Important
Microsoft recommends deploying new devices as cloud-native using Microsoft Entra join. Deploying new devices as Microsoft Entra hybrid join devices isn't recommended, including through Windows Autopilot. For more information, see Microsoft Entra joined vs. Microsoft Entra hybrid joined in cloud-native endpoints: Which option is right for your organization.
Intune and Windows Autopilot can be used to set up Microsoft Entra hybrid joined devices. To do so, follow the steps in this article. For more information about Microsoft Entra hybrid join, see Understanding Microsoft Entra hybrid join and co-management.
Requirements
The list of requirements for performing Microsoft Entra hybrid join during Windows Autopilot is organized into three different categories:
- General - general requirements.
- Device enrollment - device enrollment requirements.
- Intune connector - Intune Connector for Active Directory requirements.
Select the appropriate tab to see the relevant requirements:
- Successfully configured the Microsoft Entra hybrid joined devices. Be sure to verify the device registration by using the Get-MgDevice cmdlet.
- If Domain and OU-based filtering is configured as part of Microsoft Entra Connect, ensure that the default organizational unit (OU) or container intended for the Windows Autopilot devices is included in the sync scope.
Set up Windows automatic MDM enrollment
- Sign in to the Azure portal and select Microsoft Entra ID. 
- In the left hand pane, select Manage | Mobility (MDM and WIP) > Microsoft Intune. 
- Make sure users who deploy Microsoft Entra joined devices by using Intune and Windows are members of a group included in MDM User scope. 
- Use the default values in the MDM Terms of use URL, MDM Discovery URL, and MDM Compliance URL boxes, and then select Save. 
Install the Intune Connector for Active Directory
The Intune Connector for Active Directory, also known as the Offline Domain Join (ODJ) Connector, joins computers to an on-premises domain during the Windows Autopilot process. The connector creates computer objects in a specified Organizational Unit (OU) in Active Directory during the domain join process.
Important
Starting with Intune 2501, the Intune Connector for Active Directory is updated and improves security by following least-privilege principles using a Managed Service Account (MSA). When you download the connector from Intune, you automatically get the updated version.
The deprecated legacy connector is still available and will soon stop accepting enrollment requests. If you still use the legacy connector, update immediately to avoid loss of functionality. For more information, see the Intune Connector for Active Directory with low-privileged account for Windows Autopilot Hybrid Microsoft Entra join deployments blog post.
To update the connector, you must:
- Manually uninstall the legacy connector. There isn't an automatic option.
- Download and install the updated connector (described in this article).
Tip
If using multiple domains to enroll Autopilot devices:
- You'd need a separate connector instance for each domain. A connector can only process enrollment requests for the same domain as the server it was installed on.
- There can be at most 1 connector per server (VM or physical). Additional servers per domain can be set up for redundancy, each with its own connector installed. In that setup, if one connector fails, the requests will go to another connector on another server within the same domain.
Select the tab that corresponds to the version of the Intune Connector for Active Directory that is being installed:
Before you begin
- Before you install, make sure that all of the Intune connector for Active Directory server requirements are met. 
- Microsoft recommends (not required) that the administrator installing and configuring the Intune Connector for Active Directory has the domain rights listed in Intune Connector for Active Directory requirements. These rights allow the Intune Connector for Active Directory installer and configuration process to set permissions for the Managed Service Account (MSA) on the Computer container or OUs where computer objects are created. - If the administrator lacks these permissions, another administrator with the appropriate rights must Increase the computer account limit in the Organizational Unit (OU). 
Turn off Internet Explorer Enhanced Security Configuration
Starting with version 6.2504.2001.8, the updated Intune Connector for Active Directory switched to using WebView2, built on Microsoft Edge, instead of WebBrowser, built on Microsoft Internet Explorer. This change means that the Internet Explorer Enhanced Security Configuration setting in Windows Server no longer needs to be turned off. Make sure to install version 6.2504.2001.8 or later of the Intune Connector for Active Directory to avoid issues with the Internet Explorer Enhanced Security Configuration setting.
Download the Intune Connector for Active Directory
- On the server where the Intune Connector for Active Directory is being installed, sign into the Microsoft Intune admin center. 
- In the Home screen, select Devices in the left hand pane. 
- In the Devices | Overview screen, under By platform, select Windows. 
- In the Windows | Windows devices screen, under Device onboarding, select Enrollment. 
- In the Windows | Windows enrollment screen, under Windows Autopilot, select Intune Connector for Active Directory. 
- In the Intune Connector for Active Directory screen, select Add. 
- In the Add connector window that opens, under Configuring the Intune Connector for Active Directory, select Download the on-premises Intune Connector for Active Directory. The link downloads a file called ODJConnectorBootstrapper.exe.
Install the Intune Connector for Active Directory on the server
Important
The Intune Connector for Active Directory installation needs to be done with an account that has the following domain rights:
- Required - Create msDs-ManagedServiceAccount objects in the Managed Service Accounts container.
- Optional - Modify permissions in OUs in Active Directory - if the administrator installing the updated Intune Connector for Active Directory doesn't have this right, additional configuration steps are required by an administrator who has these rights. For more information, see the step/section Increase the computer account limit in the Organizational Unit.
- Sign into the server where the Intune Connector for Active Directory is being installed with an account that has local administrator rights. 
- If the previous legacy Intune Connector for Active Directory is installed, uninstall it first before installing the updated Intune Connector for Active Directory. For more information, see Uninstall the Intune Connector for Active Directory.
  Important: When uninstalling the previous legacy Intune Connector for Active Directory, make sure to run the legacy Intune Connector for Active Directory installer as part of the uninstall process. If the legacy Intune Connector for Active Directory installer prompts to Uninstall it when it's run, select to uninstall it. This step ensures that the previous legacy Intune Connector for Active Directory is fully uninstalled. The legacy Intune Connector for Active Directory installer can be downloaded from Intune Connector for Active Directory.
  Tip: In domains with only a single Intune Connector for Active Directory, Microsoft recommends first installing the updated Intune Connector for Active Directory on another server. Installing the updated Intune Connector for Active Directory on another server should be done before uninstalling the legacy Intune Connector for Active Directory on the current server. Installing the Intune Connector for Active Directory on another server first avoids any downtime while the Intune Connector for Active Directory is being updated on the current server.
- Open the ODJConnectorBootstrapper.exe file that downloaded to launch the Intune Connector for Active Directory Setup install.
- Step through the Intune Connector for Active Directory Setup install. 
- At the end of the install, select the checkbox Launch Intune Connector for Active Directory. - Note - If Intune Connector for Active Directory Setup install is accidentally closed without selecting the checkbox Launch Intune Connector for Active Directory, the Intune Connector for Active Directory configuration can be reopened by selecting Intune Connector for Active Directory > Intune Connector for Active Directory from the Start menu. 
Sign in to the Intune Connector for Active Directory
- In the Intune Connector for Active Directory window, under the Enrollment tab, select Sign In. 
- Under the Sign In tab, sign in with the Microsoft Entra ID credentials of an Intune administrator role. The user account must have an assigned Intune license. The sign in process might take a few minutes to complete. - Note - The account used to enroll the Intune Connector for Active Directory is only a temporary requirement at the time of installation. The account isn't used going forward after the server is enrolled. 
- Once the sign in process completes: - The Intune Connector for Active Directory successfully enrolled confirmation window appears. Select OK to close the window.
- A Managed Service Account with name "<MSA_name>" was successfully set up confirmation window appears. The name of the MSA is in the format msaODJ##### where ##### are five random characters. Make a note of the name of the MSA that was created, and then select OK to close the window. The name of the MSA might be needed later to configure the MSA to allow creating computer objects in OUs.
 
- The Enrollment tab shows Intune Connector for Active Directory is enrolled. The Sign In button is greyed out and Configure Managed Service Account is enabled. 
- Close the Intune Connector for Active Directory window. 
Verify the Intune Connector for Active Directory is active
After authenticating, the Intune Connector for Active Directory finishes installing. Once it finishes installing, verify that it's active in Intune by following these steps:
- Go to the Microsoft Intune admin center if it's still open. If the Add connector window is still displayed, close it. - If the Microsoft Intune admin center isn't still open: - Sign into the Microsoft Intune admin center. 
- In the Home screen, select Devices in the left hand pane. 
- In the Devices | Overview screen, under By platform, select Windows. 
- In the Windows | Windows devices screen, under Device onboarding, select Enrollment. 
- In the Windows | Windows enrollment screen, under Windows Autopilot, select Intune Connector for Active Directory. 
 
- In the Intune Connector for Active Directory page: - Confirm that the server is displayed under Connector name and shows as Active under Status
- For the updated Intune Connector for Active Directory, make sure the version is greater than or equal to 6.2501.2000.5.
 - If the server isn't displayed, select Refresh or navigate away from the page, and then navigate back to the Intune Connector for Active Directory page. 
Note
- It can take several minutes for the newly enrolled server to appear in the Intune Connector for Active Directory page of the Microsoft Intune admin center. The enrolled server only appears if it can successfully communicate with the Intune service. 
- Inactive Intune Connectors for Active Directory still appear in the Intune Connector for Active Directory page and will automatically be cleaned up after 30 days. 
After the Intune Connector for Active Directory is installed, it will start logging in the Event Viewer under the path Applications and Services Logs > Microsoft > Intune > ODJConnectorService. Under this path, Admin and Operational logs can be found.
Configure the MSA to allow creating objects in OUs (optional)
By default, MSAs only have access to create computer objects in the Computers container. MSAs don't have access to create computer objects in Organizational Units (OUs). To allow the MSA to create objects in OUs, the OUs need to be added to the ODJConnectorEnrollmentWizard.exe.config XML file found in ODJConnectorEnrollmentWizard directory where the Intune Connector for Active Directory was installed, normally C:\Program Files\Microsoft Intune\ODJConnector\.
To configure the MSA to allow creating objects in OUs, follow these steps:
- On the server where the Intune Connector for Active Directory is installed, navigate to the ODJConnectorEnrollmentWizard directory where the Intune Connector for Active Directory was installed, normally C:\Program Files\Microsoft Intune\ODJConnector\.
- In the ODJConnectorEnrollmentWizard directory, open the existing ODJConnectorEnrollmentWizard.exe.config XML file in a text editor, for example, Notepad.
- In the add key element of the ODJConnectorEnrollmentWizard.exe.config XML file:
  - Next to value=, add in any desired OUs that the MSA should have access to create computer objects in.
  - The OU name needs to be in the LDAP distinguished name format and if applicable, needs to be escaped.
  - Multiple OUs are supported by separating each OU with a semicolon (;).
  - Make sure to retain the quotes (") next to value=. All of the OU values need to be within one pair of quotes.
  - Don't change the name of the key element OrganizationalUnitsUsedForOfflineDomainJoin.

  The following example is an example XML entry with multiple OUs in LDAP distinguished name format:

```xml
<appSettings>
  <!-- Semicolon separated list of OUs that will be used for Hybrid Autopilot, using LDAP distinguished name format.
       The ODJ Connector will only have permission to create computer objects in these OUs.
       The value here should be the same as the value in the Hybrid Autopilot configuration profile in the Azure portal - https://free.blessedness.top/en-us/mem/intune/configuration/domain-join-configure
       Usage example (NOTE: PLEASE ENSURE THAT THE DISTINGUISHED NAME IS ESCAPED PROPERLY):
       Domain contains the following OUs:
       - OU=HybridDevices,DC=contoso,DC=com
       - OU=HybridDevices2,OU=IntermediateOU,OU=TopLevelOU,DC=contoso,DC=com
       Value: "OU=HybridDevices,DC=contoso,DC=com;OU=HybridDevices2,OU=IntermediateOU,OU=TopLevelOU,DC=contoso,DC=com" -->
  <add key="OrganizationalUnitsUsedForOfflineDomainJoin" value="OU=SubOU,OU=TopLevelOU,DC=contoso,DC=com;OU=Mine,DC=contoso,DC=com" />
</appSettings>
```

  Tip: In the example, replace the example text next to value= with the organization's OUs in LDAP distinguished name format. As shown in the example, make sure all OU entries are within the quotes (") and that each OU is separated with a semicolon (;).
- Once all desired OUs are added, save the ODJConnectorEnrollmentWizard.exe.config XML file.
- As an administrator that has appropriate permissions to modify OU permissions, open the Intune Connector for Active Directory by navigating to Intune Connector for Active Directory > Intune Connector for Active Directory from the Start menu. - Important - If the administrator installing and configuring the Intune Connector for Active Directory doesn't have permissions to modify OU permissions, then the section/steps Increase the computer account limit in the Organizational Unit need to be followed instead by an administrator that does have permissions to modify OU permissions. 
- Under the Enrollment tab in the Intune Connector for Active Directory window, select Configure Managed Service Account. 
- The A Managed Service Account with name "<MSA_name>" was successfully set up confirmation window appears. Select OK to close the window.
Configure web proxy settings
If there's a web proxy in the networking environment, ensure that the Intune Connector for Active Directory works properly by referring to Configure proxy settings for the Intune Connector for Active Directory.
Increase the computer account limit in the Organizational Unit
Important
This step is only needed under one of the following conditions:
- The administrator that installed and configured the Intune Connector for Active Directory didn't have appropriate rights as outlined in Intune Connector for Active Directory Requirements.
- The administrator that installed and configured the Intune Connector had appropriate rights as outlined above, but the Managed Service Account (MSA) could not be granted permission to create computer objects in the organizational unit(s) specified during the Intune Connector installation. For more information, see Configure the new Microsoft Intune connector for Active Directory with the least privilege principle.
- The ODJConnectorEnrollmentWizard.exe.config XML file wasn't modified to add OUs that the MSA should have permissions for.
The purpose of Intune Connector for Active Directory is to join computers to a domain and add them to an OU. For this reason, the Managed Service Account being used for the Intune Connector for Active Directory needs to have permissions to create computer accounts in the OU where the computers are joined to the on-premises domain.
With default permissions in Active Directory, domain joins by the Intune Connector for Active Directory might initially work without any permission modifications to the OU in Active Directory. However, after the MSA attempts to join more than 10 computers to the on-premises domain, it stops working because, by default, Active Directory only allows any single account to join up to 10 computers to the on-premises domain.
The following users aren't restricted by the 10 computer domain join limitation:
- Users in the Administrators or Domain Administrators groups: In order to comply with the least privilege principles model, Microsoft doesn't recommend making the MSA an administrator or domain administrator.
- Users with delegated permissions on Organizational Unit (OUs) and containers in Active Directory to create computer accounts: This method is recommended since it follows the least privilege principles model.
To fix this limitation, the MSA needs the Create computer accounts permission in the Organizational Unit (OU) where the computers are joined to in the on-premises domain. The Intune Connector for Active Directory sets the permissions for the MSAs to the OUs as long as one of the following conditions is met:
- The administrator installing the Intune Connector for Active Directory has the necessary permissions to set permissions on the OUs.
- The administrator configuring the Intune Connector for Active Directory has the necessary permissions to set permissions on the OUs.
If the administrator installing or configuring the Intune Connector for Active Directory doesn't have the necessary permissions to set permissions on the OUs, then the following steps need to be followed:
- Sign into a computer that has access to the Active Directory Users and Computers console with an account that has the necessary permissions to set permissions on OUs.
- Open the Active Directory Users and Computers console by running DSA.msc. 
- Expand the desired domain and navigate to the organizational unit (OU) that computers are joining to during Windows Autopilot. - Note - The OU that computers join during the Windows Autopilot deployment is specified later during the Configure and assign domain join profile step. 
- Right-click on the OU and select Properties. - Note - If computers are joining the default Computers container instead of an OU, right-click on the Computers container and select Delegate Control. 
- In the OU Properties window that opens, select the Security tab.
- In the Security tab, select Advanced. 
- In the Advanced Security Settings window, select Add. 
- In the Permission Entry window, next to Principal, select the Select a principal link.
- In the Select User, Computer, Service Account, or Group window, select the Object Types... button. 
- In the Object Types window, select the Service Accounts check box, and then select OK. 
- In the Select User, Computer, Service Account, or Group window, under Enter the object name to select, enter the name of the MSA being used for the Intune Connector for Active Directory.
  Tip: The MSA was created during the Install the Intune Connector for Active Directory step/section and has the name format of msaODJ##### where ##### are five random characters. If the MSA name isn't known, follow these steps to find the MSA name:
  - On the server running the Intune Connector for Active Directory, right-click on the Start menu and then select Computer Management.
  - In the Computer Management window, expand Services and Applications and then select Services.
  - In the results pane, locate the service with the name Intune ODJConnector for Active Service. The name of the MSA is listed in the Log On As column.
 
- Select Check Names to validate the MSA name entry. Once the entry is validated, select OK. 
- In the Permission Entry window, select the Applies to: drop-down menu and then select This object only.
- Under Permissions, unselect all items, and then only select the Create Computer objects check box. 
- Select OK to close the Permission Entry window. 
- In the Advanced Security Settings window, select either Apply or OK to apply the changes. 
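The permission entry produced by the steps above can be audited afterwards. The following PowerShell is an added example, not part of the original article or of the connector: it checks access control entries (ACEs) on an OU against that baseline (Create Computer objects only, This object only). The function name, the MSA name msaODJ12345, the CONTOSO domain, and the sample ACEs are constructed for illustration.

```powershell
# Added example. The sample ACEs below are constructed; msaODJ12345 and CONTOSO are placeholders.
# On a real system with the ActiveDirectory module loaded, the input would come from:
#   (Get-Acl -Path "AD:\<distinguished name of the OU>").Access

# schemaIDGUID of the computer object class. An all-zero ObjectType means "any child object class".
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Test-OdjMsaOuAce {
    param(
        [Parameter(Mandatory)][object[]]$Ace,     # ACEs read from the OU
        [Parameter(Mandatory)][string]$MsaName    # MSA name without domain prefix or trailing $
    )
    # Keep only Allow entries whose principal is DOMAIN\<MsaName> or DOMAIN\<MsaName>$.
    $msaAces = @($Ace | Where-Object {
        (("$($_.IdentityReference)" -split '\\')[-1]).TrimEnd('$') -eq $MsaName -and
        "$($_.AccessControlType)" -eq 'Allow'
    })

    if ($msaAces.Count -eq 0) {
        # Without a delegated entry, the MSA falls under the 10-computer join limit described above.
        return [pscustomobject]@{
            Principal = $MsaName; Rights = $null; Compliant = $false
            Issues    = 'no direct allow entry for the MSA on this OU'
        }
    }

    foreach ($a in $msaAces) {
        $issues = @()
        if ("$($a.ActiveDirectoryRights)" -ne 'CreateChild') {
            $issues += "rights '$($a.ActiveDirectoryRights)' go beyond CreateChild"
        }
        if ([guid]$a.ObjectType -ne $ComputerClassGuid) {
            $issues += 'not limited to computer objects'
        }
        if ("$($a.InheritanceType)" -ne 'None') {
            $issues += "applies beyond this object (InheritanceType $($a.InheritanceType))"
        }
        [pscustomobject]@{
            Principal = "$($a.IdentityReference)"
            Rights    = "$($a.ActiveDirectoryRights)"
            Compliant = ($issues.Count -eq 0)
            Issues    = ($issues -join '; ')
        }
    }
}

# Constructed sample: one entry matching the steps above, one over-broad entry, one unrelated principal.
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\msaODJ12345$'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'CreateChild'
                       ObjectType = 'bf967a86-0de6-11d0-a285-00aa003049e2'; InheritanceType = 'None' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\msaODJ12345$'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericAll'
                       ObjectType = '00000000-0000-0000-0000-000000000000'; InheritanceType = 'All' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Domain Admins'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericAll'
                       ObjectType = '00000000-0000-0000-0000-000000000000'; InheritanceType = 'All' }
)

Test-OdjMsaOuAce -Ace $sampleAces -MsaName 'msaODJ12345' | Format-Table -AutoSize -Wrap
```

The check only looks at entries that name the MSA directly; rights the MSA holds through group membership need a separate review.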
Create a device group
- In the Microsoft Intune admin center, select Groups > New group. 
- In the Group pane, select the following options: - For Group type, select Security. 
- Enter a Group name and Group description. 
- Select a Membership type. 
 
- If Dynamic Devices is selected for the membership type, in the Group pane, select Dynamic device members. 
- Select Edit in the Rule syntax box and enter one of the following code lines: - To create a group that includes all Windows Autopilot devices, enter: - (device.devicePhysicalIDs -any _ -startsWith "[ZTDId]")
- Intune's Group Tag field maps to the OrderID attribute on Microsoft Entra devices. To create a group that includes all Windows Autopilot devices with a specific Group Tag (OrderID), enter: - (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")
- To create a group that includes all Windows Autopilot devices with a specific Purchase Order ID, enter: - (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")
 
- Select Save > Create. 
Register Windows Autopilot devices
Select one of the following ways to enroll Windows Autopilot devices.
Register Windows Autopilot devices that are already enrolled
- Create a Windows Autopilot deployment profile with the setting Convert all targeted devices to Autopilot set to Yes. 
- Assign the profile to a group that contains the members that need to be automatically registered with Windows Autopilot. 
For more information, see Configure Windows Autopilot profiles.
Register Windows Autopilot devices that aren't enrolled
Devices that aren't yet enrolled into Windows Autopilot can be manually registered. For more information, see Manual registration.
Register devices from an OEM
If purchasing new devices, some OEMs can register the devices on behalf of the organization. For more information, see OEM registration.
Display registered Windows Autopilot device
Before devices enroll in Intune, registered Windows Autopilot devices are displayed in three places (with names set to their serial numbers):
- The Windows Autopilot Devices pane in the Microsoft Intune admin center. Select Devices > By platform | Windows > Device onboarding | Enrollment. Under Windows Autopilot, select Devices.
- The Devices | All devices pane in the Azure portal. Select Devices > All Devices.
- The Autopilot pane in Microsoft 365 admin center. Select Devices > Autopilot.
After the Windows Autopilot devices are enrolled, the devices are displayed in four places:
- The Devices | All Devices pane in the Microsoft Intune admin center. Select Devices > All devices.
- The Windows | Windows devices pane in the Microsoft Intune admin center. Select Devices > By platform | Windows.
- The Devices | All devices pane in the Azure portal. Select Devices > All Devices.
- The Active devices pane in Microsoft 365 admin center. Select Devices > Active devices.
Note
After devices are enrolled, the devices are still displayed in the Windows Autopilot Devices pane in the Microsoft Intune admin center and in the Autopilot pane in Microsoft 365 admin center, but those objects are the Windows Autopilot registered objects.
A device object is pre-created in Microsoft Entra ID once a device is registered in Windows Autopilot. When a device goes through a hybrid Microsoft Entra deployment, by design, another device object is created resulting in duplicate entries.
VPNs
The following VPN clients are tested and validated:
- In-box Windows VPN client
- Cisco AnyConnect (Win32 client)
- Pulse Secure (Win32 client)
- GlobalProtect (Win32 client)
- Checkpoint (Win32 client)
- Citrix NetScaler (Win32 client)
- SonicWall (Win32 client)
- FortiClient VPN (Win32 client)
When using VPNs, select Yes for the Skip AD connectivity check option in the Windows Autopilot deployment profile. Always-On VPNs shouldn't require this option since it connects automatically.
Note
This list of VPN clients isn't a comprehensive list of all VPN clients that work with Windows Autopilot. Contact the respective VPN vendor regarding compatibility and supportability with Windows Autopilot or regarding any issues with using a VPN solution with Windows Autopilot.
Unsupported VPN clients
The following VPN solutions are known not to work with Windows Autopilot and therefore aren't supported for use with Windows Autopilot:
- UWP-based VPN plug-ins
- Anything that requires a user cert
- DirectAccess
Note
Omission of a specific VPN client from this list doesn't automatically mean it's supported or that it works with Windows Autopilot. This list only lists the VPN clients that are known not to work with Windows Autopilot.
Create and assign a Windows Autopilot deployment profile
Windows Autopilot deployment profiles are used to configure the Windows Autopilot devices.
- Sign into the Microsoft Intune admin center. 
- In the Home screen, select Devices in the left hand pane. 
- In the Devices | Overview screen, under By platform, select Windows. 
- In the Windows | Windows devices screen, under Device onboarding, select Enrollment. 
- In the Windows | Windows enrollment screen, under Windows Autopilot, select Deployment Profiles. 
- In the Windows Autopilot deployment profiles screen, select the Create Profile drop down menu and then select Windows PC. 
- In the Create profile screen, on the Basics page, enter a Name and optional Description. 
- If all devices in the assigned groups should automatically register to Windows Autopilot, set Convert all targeted devices to Autopilot to Yes. All corporate owned, non-Windows Autopilot devices in assigned groups register with the Windows Autopilot deployment service. Personally owned devices aren't registered to Windows Autopilot. Allow 48 hours for the registration to be processed. When the device is unenrolled and reset, Windows Autopilot enrolls it again. After a device is registered in this way, disabling this setting or removing the profile assignment won't remove the device from the Windows Autopilot deployment service. Instead the devices need to be directly deleted. For more information, see Delete Windows Autopilot devices. 
- Select Next. 
- On the Out-of-box experience (OOBE) page, for Deployment mode, select User-driven. 
- In the Join to Microsoft Entra ID as box, select Microsoft Entra hybrid joined. 
- If deploying devices off of the organization's network using VPN support, set the Skip Domain Connectivity Check option to Yes. For more information, see User-driven mode for Microsoft Entra hybrid join with VPN support. 
- Configure the remaining options on the Out-of-box experience (OOBE) page as needed. 
- Select Next. 
- On the Scope tags page, select scope tags for this profile. 
- Select Next. 
- On the Assignments page, select Select groups to include > search for and select the device group > Select. 
- Select Next > Create. 
Note
Intune periodically checks for new devices in the assigned groups, and then begins the process of assigning profiles to those devices. Due to several different factors involved in the process of Windows Autopilot profile assignment, an estimated time for the assignment can vary from scenario to scenario. These factors can include Microsoft Entra groups, membership rules, hash of a device, Intune and Windows Autopilot service, and internet connection. The assignment time varies depending on all the factors and variables involved in a specific scenario.
(Optional) Turn on the enrollment status page
- Sign into the Microsoft Intune admin center. 
- In the Home screen, select Devices in the left hand pane. 
- In the Devices | Overview screen, under By platform, select Windows. 
- In the Windows | Windows devices screen, under Device onboarding, select Enrollment. 
- In the Windows | Windows enrollment screen, under Windows Autopilot, select Enrollment Status Page. 
- In the Enrollment Status Page pane, select Default > Settings. 
- In the Show app and profile installation progress box, select Yes. 
- Configure the other options as needed. 
- Select Save. 
Create and assign a Domain Join profile
- In the Microsoft Intune admin center, select Devices > Manage devices | Configuration > Policies > Create > New Policy.
- In the create a profile window that opens, enter the following properties: - Name: Enter a descriptive name for the new profile.
- Description: Enter a description for the profile.
- Platform: Select Windows 10 and later.
- Profile type: Select Templates, select the template name Domain Join, and select Create.
 
- Enter the Name and Description and select Next. 
- Provide a Computer name prefix and Domain name. 
- (Optional) Provide an Organizational unit (OU) in DN format. The options include: - Provide an OU in which control is delegated to the Windows device that is running the Intune Connector for Active Directory.
- Provide an OU in which control is delegated to the root computers in organization's on-premises Active Directory.
- If this field is left blank, the computer object is created in the Active Directory default container. The default container is normally the CN=Computers container. For more information, see Redirect the users and computers containers in Active Directory domains.
 - Valid examples: - OU=SubOU,OU=TopLevelOU,DC=contoso,DC=com
- OU=Mine,DC=contoso,DC=com
 - Invalid examples: - CN=Computers,DC=contoso,DC=com - a container can't be specified. Instead, leave the value blank to use the default for the domain.
- OU=Mine - the domain must be specified via the DC= attributes.
 - Make sure not to use quotation marks around the value in Organizational unit. 
- Select OK > Create. The profile is created and displayed in the list. 
- Assign a device profile to the same group used at the step Create a device group. Different groups can be used if there's a need to join devices to different domains or OUs. 
Note
The naming capability for Windows Autopilot for Microsoft Entra hybrid join doesn't support variables such as %SERIAL%. It only supports prefixes for the computer name.
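The Organizational unit value in the Domain Join profile and the OrganizationalUnitsUsedForOfflineDomainJoin entry in ODJConnectorEnrollmentWizard.exe.config are expected to agree. The following PowerShell is an added example, not part of the original article or of the connector: it parses the config entry, applies the valid and invalid rules listed above to candidate profile values, and reports a well-formed OU that the connector was not configured for. The function names, the configuration text, and OU=Kiosks are constructed for illustration; DNs are compared as plain strings.

```powershell
# Added example. The config text is constructed, modeled on the sample entry earlier on this page.
# For the real file: $configXml = Get-Content -Raw '<path to ODJConnectorEnrollmentWizard.exe.config>'
$configXml = @'
<configuration>
  <appSettings>
    <add key="OrganizationalUnitsUsedForOfflineDomainJoin"
         value="OU=SubOU,OU=TopLevelOU,DC=contoso,DC=com;OU=Mine,DC=contoso,DC=com" />
  </appSettings>
</configuration>
'@

function Get-OdjAllowedOu {
    param([Parameter(Mandatory)][string]$ConfigXml)
    $xml  = [xml]$ConfigXml
    $node = $xml.SelectSingleNode("//appSettings/add[@key='OrganizationalUnitsUsedForOfflineDomainJoin']")
    if (-not $node) { throw 'Key OrganizationalUnitsUsedForOfflineDomainJoin not found.' }
    # Split on semicolons that are not backslash-escaped, then drop empty entries.
    [regex]::Split($node.GetAttribute('value'), '(?<!\\);') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-DomainJoinOu {
    param(
        [string]$Ou,            # value intended for the profile's Organizational unit field
        [string[]]$AllowedOu    # OUs the connector's MSA was configured for
    )
    # Split the DN into components on commas that are not backslash-escaped.
    $rdns = @([regex]::Split($Ou.Trim(), '(?<!\\),') | ForEach-Object { $_.Trim() })

    if ([string]::IsNullOrWhiteSpace($Ou)) {
        $status = 'OK';      $detail = 'blank: the default container for the domain is used'
    } elseif ($Ou -match '^\s*["'']|["'']\s*$') {
        $status = 'Invalid'; $detail = 'quotation marks around the value'
    } elseif ($rdns[0] -notmatch '^OU=.+') {
        $status = 'Invalid'; $detail = 'a container cannot be specified; leave blank for the default'
    } elseif (-not ($rdns -match '^DC=.+')) {
        $status = 'Invalid'; $detail = 'the domain must be specified via DC= attributes'
    } elseif ($AllowedOu -notcontains $Ou.Trim()) {
        $status = 'Warning'; $detail = 'well-formed, but not listed in OrganizationalUnitsUsedForOfflineDomainJoin'
    } else {
        $status = 'OK';      $detail = 'listed in the connector configuration'
    }
    [pscustomobject]@{ Ou = $Ou; Status = $status; Detail = $detail }
}

$allowed = @(Get-OdjAllowedOu -ConfigXml $configXml)

# Candidates: the valid and invalid examples from this page plus constructed cases.
$candidates = @(
    'OU=SubOU,OU=TopLevelOU,DC=contoso,DC=com'
    'OU=Mine,DC=contoso,DC=com'
    'CN=Computers,DC=contoso,DC=com'
    'OU=Mine'
    '"OU=Mine,DC=contoso,DC=com"'
    'OU=Kiosks,DC=contoso,DC=com'   # constructed: valid format, absent from the config
    ''
)
$candidates | ForEach-Object { Test-DomainJoinOu -Ou $_ -AllowedOu $allowed } |
    Format-Table -AutoSize -Wrap
```

A Warning result means the MSA needs the manual delegation from Increase the computer account limit in the Organizational Unit, or the OU needs to be added to the config file and Configure Managed Service Account run again.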
Uninstall the Intune Connector for Active Directory
The Intune Connector for Active Directory is installed locally on a computer via an executable file. If the Intune Connector for Active Directory needs to be uninstalled from a computer, it needs to also be done locally on the computer. The Intune Connector for Active Directory can't be removed through the Intune portal or through a graph API call.
To uninstall the Intune Connector for Active Directory from the server, select the appropriate tab for the version of the Windows Server OS and then follow the steps:
- Sign into the computer hosting the Intune Connector for Active Directory. 
- Right-click on the Start menu and then select Settings > Apps > Installed apps.
- In the Apps > Installed apps window, find Intune Connector for Active Directory. 
- Next to Intune Connector for Active Directory, select ... > Uninstall, and then select the Uninstall button. 
- The Intune Connector for Active Directory proceeds to uninstall. 
- In some cases, the Intune Connector for Active Directory might not fully uninstall until the original Intune Connector for Active Directory installer ODJConnectorBootstrapper.exe is run again. To verify that the Intune Connector for Active Directory is fully uninstalled, run the ODJConnectorBootstrapper.exe installer again. If it prompts to Uninstall, select to uninstall it. Otherwise, close the ODJConnectorBootstrapper.exe installer.
  Note: The legacy Intune Connector for Active Directory installer can be downloaded from the Intune Connector for Active Directory and should only be used for uninstalls. For new installs, use the updated Intune Connector for Active Directory.
Next steps
After Windows Autopilot is configured, learn how to manage those devices. For more information, see What is Microsoft Intune device management?.
Related content
- What is a device identity?
- Learn more about cloud-native endpoints.
- Microsoft Entra joined vs. Microsoft Entra hybrid joined in cloud-native endpoints.
- Tutorial: Set up and configure a cloud-native Windows endpoint with Microsoft Intune.
- How to: Plan your Microsoft Entra join implementation.
- A framework for Windows endpoint management transformation.
- Understanding hybrid Azure AD and co-management scenarios.
- Success with remote Windows Autopilot and hybrid Azure Active Directory join.