Device Rename in HAADJ environment

Hi,

Wondering if there is a supported process for the renaming of devices which have been Hybrid Joined.

As we know, the device naming setup is currently limited to only being able to provide a pre-determined prefix for devices, which then has a randomly generated suffix of letters and characters added to it.

When deploying machines, currently, there is no easy way to associate a machine with the machine's serial number or other company asset tag type requirements.

I would assume the rename process would probably be triggered by the device first being renamed via the on-premise AD environment and this change then being synced to AAD via a sync process. Is this correct?

Also, if a machine is redeployed, how would the previously assigned machine name be re-assigned to the same device to prevent additional unwanted orphaned devices being left around in both AAD and on-premise AD?

I look forward to your helpful advice and assistance.

Cheers

Tony

Tony,

If you have SCCM at your site you can create a task sequence to run on the computer that will run a PowerShell script. The collection looks for computers with the prefix as part of the computer name (like AUTOPILOTPCXXXX). The script will query the BIOS to see if an asset tag is programmed into it and then rename the computer to the new prefix + asset tag. Now the computer does have to be on the network, VPN or in the office, as the script is updating the AD record, which will then get updated on the Azure/Intune side. The script will search AD to see if a computer object with the same name exists and remove it if found; you can also have it search for the computer in SCCM and remove it.

It's not perfect but it's been working for me.

Set-ExecutionPolicy Bypass -Scope Process -Force

# Inputs for the new name: BIOS asset tag first, BIOS serial number as the fallback
$oldCompName = $env:COMPUTERNAME
$AssetTag = (Get-WmiObject Win32_SystemEnclosure).SMBiosAssetTag
$serial = Get-WmiObject Win32_BIOS | Select-Object -ExpandProperty SerialNumber
# Only needed if you extend the script to clean up the old record in SCCM as well
$sccmServer = 'SCCMSERVERNAME'
$sccmSite = 'SITECODE'

Reset-ComputerMachinePassword
Start-Transcript "C:\Windows\PKGCache\LOG\RenameComputer.log" -Append

# Build PREFIX + asset tag, or PREFIX + serial when no tag is programmed.
# Firmware returns the placeholder "No Asset Information" when the tag field is empty.
# Anything that is not a letter or digit is stripped so the result is a valid NetBIOS name.
If (($AssetTag) -and ($AssetTag -ne "No Asset Information"))
{
    $newname = ("PREFIX" + $AssetTag) -replace '[^a-zA-Z0-9]', ''
}
Else
{
    $newname = ("PREFIX" + $serial) -replace '[^a-zA-Z0-9]', ''
}

# Truncate to 14 characters (NetBIOS computer names are limited to 15)
$validname = $newname.Substring(0, [System.Math]::Min(14, $newname.Length))
Write-Host "Old computer name $oldCompName"
Write-Host "New computer name $validname"

# Neither an asset tag nor a serial was available: fall back to a random suffix
If ($validname -eq "PREFIX")
{
    $validname = "PREFIX" + (Get-Random -Maximum 1000000)
}
Else
{
    Write-Host "Computer is named $validname, proceeding"
}

# Nothing to do if the computer already carries the target name
If ($env:COMPUTERNAME -eq $validname)
{
    Stop-Transcript
    Exit
}

# Find and delete any stale computer object in AD that already uses the target name,
# otherwise Rename-Computer fails with a name conflict. Deleting needs an account that
# may remove computer objects, which is why the task sequence runs this as an AD admin.
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = $dom.GetDirectoryEntry()
$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(&(objectClass=computer)(name=$validname))"
$search.FindAll() | ForEach-Object { $_.GetDirectoryEntry() } | ForEach-Object { $_.DeleteObject(0) }

# Give the directory a moment before the rename creates the new object
Start-Sleep -Seconds 60

# Rename the computer; the updated AD record then flows to Azure AD on the next sync
Rename-Computer -NewName $validname -Force

Stop-Transcript
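An added pre-check, written for this thread and not part of any poster's script: it reproduces the name derivation used above (PREFIX + BIOS asset tag, serial number as fallback), enforces the NetBIOS length limit, and looks the name up in AD through an RFC 4515-escaped LDAP filter, reporting what a rename would run into instead of deleting anything. It assumes a domain-joined host running Windows PowerShell 5.1 or later; PREFIX and the function names are placeholders of mine.

```powershell
# Added example for this thread, not code from any poster. Assumes a domain-joined host.
function Get-TargetComputerName {
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [string]$AssetTag,
        [string]$Serial,
        [int]$MaxLength = 15   # NetBIOS computer names are at most 15 characters
    )
    # Prefer the asset tag; firmware reports a placeholder string when none is programmed
    $suffix = if ($AssetTag -and $AssetTag -ne 'No Asset Information') { $AssetTag } else { $Serial }
    $cleanPrefix = $Prefix -replace '[^a-zA-Z0-9]', ''
    $candidate = ($cleanPrefix + $suffix) -replace '[^a-zA-Z0-9]', ''
    if ($candidate.Length -le $cleanPrefix.Length) {
        # Neither tag nor serial survived sanitising: random suffix, as the script above does
        $candidate = $cleanPrefix + (Get-Random -Maximum 1000000)
    }
    return $candidate.Substring(0, [Math]::Min($MaxLength, $candidate.Length)).ToUpper()
}

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so a value that came from firmware cannot alter the filter
    param([string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Test-ComputerNameInAD {
    # Reports whether an object with that name exists and whether it is this host itself
    param([Parameter(Mandatory)][string]$Name)
    $root = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetDirectoryEntry()
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=computer)(name=$(ConvertTo-LdapFilterValue $Name)))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hit = $searcher.FindOne()
    $dn = if ($hit) { [string]$hit.Properties['distinguishedname'][0] } else { $null }
    [pscustomobject]@{
        Exists       = [bool]$hit
        IsThisDevice = ($Name -eq $env:COMPUTERNAME)
        DN           = $dn
    }
}

# Pre-check on this host: what would the rename run into?
$assetTag = (Get-CimInstance Win32_SystemEnclosure).SMBIOSAssetTag
$serialNo = (Get-CimInstance Win32_BIOS).SerialNumber
$target = Get-TargetComputerName -Prefix 'PREFIX' -AssetTag $assetTag -Serial $serialNo
$check = Test-ComputerNameInAD -Name $target
if ($check.IsThisDevice) { "Already named $target, nothing to do" }
elseif ($check.Exists)   { "Stale object $($check.DN) blocks the rename to $target; remove it first" }
else                     { "No conflict: Rename-Computer -NewName $target -Force can proceed" }
```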

Hope this helps: https://oofhours.com/2020/05/19/renaming-autopilot-deployed-hybrid-azure-ad-join-devices/

The problem with Michael's script is that if the object currently exists in your on-prem AD it fails to rename the computer, which will require someone to go into AD and remove it manually.
Thanks @Targetpractise and @Durrante for your replies.

I am testing out a combination of the scripts as we are not using SCCM for device co-management.

Basically, combining the component where it gets the device serial number to create the new device name, then checks if it exists already in AD and continues.

It would be good to have an idea when the naming conventions for HAADJ will be updated to enable the use of %SERIAL% as per a cloud-only joined machine.

Cheers
Tony
The script that Durrante posted is from Michael's page; he was for a long time the head of Autopilot at Microsoft so he knows his stuff. Only problem I had with his script was that it runs in the user's/computer's context and if the object existed in AD it wouldn't have the needed permissions to delete the old object, and would then fail to rename because the object already exists. That's why I wrote mine and run it through SCCM with an AD admin level account so it can do the object cleanup and not have to grant everyone full permissions. The other option you can do is to modify his script, the scheduled task part, and tell it to run as an account with full AD permissions; the risk there is the username and password would be easy to extract from the script.

In the script you can add the -User & -Password switches to the Register-ScheduledTask part:

# The credentials sit in clear text in the script, which is the risk mentioned above
Register-ScheduledTask -Action $action -Trigger $triggers -TaskName "RenameComputer" -User "USERNAME" -Password "PASSWORD" -Description "RenameComputer" -Force

I am on weekly calls with MS and a few of their engineers for Autopilot and I have been asking for the %SERIAL% option for about 2 years now. They tell me it's not even on the roadmap yet and may never be for Hybrid Join.

Thanks @Targetpractice,

We found that following Michael's advice to apply delegated permissions for the SELF account on the device OUs worked for us.

Our next challenge is using a separate Domain Join profile to be used with separate Autopilot profiles based on an AAD dynamic group.

Cheers