Controlled validation of hybrid Azure AD join

Hi All


Not sure if this should be here or in the Azure AD section.


I'm looking to implement a Controlled validation of Hybrid Azure AD Join / Auto enrollment in Intune via GPO, using the MS guide below as a reference:


My questions are:


  • Do I set the GPO to my test deployment OU?
  • Do I simply remove the GPO from my test deployment OU on successful testing?

Would like to hear from anyone who has implemented this



From my experience, I just create registry keys and assign them to the devices.

If you are done testing, would you like to remove these devices from AAD/Intune or add all devices to AAD?

@Thijs Lecomte 


Hi Buddy


What I would like to do is:


  • Hybrid Azure AD Join my devices in my TEST / PILOT / UAT group only
  • Once successful
  • Apply to the whole on-premise AD domain / devices



@Stuart King 


This is the way I do it:

- Create GPO with registry edits and apply to test OU

- If successful, delete GPO

- Assign domain wide policy through AAD connect (


BTW: best make sure all the computers are W10 1803 in order to avoid dual state (
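A check I would run on a pilot device once the test-OU GPO has applied, before moving on to the AAD Connect step (added example, not code from the thread; it assumes the registry values from the Microsoft controlled-validation guide, i.e. the client-side SCP values under CDJ\AAD and the WorkplaceJoin block flag, and an elevated session):

```powershell
# Added example: verify the controlled-validation state of a pilot device.
# Registry paths are the ones the Microsoft guide has the GPO write; run elevated.

$scpPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
$blockPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'

Write-Host '== Client-side SCP (expected on pilot-OU devices only) =='
if (Test-Path $scpPath) {
    $scp = Get-ItemProperty -Path $scpPath
    "TenantId   : $($scp.TenantId)"      # tenant GUID pushed by the GPO
    "TenantName : $($scp.TenantName)"    # verified domain name pushed by the GPO
} else {
    'No client-side SCP values: the GPO has not applied yet (gpupdate /force, then gpresult /r)'
}

Write-Host '== Block flag (must NOT be set on pilot devices) =='
if (Test-Path $blockPath) {
    $block = Get-ItemProperty -Path $blockPath -ErrorAction SilentlyContinue
    "BlockAADWorkplaceJoin : $($block.BlockAADWorkplaceJoin)"
} else {
    'Not configured'
}

Write-Host '== dsregcmd /status summary =='
$status = dsregcmd /status
foreach ($field in 'AzureAdJoined', 'DomainJoined', 'TenantName', 'TenantId') {
    # dsregcmd prints "   Field : value"; keep the first matching line per field
    $line = $status | Where-Object { $_ -match "^\s*$field\s*:" } | Select-Object -First 1
    if ($line) { $line.Trim() }
}

Write-Host '== Automatic-Device-Join task (registration only happens after it runs) =='
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join' |
    Get-ScheduledTaskInfo |
    Select-Object LastRunTime, LastTaskResult, NextRunTime
```

AzureAdJoined stays NO until the computer object has been synced by AAD Connect and the task has run afterwards, so an empty device list in AAD right after applying the GPO is expected; the Microsoft-Windows-User Device Registration/Admin event log on the client gives the reason when the join attempt itself fails.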

@Thijs Lecomte 


Hi Buddy


So the process would be:


  • Controlled Hybrid Azure AD Join on Test OU
  • Then once successful
  • Configure AADC


In essence, DO NOT TOUCH AADC until Controlled Hybrid Azure AD Join is verified OK?



@Stuart King that's correct :)


let me know how it goes!

@Thijs Lecomte 


Sorry, I did mention before about applying the Controlled Hybrid GPO to the test OU BEFORE touching AADC, but I assume the TEST OU must be included in the AADC sync with the syncing of devices as per below?



Yes, the OU needs to be synced

This doesn't enable Hybrid join by itself

@Thijs Lecomte 


Do the devices need to be in a group or is the OU sufficient for the Controlled Hybrid test?



Depends on how you configure the GPO
If you put the GPO on an OU, then an OU is sufficient

@Thijs Lecomte 


Excellent thanks, testing now.

@Thijs Lecomte 


Applied GPO to OU and OU to sync, still no device in AAD.


Am I missing something?