1 parent
0bf6ae6
commit 4f96513
Showing
3 changed files
with
155 additions
and
1 deletion.
@@ -1 +1,18 @@ | ||
# autopilot | ||
# WaitForUserDeviceRegistration | ||
Pauses device ESP for up to 60 minutes for machine to register with AzureAD. | ||
Add the WaitForUserDeviceRegistration.intunewin app to Intune and specify the following command line: | ||
|
||
powershell.exe -noprofile -executionpolicy bypass -file .\WaitForUserDeviceRegistration.ps1 | ||
|
||
To "uninstall" the app, the following can be used (for example, to get the app to re-install): | ||
|
||
cmd.exe /c del %ProgramData%\DeviceRegistration\WaitForUserDeviceRegistration.ps1.tag | ||
|
||
Specify the platforms and minimum OS version that you want to support. | ||
|
||
For a detection rule, specify the path and file and "File or folder exists" detection method: | ||
|
||
%ProgramData%\DeviceRegistration\WaitForUserDeviceRegistration | ||
WaitForUserDeviceRegistration.ps1.tag | ||
|
||
Deploy the app as a required app to an appropriate set of devices. |
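--- a/SyncNewAutoPilotComputersandUsersToAAD.ps1
+++ b/SyncNewAutoPilotComputersandUsersToAAD.ps1
@@ -0,0 +1,40 @@
+# SyncNewAutoPilotComputersandUsersToAAD.ps1
+#
+# Version 1.3
+#
+# Stolen from Alex Durrant. Updated by Steve Prentice, 2020
+#
+# Triggers an ADDConnect Delta Sync if new objects are found to be have been created
+# in the OU's in question, this is helpful with Hybrid AD joined devices via Autopilot
+# and helps to avoid the 3rd authentication prompt.
+#
+# Only devices with a userCertificate attribute are synced, so this script only attempts
+# to sync devices that have been created within the last 5 hours and have the attribute set,
+# which is checked every 5 minutes via any changes in the object's Modified time.
+#
+# Install this as a scheduled task that runs every 5 minutes on your AADConnect server.
+# Change the OU's to match your environment.
+
+Import-Module ActiveDirectory
+
+$time = [DateTime]::Now.AddMinutes(-5)
+$computers = Get-ADComputer -Filter 'Modified -ge $time' -SearchBase "OU=AutoPilotDevices,OU=Computers,DC=somedomain,DC=com" -Properties Created, Modified, userCertificate
+$users = Get-ADUser -Filter 'Created -ge $time' -SearchBase "OU=W10Users,OU=Users,DC=somedomain,DC=com" -Properties Created
+
+If ($computers -ne $null) {
+ForEach ($computer in $computers) {
+$diff = $computer.Modified.Subtract($computer.Created)
+If (($diff.TotalHours -le 5) -And ($computer.userCertificate)) {
+# The below adds to AD groups automatically if you want
+#Add-ADGroupMember -Identity "Some Intune Co-management Pilot Device Group" -Members $computer
+$syncComputers = "True"
+}
+}
+# Wait for 30 seconds to allow for some replication
+Start-Sleep -Seconds 30
+}
+
+If (($syncComputers -ne $null) -Or ($users -ne $null)) {
+Try { Start-ADSyncSyncCycle -PolicyType Delta }
+Catch {}
+}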
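Review bot: The empty `Catch {}` around `Start-ADSyncSyncCycle -PolicyType Delta` at the end of the file discards every failure of the delta sync, so a busy, unavailable or misconfigured sync cycle leaves no trace in the scheduled task's output; that is the failure mode that goes unnoticed on an unattended AADConnect server. Replace it with at least a diagnostic, e.g. `Catch { Write-Warning "Delta sync failed: $_" }`, or write to the event log so task history shows the error. The `-ne $null` comparisons (`If ($computers -ne $null)` and the final `If`) put the possibly-array value on the left, where PowerShell filters the array rather than testing it; the reliable form is `If ($null -ne $computers)`. Note also that `$syncComputers` is only assigned inside the loop and never initialised, so the final comparison would fail under `Set-StrictMode`; an explicit `$syncComputers = $null` before the loop avoids that.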
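--- a/WaitForUserDeviceRegistration.ps1
+++ b/WaitForUserDeviceRegistration.ps1
@@ -0,0 +1,97 @@
+# WaitForUserDeviceRegistration.ps1
+#
+# Version 1.6
+#
+# Steve Prentice, 2020
+#
+# Used to pause device ESP during Autopilot Hybrid Join to wait for
+# the device to sucesfully register into AzureAD before continuing.
+#
+# Use IntuneWinAppUtil to wrap and deploy as a Windows app (Win32).
+# See ReadMe.md for more information.
+#
+# Tip: Win32 apps only work as tracked apps in device ESP from 1903.
+#
+# Exits with return code 3010 to indicate a soft reboot is needed,
+# which in theory it isn't, but it suited my purposes.
+
+# Create a tag file just so Intune knows this was installed
+if (-not (Test-Path "$($env:ProgramData)\DeviceRegistration\WaitForUserDeviceRegistration"))
+{
+Mkdir "$($env:ProgramData)\DeviceRegistration\WaitForUserDeviceRegistration"
+}
+Set-Content -Path "$($env:ProgramData)\DeviceRegistration\WaitForUserDeviceRegistration\WaitForUserDeviceRegistration.ps1.tag" -Value "Installed"
+
+# Start logging
+Start-Transcript "$($env:ProgramData)\DeviceRegistration\WaitForUserDeviceRegistration\WaitForUserDeviceRegistration.log"
+
+$filter304 = @{
+LogName = 'Microsoft-Windows-User Device Registration/Admin'
+Id = '304' # Automatic registration failed at join phase
+}
+
+$filter306 = @{
+LogName = 'Microsoft-Windows-User Device Registration/Admin'
+Id = '306' # Automatic registration Succeeded
+}
+
+$filter334 = @{
+LogName = 'Microsoft-Windows-User Device Registration/Admin'
+Id = '334' # Automatic device join pre-check tasks completed. The device can NOT be joined because a domain controller could not be located.
+}
+
+$filter335 = @{
+LogName = 'Microsoft-Windows-User Device Registration/Admin'
+Id = '335' # Automatic device join pre-check tasks completed. The device is already joined.
+}
+
+$filter20225 = @{
+LogName = 'Application'
+Id = '20225' # A dialled connection to RRAS has sucesfully connected.
+}
+
+# Wait for up to 60 minutes, re-checking once a minute...
+While (($counter++ -lt 60) -and (!$exitWhile)) {
+# Let's get some events...
+$events304 = Get-WinEvent -FilterHashtable $filter304 -MaxEvents 1 -EA SilentlyContinue
+$events306 = Get-WinEvent -FilterHashtable $filter306 -MaxEvents 1 -EA SilentlyContinue
+$events334 = Get-WinEvent -FilterHashtable $filter334 -MaxEvents 1 -EA SilentlyContinue
+$events335 = Get-WinEvent -FilterHashtable $filter335 -MaxEvents 1 -EA SilentlyContinue
+$events20225 = Get-WinEvent -FilterHashtable $filter20225 -MaxEvents 1 -EA SilentlyContinue
+
+If ($events335) { $exitWhile = "True" }
+
+ElseIf ($events306) { $exitWhile = "True" }
+
+ElseIf ($events20225 -And $events334 -And !$events304) {
+Write-Host "RRAS dialled sucesfully. Trying Automatic-Device-Join task to create userCertificate..."
+Start-ScheduledTask "\Microsoft\Windows\Workplace Join\Automatic-Device-Join"
+Write-Host "Sleeping for 60s..."
+Start-Sleep -Seconds 60
+}
+
+Else {
+Write-Host "No events indicating successful device registration with Azure AD."
+Write-Host "Sleeping for 60s..."
+Start-Sleep -Seconds 60
+If ($events304) {
+Write-Host "Trying Automatic-Device-Join task again..."
+Start-ScheduledTask "\Microsoft\Windows\Workplace Join\Automatic-Device-Join"
+Write-Host "Sleeping for 5s..."
+Start-Sleep -Seconds 5
+}
+}
+}
+
+If ($events306) {
+Write-Host $events306.Message
+Write-Host "Exiting with return code 3010 to indicate a soft reboot is needed."
+Stop-Transcript
+Exit 3010
+}
+
+If ($events335) { Write-Host $events335.Message }
+
+Write-Host "Script complete, exiting."
+
+Stop-Transcript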
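Review bot: The tag file that the README names as the Intune detection rule is written by the `Set-Content -Path "...\WaitForUserDeviceRegistration.ps1.tag"` line before the wait loop starts, so if the device reboots or the script is terminated during the up-to-60-minute wait, detection is likely to report the app as installed and the wait is never retried. Consider moving that `Set-Content` to the end of the script, beside the final `Stop-Transcript`, so the tag only exists once the wait has actually completed. Separately, `$counter` and `$exitWhile` are never initialised before `While (($counter++ -lt 60) -and (!$exitWhile))`; this relies on PowerShell's null arithmetic, so `$counter = 0` and `$exitWhile = $false` before the loop would make the intent explicit and keep the script working under `Set-StrictMode`. The `-EA SilentlyContinue` on every Get-WinEvent call also makes a missing or unreadable event log indistinguishable from "no event yet", so logging `$Error[0]` once when a query fails would help diagnose a run that silently loops for the full 60 minutes.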