer objects | On-premises |
| Azure AD Connect | Synchronization of identities and devices | On-premises server |
| Microsoft Intune | MDM management + Autopilot profiles | Microsoft Cloud |
| Intune AD Connector | Creation of computer objects in AD | On-premises server |
Key point
The Intune connector is the cornerstone. It's what creates the computer object in your local AD before the device starts up. Without it, no Hybrid Join.
Step-by-step configuration
Validate Azure AD Connect
Open Azure AD Connect and verify that the Hybrid Azure AD Join feature is enabled in the configuration options. Run a full synchronization if it has never been done.
Install the Intune Connector for Active Directory
Download the connector from the Intune portal (Devices > Windows > Connectors). Install it on a domain member server with Internet connectivity. The ODJ Connector service must be in Running state.
Create an Autopilot deployment profile
Intune admin center > Devices > Windows > Enrollment > Deployment profiles. Create a profile by selecting Hybrid Azure AD joined as the join type. Assign it to a device group.
Configure the Enrollment Status Page (ESP)
The ESP allows you to block access to the desktop until critical applications are installed. Configure a reasonable timeout (30-45 min for initial deployment).
Import hardware hashes
Export the hardware hash from your devices using PowerShell (see below) and import the CSV into Intune > Devices > Windows > Enrollment > Devices.
Essential PowerShell scripts
Export hardware hash
```powershell
# Install the Get-WindowsAutoPilotInfo script from the PowerShell Gallery if necessary
# (it is published as a script, not a module, so Install-Script is the right cmdlet)
Install-Script -Name Get-WindowsAutoPilotInfo -Force -Scope CurrentUser

# Export the hash of the current device
Get-WindowsAutoPilotInfo -OutputFile C:\Temp\AutopilotHash.csv

# To export from multiple machines over the network: the script accepts a list of
# computer names (-Name) and collects each hash remotely over WinRM/CIM, so it does
# not need to be installed on the target machines
Import-Module ActiveDirectory
$computers = @(Get-ADComputer -Filter "OperatingSystem -like '*Windows 11*'" |
    Select-Object -ExpandProperty Name)

Get-WindowsAutoPilotInfo -Name $computers -OutputFile "C:\Temp\AllHashes.csv"

Write-Host "Export completed: $($computers.Count) devices processed" -ForegroundColor Green
```
Check connector status
```powershell
# Verify that the ODJ Connector service is running
$service = Get-Service -Name "ODJConnectorSvc" -ErrorAction SilentlyContinue

if ($service) {
    if ($service.Status -eq "Running") {
        Write-Host "Intune Connector OK - Service running" -ForegroundColor Green
    } else {
        Write-Warning "Service is stopped. Attempting restart..."
        Start-Service -Name "ODJConnectorSvc"
    }
} else {
    Write-Error "Intune connector is not installed on this server."
}

# Check the most recent log file written by the connector
$logPath = "C:\ProgramData\Microsoft\Windows Intune\ODJConnector\Logs"
if (Test-Path $logPath) {
    $lastLog = Get-ChildItem $logPath -Filter "*.log" |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    Write-Host "Last log: $($lastLog.Name) - $($lastLog.LastWriteTime)"
}
```
Force Azure AD Connect synchronization
```powershell
# Run on the Azure AD Connect server
Import-Module ADSync

# Delta synchronization (fast)
Start-ADSyncSyncCycle -PolicyType Delta

# Check scheduler status
Get-ADSyncScheduler | Select-Object SyncCycleInProgress, NextSyncCycleStartTimeInUTC
```
Troubleshooting: most common errors
Critical error: 0x801c03f3
This error means the Intune connector cannot create the computer object in your AD. Possible causes: ODJConnectorSvc service stopped, target OU missing, or insufficient permissions on the OU.
| Error / Symptom | Probable cause | Solution |
|---|---|---|
| 0x801c03f3 | Intune connector unreachable or target OU missing | Check ODJConnectorSvc service + permissions on OU |
| ESP timeout > 60 min | Large applications or slow connection | Increase timeout or exclude non-critical apps from ESP |
| Device remains 'Pending' in Intune | Hardware hash not imported or profile not assigned | Re-import CSV and verify Autopilot profile assignment |
| No Hybrid synchronization | Azure AD Connect not synchronizing device objects | Force delta sync and verify Hybrid Join configuration in AADConnect |
| Error 'TPM attestation failed' | TPM 2.0 disabled or obsolete firmware | Enable TPM 2.0 in BIOS and update firmware |
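Two of the causes of 0x801c03f3 listed above (missing target OU, insufficient permissions on it) can be checked from the connector server before the first device is deployed. The script below is an added example, not part of the original guide or of Microsoft's tooling: it looks up the OU, reads its ACL and reports whether the connector server's computer account (directly or through a group it belongs to) holds an Allow ACE for "Create Child" scoped to the computer class or to all child objects. The OU distinguished name and server name are placeholders.

```powershell
# Added example (not part of the original guide): check whether the Intune connector
# server's computer account is allowed to create computer objects in the target OU.
# The OU distinguished name and the server name below are placeholders.
Import-Module ActiveDirectory

$TargetOU        = 'OU=Autopilot,OU=Workstations,DC=corp,DC=example'   # placeholder DN
$ConnectorServer = 'SRV-INTUNECONN01'                                    # placeholder name

# schemaIDGUID of the 'computer' object class: an ACE scoped to this GUID grants
# "Create Computer objects"; an empty ObjectType grants "Create all child objects"
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Helper: resolve an ACE identity (name or SID) to a SID string; unresolvable names return $null
function ConvertTo-Sid {
    param([System.Security.Principal.IdentityReference]$Identity)
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

function Test-OdjConnectorOuPermission {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$ServerName
    )

    try {
        $null = Get-ADOrganizationalUnit -Identity $OuDistinguishedName -ErrorAction Stop
    } catch {
        # A missing OU is one of the causes of 0x801c03f3 in the table above
        return [pscustomobject]@{ OU = $OuDistinguishedName; OuExists = $false
                                  CanCreateComputers = $false; GrantedVia = @() }
    }

    $serverAccount = Get-ADComputer -Identity $ServerName -ErrorAction Stop

    # The right may be granted to the computer account itself or to a group it is a
    # direct member of (nested group membership is not expanded here)
    $principalSids = @($serverAccount.SID.Value) +
        @(Get-ADPrincipalGroupMembership -Identity $serverAccount |
            ForEach-Object { $_.SID.Value } | Where-Object { $_ })

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    $granting = @($acl.Access | Where-Object {
        $sid = ConvertTo-Sid $_.IdentityReference
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $createChild) -eq $createChild) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $ComputerClassGuid) -and
        $sid -and ($sid -in $principalSids)
    })

    [pscustomobject]@{
        OU                 = $OuDistinguishedName
        OuExists           = $true
        CanCreateComputers = ($granting.Count -gt 0)
        GrantedVia         = @($granting | ForEach-Object { $_.IdentityReference.Value })
    }
}

$check = Test-OdjConnectorOuPermission -OuDistinguishedName $TargetOU -ServerName $ConnectorServer
$check | Format-List
if (-not $check.CanCreateComputers) {
    Write-Warning "The connector server cannot create computer objects in ${TargetOU}; expect 0x801c03f3 until this is fixed."
}
```

Run it on a domain member with the RSAT ActiveDirectory module, as a user who can read the OU's security descriptor. A result of `CanCreateComputers = False` together with `OuExists = True` points at the permission delegation; `OuExists = False` points at the OU name configured for the Autopilot profile. The check only considers Allow entries, so an explicit Deny higher in the ACL would still have to be reviewed by hand.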
Run dsregcmd /status on the device. Look for AzureAdJoined: YES and DomainJoined: YES in the output. Both must be YES for successful Hybrid Join.
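Reading the two flags by eye works for one device; for a lab batch it is handier to turn the text output into an object. The script below is an added example, not part of the original guide: it parses the `Key : Value` lines that `dsregcmd /status` prints, classifies the join state from `AzureAdJoined` and `DomainJoined`, and also reports `AzureAdPrt` (whether the signed-in user obtained a Primary Refresh Token). The sample output is constructed for offline testing; the device name, DeviceId and TenantName in it are placeholders.

```powershell
# Added example (not part of the original guide): turn the text output of
# dsregcmd /status into an object and classify the join state.
# The sample output below is constructed; DeviceId, TenantName and the device name are placeholders.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints one "Key : Value" pair per line; section banners and
        # separator lines (+----+) contain no colon and are skipped
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$fields
}

function Test-HybridJoinState {
    param([Parameter(Mandatory)][psobject]$Status)
    $azure  = $Status.AzureAdJoined -eq 'YES'
    $domain = $Status.DomainJoined  -eq 'YES'
    $verdict = if ($azure -and $domain) { 'Hybrid Azure AD joined' }
               elseif ($domain)        { 'Domain joined only: device registration pending or failed' }
               elseif ($azure)         { 'Azure AD joined only (not hybrid)' }
               else                    { 'Not joined' }
    [pscustomobject]@{
        AzureAdJoined = $azure
        DomainJoined  = $domain
        AzureAdPrt    = ($Status.AzureAdPrt -eq 'YES')   # user holds a Primary Refresh Token
        DeviceId      = $Status.DeviceId
        TenantName    = $Status.TenantName
        Verdict       = $verdict
    }
}

# Constructed sample in the layout dsregcmd uses (placeholders, not real identifiers)
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
               Device Name : WS-AUTOPILOT-01.corp.example

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : ExampleTenant

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@ -split "`r?`n"

$sample = ConvertFrom-DsregcmdStatus -Lines $SampleStatus
Test-HybridJoinState -Status $sample | Format-List

# On a real device, feed the live output through the same functions
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    $live = ConvertFrom-DsregcmdStatus -Lines (& dsregcmd.exe /status)
    Test-HybridJoinState -Status $live | Format-List
}
```

The verdict `Domain joined only` is the state you see on a freshly deployed device while Azure AD Connect has not yet synchronized its computer object, which ties back to the delay described in the timing note further down; if it persists well beyond a sync cycle, check the Hybrid Join configuration in Azure AD Connect.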
No, TPM 2.0 is mandatory for Autopilot attestation. Make sure it's enabled in the BIOS/UEFI of your devices. Windows 11 requires it anyway.
On average 30 to 60 minutes for initial deployment with ESP, depending on the number of applications and connection speed. Subsequent deployments on the same model are often faster thanks to caching.
Yes, but the VPN must be established before the domain join attempt. Use a VPN profile deployed via Intune with the "before user login" option (device tunnel).
Best practices
- Test in lab first — Never deploy directly to production. Create a test group with 2-3 devices.
- Monitor the connector — Set up an alert if the ODJConnectorSvc service stops.
- Name your profiles clearly — Use a convention like AP-HybridJoin-Win11-FR for easier management.
- Keep Azure AD Connect updated — Older versions can cause device object synchronization issues.
- Document your target OUs — The connector must know exactly where to create computer objects in your AD.
Watch the timing
After importing hardware hashes, allow 15 to 30 minutes before devices appear in Intune. Azure AD Connect synchronization adds additional delay for Hybrid Join. Patience!
Conclusion
Autopilot deployment in Hybrid Azure AD Join mode requires rigorous preparation — Intune connector, Azure AD Connect, profiles and ESP. But once in place, it's a significant time saver: your users receive a pre-configured device, ready to use, without IT manual intervention.
The secret? Test, monitor, iterate. Start small, validate each step, and gradually expand to the entire fleet.