Intune Enroll Remote ADDS Joined Windows 10 Machines

Iron Contributor

I have a fleet of laptops that are ADDS joined but due to the pandemic have not been in touch with a Domain Controller in months as we don't have VPN for remote users. Users log onto the laptops with cached credentials.  I also have M365 E5 licenses and Intune/MECM. On-prem I am using AzureAD hybrid join and co-management. All working well. I'd like to start enrolling these laptops remotely into Intune. Here's where my confusion starts:


  • Q: is this possible? Can I AzureAD join them even though they are joined to ADDS (I assume no as AzureAD joined you logon with AzureAD identity not ADDS cached one!)
  • Would these have to be AzureAD Hybrid joined? How can I hybrid join them without them being in contact with the Domain Controller? I have AD Connect running an synching my desktops on-prem but my understanding is this works with the windows machine updating its userCertificate attribute in ADDS and AConnect synching this to cloud.

Any steer here would be greatly appreciated. 

2 Replies
You'll have to either get them on a VPN to complete hybrid join, or simply unjoin them from the on prem domain, and have them Azure AD Joined, How many machines are you managing? This maybe the simpler option.
400 laptops currently remote. If I un-join them from the domain whilst remote then users would loose the cached credentials.