Hybrid Entra ID Join with Delegated OU

Last updated: November 15, 2023
Audience: IT Staff / Technical

Entra ID hybrid join was enabled generally for Windows 10 devices and Windows Server 2016 or later in the NETID domain on June 25, 2020, via a settings change in our Entra ID Connect configuration.

A computer in the NETID AD can end up in a hybrid joined state one of two ways:

  • If your computer runs an eligible Windows platform, is joined to your delegated OU, and you don’t block Entra ID registration, it is hybrid joined automatically
  • The computer was built via UW Autopilot, in which case it is hybrid joined and might be in your delegated OU (or the general Autopilot OU)

A device is hybrid joined if it has both an AD object and an Entra ID object. This lets users of the device sign in with an AD user account and access resources protected by either the AD user or the Entra ID user.

A hybrid joined computer is joined to both AD and Entra ID, but the AD join is primary because the device initially uses AD authentication. Only Windows devices can be hybrid joined.

Please reference our cloud-based device management glossary for terms you are unfamiliar with.

Microsoft supplies a detailed process diagram for hybrid join which may help you understand how it works.

How do I disable Hybrid Join for my Delegated OU computers?

Only Windows 10 or Windows Server 2016 or later devices can hybrid join, due to the UW’s Entra ID Connect configuration.

Microsoft does not provide good guidance on this question; the answer it gives at https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan describes a registry value, which our testing demonstrates does not work.

You can disable hybrid join by preventing one of the prerequisites of hybrid join registration from being met:

  1. Modify the Scheduled Task which triggers Entra ID device registration. See Task Scheduler > Microsoft > Windows > Workplace Join > Automatic-Device-Join. See the following 3 items for details:
    1. Deleting the Scheduled Task seems to work reliably.
    2. Disabling the Scheduled Task does not work reliably; the disabled task will still run after a user signs in.
    3. Modify both triggers from an Enabled status to a Disabled status; this works reliably.
  2. Add a firewall block for https://enterpriseregistration.windows.net, to prevent the computer from connecting to the Entra ID Device Registration Service (DRS). See the following item for possible side-effects:
    1. This should only affect the ability to Entra ID join. If you have Office installed on the Windows device, this might have an undesirable impact on Entra ID device registration (different from Entra ID device join), which is required per user for Microsoft 365 Apps (formerly Office 365 ProPlus) sign-in.
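The following PowerShell is an added example, not part of the UW IT page or Microsoft’s documentation. It implements option 1.3 above, disabling both triggers on the Automatic-Device-Join task rather than disabling the task itself (which the page reports as unreliable), and then verifies that no trigger remains enabled. It uses the built-in ScheduledTasks module and must run in an elevated session on the device; the function names are ours.

```powershell
# Added example (not from the UW IT page or Microsoft): disables every trigger on the
# Automatic-Device-Join scheduled task, the method the page reports as working reliably.
# Run in an elevated PowerShell session on the device itself.

$taskPath = '\Microsoft\Windows\Workplace Join\'
$taskName = 'Automatic-Device-Join'

function Disable-HybridJoinTriggers {
    param(
        [string]$TaskPath = $taskPath,
        [string]$TaskName = $taskName
    )

    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction Stop

    # Disable-ScheduledTask on the task as a whole is what the page says does NOT work
    # reliably (the task still runs after a user signs in); each trigger is disabled instead.
    foreach ($trigger in $task.Triggers) {
        $trigger.Enabled = $false
    }

    # Write the modified definition back to the Task Scheduler.
    $task | Set-ScheduledTask | Out-Null
}

function Test-HybridJoinTriggersDisabled {
    param(
        [string]$TaskPath = $taskPath,
        [string]$TaskName = $taskName
    )
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction Stop
    # $true only when no trigger on the task is still enabled.
    -not ($task.Triggers | Where-Object { $_.Enabled })
}

Disable-HybridJoinTriggers
if (Test-HybridJoinTriggersDisabled) {
    Write-Output "All triggers on $taskName are disabled."
} else {
    Write-Warning "At least one trigger on $taskName is still enabled."
}

# Alternative the page also reports as reliable (option 1.1): remove the task entirely.
# Unregister-ScheduledTask -TaskPath $taskPath -TaskName $taskName -Confirm:$false
```

Re-run `Test-HybridJoinTriggersDisabled` after a reboot or feature update if you want to confirm the setting persisted; it only reads the task and makes no changes.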

How do I unjoin a hybrid Entra ID device?

For hybrid Entra ID joined devices, first turn off automatic registration (see the ‘How do I disable Hybrid Join’ section) so that the scheduled task (see the ‘Entra ID device registration’ section) does not register the device again. Next, open a command prompt as an administrator and enter dsregcmd.exe /debug /leave. To unjoin in bulk, run this command as a script across several devices.

This answer comes from https://docs.microsoft.com/en-us/azure/active-directory/devices/faq.
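The following PowerShell is an added example, not from the UW IT page or Microsoft’s FAQ. It runs the unjoin command above, dsregcmd.exe /debug /leave, across a list of computers and then reads dsregcmd.exe /status to confirm the result, which also serves the verification step in the troubleshooting section below. On each target it first refuses to leave if the Automatic-Device-Join task still has an enabled trigger, since the page says the task would otherwise re-register the device. It assumes PowerShell Remoting is enabled on the targets and that the caller is a local administrator there; the computer names and function name are constructed placeholders.

```powershell
# Added example (not from the UW IT page or Microsoft): bulk unjoin with the page's
# dsregcmd.exe /debug /leave, preceded by a safety check and followed by a status read.
# Assumes PowerShell Remoting and local admin rights on the targets.

$computers = @('LAB-PC-01', 'LAB-PC-02')   # constructed sample names; replace with yours

# Parses the "Name : Value" lines of dsregcmd /status into a hashtable
# (e.g. 'AzureAdJoined : NO' becomes $result['AzureAdJoined'] = 'NO').
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

$remoteWork = {
    $taskPath = '\Microsoft\Windows\Workplace Join\'
    $taskName = 'Automatic-Device-Join'

    # The page says automatic registration must be off first; otherwise the task
    # re-registers the device. Skip this computer while any trigger is still enabled.
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
    if ($task -and ($task.Triggers | Where-Object { $_.Enabled })) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Action   = 'skipped'
            Reason   = 'Automatic-Device-Join triggers still enabled'
        }
    }

    & dsregcmd.exe /debug /leave | Out-Null
    $status = & dsregcmd.exe /status
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Action = 'leave'; Status = $status }
}

$results = foreach ($c in $computers) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $remoteWork -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Computer = $c; Action = 'error'; Reason = $_.Exception.Message }
    }
}

foreach ($r in $results) {
    if ($r.Action -eq 'leave') {
        $fields = ConvertFrom-DsregStatus -Lines $r.Status
        # After a successful leave, AzureAdJoined should read NO while DomainJoined stays YES,
        # because the AD join is primary and is not touched by /leave.
        "{0}: AzureAdJoined={1} DomainJoined={2}" -f $r.Computer, $fields['AzureAdJoined'], $fields['DomainJoined']
    } else {
        "{0}: {1} ({2})" -f $r.Computer, $r.Action, $r.Reason
    }
}
```

Because the script returns one object per computer instead of only printing, the `$results` collection can be exported (for example with Export-Csv) as a record of which devices were left, skipped, or unreachable.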

Entra ID device registration

When hybrid join is enabled, Entra ID device registration is triggered by a default scheduled task that itself has several triggers:

  • user sign-in
  • an event with a specific event ID is recorded; it is unclear what causes this event

Note: the scheduled task is installed with Windows 10; you do not need to add it, but you can trigger it manually. See the links in the troubleshooting section for more information.

Note: An additional user sign-in may be required to obtain an Entra ID primary refresh token (PRT).

Line of Sight Connectivity to NETID AD

If your computer is off the UW network, you’ll need to get it connected via a VPN prior to user sign-in to trigger Entra ID device registration. Please read our document about that.

Verify and Troubleshoot Hybrid Join

Please consult https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current for how to verify and troubleshoot hybrid join.

Other pages which may be useful are:

Benefits of Hybrid Join

The known benefits are: