Hey everyone! I'm curious about the current state of Hybrid Join Autopilot. I've come across a lot of opinions stating that it's not worth enduring, including some info about Microsoft engineers advising against it. However, I've also seen suggestions that disabling the line of sight requirement to the Domain Controller (DC) can help alleviate many issues. My scenario is that all devices will be deployed on-site where they have line of sight to the DC before they are sent out, so I don't expect that to be a problem.
A little background: I joined this environment a few months ago where we were doing everything manually for provisioning and reimaging. Without proper licensing, I've managed to automate a lot using provisioning packages and PowerShell scripts. Now that we have Intune, I'm interested in making the most of Autopilot. Unfortunately, due to decisions from our parent company, we can't fully transition away from on-premises systems nor do we have the budget for Azure AD Domain Services (AADDS). In the past, I've deployed Autopilot and Intune in pure Entra environments without issues, and I'm hoping to figure out if there's a way to make Hybrid Join work for us. Thanks in advance for any insights!
4 Answers
I’ve actually had a pretty decent experience with Hybrid Join. Once you configure it properly, the whole Autopilot process only takes about an hour and a half, especially with the right scripts. I know that's not everyone's experience, but it can work fine for certain environments. Just keep the Intune configurations straightforward.
Honestly, I don’t think Hybrid Join is necessary anymore. We moved to using purely Entra joined devices without many complications, and it works smoother. There are a few speed bumps like application installations depending on user permissions, but overall, it’s much easier. I recommend giving Entra a shot if you can.
From what I've seen, most issues around Hybrid Join stem from Microsoft's focus on pure Entra management – they're not really improving the hybrid model. However, we're working fine with on-prem AD and fully Intune-managed devices. Setting up Cloud Kerberos helps a lot because you can use Windows Hello seamlessly for network access. If your setup allows for it, I suggest testing Cloud Kerberos instead of relying solely on Hybrid Join.
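As an added illustration (not code from the answer above or from Microsoft), the script below parses `dsregcmd /status` output to tell a Hybrid-joined device from a purely Entra-joined one and to show whether the SSO prerequisites that cloud Kerberos trust relies on (an Entra PRT and a cloud TGT) are present. It assumes `dsregcmd.exe` is on the path of a Windows 10/11 device and that the field names `AzureAdJoined`, `DomainJoined`, `AzureAdPrt`, `CloudTgt` and `OnPremTgt` match what current builds print; the sample text embedded in it is constructed so the script can be run offline.

```powershell
# Added example, not part of the original thread. Classifies a device's join
# state from `dsregcmd /status` and reports the cloud Kerberos trust
# prerequisites (PRT + cloud TGT). Field names are assumed to match current
# Windows builds; adjust if your output differs.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) {
        # Fields look like "   AzureAdJoined : YES"; keep the first value seen per key.
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            if (-not $map.ContainsKey($Matches[1])) { $map[$Matches[1]] = $Matches[2] }
        }
    }
    return $map
}

function Get-JoinAssessment {
    param([Parameter(Mandatory)][hashtable]$Status)
    $entra  = $Status['AzureAdJoined'] -eq 'YES'
    $domain = $Status['DomainJoined']  -eq 'YES'
    $joinType = if ($entra -and $domain) { 'Hybrid Entra joined' }
                elseif ($entra)          { 'Entra joined' }
                elseif ($domain)         { 'Domain joined only' }
                else                     { 'Not joined' }
    [pscustomobject]@{
        JoinType   = $joinType
        TenantName = $Status['TenantName']
        HasPrt     = $Status['AzureAdPrt'] -eq 'YES'
        CloudTgt   = $Status['CloudTgt']   -eq 'YES'
        OnPremTgt  = $Status['OnPremTgt']  -eq 'YES'
    }
}

# Constructed sample (an Entra-joined device with a PRT and a cloud TGT),
# used when dsregcmd.exe is not available so the script still runs.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
                  CloudTgt : YES
                 OnPremTgt : YES
'@ -split "`r?`n"

$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    & dsregcmd.exe /status
} else {
    $sample
}

$assessment = Get-JoinAssessment -Status (ConvertFrom-DsregStatus -Lines $lines)
$assessment | Format-List

# Cloud Kerberos trust needs a PRT and a cloud TGT; without a domain join the
# device never has to reach a DC during Autopilot, which is the hybrid-join
# pain point the thread is discussing.
if ($assessment.HasPrt -and $assessment.CloudTgt) {
    Write-Host 'Cloud Kerberos trust prerequisites present (PRT + cloud TGT).'
} else {
    Write-Warning 'Missing PRT or cloud TGT: check the WHfB cloud trust policy and the Entra Kerberos server object.'
}
```

Run it as the signed-in user rather than SYSTEM, since the PRT and TGT fields in `dsregcmd /status` reflect the calling user's session.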
Hybrid Join can still be useful, especially for clients that rely on legacy apps or specific internal authentication methods. However, it isn’t the best long-term solution. Most setups I’ve seen can transition gradually from Hybrid to Entra to clean things up and avoid potential conflicts. If you can sync AD users without needing to join devices to AD, that could be a path forward.