Affected scope
project: foundry
Problem to solve
Foundry currently focuses on deployment and Autopilot-oriented provisioning, but it does not provide a built-in way to join the deployed Windows installation to an on-premises Active Directory domain.
Administrators who still rely on local domain join must handle this outside Foundry with custom scripts, unattend files, offline domain join tooling, or post-deployment manual steps.
Proposed solution
Add optional local Active Directory domain join support to Foundry deployment configuration.
The first implementation should prefer a secure offline domain join workflow:
- Allow administrators to provide or reference an offline domain join provisioning blob.
- Stage the blob into the deployed Windows installation.
- Apply it during deployment or before first boot using the appropriate Windows deployment flow.
- Avoid storing domain credentials in Foundry configuration.
- Keep the feature optional and disabled by default.
The UI should make the mode and requirements clear:
- Domain join disabled.
- Offline domain join using a provided provisioning blob.
The implementation should log domain join staging/apply status without logging sensitive content.
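Added example, not Foundry's own code: a PowerShell script showing the staged offline domain join flow described above (stage the blob into the applied Windows installation, apply it with djoin.exe before first boot, log status without the blob content, and remove the staged secret afterwards). It assumes the deployed installation is mounted as a volume (for example W:\) and that the blob was produced elsewhere with `djoin /provision`; the staging directory and log path are hypothetical.

```powershell
# Stage and apply an offline domain join (ODJ) blob to an offline Windows installation.
# Assumptions: $WindowsPath points at the applied image (e.g. 'W:\Windows');
# the blob file came from `djoin /provision` and is treated as a secret.
param(
    [Parameter(Mandatory)] [string] $BlobPath,       # ODJ blob file (sensitive)
    [Parameter(Mandatory)] [string] $WindowsPath,    # Windows directory of the offline image
    [string] $LogPath = "$env:TEMP\foundry-odj.log"  # hypothetical log location
)
$ErrorActionPreference = 'Stop'

function Write-OdjLog([string] $Message) {
    # Status text only; the blob's content is never written to the log.
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogPath
}

if (-not (Test-Path -LiteralPath $BlobPath)) { throw "ODJ blob not found: $BlobPath" }
if (-not (Test-Path -LiteralPath $WindowsPath -PathType Container)) { throw "Windows dir not found: $WindowsPath" }

# Stage the blob inside the target installation (hypothetical path), removed after apply.
$stageDir = Join-Path $WindowsPath 'Temp\odj'
New-Item -ItemType Directory -Path $stageDir -Force | Out-Null
$staged = Join-Path $stageDir 'provisioning.txt'
Copy-Item -LiteralPath $BlobPath -Destination $staged -Force

# The blob carries the machine account secret: restrict the staged copy to SYSTEM and Administrators.
$acl = Get-Acl -LiteralPath $staged
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl -LiteralPath $staged -AclObject $acl

Write-OdjLog "ODJ blob staged ($((Get-Item -LiteralPath $staged).Length) bytes); applying to $WindowsPath"

try {
    # /windowspath without /localos targets an offline installation, so the join takes effect on first boot.
    & djoin.exe /requestODJ /loadfile $staged /windowspath $WindowsPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "djoin.exe exited with code $LASTEXITCODE" }
    Write-OdjLog 'ODJ apply succeeded'
} catch {
    Write-OdjLog "ODJ apply failed: $($_.Exception.Message)"
    throw
} finally {
    # Never leave the staged secret on the deployed image, whatever the outcome.
    Remove-Item -LiteralPath $stageDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it from the deployment environment with administrative rights after the image has been applied and before the first boot.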
Alternatives considered
An online domain join could be performed during or after deployment with domain credentials, but that carries a higher security risk (reusable credentials must be present at deployment time) and requires reliable network and domain controller connectivity at the moment the join runs. Offline domain join is a better initial scope because it avoids storing reusable domain credentials in Foundry.
Administrators can also use existing GPO, provisioning, scripts, or manual post-deployment workflows, but this keeps Foundry deployments less self-contained for environments that still use local Active Directory.
Use case
A system administrator deploys Windows in an environment that uses on-premises Active Directory. During Foundry media creation, they configure an offline domain join provisioning blob so the deployed machine joins the domain during the deployment workflow without anyone entering domain credentials after installation.
Checklist