Ultimate guide to define device names in Windows Autopilot Hybrid Join Scenario

When working with Windows Autopilot and implementing Hybrid Join you will run into several issues. One common challenge is implementing a naming convention for your devices, because Autopilot only lets you influence the device name based on:

  • Azure AD Join:
    • Fixed string
    • Serial Number
    • Random Number
  • Azure AD Hybrid Join
    • Prefix (Fixed String)

In most companies this is a problem, because other systems rely on specific naming conventions to group devices by location or by device type, such as desktop or notebook.

With the modern enrollment scenarios this is no longer easily possible. Especially in a Hybrid Join scenario, where the device gets a new name on each enrollment, this leads to a lot of unused old computer objects in your Active Directory.
We always try to move customers to the built-in solutions, but at some point you will want at least a stable device name across enrollments of the same device, which is not possible with Azure AD Hybrid Join at the moment. Therefore, I created a solution that gives much more flexibility in a Hybrid Join environment.

Is Azure AD Hybrid Join really required?

First, ask whether you really require an Azure AD Hybrid Join or whether an Azure AD Join is enough in your environment. The biggest drawback of an Azure AD Join is that you cannot use your old but well-working GPOs. Intune is working on replacements, but troubleshooting is much more complex, not all settings are available, and managing them is not as simple as with the on-premises GPO editor. So this can be a good reason to stay with Azure AD Hybrid Joined devices, but authentication to on-premises resources, which is the reason most often given, is not a valid one. With an Azure AD Joined device and no trust to the on-premises Active Directory your users can still authenticate to file servers and print servers (Kerberos/NTLM) without re-entering their password, as long as the user identity is synchronized from that Active Directory and the device has line of sight to a domain controller. More details in the following blog.

Renaming devices in Azure AD Join scenario

There are a lot of good blogs describing the steps to rename a device with a PowerShell script on the device. Therefore I will not explain this process in detail; you will find it described, for example, on the following pages:

Renaming devices in an Azure AD Hybrid Joined scenario

If you try the MDM OMA-URI version from above on a Hybrid Joined device, you end up with a device that has lost its trust to the domain, so users are no longer able to sign in. This functionality should therefore not be used at all in a Hybrid Join scenario. I then tested renaming the device manually on the device itself in a ConfigMgr co-managed environment, and it worked like a charm and updated the name in all systems (AD, Azure AD, Intune and also ConfigMgr). The question is how to invoke this remotely on all machines in a reliable way. The rename can only succeed when the device is connected to the company network, because the computer account in Active Directory has to be updated and that requires a reachable domain controller. Because PowerShell scripts in Intune are only executed once and, in case of an error, only retried a few times, I saw only two options for a reliable solution:

  • ConfigMgr Configuration Item
  • Intune PowerShell script extended by a scheduled task that retries the rename until it succeeds.

Because I have a co-managed environment, I decided to use a Configuration Item. The renaming happens in the local SYSTEM context, so the device authenticates to Active Directory with its own computer account, and the permissions in Active Directory have to be set accordingly. You have to grant write permissions on the computer objects to the “SELF” principal on the OU where the objects reside. In my environment I granted “Write all properties” to all “descendant computer objects”:

Note that “Write all properties” is broader than a rename needs: it lets every computer account modify any attribute of its own object. SELF cannot touch other computers' objects, which keeps the blast radius of a compromised device limited to its own account, but for least privilege scope the ACE to the OU(s) where Autopilot devices land rather than the domain root, and restrict it to the attributes the rename actually changes.

Next, you have to create the Configuration Item. For your convenience you can download it from my GitHub repository and import it:

After importing it, configure your target computer name. At the moment it uses “KUR-” as prefix followed by the serial number of the device:

#Target Computername: prefix plus BIOS serial number.
#Strip characters that are not valid in a NetBIOS name (some BIOS serials contain spaces or placeholder text).
$Serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber -replace '[^A-Za-z0-9-]', ''
$TargetComputername = "KUR-$Serial"

Here you have all the possibilities; think, for example, about requesting a predefined name from a web service. You could also provide the device name as Order ID in Windows Autopilot: the vendor can then print the value on a sticker, and you can retrieve it from Windows Autopilot and set it here. Or detect whether the device is a notebook or a desktop and include an abbreviation in the name. If you created a cool solution, please share it.

My solution also checks the maximum NetBIOS hostname length (15 characters) and shortens the name if required. The actual renaming happens later in the script:

#Minimal Write-Log so the snippet runs stand-alone; the Configuration Item script defines its own
function Write-Log { param([string]$Message) Add-Content -Path "$env:ProgramData\RenameComputer.log" -Value ("{0:s} {1}" -f (Get-Date), $Message) }

$ComputerName = $env:COMPUTERNAME
Write-Log "Current ComputerName '$ComputerName'"
Write-Log "Target ComputerName: '$TargetComputername'"

#NetBIOS names are limited to 15 characters; exactly 15 is still allowed
if ($TargetComputername.Length -gt 15) {
   Write-Log "Target ComputerName is longer ($($TargetComputername.Length)) than the allowed length of 15. It will be shortened."
   $TargetComputername = $TargetComputername.Substring(0, 15)
   Write-Log "New Target ComputerName: '$TargetComputername'"
}

if ($ComputerName -eq $TargetComputername) {
   Write-Log "Computer Name matched! Compliant."
   return "Compliant"
} else {
   Write-Log "Computer Name doesn't match! Non Compliant"
   try {
      #Runs as SYSTEM, so the computer account itself updates the AD object; this fails without a reachable domain controller
      Rename-Computer -NewName $TargetComputername -Force -ErrorAction Stop
      Write-Log "Changed Computer Name from $ComputerName to $TargetComputername"
      Write-Log "Reboot required."
   } catch {
      Write-Log "Rename failed: $($_.Exception.Message)"
   }
   return "NonCompliant"
}

Then assign the Configuration Item to a baseline and deploy it to your devices; they will start renaming themselves according to your defined names. Important: the new name only becomes active after the device reboots.

But keep in mind that you need a cleanup job: if a computer object with the target name already exists in Active Directory, the rename fails. This is exactly what happens when a device is re-enrolled, because Hybrid Join creates a new computer object with a new generated name while the previous object carrying the serial-based name still exists. Read more about this issue and how to solve it in my blog about the Intune Connector for Active Directory Extender.
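The following is an added example, not the Configuration Item from the author's GitHub repository. It shows one way to write the discovery/remediation script with the checks discussed above: a chassis-based abbreviation in the name, NetBIOS length and character sanitisation, a bail-out when no domain controller is reachable, and a check for a stale computer object that already carries the target name, so the script reports why the rename cannot proceed instead of failing silently. The site prefix “KUR”, the abbreviations “N”/“D”, and the log path are assumptions for this example.

```powershell
# Added example (not the author's Configuration Item): rename discovery/remediation
# with pre-checks. Assumed values: site prefix 'KUR', chassis abbreviations 'N'/'D',
# and the log file path.

$SitePrefix = 'KUR'
$LogPath    = Join-Path $env:ProgramData 'RenameComputer.log'

function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogPath -Value ('{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message)
}

function Get-ChassisAbbreviation {
    # SMBIOS chassis types 8/9/10/14 = portable/laptop/notebook/sub-notebook,
    # 30/31/32 = tablet/convertible/detachable; everything else is treated as desktop.
    $types  = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    $mobile = @($types | Where-Object { $_ -in 8, 9, 10, 14, 30, 31, 32 })
    if ($mobile.Count -gt 0) { 'N' } else { 'D' }
}

function New-TargetComputerName {
    param([string]$Prefix, [string]$Chassis, [string]$Serial)
    # A NetBIOS name is at most 15 characters; keep only letters, digits and hyphens,
    # because BIOS serial numbers can contain spaces or placeholder text.
    $cleanSerial = ($Serial -replace '[^A-Za-z0-9-]', '').ToUpper()
    $name = "$Prefix-$Chassis-$cleanSerial"
    if ($name.Length -gt 15) { $name = $name.Substring(0, 15) }
    return $name.TrimEnd('-')
}

function Test-PendingRename {
    param([string]$Target)
    # Rename-Computer writes the new name to this key; it becomes active only after a reboot,
    # so a second evaluation before the reboot must not try to rename again.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName'
    $pending = (Get-ItemProperty -Path $key).ComputerName
    return ($pending -eq $Target)
}

function Test-NameTakenInAd {
    param([string]$Target)
    # [ADSISearcher] needs no RSAT and, under SYSTEM, binds with the computer account,
    # i.e. the same SELF principal that later performs the rename.
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$Target`$))"
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    return ($null -ne $searcher.FindOne())
}

# --- discovery / remediation -------------------------------------------------
$current = $env:COMPUTERNAME
$serial  = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$target  = New-TargetComputerName -Prefix $SitePrefix -Chassis (Get-ChassisAbbreviation) -Serial $serial
Write-Log "Current name '$current', target name '$target'"

if ($current -eq $target) {
    Write-Log 'Compliant'
    return 'Compliant'
}

if (Test-PendingRename -Target $target) {
    Write-Log 'Rename already applied; waiting for reboot'
    return 'NonCompliant'
}

# The rename updates the computer object in AD, so it needs line of sight to a DC.
try   { $dcReachable = Test-ComputerSecureChannel -ErrorAction Stop }
catch { $dcReachable = $false }
if (-not $dcReachable) {
    Write-Log 'No domain controller reachable; the baseline will re-evaluate later'
    return 'NonCompliant'
}

# A stale object with the target name (e.g. from a previous enrollment) makes the rename fail.
if (Test-NameTakenInAd -Target $target) {
    Write-Log "Computer object '$target' already exists in AD; clean it up before the rename can succeed"
    return 'NonCompliant'
}

try {
    Rename-Computer -NewName $target -Force -ErrorAction Stop
    Write-Log "Renamed '$current' to '$target'; reboot required"
} catch {
    Write-Log "Rename failed: $($_.Exception.Message)"
}
return 'NonCompliant'
```

The script returns the string “Compliant” or “NonCompliant” as a ConfigMgr discovery script does, and relies on the baseline re-evaluating on its schedule to retry. Because it runs as SYSTEM, Rename-Computer authenticates with the computer account, which is why the SELF ACE from above is the only permission it needs; a device that cannot reach a domain controller or whose target name is already taken in AD is reported as non-compliant with the reason in the log rather than left in a half-renamed state.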

What’s next

Now, what else do we need in an Azure AD Hybrid Joined environment?

  • Move the computer to a specific OU, based on things like hardware type or the user’s location.
  • Add computer accounts to a specific Active Directory group to assign share permissions or grant auto-enrollment for a specific certificate template.
  • Clean up old computer objects. With every join a new computer object is created, and Intune also keeps records of the old device.

Read more about how to solve these challenges in my blog about the Intune Connector for Active Directory Extender.

Thomas Kurth

I’m a consultant, trainer and architect for modern workplace and enterprise mobility projects with Microsoft technologies for the past eight years. I love to push and design the modern workplace based on Windows 10, EM&S and O365 for my customers, which is the only answer to the current security threats, the agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because that is where the highest costs are.

4 Comments

kevin Smith · July 8, 2019 at 14:58

I’ve tried several methods to rename computers that are deployed with Autopilot in a hybrid domain joined environment. The issue I keep running into is that it breaks the device association between the device and autopilot. This is an issue the next time you want to rebuild the device. The only way to fix is to delete the device from Autopilot and re-import. Have you experienced this? Thanks

    Thomas Kurth · July 8, 2019 at 20:05

    Hello Kevin, we are using the approach in a bigger environment and it is just working. We are currently in the testing phase, so we rebuild the devices multiple times per day, so this shouldn’t be an issue. Are you using Windows 1903?

    The important thing is that we trigger the rename directly on the device. If we do it via Intune, then we have an issue…

Extending the Intune Connector for Active Directory - Workplace Management Blog by baseVISION · June 10, 2019 at 19:21

[…] Protected: Ultimate guide to define device names in Windows Autopilot Hybrid Join Scenario – June 10, 2019 […]

Automatic environment cleanup with Intune Connector for AD Extender - Workplace Management Blog by baseVISION · June 24, 2019 at 22:45

[…] Directory: In case you build your device name by using for example the serial number, done by a custom script after the enrollment by Intune. Then you need a mechanism to delete the old object if the device was already enrolled. Otherwise […]
