Hybrid Join skip AD connectivity check

Brass Contributor



With this new option "Skip AD connectivity check" during deployment to remote machines, will the machine ever attempt to complete the Hybrid Join between AAD and AD on premise?


It is a great option for deploying devices to remote workers who do not have line of site access to a DC during initial deployment.


Would be great to understand the process behind the Hybrid Join recovery if there is one.



5 Replies

@torquetechit_tonyd yes if you have everything else in place for Hybrid AD Join and you successfully can use it from inside your office with visibility to the DC.

Then you only need to have a VPN client coming from Intune that can do prelogon authentication and configure it to be required installed to the device in the ESP phase.

@Matthias_Hei thanks for the advise.


However, it seems the Hybrid Join Skip process prevents you logging onto the machine until such a time that AD DC is in line of site and you logon using the internal AD DC account.


Here is my scenario,

  • Machine is provisioned using the Hybrid Join Skip AD connectivity check, the machine is at a remote location with NO line of site access to DC.
  • The machine is provisioned using the autopilot process, the account used is the device enrolment manager account.
  • The deployment process proceeds with no reported issues. applications, configurations, policies etc are deployed.
  • Upon logon, the logon screen displays that the logon is to the internal AD Domain. (This is not possible at the moment as there is NO direct line of site to the DC)
  • Changed the account to logon using the account used to deployed to the device. (We can't sign you in with this credential because your domain isn't available) This is a O365 account! used to deploy the autopilot profile..

Established VPN connectivity into internal domain so DC is now in line of site.

  • Can logon to the device using the internal domain credentials
  • NOT able to logon to the device using the device management account used to deploy the device.
  • Upon logon with the internal domain account the Autopilot provisioning process appear to begin again, although supposedly had finished prior to enable logon to the device.

Maybe I am doing something completely wrong here, however, I would have thought the device would have completed the original deployment connected AADJ therefore being able to logon to the device using an O365 account not an internal AD Domain as this may not be accessible at the time the device is deployed.


Maybe a bug or maybe my process is wrong.. 


Look forward to some sage advise...







Sounds ok to me what you described.

You first see the Device ESP and then you are asked to log on but with a on premise AD account and with VPN. The device is at this stage actually a normal AD machine that is registered for Hybrid AD but that doesn't mean you can log on with a pure Azure AD account.

After log on the user ESP runs and there is also now the waiting time till the machine AD account is suycned up into AAD and successfully registered for Hybrid AD join.

Only then the desktop opens up for access.


I think this feature is really great.
When will this feature be GA?
Now it is displayed as preview on the Endpoint Manager Admin Center.
There is no description in the roadmap of MS365.
I'm really looking forward to GA.