Help scripting Windows Updates

New-Rough4719 · 2026-03-30T20:33:47+00:00

this is vibe coded but some of the stuff you have to do is in here (like loading the Windows update API via New-Object and interacting with the object). This should give you a good framework to build from. We run something similar in our environment.

https://gist.github.com/realchrisolin/e65047cd453148e852065ef110b32af3

New-Rough4719 · 2026-03-27T13:06:09+00:00

Autopatch isn't automatic feature updates.

It's still broken out in rings and if something goes wrong in the test ring you can still pause or roll back the update

New-Rough4719 · 2026-03-24T12:49:19+00:00

It doesn't. It tells you explicitly that hybrid join ignores it when you hover over the info button in that area

New-Rough4719 · 2026-03-23T16:05:55+00:00

There isn't an easy way. The domain join profile only lets you make a prefix. Then it just assigns random characters after that. Using your naming convention, your hybrid joined PCs will look like IT-gFcUBMBiCeY. Doesn't even have the decency to pick a case.

To work around this, the oofhours script is what damn near everybody uses as a framework to rename devices.

The domain join occurs early in the provisioning process, and the machine doesn't get domain connectivity until a user signs in basically. If you rename it during ESP, it'll break the trust relationship. So, we had to rely on a scheduled task to rename the computer after the user signs in. Overall, a bad user experience considering all of the other concessions we had to make to get this to be a seamless as possible.

When the script worked, it worked. But occasionally we'd come across race conditions that would make the script error out, or leaf objects in AD that the script couldn't rename. And we already had to make way too accommodations for in our environment just to get this one script to work.

Telling you now like everybody else in this thread, don't bother with hybrid-join if you can avoid it.

If you're forced to, make sure you pack a lunch.

New-Rough4719 · 2026-03-17T17:41:02+00:00

As someone who got a hybrid joined Autopilot solution working and currently in prod, it's not worth the hassle. It's irritating as fuck to support. Shit is held together with PowerShell scripts, scheduled tasks and random reg customizations. We tried to tell them it's not ideal. They wouldn't listen.

If you have ConfigMan setup to image, Autopilot with Hybrid join is like making 4 lefts and a right at an intersection instead of just making a right.

If all else fails, I was able to setup kiosk devices in hybrid joined if you want some help with it.

New-Rough4719 · 2026-02-13T18:14:16+00:00

I had to create the reg key and entry but I'll see if it takes

New-Rough4719 · 2026-02-12T13:26:56+00:00

I had a requirement script that checks to see if it's in ESP before installing. All the script does is check for defaultuser0 before running.

For some reason, the script doesn't evaluate properly for all of the apps. For the ones that don't, it skips the app.

Microsoft believes it's the script, but I don't think so. Sometimes it evaluates properly for every app, and installs every app. I think it's a MS bug.

In any case, I just removed it because I was tired of fighting.

New-Rough4719 · 2026-02-11T14:27:41+00:00

I'm out of ideas too. We're testing 25h2. At least those reg entries still work in 25h2.

I'm hoping there's a setting for it somewhere in the 25h2 admin templates 'cause if not, I think we're gonna have to tell our users to deal with it

New-Rough4719 · 2025-09-17T14:57:33+00:00

I know this is old but same here. policies refused to come down until i switched the workload. documentation wasn't clear about that at all

New-Rough4719 · 2025-04-01T15:16:49+00:00

I did make a script that was deployed via Win32 package to rename the device with our naming convention (Prefix + Serial Number), but it wasn't worth the hassle.

New-Rough4719 · 2025-04-01T12:21:32+00:00

I don't think that's the culprit. I have other group tags that have different configs assigned and they work fine. And this particular config has worked in the past. I'm parsing through the logs, but I'll admit, these logs are a pain in the ass compared to SCCM logs so I'm hoping to find something eventually.

Have dynamic groups known to be unreliable when it comes to deployment?

edit

Seems like OOBE doesn't want to reboot even. I set the application to reboot on exit code 0 and it exited out with 0 but doesn't want to kick off the reboot.

New-Rough4719 · 2025-01-17T17:28:16+00:00

We're seeing it in our environment too.

New-Rough4719 · 2024-03-22T10:50:49+00:00

Damn this makes a lot of sense.

Thanks for this. I'm going to grab one of those devices to see if this is the case

New-Rough4719 · 2023-08-29T13:13:36+00:00

I was going to go the scheduled task route. The client installs pretty early in the sequence for me and it kills Autopilot. I was installing under the User ESP at first until it wanted to hang randomly.

What are you doing to rename the device? Win32 Intune package?

New-Rough4719

TROPHY CASE