22 October 2020

Autopilot Hybrid Joined device built outside the corporate network

Written by Ryan Wilson

Autopilot still has limitations when deploying Hybrid Joined devices, especially when they are built outside the corporate network. The primary issue is that a device built outside the office often has no direct line of sight to Active Directory, so it cannot write the userCertificate attribute to the newly created computer object in AD. Without the userCertificate attribute on the on-premises computer object, Azure AD Connect will not sync it, and Azure will not provision a Hybrid Joined device for that machine.

Now, we can use a VPN, and the popular choice is Always On VPN (AOVPN). However, depending on when the AOVPN profile is deployed during the Autopilot ESP build, there may not be enough time for the connection to be established. Even if the AOVPN profile is deployed early in the build and the connection comes up, the device still may not write userCertificate back to the local directory in time. This is because the scheduled task that creates the userCertificate attribute (Automatic-Device-Join) is a triggered task: even though the device now has a connected VPN, the task will not fire again if its trigger has already passed before the VPN connection was established. With Autopilot white glove, the device must be sealed at the end of the device ESP phase, and the problem you then have is a sealed device that is not a Hybrid Joined device in Azure. The end user will not be able to sign in with their on-premises credentials.

Because of the issues mentioned above I have created a script which needs to be deployed as an Intune Win32 app and assigned to the devices during the Autopilot build.

The script below will do the following:

1 – Add the RSAT Active Directory tools for Windows 10

2 – Check for the AOVPN profile deployed during the build and force the connection to be established

3 – Ping the local domain controller repeatedly until it responds

4 – Check whether the userCertificate attribute is present on the on-premises computer object for the device being built

5 – Should the on-premises userCertificate value be null, trigger the Automatic-Device-Join scheduled task to force the attribute to be created

6 – Step 5 runs in a loop until the userCertificate attribute has been created

7 – The script then stops once the on-premises Active Directory computer object has the userCertificate attribute; this ensures the next Azure AD Connect sync will create a Hybrid Joined device in Azure

# Scope the policy change to this process only; the Intune Win32 install command normally passes -ExecutionPolicy Bypass anyway
Set-ExecutionPolicy Bypass -Scope Process -Force

# The RSAT AD module is needed for Get-ADComputer (the Feature on Demand source must be reachable)
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
Import-Module ActiveDirectory

New-Item -Path C:\setup -ItemType Directory -Force | Out-Null
Start-Transcript -Path C:\setup\userCertificate.txt

# Domain controller the device tunnel should give the device reach to
$SessionHostServer = 'domaincontroller.changeme.local'

# Dial the AOVPN device tunnel (use your profile name) until the domain controller answers
Do {
    rasphone -d "Always On VPN Device Tunnel Name"
    Start-Sleep -Seconds 15
}
Until ((Test-NetConnection -ComputerName $SessionHostServer).PingSucceeded -eq $true)
Write-Host "Domain Controller is reachable"

$device = hostname
$count = 1

# Read the current state of the on-premises computer object before deciding anything
$value = Get-ADComputer -Server $SessionHostServer -Identity $device -Properties userCertificate

If ($null -eq $value.userCertificate) {
    Do {
        # Automatic-Device-Join is the task that writes userCertificate; kick it and give it time to finish
        Get-ScheduledTask -TaskPath "\Microsoft\Windows\Workplace Join\" -TaskName Automatic-Device-Join | Start-ScheduledTask
        Start-Sleep -Seconds 120
        # Re-read the object after the task has had a chance to run
        $value = Get-ADComputer -Server $SessionHostServer -Identity $device -Properties userCertificate
        Write-Host "Attempt $count"
        $count = $count + 1
    }
    Until ($null -ne $value.userCertificate)
} else {
    Write-Host "UserCertificate already present, nothing to do"
}

Write-Host "UserCertificate in place"
# Marker file used as the detection rule for the Intune Win32 app
$device | Out-File -FilePath C:\setup\complete.txt
Stop-Transcript
Exit

Using the script above you can successfully build Autopilot Hybrid Joined devices outside the corporate network. The script has been created and tested on multiple machines by me, so please use it at your own risk.
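The post stops at "userCertificate is present", but presence alone is not what Azure AD Connect keys on: its computer join rule only picks up certificates whose subject is CN=<GUID> (the self-signed device certificate issued by CN=MS-Organization-Access). The following is an added verification snippet, not part of the original post or script. It reads the multi-valued userCertificate attribute from the computer object, decodes each DER blob as an X.509 certificate, reports whether it looks like a usable device certificate, and, when run on the device itself, shows the dsregcmd join state. $DeviceName and $DomainController are placeholders you must change.

```powershell
# Added verification helper (not from the original post). Run on a domain-joined admin
# workstation with RSAT AD tools, or on the built device once it is back on the corporate network.
Import-Module ActiveDirectory

$DeviceName       = 'DESKTOP-CHANGEME'                 # placeholder: the device being checked
$DomainController = 'domaincontroller.changeme.local'  # placeholder: a reachable DC

function Get-DsregValue ([string[]]$StatusOutput, [string]$Field) {
    # dsregcmd /status prints "   Field : value" lines; return the value for one field
    foreach ($line in $StatusOutput) {
        if ($line -match "^\s*$Field\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
}

$computer = Get-ADComputer -Server $DomainController -Identity $DeviceName -Properties userCertificate
if (-not $computer.userCertificate) {
    Write-Warning "$DeviceName has no userCertificate value; Azure AD Connect will not create a Hybrid Joined device for it."
    return
}

# userCertificate is multi-valued; each value is a DER-encoded X.509 certificate
foreach ($blob in $computer.userCertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)

    # The hybrid join device certificate has Subject CN=<device GUID>; anything else is ignored by the sync rule
    $subjectGuid  = [guid]::Empty
    $isDeviceCert = ($cert.Subject -match '^CN=([0-9a-fA-F-]{36})$') -and
                    [guid]::TryParse($Matches[1], [ref]$subjectGuid)

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer          # expected: CN=MS-Organization-Access
        NotBefore      = $cert.NotBefore
        NotAfter       = $cert.NotAfter
        Thumbprint     = $cert.Thumbprint
        UsableForHAADJ = $isDeviceCert -and ($cert.NotAfter -gt (Get-Date))
    }
}

# On the device itself, dsregcmd shows whether registration has completed yet.
# AzureAdJoined stays NO until Azure AD Connect has synced the object and the device has found it.
if ($env:COMPUTERNAME -eq $DeviceName) {
    $status = dsregcmd /status
    Write-Host ("DomainJoined={0} AzureAdJoined={1} DeviceId={2}" -f
        (Get-DsregValue $status 'DomainJoined'),
        (Get-DsregValue $status 'AzureAdJoined'),
        (Get-DsregValue $status 'DeviceId'))
}
```

If a blob decodes with a subject that is not a bare GUID (for example a user or machine certificate from an internal CA that also landed in userCertificate), it does not count; the device is only in good shape when at least one entry reports UsableForHAADJ as True. A device whose AzureAdJoined stays NO long after the certificate is in place points at the Azure AD Connect sync scope or schedule rather than at the build.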

1 Comment

  1. film
    November 30, 2020 at 11:58 pm

    You made some decent points there. I looked on the internet for the subject and found most people will agree with your blog. Elyssa Nikolai Hayley

