I have come across customers who auto-enroll Azure AD joined Windows 10 devices in Intune and use its device management capabilities, such as enforcing compliance policies and configuring certificate, Wi-Fi, VPN, Endpoint and other profiles. These devices are used remotely, and the IT team does not have much control over them. The most frequent ask is to rename the device based on the user who joined it to Azure AD, which helps with quick identification.
There are several ways to achieve this goal, one of which is to leverage the Configuration Service Provider (CSP) OMA-URI and push a custom configuration through Intune. This method has been documented here. It is available only for devices running Windows 10 1803 or later, and it supports only names built from a random number or the device serial number.
To work around these limitations, we can leverage the PowerShell script configuration available in Intune, which is documented here.
Below are the high-level steps to be performed.
- Create AD Device Security Group with Static or Dynamic Membership rules (example: include all Azure AD Domain joined machines)
- Create a PowerShell Script with commands to rename computer.
- Configure PowerShell Script profile in Intune and upload the created script.
- Assign the profile to AD Device Security group created in Step 1.
- Review the status based on user or device.
We will go through these steps one by one.
Create AD Device Security Group:
First, we will create Azure AD Device group with dynamic membership to include all Windows 10 devices that are Azure AD domain joined. To do so,
- Sign in to the Azure AD admin center with an account that is in the Global Administrator, Intune Service Administrator, or User Account Administrator role in the tenant.
- Select Groups.
- Select All groups and select New group.
- On the Group blade, enter a name and description for the new group. Select a Membership type of Dynamic Device and then select Add dynamic query.
- Click Advanced Rule and enter the rule below.
(device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company")
- After creating the rule, select Add query at the bottom of the blade.
- Select Create on the Group blade to create the group.
- After group calculation, you should see the members in the group. Note that the machine name is “GOKARTHI-L”
PowerShell Script to rename Computer:
As our goal is to rename the computer based on the account that was used to perform the Azure AD join, the first step is to retrieve the user details.
The email address can be retrieved from the following registry key.
HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\<GUID>\UserEmail
From this, we need to extract the user name. Also, it is quite likely that a user has more than one Windows 10 device, so we append some random digits to the new computer name. Finally, we use the Rename-Computer command to set the new name on the computer.
Below is the script we will use to arrive at the new name. Save the script locally.
function AddLog {
    param (
        $Path = "C:\Windows\Temp\RenameComputer.log",
        $Log
    )
    # Append one line to the log file (created on first write)
    Add-Content -Path $Path -Value $Log
}
# Locate the JoinInfo\<GUID> subkey written at Azure AD join time. Only the first
# subkey is used, so the script does not break if more than one is present.
$ADJoinInfo = Get-ChildItem -Path HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\ | Select-Object -First 1
# Get-ChildItem reports the key as HKEY_LOCAL_MACHINE\...; convert it to the HKLM: drive form
$ADJoinInfo = $ADJoinInfo.Name -replace "HKEY_LOCAL_MACHINE","HKLM:"
AddLog -Log "$ADJoinInfo"
$User = Get-ItemProperty -Path $ADJoinInfo
AddLog -Log "Username: $($User.UserEmail)"
# Local part of the UPN with dots removed, trimmed to 9 characters so that the
# final name (9 + "-" + 3 digits + "-L") stays within the 15-character NetBIOS limit
$UserName = $User.UserEmail.Split("@")[0]
$NewName = $UserName.Replace(".","")
If ($NewName.Length -gt 9) {$NewName = $NewName.Substring(0,9)}
AddLog -Log "Trimmed UserName: $NewName"
# Random three-digit suffix to reduce collisions when a user has several devices
$Random = Get-Random -Minimum 100 -Maximum 999
$NewName = $NewName + "-" + $Random + "-L"
AddLog -Log "New Name of Computer: $NewName"
AddLog -Log "Executing Rename-Computer"
Try {
    # -ErrorAction Stop makes a failed rename a terminating error so Catch runs
    Rename-Computer -NewName $NewName -ErrorAction Stop
    AddLog -Log "Executing Rename-Computer Successful"
}
Catch {
    AddLog -Log "Executing Rename-Computer Failed - $_"
}
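The naming logic above relies on the UPN containing only characters that are valid in a computer name, and it renames unconditionally even if Intune re-runs the script. The following is an added example (not part of the original post) that splits the same logic into functions, strips characters that are not valid in a NetBIOS name, enforces the 15-character limit, and skips the rename when the device already carries a generated name; the function names are hypothetical, and Rename-Computer is called with -WhatIf so it only reports what it would do.

```powershell
# Added example, not the post's own script. Function names are hypothetical.

function Get-AadJoinUserEmail {
    # Returns UserEmail from the first JoinInfo\<GUID> subkey, or $null when the
    # device is not Azure AD joined (no subkey present).
    $joinInfoPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo'
    $key = Get-ChildItem -Path $joinInfoPath -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $key) { return $null }
    return (Get-ItemProperty -Path $key.PSPath).UserEmail
}

function New-DeviceNameFromEmail {
    param(
        [Parameter(Mandatory)][string]$Email,
        [int]$Random = (Get-Random -Minimum 100 -Maximum 1000)
    )
    # Local part of the UPN; drop anything that is not a letter or digit, because
    # dots, underscores and apostrophes are not valid in a NetBIOS name.
    $prefix = ($Email.Split('@')[0] -replace '[^A-Za-z0-9]', '').ToUpper()
    if ($prefix.Length -eq 0) { throw "No usable characters in '$Email'" }
    # 9 + '-' + 3 digits + '-L' = 15 characters, the NetBIOS maximum.
    if ($prefix.Length -gt 9) { $prefix = $prefix.Substring(0, 9) }
    $name = '{0}-{1:D3}-L' -f $prefix, $Random
    if ($name.Length -gt 15 -or $name -notmatch '^[A-Z0-9-]+$') {
        throw "Generated name '$name' is not a valid computer name"
    }
    return $name
}

function Test-AlreadyRenamed {
    # Intune re-runs a script that reported failure; avoid renaming twice.
    param([string]$Prefix, [string]$CurrentName = $env:COMPUTERNAME)
    return $CurrentName -match "^$([regex]::Escape($Prefix))-\d{3}-L$"
}

$email = Get-AadJoinUserEmail
if (-not $email) { Write-Warning 'Device is not Azure AD joined'; return }
$newName = New-DeviceNameFromEmail -Email $email
$prefix = $newName.Split('-')[0]
if (Test-AlreadyRenamed -Prefix $prefix) {
    Write-Output "Already renamed to $env:COMPUTERNAME; nothing to do"
} else {
    # -WhatIf only reports the intended change; remove it to apply the rename.
    Rename-Computer -NewName $newName -ErrorAction Stop -WhatIf
}
```

A three-digit random suffix still allows two devices of the same user to collide; if that matters, check the generated name against your directory before applying it.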
Configure PowerShell Script Profile in Intune:
- In the Azure portal, select All services > filter on Intune > select Microsoft Intune.
- Select Device configuration > PowerShell scripts > Add.
- Enter a Name and Description for the PowerShell script. For Script location, browse to the PowerShell script we created. The script must be less than 200 KB (ASCII) or 100 KB (Unicode) in size.
- Choose Configure. For running the script in the user context, leave the setting at No; by default the script runs in the system context.
Note: When the script runs in the user context, renaming the computer fails because it needs elevated permissions.
- Choose whether the script must be signed by a trusted publisher. By default there is no requirement for the script to be signed, so leave it as No.
- Select OK, and then Create to save the script.
Assign the profile to AD Device Security group:
- In PowerShell scripts, select the script to assign, and then choose Manage > Assignments.
- Choose Select Groups to list available Azure AD groups.
- Select AAD Windows 10 Devices group which we have created in step 1.
- Click Select and Click Save.
Review the status based on user or device:
Note: It can take up to 15 minutes for the script configuration to reach the device. Even when the script executes successfully, the computer name changes only after the machine restarts, and only then is the name updated in Azure AD. So in a real deployment we must wait until the user restarts the machine. In my lab, I restarted the machine and captured the update.
- In the Azure portal, select All services > filter on Intune > select Microsoft Intune.
- Select Device configuration > PowerShell script.
- Click the PowerShell script Rename Windows Computer PS Script and navigate to Device Status.
- The Status is Succeeded. The device has been renamed to "MKANNAN-604-L".
- Going back to the Windows 10 machine and reviewing the log, we find that the execution was successful, and the hostname command in Command Prompt or PowerShell returns the new machine name.
- Also, going back to the Azure Active Directory group, I can see the new name has been updated.
Hurray! The device has been automatically renamed as per the defined criteria. You can edit the PowerShell logic and define your own organizational criteria to rename the device.