Supercharge AAD Sync for new hybrid Azure AD joined Autopilot devices
So you want to speed up the Autopilot enrollment process on a Hybrid Azure AD Join scenario? Well then, this is want you want to set up in your environment.
Let me give you some explanation what you exactly speed up and why this can even solve problems in some ways. So if you are using HAADJ for your devices Intune will handle the enrollment into Intune and the domain join. (with an offline domain join blob learn more) But not the hybrid join to Azure. For this we will need to wait for the next sync thorugh AAD Connector to have the computer object in AAD too. This is the following step during the ESP:
This means that in the worst case a user will wait 30 minutes (by default sync period) for the next aad sync in this step.
The solution and how to set it up
Steve Prentice offers the workaround for this issue. It is a script called SyncNewAutoPilotComputersandUsersToAAD.ps1 that hits the start-adsyncsynccyle command for AAD sync if there are any computer objects created in the last 5 hours from a specific OU (which you will need to provide) with an existing usercertificate attribute. You simply set up a scheduled task, on the server with AAD connector installed as described:
- Download & adjust the script with your custom values. Insert the distinguished name of where the Intune computerobjects from the domain join are stored: (optionally give the DN of your Intune users OU location)
- Set up a scheduled task:
and the path to the script (custom, for example C:\Tasks) with parameter -File
Check if it works
Now you want to test if this process works.
- Execute "Get-ADSyncScheduler" in a Powershell session to see when the next sync was planned originally.
- Create a test computerobject in the OU you provided in the script and add a custom value (just any nonsense) for the usercertificate attribute.
- Run the script manually through the Task Scheduler.
- Perform another "Get-ADSyncScheduler" to see if the next sync was delayed to a diffrent time. (should be because through the script it should have made a sync) It should look something like this:
Check out if you can run a manual "Start-ADSyncSyncCycle -Policytype Delta" command through a non-elevated Powershell session. If this is not possible there might be a dedicated user configured in your AAD synchronization options or the privileges are not sufficient.
Run the script manual (without task scheduler) or check error codes in the task scheduler. Also consider a look to the histroy in the task:
If you want to read more about it.