You’ve probably heard someone say it before: Don’t do Hybrid Azure AD Join, move to Azure AD Join. What they are generally referring to is more specifically talking about Windows Autopilot and its user-driven Hybrid Azure AD Join scenario, in which Windows Autopilot joins a device to Active Directory and enrolls it in Intune.
But it’s worth looking at that question more broadly. Let’s start from the top…
What’s wrong with Active Directory?
We should probably be more specific here and say “Active Directory Domain Services” since for a while everything had an Active Directory label on it. For simplicity though, let’s just say AD. What’s wrong with AD? Well, it was originally shipped in the year 2000 and was designed for a different computing reality: Devices that are always (or at least mostly) connected to the corporate network. These days, people work from home; they travel around the world; they primarily use laptops which are certainly not always connected to the corporate network. So what’s wrong with that?
First, there’s always a need for connectivity to do certain tasks. For example, you need connectivity to an AD domain controller to log in initially; to change your password; to apply updated Group Policy objects; to enroll and renew AD Certificate Services certificates; to map network drives to file servers; etc.
Solutions like DirectAccess (which was deprecated and then un-deprecated) solved that challenge, but were difficult to deploy and support. Newer solutions like Always On VPN could also work, but they were also challenging to implement. Many organizations adopted third-party VPN solutions that supported integration with Windows to help (e.g. start before logon [SBL], PLAP, etc.), and with the right instructions you could get it to work. But it typically wasn’t smooth or seamless, and required educating employees on how to use it.
Second, Active Directory assumed good connection speeds, e.g. devices on a LAN, so it can get more challenging when using slower internet/VPN-based connections. This can cause issues with the same sorts of AD capabilities (e.g. GPOs) even when you have solved the connectivity issues. As internet speeds improved, this may not be as big of any issue now.
What’s wrong with Hybrid Azure AD Join (generally)?
Azure Active Directory was designed for internet-connected devices, so it doesn’t have the same challenges. But it also has much less functionality when you look at it from a Windows perspective. It’s just an authentication service, it has no device management capabilities of its own: no policy delivery (so no GPOs); no certificate enrollment features; no drive mapping; etc. Hence you need a separate management solution (e.g. Intune/MDM, ConfigMgr/CMG, or pretty much any other management solution that can support internet-facing clients, which is pretty much all of them at this point). But even with that, you need to rethink things, e.g. no more file servers, logon scripts, mapped drives or anything like that. “All you need to do is move that stuff to OneDrive, SharePoint, Teams, etc.” But that’s more of a “what’s wrong with Azure AD” discussion.
If we look at Hybrid Azure AD Join, it has a more limited purpose: To get devices joined to AD known to Azure AD, and to get users signed into AD to also have Azure AD user tokens. The benefits for doing that include single sign-on to Azure AD-based services, conditional access, etc.
But to get this to work, you need to synchronize AD to Azure AD: all users and devices need to be synchronized. The user part works pretty well, but there are complications with the device part. Here’s an image from a post I did a few years ago:
For organizations not using ADFS (which is likely a lot at this point since Microsoft is trying to push customers away from ADFS), the Hybrid Azure AD device registration process needs for the device to communicate with an AD domain controller, first to find the SCP object that tells the device what AAD tenant it needs to register with, and then again to update the device’s certificate in AD. Only when that certificate is present will AAD Connect synchronize the device into AAD. And if a user signs into the device before that happens, they don’t get an AAD user token, which has some potentially bad side effects, e.g. timeouts from user ESP, an inability to do single sign-on to AAD-based services (e.g. OneDrive, SharePoint, Teams), etc.
There used to also be issues caused by duplicate objects for a single device in Azure AD: you would find the original AAD device created when the device was first registered with Autopilot, and then a second Hybrid Azure AD device that was synchronized from AAD Connect into AAD. This caused havoc with Intune policy targeting because Intune would switch to the new HAADJ device object as soon as it showed up; anything that targeted the original AAD device would fall out of scope. The most noticeable side effect of this was the offline domain join process timing out; you could work around it by either assigning the Domain Join configuration profile to “All users” or to a dynamic group that contained both objects. Interestingly, I haven’t seen this happen recently. Perhaps it’s been fixed so that AAD now merges the two objects together? The docs aren’t particularly clear.
What’s wrong with Windows Autopilot user-driven Hybrid Azure AD Join (HAADJ)?
The user-driven HAADJ process definitely has some shortcomings. While some have been eliminated, others remain.
First, there’s the computer naming. The only thing you can configure for the computer name is the prefix, e.g. “DJ-“. The rest of the name is filled with random characters to create a 15-character name. (You can tell that whoever implemented this initially didn’t realize that Windows computer names were case-insensitive, as they use both upper and lower case letters in the names.) Few organizations are happy with this.
Also, the offline domain join process implemented by Intune that is used to join the device to AD is rather slow as it’s designed to handle a ridiculous scale, even though orgs typically would only deploy a few devices per hour, so the implementation is overkill. The process also doesn’t support the other DirectAccess-related capabilities that are generally useful for offline join scenarios: embedding root certificates; generating a computer-specific cert and including it in the blob; including one or more GPO objects in the blob. I tried to add these at one point (and did add them in the Tanium Provision offline domain join implementation) by modifying the ODJ Connector’s code myself, but it wouldn’t work: the communication channel to send the resulting ODJ blob back to Intune for relaying to the client via MDM wouldn’t accept an ODJ blob that was larger than 16KB.
Related to the AAD Connect synchronization process described above, it’s also highly unlikely that user ESP will work properly since the signed-on user will not have an AAD user token. Unfortunately, the ESP settings in Intune don’t provide a simple way to turn it off (you really don’t need it); you have to use a custom OMA-URI configuration profile to do that. That doesn’t help Intune out any — it still won’t be able to deliver any user policies or apps until the user signs out and back in again, but at least that is a background issue that the user won’t notice.
At least one improvement was made to the original user-driven HAADJ process: the addition of the “Skip AD connectivity check” option. Prior to this, Autopilot would always try to find a domain controller before it would continue the deployment process, but unless you had successfully implemented an Always-On VPN connection (“all you have to do is replace your current VPN with the Windows Always On VPN solution”) that would never work. By saying “skip the check” you are telling Autopilot that you are responsible for establishing connectivity in some way before the user will be able to sign into the device (if they are are off the network — obviously not an issue if you are deploying while on the corporate network).
Enrolling certificate via MDM can also be tricky with the user-driven HAADJ process, since the initial certificate template configuration profiles will be received by the device before it has rebooted to complete the ODJ process; that sets the “real” computer name at the same time. There is a workaround using the {{FullyQualifiedDomainName}} attribute in the profile. That value can’t be obtained until after the ODJ reboot, and the device will keep trying until that happens, so you will eventually end up with a “proper” cert. (Be careful if you are using AD-delivered auto-enroll certificates since those have the same connectivity challenges as previously mentioned.)
So what should I do?
The Microsoft message will always be “move to AAD Join, give up on HAADJ.” But that can be a significant amount of work. There’s nothing wrong with using HAADJ in the near term, you just need to make sure you do some things to increase your chances of success.
- Implement Always On VPN or a third-party equivalent that supports automatic connections. This will provide the smoothest operation, just like if you were on the corporate network. If that’s not an option (e.g. you’re a Cisco shop and you need to use the Start Before Logon [SBL] feature of AnyConnect), you would need to at least teach your users how to make a VPN connection before logging on (check the box on the logon screen, connect to VPN first). This post is probably a little out-of-date, but it’s a good starting point.
- Check the “Skip AD Connectivity Check” box in the HAADJ Autopilot profile. Even if you are using Always On VPN from Microsoft, this can still be problematic — by skipping this, connectivity isn’t needed until the user signs in.
- Turn off user ESP. See the “SkipUserStatusPage” instructions in my post here. (There really should be a checkbox in the ESP settings to make this easier.)
- Target your Domain Join profile to “All devices.” This avoids issues that can occur with group membership in Azure AD (Entra ID) that can cause ODJ timeouts that occur because Intune couldn’t find any Domain Join profile targeted to the device. This does mean that all devices would need to be put into the same OU, but you can always move them later. (The typical symptom that you’re running into this: a newly-registered device works once, but if you reset it or reimage it and try again it doesn’t work the second time.)
- Specify the {{FullyQualifiedDomainName}} attribute on certificate templates in Intune so that the certificate does not get enrolled until after the computer name has been set (so after the ODJ reboot). (Note that this only works for AD-joined devices; a certificate profile set up like that won’t work on an AAD-joined device.)
One other item to consider if you really don’t like the random computer names:
- Rename the AD device after the provisioning process completes. See this post for the details around that (AD/VPN connectivity required).
Out of Office Hours 
16 responses to “What’s wrong with Hybrid Azure AD Join?”
Hello. Thanks for an excellent article. The script to rename a computer sounds great, unfortunately, the requested .net version is no longer available, and the code needs to be changed.
LikeLike
Sigh, will look into fixing that when I get some time.
LikeLike
Thanks Michael. I was trying to use ChatGPT to rewrite the function or to create a new one, but I am not C# developer and my attempts have failed.
LikeLike
Michael, was wondering if you or anyone else who’s listening has ever come across an issue with Autopilot where a trial version of Office is interfering with the main Office 365 Win32 app that we are pushing with Intune. So the whole build process hangs because there are some registry keys evidently that cannot be deleted — specifically in a log we see “unable to delete OOBE keys” — HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\Smart Tag\Actions
On the machine, we see the Office UI setup screen is hung and in a failed state. We started seeing this with Windows 11 on new OEM PCs. Never saw it on Win10.
LikeLike
I have heard of issues in the past, but don’t have any personal experience in how to deal with them. I suspect you would need to uninstall the trial version first, but sequencing that into the process likely means scripting your own Office install and not using the one built into Intune.
LikeLike
We had issues with the built-in Intune o365 install causing havoc with win32 apps installing at the same time, so we had to move everything to win32 apps. If possible, I would configure the office pre-install, but we used a 32-bit office and 64-bit office came pre-installed.
To remove the office pre-installs, create a custom configuration file to pass to the setup.exe first with the following:
LikeLike
Hi Casey,
I’d suggest just adding commands to delete the offending app and registry keys associated with it into your provisioning powershell script (if you have one) and running it before you start the AutoPilot process (I had to implement a couple of OS changes to get Autopilot working at my Org; Long story short for one of them – our network hates MSLLDP causing Windows 11 to fail the Autopilot process so I had to disable MSLLDP pre Autopilot which I accomplished by just adding it to my script).
LikeLike
Casey, Don’t install o365 via intune. Instead use the pre installed o365 (mainly OneDrive) to activate and if high enough level will force to enterprise, then your AOVPN will work too.and push o365 updates via intune after.
LikeLike
Jeremy Moskowitz here. Wouldn’t you also say that one of the HAADJ problems is… its like a roach motel. You can check in, but you can’t check out. Once a machine is HAADJ there’s no way, short of FDISK/FORMAT of the whole OS to transition away from HAADJ to AAD only if you wanted to later? I know of a customer who buckled in >100,000 machines… and NOW are looking to turn off their on-prem AD. “Now what?” Right now: Only suffering; no transition ability. (Who knows if this will change in the future, but right now… ugh.)
LikeLike
I’ve never seen customers that were anxious to do anything significant to their device once it’s been deployed — they’ll wait until they replace the device. So, you are committing to staying with HAADJ for the life of the device.
LikeLike
We have been doing some POC testing to exploring Hybrid Autopilot wipe options. We are starting to offload GPO’s to Configuration Policies and Policy management from SCCM to Intune. I’ve been hunting for caveats to confirm if we are better to pursue AAD only Autopilot directly to progress our Cloud transition.
In the environment the Autopilot process creates the new AD device object in an OU with disabled inheritance to exclude all existing GPO’s (except Software Centre client push requirements and Domain certificate registration). This OU is used to populate a distribution group in SCCM to “Co-manage Pilot” all Workloads out to Intune. The process is dependent on domain connectivity, the environment uses Azure VPN client which doesn’t seem to be compatible.
The Hybrid Autopilot process takes about an hour to complete the AADJ device registration with just LAPS and Office as required apps assigned. The device is then usable, but it takes another few hours to re-encrypt the drive with BitLocker and complete the full list of company compliance checks. The user is able to log in while this process completes in the background.
We still see duplicate device objects in Azure AD for Hybrid Autopilot deployments (One for Hybrid Azure AD Joined object and another for Azure AD joined object). The Azure AD joined object (created when the Hash is uploaded to Autopilot and renamed during autopilot) remains after an Intune wipe (retain enrolment disabled) of the Hybrid Azure AD Joined device. The wipe removes the link to the Hybrid Azure AD Azure AD device in Autopilot devices and eventually cleans up the Azure AD object too.
As with Jeremy’s comment, to move devices from Hybrid to AAD, I did some testing to confirm today. There’s nothing stopping you from re-autopiloting an Intune Wiped Hybrid Autopilot device, you simply need to assign an Azure AD Only Autopilot Profile via the AAD Only device object linked to the Autopilot Device hash.
Thanks for the excellent write up Michael!
LikeLike
Changing the profile then resetting the device is really the only good path. It’s the preparation that goes into that (GPOs, data off the device, etc.) that is where all the work resides.
I’m still not sure why I’m not seeing duplicate devices any more — the AAD device that was created when the device was originally registered disappears and the HAADJ device takes its place. That’s not what I expected to happen, and certainly in the past that wasn’t what happened.
LikeLike
I would LOVE to have a HAADJ to AADJ switch. We have a pretty long HW refresh rate and didn’t understand AADJ enough when we rolled it all out. We also have a number of problems that haven’t been solved yet in regards to making AADJ work in parity to HAADJ but those seem to be numbered and I think solved before the next HW refresh. Maybe by they there will be a nice Intune policy that does it 🙂
LikeLike
Firstly let me state what an incredibly useful blog I have found this to be and it’s a credit to you Michael! I found it as I have been having a lot of ‘play time’ with Autopilot of late (being new to this tech). AADJ is straight forward. However, HAADJ is a nightmare and so poorly documented from MS!
One thing I have been struggling with is enabling Bitlocker for user-driven HAADJ silently during Autopilot. Is this even possible? The Endpoint Security -> Disk Encryption profile in Intune has a setting that states ‘Allow standard users to enable encryption during Autopilot’
Is this only possible for AAAJ in Autopilot?
LikeLike
Hi Michael
It’s always magical to read your posts and I have learnt a lot. Thank you so much for your efforts.
I have a doubt though, you have mentioned that to successfully sync the device to AAD via Entra connect, you need Device Certificate, please correct me if I am wrong isn’t it Usercertificate attribute of AD object of the device which device need to generate and update once device finish probing SCP config.
If it is then when and how it is generated by the device?
Is this require User login?
Thanks.
LikeLike
Yes, the device cert is stored in the user certificate property in AD. It doesn’t require a user to login, but it does need connectivity to a DC as it won’t do anything until it reads the SCP from AD.
LikeLike