When working with Windows Autopilot and implementing Hybrid Join you will face different issues. One common challenge is implementing a naming convention for your devices, because Autopilot only allows the name to be set based on:
- Azure AD Join:
  - Fixed string
  - Serial number
  - Random number
- Azure AD Hybrid Join:
  - Prefix (fixed string)
In most companies this is an issue, because other systems rely on specific naming conventions to group devices by location or by device type (Desktop or Notebook).
With the modern enrollment scenarios this is no longer easily possible. Especially in a Hybrid Join scenario, where the device gets a new name on each enrollment, this leads to a lot of unused, stale computer objects in your Active Directory.
We always try to move customers to the built-in solutions, but at some point you at least want a device to receive the same name on every enrollment, which is not possible with Azure AD Hybrid Join at the moment. Therefore, I created a solution that gives much more flexibility in a Hybrid Join environment.
Azure AD Hybrid Join really required?
First, you should ask whether you really require an Azure AD Hybrid Join, or whether an Azure AD Join is enough in your environment. The biggest drawback of an Azure AD Join is that you cannot use your old but well-working GPOs. Intune is working on the replacement, but troubleshooting is much more complex, not all settings are available, and managing them is not as simple as with the on-premises GPO editor. So this can be a good reason to stay on Azure AD Hybrid Joined devices, but authentication to on-premises resources, which is the reason most often cited, is not a valid one: even with an Azure AD Joined device and no trust to the on-premises Active Directory, your users can still authenticate to file servers and print servers (Kerberos/NTLM) without entering a password. More details in the following blog.
Renaming devices in Azure AD Join scenario
There are a lot of good blogs highlighting the steps to rename a device with a PowerShell script on the device itself. Therefore, I will not explain this process in detail, but you will find it, for example, on the following pages:
- PowerShell:
- MDM OMA-URI (Account CSP):
Renaming devices in an Azure AD Hybrid Joined scenario
If you try the MDM OMA-URI version from above, you end up with a device that has lost its trust to the domain, so users are no longer able to sign in. This functionality should therefore not be used at all. I then tested whether it works when we rename the device manually on the device in a ConfigMgr co-managed environment, and it worked like a charm and updated the name in all systems (AD, Azure AD, Intune and also ConfigMgr). The question is how to invoke this remotely on all machines in a reliable way. The rename can only succeed while the device is connected to the company network. Because PowerShell scripts in Intune are executed only once and, in case of an error, retried only a few times, I saw only two options for a reliable solution:
- ConfigMgr Configuration Item
- Intune PowerShell script, extended with a scheduled task that retries the rename indefinitely.
Because I have a co-managed environment, I decided to use a Configuration Item. The rename runs in the local SYSTEM context, so the device authenticates to Active Directory with its own computer account; therefore, we have to set the permissions in Active Directory accordingly. You have to grant write permissions on computer objects to the SELF principal on the OU where the objects reside. In my environment I granted "Write all properties" to all "descendant computer objects":
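The same delegation can be scripted instead of clicking through the Delegation of Control wizard. The following is an added example and not code from the original post: it grants NT AUTHORITY\SELF the WriteProperty right on descendant computer objects of one OU and then reads the ACL back so you can verify exactly one ACE was added. It assumes the ActiveDirectory module (AD: drive) is available on the machine where you run it; the OU distinguished name is a placeholder for your own OU.

```powershell
# Added example (not the post's code): delegate "Write all properties" on
# descendant computer objects to SELF, scoped to a single OU.
# Assumes: ActiveDirectory PowerShell module present, caller may modify the OU ACL.
Import-Module ActiveDirectory

# Well-known SID of NT AUTHORITY\SELF and the schemaIDGUID of the "computer" class.
$script:SelfSid       = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-10')
$script:ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Grant-SelfComputerWrite {
    param([Parameter(Mandatory)][string] $OrganizationalUnitDN)

    # WriteProperty with no property GUID = "Write all properties";
    # Descendents + inheritedObjectType = apply to descendant computer objects only.
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $script:SelfSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $script:ComputerClass
    )

    $path = "AD:\$OrganizationalUnitDN"
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-SelfComputerWriteAces {
    # Returns the ACEs that match the delegation, so a reviewer can confirm the
    # scope (SELF only, computer objects only, this OU only) before rolling out.
    param([Parameter(Mandatory)][string] $OrganizationalUnitDN)

    (Get-Acl -Path "AD:\$OrganizationalUnitDN").Access | Where-Object {
        $_.IdentityReference.Value -like '*\SELF' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.InheritedObjectType -eq $script:ComputerClass
    }
}

# Placeholder OU; replace with the OU your Autopilot devices are joined to.
$ou = 'OU=Workstations,DC=contoso,DC=com'
Grant-SelfComputerWrite -OrganizationalUnitDN $ou
Get-SelfComputerWriteAces -OrganizationalUnitDN $ou | Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType
```

Keeping the ACE on the single OU that holds the Autopilot devices, rather than on the domain root, limits what a compromised device account could change to its own object and its siblings in that OU.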
Next you have to create the Configuration Item. For your convenience you can just download it from my GitHub repository and import it:
After importing it, you should configure your target computer name. At the moment it uses "KUR-" as a prefix and appends the serial number of the device:
#Target Computername
$Serial = Get-WmiObject Win32_bios | Select-Object -ExpandProperty SerialNumber
$TargetComputername = "KUR-$Serial"
Here you have all the possibilities; just think about requesting a predefined name from a web service. For example, you could provide the device name as the Order ID in Windows Autopilot. The vendor can then print that value on a sticker, and you can retrieve it easily from Windows Autopilot and set it here. Or detect whether the device is a notebook or a desktop and include an abbreviation in the name. If you created a cool solution, please share it.
My solution also checks for the maximum NetBIOS hostname length (15) and shortens the name if required. The actual renaming happens later in the script:
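As an added example of the notebook/desktop variant suggested above (this is not the post's own code), the function below builds the target name from a site prefix, a device-type abbreviation derived from the SMBIOS chassis type, and the BIOS serial number. It also strips characters that are not valid in a NetBIOS name and trims the serial, not the prefix, when the result would exceed 15 characters. The prefix "KUR" is the one from the post; the abbreviations "NB"/"DT" and the chassis-type mapping are assumptions for illustration.

```powershell
# Added example (not the post's code): <prefix>-<type>-<serial> naming with
# NetBIOS validation. Mapping of ChassisTypes to NB/DT is an assumption.
function Get-DeviceTypeAbbreviation {
    # Win32_SystemEnclosure.ChassisTypes uses the SMBIOS System Enclosure values.
    $notebookTypes = 8, 9, 10, 14, 30, 31, 32     # Portable, Laptop, Notebook, Sub Notebook, Tablet, Convertible, Detachable
    $desktopTypes  = 3, 4, 5, 6, 7, 13, 15, 16, 24, 35, 36  # Desktop, Low Profile, Pizza Box, Mini/Tower, All-in-One, ...

    $enclosure = Get-CimInstance -ClassName Win32_SystemEnclosure
    foreach ($type in @($enclosure.ChassisTypes)) {
        if ($notebookTypes -contains $type) { return 'NB' }
        if ($desktopTypes  -contains $type) { return 'DT' }
    }
    return 'XX'   # unknown chassis: still yields a valid, recognisable name
}

function Get-TargetComputerName {
    param(
        [string] $Prefix = 'KUR',                                      # as used in the post
        [string] $Serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber,
        [string] $TypeAbbreviation = (Get-DeviceTypeAbbreviation)
    )

    # NetBIOS names allow letters, digits and hyphens; some vendors ship serials
    # with spaces or punctuation, so remove everything else before using it.
    $cleanSerial = ($Serial -replace '[^A-Za-z0-9-]', '').ToUpperInvariant()
    if ([string]::IsNullOrWhiteSpace($cleanSerial)) {
        throw 'BIOS serial number is empty; refusing to generate a device name.'
    }

    $head = "$Prefix-$TypeAbbreviation-"
    $budget = 15 - $head.Length                 # characters left for the serial
    if ($budget -lt 1) {
        throw "Prefix '$Prefix' and type '$TypeAbbreviation' leave no room for the serial within 15 characters."
    }

    # Trim the serial rather than the prefix so the site/type part stays readable.
    # Which end of the serial carries the unique part depends on the vendor; adjust if needed.
    $usable = $cleanSerial.Substring(0, [Math]::Min($budget, $cleanSerial.Length))
    return ($head + $usable)
}

# Constructed sample values (not a real device): a 14-character serial with a leading space.
Get-TargetComputerName -Prefix 'KUR' -Serial ' 5CD9123ABCDEFG' -TypeAbbreviation 'NB'
# -> KUR-NB-5CD9123A  (15 characters)
```

The result can be assigned to $TargetComputername in the Configuration Item's discovery script in place of the fixed "KUR-$Serial" expression.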
# Write-Log is the script's own logging helper, defined earlier in the full Configuration Item script.
$ComputerName = $env:COMPUTERNAME
Write-Log "Current ComputerName '$env:COMPUTERNAME'"
Write-Log "Target ComputerName: '$TargetComputername'"
# NetBIOS hostnames are limited to 15 characters; a name of exactly 15 is still valid.
if ($TargetComputername.Length -gt 15) {
    Write-Log "Target ComputerName is longer ($($TargetComputername.Length)) than the allowed length of 15. It will be shortened."
    $TargetComputername = $TargetComputername.Substring(0, 15)
    Write-Log "New Target ComputerName: '$TargetComputername'"
}
if ($ComputerName -eq $TargetComputername) {
    Write-Log "Computer Name matched! Compliant."
    return "Compliant"
} else {
    Write-Log "Computer Name doesn't match! Non Compliant"
    # Runs as SYSTEM: the computer account itself updates the AD object (needs the SELF permission from above).
    Rename-Computer $TargetComputername
    Write-Log "Change Computer Name from $($env:COMPUTERNAME) to $TargetComputername"
    Write-Log "Reboot required."
    return "NonCompliant"
}
Then you can assign the Configuration Item to a Baseline and deploy it to your devices, and they start renaming themselves according to your defined names. Important: the actual rename takes effect only after the device reboots.
But keep in mind that you need a cleanup job, because if a computer object with the target name already exists, the rename fails. Read more about this issue and how to solve it in my blog about the Intune Connector for Active Directory Extender.
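The two failure modes described above, no domain connectivity and a stale computer object already carrying the target name, can both be detected before Rename-Computer is called, so the Configuration Item reports a meaningful reason instead of a failed rename. The following pre-flight check is an added example and not part of the post's script; it is meant to run in the same SYSTEM context as the discovery script and takes the target name as a parameter (the post's $TargetComputername). Test-ComputerSecureChannel and the [adsisearcher] accelerator are standard Windows PowerShell; no other modules are assumed.

```powershell
# Added example (not the post's code): pre-flight checks before Rename-Computer
# on a hybrid joined device running as SYSTEM.
function Test-RenamePreconditions {
    param([Parameter(Mandatory)][string] $TargetComputerName)

    $result = [ordered]@{
        SecureChannelOk = $false
        TargetNameFree  = $false
        Reason          = ''
    }

    # 1. Rename-Computer has to update the AD object, so it can only succeed while
    #    the device reaches a domain controller (office network or VPN).
    try {
        $result.SecureChannelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    } catch {
        # Thrown when no DC is reachable or the machine is not domain joined at all.
        $result.Reason = "No domain connectivity: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    if (-not $result.SecureChannelOk) {
        $result.Reason = 'Secure channel to the domain is broken; rename would fail.'
        return [pscustomobject]$result
    }

    # 2. A leftover computer object from an earlier enrollment with the same name
    #    blocks the rename. Computer accounts are stored as sAMAccountName "NAME$".
    #    Running as SYSTEM, the search authenticates with the computer account.
    $filter   = "(&(objectCategory=computer)(sAMAccountName=$TargetComputerName`$))"
    $searcher = [adsisearcher]$filter
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $existing = $searcher.FindOne()

    if ($null -ne $existing -and $env:COMPUTERNAME -ne $TargetComputerName) {
        $dn = $existing.Properties['distinguishedname'][0]
        $result.Reason = "Computer object already exists: $dn (cleanup required before rename)"
        return [pscustomobject]$result
    }

    $result.TargetNameFree = $true
    return [pscustomobject]$result
}

# Usage in a discovery script: attempt the rename only when both checks pass.
# $check = Test-RenamePreconditions -TargetComputerName $TargetComputername
# if ($check.TargetNameFree) { Rename-Computer -NewName $TargetComputername } else { $check.Reason }
```

Returning the reason string through the Configuration Item's log (the post's Write-Log) makes the two cases distinguishable in ConfigMgr reporting: devices that are simply off-network will become compliant on the next evaluation, while devices blocked by a stale object need the cleanup job the post refers to.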
What’s next
Now, what else might we need in an Azure AD Hybrid Joined environment?
- Move the computer to a specific OU, based on criteria like hardware type or the user's location.
- Add computer accounts to a specific Active Directory group to assign share permissions or to grant auto-enrollment on a specific certificate template.
- Clean up old computer objects. With every join a new computer object is created, and Intune also keeps records of the old device.
Read more about how to solve these challenges in my blog about the Intune Connector for Active Directory Extender.
14 Comments
kevin Smith · July 8, 2019 at 14:58
I’ve tried several methods to rename computers that are deployed with Autopilot in a hybrid domain joined environment. The issue I keep running into is that it breaks the device association between the device and autopilot. This is an issue the next time you want to rebuild the device. The only way to fix is to delete the device from Autopilot and re-import. Have you experienced this? Thanks
Thomas Kurth · July 8, 2019 at 20:05
Hello Kevin, we are using the approach in a bigger environment and it is just working. We are currently in the testing phase, so we rebuild the devices multiple times per day, so this shouldn't be an issue. Are you using Windows 1903?
Important is, that we trigger the rename directly on the device. If we do it over Intune, then we have an issue…
Conrad · August 22, 2019 at 09:35
Good morning Thomas, just ran into this article and hoped I had seen it sooner … Do you have a remedy for when you renamed devices in the wrong way and the connection to AD is lost for them? Cheers, Conrad
Thomas Kurth · August 24, 2019 at 20:39
No, with my solution it worked in our customer environments without issues. If you have lost domain connection you can probably join again by deploying a PowerShell script with Intune.
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/add-computer?view=powershell-5.1
hari · December 29, 2019 at 04:27
https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/39328651-is-there-any-way-i-can-setup-the-vpn-profile-in-wh
Any way you can help this issue ?
Thomas Kurth · January 2, 2020 at 11:08
No, there we have to wait on the implementation of Microsoft.
Filip · April 16, 2020 at 14:56
Hi,
I downloaded the CAB file and imported it in SCCM 1910 and get an error when evaluating the baseline. We just updated the naming of the device to comply with our standard CO%Serial%. On the client, the log folder isn't created. Do you have any idea what might be causing this?
Thomas Kurth · May 2, 2020 at 15:30
Hello Filip
I just tried it on my machine. Perhaps you have to pre-create the log folder, which is currently defined as C:\Windows\Logs\ComplianceItem
Does this help?
Damien Wing · April 7, 2021 at 00:39
Is there a way to set the naming suffix to the primary user of the computer?
Thomas Kurth · April 25, 2021 at 19:28
Sadly not, because the primary user is not known on the endpoint. But you could try to provide a CSV file with a primary user / device list, then rename the PC if required.
prasant · September 1, 2021 at 06:16
How about Michael Niehaus' PowerShell script with an Azure function to rename the device? The only challenge I noticed is the static name over a dynamically generated name.
Markus · November 10, 2021 at 16:26
Hey Thomas. Thank you for your guide. In our company, the naming convention is very easy. Devices belong to people, and people have a three-digit username (which is the same as the UPN), for example XYZ. My desktop workstation is called XYZ-PC, my Surface is called XYZ-Surface and my notebook is called XYZ-NB, where XYZ is my Active Directory user name.
Do you have any idea, how I can rename my hybrid joined autopilot devices with this naming convention?
Extending the Intune Connector for Active Directory - Workplace Management Blog by baseVISION · June 10, 2019 at 19:21
[…] Protected: Ultimate guide to define device names in Windows Autopilot Hybrid Join Scenario – June 10, 2019 […]
Automatic environment cleanup with Intune Connector for AD Extender - Workplace Management Blog by baseVISION · June 24, 2019 at 22:45
[…] Directory: In case you build your device name by using for example the serial number, done by a custom script after the enrollment by Intune. Then you need a mechanism to delete the old object if the device was already enrolled. Otherwise […]