Agent Support for On-Premise Active Directory and Entra ID Joined Windows Devices

If your organization has on-premise Active Directory (AD) or Entra ID joined Windows devices, you can install the JumpCloud agent on those devices and bring them into your JumpCloud org. Doing so enables the administrator to remotely and securely manage the device as well as take advantage of JumpCloud’s System Insights feature. 

Currently, if you bind users to an on-premise Active Directory domain joined device, the device will ignore the binding and you will be unable to verify your identity on the device. However, if the device leaves the domain, the JumpCloud agent will automatically bind the user to the device. 


If a JumpCloud-managed device with JumpCloud users bound to it joins an on-premise AD domain, those user accounts will be suspended. This is expected behavior as user management is not supported on on-premise AD domain-joined devices. 

If you attempt to bind an Entra ID imported user to an Entra ID joined device, this may result in unexpected behavior.

Why Use the JumpCloud Agent for Domain Joined Devices?

The table below shows the features that are supported on JumpCloud devices, Active Directory devices, and Entra ID devices:

  Telemetry Commands Management Policy Software Management Patch Management User Management & Authentication
JumpCloud Devices
Active Directory Devices Future
Azure Active Directory Devices  Future 

When you install the JumpCloud agent on domain joined devices, you can take advantage of JumpCloud’s System Insights feature and view information such as:

  • Reliability of your organization devices: Gather information about device uptime to leverage when diagnosing device issues.
  • Memory and storage statistics: Gather information about your org device memory and storage capacity to leverage when making device upgrade decisions.
  • Devices that are protected by disk encryption: See which org devices are protected by disk encryption and which devices you need to update with encryption protection.
  • Hardware inventory details: Gather inventory information such as vendor, model, serial number, and more.

For more information on System insights, see Get Started: System Insights.

Applying Policies for AD Joined Devices

For a given policy, an on-premises AD policy will override a JumpCloud policy. For example, if you have an AD policy that configures the screensaver, and a JumpCloud policy that also configures the screensaver, the AD policy will take effect, ignoring the JumpCloud policy. To avoid unexpected behavior, JumpCloud recommends that you only set JumpCloud policies rather than setting both a JumpCloud policy and an AD policy. 

For troubleshooting, you can use the Resultant Set of Policy snap in console. In this console, JumpCloud policies display as "Local Group Policy" and AD policies show as group policies. Group policies override local policies. 

See Migrating Windows Devices from AD On-Prem to JumpCloud for additional information about migrating Windows devices to JumpCloud. 

The following policies are currently unsupported on AD joined devices:

  • Rename Local Administrator Account
  • Enable/Disable Local Administrator Account
  • Rename Local Guest Account
  • Enable/Disable Local Guest Account


Regarding the lock screen, if policies are set in both JumpCloud and Active Directory, whichever policy has the lowest timeout will take effect. 

Full Disk Encryption with Bitlocker 

BitLocker is an encryption feature built into computers running Windows. It secures your data by scrambling it so it can’t be read without using a recovery key. BitLocker differs from most other encryption programs because it uses your Windows login to secure your data; no extra passwords necessary. Once you’re logged in, you can access your files normally. After you log out, everything’s secured.

For more information, see BitLocker Policy

Windows Automated Patch Management

JumpCloud’s automated patch management helps you monitor which version and release your Windows, macOS, or Linux devices are currently using, and remotely schedule and install updates. You can create an OS patch management policy to control which devices will have the policy applied and when it will be applied. 

For more information, see Create a Windows Patch Policy.

Installing the JumpCloud Agent on Domain Joined Windows Devices

You install the JumpCloud Agent on domain joined Windows devices using the same process as installing it on non-domain joined devices. See JumpCloud Agent Windows Installation Walkthrough for more information. 

If you are migrating from Active Directory to JumpCloud, ensure that you bind the device's users to the device through JumpCloud before you remove the device from Active Directory. Doing so ensures that the device remains active and the user can continue to use it. 


After the initial restart after a JumpCloud device joins Active Directory, the user will see a tile on the login screen where they will be prompted for their JumpCloud credentials. However, they will not be able to log in using those credentials. Instead, they will log in using the “Other User” tile with their Active Directory credentials. This is the correct behavior, and on subsequent logins, the user will not see the tile for their JumpCloud user account. 

Viewing Device Details

Once the device has been added, you view additional information about the device from the Device Details page. To view it:

  1. Log into your JumpCloud Admin Portal.
  2. Navigate to DEVICE MANAGEMENT > Devices.
  3. Select the device to view the details of.

From this screen, you can view information such as:

  • Device name, status, and other immutable details. 
  • Device Agent Logs. Click ActionsGet Agent Logs to download the most recent logs for the device. Logs are available only for online devices.
  • Device Settings.
    • Enable JumpCloud’s System Insights to gather useful information from your JumpCloud managed devices and view that information on the Device panel Insights tab. Learn More.

Viewing a User’s Domain Joined Devices in JumpCloud

You can view the domain joined devices in JumpCloud by viewing a user’s details. If the user has a domain joined device, it will show under their list of devices as AD JOINED.

To view the domain joined devices:

  1. Log in to the JumpCloud Admin Portal.
  2. Navigate to USER MANAGEMENT > Users.
  3. Select the user in the user list.
  4. Select the Devices tab.

In the previous screenshot, the device outlined in red is the domain joined device.

User Functionality on Entra ID Joined Devices

If you have a device that is already part of an Entra ID domain, your device will already have an account for each user. When you add that device to your JumpCloud domain, a separate JumpCloud account will be created for each user on that device as well. Nothing will change for the Entra iD account–that account is the one that the user will use for any Entra ID programs and files on the device. The JumpCloud account can be used for user management features, such as identity verification.

These accounts are not linked. 

This process will be simplified in a future update.

Features Unsupported by On-Premise AD Joined Devices

The following JumpCloud features are unsupported by on-premise AD domain joined devices at this time:

  • User Management
    • Locked User use cases
    • Password Expiration
    • Password Change
    • Account Takeover
    • Admin User
    • Binding User to Device
  • Device MFA 


A JumpCloud User Can’t Log Into a Windows device associated with AD.

JumpCloud creates local user accounts on Windows hosts it manages, these hosts are not part of a domain.

When remotely logging into a non-domain host (for example, a JumpCloud-managed Windows device) from a host that is part of a Microsoft Active Directory domain, the remote desktop client will default to attempting to authenticate with the current domain. This results in a failure to login for all JumpCloud users on the JumpCloud-managed host.

To login correctly, you'll need to specify no domain:


Or. specify the work group name of the host (which defaults to WORKGROUP), as in:


Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case