By Jack Poehlman | Service Engineer on the Enterprise Mobility and Customer Experience Team


NOTE - Preview of this feature is now live. Docs on how to use the feature are here: https://docs.microsoft.com/en-us/intune/windows-autopilot-hybrid.


We recently released a new feature in preview: hybrid Azure AD joined devices using Intune and Windows Autopilot, something that we know customers are excited to try! We do want to make you aware of a known issue in reporting. First, on the Overview landing page for the device configuration profile, after your users or devices have completed Autopilot, the profile type Domain Join (Preview) will show as “Not Applicable” for all devices (and users), regardless of the status of the device that completes Autopilot and domain joins via the profile. Here’s an example of what you will likely see on the overview of the new domain join profile after devices successfully complete the Autopilot enrollment process:



Second, the other related monitor pages (Devices status, User status, & Per-setting status) will show a similar “Not Applicable” result. We are working to improve this reporting in the future.  For now, we’re releasing this in preview while we continue to finalize the details on reporting. 

A few other things to keep in mind, reminders I learned from my own testing. You will need to assign the Domain Join (Preview) profile type to an Azure AD group containing the Autopilot devices you wish to domain join. You can assign Autopilot devices directly to a group, or use a dynamic Azure AD group with attributes unique to Autopilot devices. Here are a few example dynamic group rules for different grouping scenarios:

  • If you want to create a group that includes all of your Autopilot devices, type: (device.devicePhysicalIDs -any _ -contains "[ZTDId]")
  • If you want to create a group that includes all of your Autopilot devices with a specific order ID, type: (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")
  • If you want to create a group that includes all of your Autopilot devices with a specific Purchase Order ID, type: (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")
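To see which devices each of the three rules above would pull into the group (and therefore receive the Domain Join profile), here is a small local model of the rule matching. It is an added example, not Microsoft's code or part of the original post; the device names and ZTDId values are constructed, and it assumes -contains is a substring test, -eq an exact match, and both are case-insensitive.

```python
import re

# Accepts only the rule shape shown on this page, with or without inner
# parentheses: (device.devicePhysicalIds -any _ -<op> "<value>")
RULE_RE = re.compile(
    r'^\(\s*device\.devicePhysicalIds\s+-any\s+\(?\s*_\s+'
    r'-(contains|eq)\s+"([^"]*)"\s*\)?\s*\)$',
    re.IGNORECASE,
)

def parse_rule(rule):
    """Return (operator, value); raise ValueError for any other rule shape."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    return m.group(1).lower(), m.group(2)

def device_matches(rule, physical_ids):
    """-any is true when at least one element of the collection passes the test."""
    op, value = parse_rule(rule)
    needle = value.casefold()  # assumption: comparisons ignore case
    if op == "contains":
        return any(needle in pid.casefold() for pid in physical_ids)
    return any(needle == pid.casefold() for pid in physical_ids)

def members(rule, devices):
    """Names of the devices the rule would place in the dynamic group."""
    return sorted(n for n, ids in devices.items() if device_matches(rule, ids))

# Constructed inventory: the ZTDId values are made up, the order IDs are the
# ones used in the rules above.
DEVICES = {
    "AP-VM-01": ["[ZTDId]:00000000-0000-0000-0000-000000000001",
                 "[OrderID]:179887111881"],
    "AP-LAPTOP-02": ["[ZTDId]:00000000-0000-0000-0000-000000000002",
                     "[PurchaseOrderId]:76222342342"],
    "AP-LAPTOP-03": ["[ZTDId]:00000000-0000-0000-0000-000000000003",
                     "[OrderID]:1798871118810"],  # near miss: one extra digit
    "BYOD-04": [],  # not registered with Autopilot, so no physical IDs
}

ALL_AUTOPILOT = '(device.devicePhysicalIDs -any _ -contains "[ZTDId]")'
BY_ORDER = '(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")'
BY_PO = '(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")'

if __name__ == "__main__":
    for rule in (ALL_AUTOPILOT, BY_ORDER, BY_PO):
        print(rule, "->", members(rule, DEVICES))
```

The near-miss device shows why the order ID rules use -eq: an exact match keeps a device with a similar order ID out of the group, so it does not pick up the domain join profile by accident.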


Remember, too, that this feature only works with the latest release of Windows 10, the October 2018 Update (version 1809), and later. You can see preview documentation here: https://docs.microsoft.com/en-us/intune/windows-autopilot-hybrid.


If you are interested in testing this on a virtual machine, build the Windows machine and complete OOBE, then use the guidance in Michael Niehaus’s blog to use the WindowsAutoPilotIntune script to collect a hardware hash and upload it to Autopilot via Intune. Once the VM is added to Autopilot and you have configured Intune to deploy hybrid Azure AD joined devices using Intune and Windows Autopilot, use the Windows setting on the VM to “Reset this PC” and choose the “Remove Everything” option. The virtual machine will complete the reset process and enter OOBE and the Autopilot experience.


Happy testing! 


Is there a workaround for the Domain Join Profile showing up as Not Applicable?


Unfortunately, there is not a workaround for profile reporting / monitor showing as "Not Applicable". This is only a reporting issue, but we are working to correct this while this feature is in Preview.


I've been trying to make this work both using the Auto Pilot settings to do hybrid AD, and by doing the domain join policy.  Neither appears to do anything, the test machine is still sitting in a workgroup.  I've done everything except the step to assign the device in the S4B to the Auto Pilot profile.  The rest of the Auto Pilot stuff seems to work with exception of the domain join and the computer doesn't show up in the Intune > Device enrollment - Windows enrollment > Windows Autopilot devices view.  It seems that registering the device when using User-Driven with Hybrid Azure AD joined shouldn't require the use of registering the device, but I'll try it with registering it in S4B and see if that works.


When I tried adding the computer to the S4B devices and assigning the User-Driven profile I got an error 0x80004005.  So I don't think lack of registration is the issue.


Hello Bob, sorry to hear you are having challenges. For the solution to work, you would need the Windows Autopilot deployment profile created with the join type of "Hybrid Azure AD Joined (Preview)", assigned to the Autopilot device group, AND the device configuration profile type "Domain Join (Preview)" also assigned to the Autopilot device group. All in addition to having the "Intune Connector for Active Directory (Preview)" installed and configured. With everything set, on the Windows device, go into Settings -> Update & Security -> Recovery -> Reset this PC -> Get started, then choose Remove everything. The device should go through a full reset of Windows and go through Autopilot setup.


This feature will not work on a device that has already completed the Windows Out of the Box setup experience, so registering in S4B will not trigger the domain join.  Hope that helps.  If you need assistance, please open a support case via the Intune Admin portal, Help and support.


Jack Poehlman


I did all those steps.  When I get back from the holidays I'll contact Intune Admin and see if they can help.


@Jack Poehlman Unfortunately, with hybrid joined how you mentioned, it still results in the same: Not Applicable.




Have any of you resolved this issue? I have the same issue and have a ticket with Microsoft support, but it's been 2 weeks and they are still looking at the issue.


@Wilmatic81 The reporting for this policy has improved in that we now show success at least at the device level, which is the key as this is a device-based policy. In my console I see the "Not Applicable" status listed for users that logged on after the device was enrolled; however, the enrolling user shows a "Success". PM me your support case number so I can look into what's going on with your case.