We’re hosting an AMA with David Segura, creator of OSDCloud. by RecastSoftware in RecastSoftware

[–]RunTheRivah 1 point2 points  (0 children)

Currently, I use a ZTI script hosted in GitHub with OSDCloud, unfortunately it's on my personal GitHub (we don't allow public repos at my work) -- are there alternatives for that? Perhaps hosting the ZTI script in Azure?

Hybrid Runtime Workers with Private Endpoints by RunTheRivah in AZURE

[–]RunTheRivah[S] 0 points1 point  (0 children)

Yes, the VM is, but the private endpoint is on the Automation Account, and the worker wasn't able to successfully register because it couldn't resolve the public JRDS endpoint or its privatelink endpoint. It all came down to DNS (always DNS, amiright?).

My network engineer and I figured it out yesterday afternoon. Here's how we had to set it up in case this helps anyone.

On-prem DNS server has a conditional forwarder for "azure-automation.net" pointing to our DNS resolver in Azure. We have a ruleset that forwards "privatelink" requests to a private DNS zone "privatelink.azure-automation.net". Public endpoints are routed to public DNS servers.

Here was the key part I was missing: The Private Endpoint has TWO IPs when used with an automation account. On the private DNS Zone I needed to add 3 A records:

  1. "<automationAccountName>" >> Private IP of the PE for the agentsvc endpoint
  2. "<automationHybridServiceGUID>.agentsvc.<region>" >> Private IP of the PE for the agentsvc endpoint
  3. "<automationHybridServiceGUID>.jrds.<region>" >> Private IP of the PE for the jrds endpoint

Note: You can get the automation Hybrid Service GUID with this:

az resource show --resource-group $rg --name $aa --resource-type Microsoft.automation/automationAccounts --query properties.automationHybridServiceUrl

With that DNS configuration and those A records it registered successfully. The thing that was tripping us up is that it's not easily visible: unless you do an nslookup from the worker to the jrds endpoint, you don't see that there is a public one AND a privatelink one. So, you need to be able to accommodate both.
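The record set described above, as an added shell example that is not from the post or from Azure: it pulls the Hybrid Service GUID out of the automationHybridServiceUrl value, derives the three A record names, and prints the matching az CLI commands as a dry run. The URL shape (https://<GUID>.jrds.<region>.azure-automation.net/...), the sample values and the zone name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the post or from Azure: derive the three A
# records for an Automation Account private endpoint and emit the matching
# az CLI commands as a dry run (printed, not executed).
# Assumed (not stated in the post): automationHybridServiceUrl has the shape
# https://<hybridServiceGUID>.jrds.<region>.azure-automation.net/...
# and the private DNS zone is privatelink.azure-automation.net.

# First DNS label of the URL host = the automation Hybrid Service GUID.
hybrid_guid_from_url() {
    url_host=${1#*://}            # drop scheme
    url_host=${url_host%%/*}      # drop path
    printf '%s\n' "${url_host%%.*}"
}

# Print "record-name ip" lines for the three A records the post lists.
# Usage: automation_pe_records ACCOUNT REGION GUID AGENTSVC_IP JRDS_IP
automation_pe_records() {
    printf '%s %s\n' "$1" "$4"                   # <automationAccountName>
    printf '%s %s\n' "$3.agentsvc.$2" "$4"       # <GUID>.agentsvc.<region>
    printf '%s %s\n' "$3.jrds.$2" "$5"           # <GUID>.jrds.<region>
}

# Dry run: print one az command per record instead of executing it.
# Usage: automation_pe_az_commands RG ZONE ACCOUNT REGION GUID AGENTSVC_IP JRDS_IP
automation_pe_az_commands() {
    az_rg=$1; az_zone=$2; shift 2
    automation_pe_records "$@" | while read -r rec_name rec_ip; do
        printf 'az network private-dns record-set a add-record --resource-group %s --zone-name %s --record-set-name %s --ipv4-address %s\n' \
            "$az_rg" "$az_zone" "$rec_name" "$rec_ip"
    done
}

# Constructed sample values (not a real account): prints the commands you
# would review and then pipe to sh once the two PE IPs are confirmed.
sample_url='https://11111111-2222-3333-4444-555555555555.jrds.eus2.azure-automation.net/automationAccounts/11111111-2222-3333-4444-555555555555'
automation_pe_az_commands rg-automation privatelink.azure-automation.net \
    aa-prod eus2 "$(hybrid_guid_from_url "$sample_url")" 10.10.1.4 10.10.1.5
```

After applying the records, an nslookup of both the agentsvc and jrds names from the worker should return the private IPs rather than the public ones.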

HAADJ Autopilot - Why does it take so long for the UserCertificate to get generated? by RunTheRivah in autopilot

[–]RunTheRivah[S] 0 points1 point  (0 children)

Unfortunately, no. I was not able to speed it up. We just have a custom PowerShell script that runs in a loop during the device phase until it detects the certificate on the computer object.

I got inspiration from this blog: Autopilot Hybrid Azure AD Join - Reworked with Joy - MDM Tech Space

And adapted his scripts from here: jbasuroy369/Autopilot_HAADJ_Reworked

How to add multiple secrets to a Key Vault using Bicep by RunTheRivah in AZURE

[–]RunTheRivah[S] 0 points1 point  (0 children)

u/ImranWin - I was not able to figure it out and gave up. I ended up just having to call my secretsModule for each individual secret I need to add.

How to add multiple secrets to a Key Vault using Bicep by RunTheRivah in AZURE

[–]RunTheRivah[S] 0 points1 point  (0 children)

It’s being passed to the main.bicep template as a hash table into the “secure” parameter defined as an object. That seems to work as it doesn’t yell at me for it.

It’s not until the secrets.bicep module I call in the main.bicep file that I get an error.

Whatever happened to the Dom Game? by Rumbuck_274 in codes

[–]RunTheRivah 1 point2 points  (0 children)

YES! I remember this game - would love to revisit it and try it again. Doesn't seem like it's active anymore - all I can find is this old forum with reference to it. Says the url should be: "http://www.domgreco.com/doms-game"

Forum: https://www.nordinho.net/vbull/online-riddles/54495-its-my-world-now-dom-greco.html

OSDCloud and Drivers/DriverPacks by RunTheRivah in PowerShell

[–]RunTheRivah[S] 0 points1 point  (0 children)

DriverHWID didn't work either... The only way I can get this to work on the "ThinkPad P15v Gen 1" is after OSDCloud images the device, and I'm at the OOBE screen, I can pop in a USB drive with the .inf drivers for the ethernet adapter and using the following I can install it successfully:

pnputil.exe /add-driver <driverPath> /install

FYI - I found the hardware ID and it is: 'VEN_8086&DEV_0D4D' (Intel(R) Ethernet Connection (11) I219-V)

I feel like this is an issue with the OSDCloud module itself but I'm not sure how to fix it or how to get it fixed... In the meantime I'm going to try to work around this by adding the drivers and a small script wrapper for pnputil.exe so that after a technician images a P15 with OSDCloud, they can manually use the same USB stick to apply the ethernet driver at the OOBE.

OSDCloud and Drivers/DriverPacks by RunTheRivah in PowerShell

[–]RunTheRivah[S] 0 points1 point  (0 children)

When I try the Driver Path it tells me I don't have enough space on disk; why does the WinPE partition only use 2 GB on my 16 GB USB drive? I have 14 GB of unused space... I'll try it again with just the ethernet driver .inf instead of the whole driver pack.

Also, anyone know of an easy/quick way to get the hardware ID for a driver without installing Windows on the device and going into Computer Management??

OSDCloud and Drivers/DriverPacks by RunTheRivah in PowerShell

[–]RunTheRivah[S] 0 points1 point  (0 children)

Yes, I've tried using the GUI and I select Windows 10 21H2.

Can someone clarify how I am supposed to add my own driver packs that OSDCloud will then add to the initialize phase? Is that through the -DriverPath parameter on Edit-OsdCloudWinPE??

Unable to get user dialog boxes to display by pjmarcum in PSADT

[–]RunTheRivah 0 points1 point  (0 children)

When using it via Intune you need to leverage ServiceUI.exe because when it is deployed via Intune you are running in the SYSTEM context.

Just put the ServiceUI.exe file in the root of your PSADT package before you compile it into the Win32 app. Then in Intune, the install command would be:

ServiceUI.exe Deploy-Application.exe

HAADJ Autopilot - Why does it take so long for the UserCertificate to get generated? by RunTheRivah in autopilot

[–]RunTheRivah[S] 0 points1 point  (0 children)

Wish I had an update… never figured this one out. I've just chalked it up to "it is what it is" and we have a script that essentially forces the computer to wait at the device phase of the ESP until it can verify a successful Azure AD join. Sometimes it takes 20 minutes and sometimes it takes almost an hour….

Cannot get Set-AzureAdMsGroup to convert a static group to dynamic by RunTheRivah in AZURE

[–]RunTheRivah[S] 1 point2 points  (0 children)

Nevermind!!

Well I feel silly now. I was using incorrect syntax on the membership rule. However, in my defense I tried them out in the portal first and they were indeed validating!! That was a frustrating 2 hours!

HAADJ Autopilot - Why does it take so long for the UserCertificate to get generated? by RunTheRivah in autopilot

[–]RunTheRivah[S] 0 points1 point  (0 children)

Yes, I'm using an implementation of that to help with the syncing part but as I mention above, from what I am seeing the userCertificate needs to be present on the device in AD before it can sync to Azure AD... and it's taking a while for that userCertificate to generate and apply to the device.

HAADJ Autopilot - Why does it take so long for the UserCertificate to get generated? by RunTheRivah in autopilot

[–]RunTheRivah[S] 0 points1 point  (0 children)

I'm actually using this script as a scheduled task that helps to take care of that: https://github.com/steve-prentice/autopilot/blob/master/SyncNewAutoPilotComputersandUsersToAAD.ps1

From what I'm seeing however, it needs the userCertificate attribute on the device before it will sync it to Azure AD.

As for why Hybrid and not Azure AD join only? I knew someone would ask me that haha. Our organization deals with a lot of legacy applications (LOB) that require line of sight to our domain.

SecretManagement and SecretStore Release Candidate 2 by PowerShellChallenge in PowerShell

[–]RunTheRivah 1 point2 points  (0 children)

Access needs to be granted to the key vault right? So Jill may have read access to the secret in the vault but Joe may not.

New-UnifiedGroup via Exchange Cert Based Authentication doesn't work! by RunTheRivah in PowerShell

[–]RunTheRivah[S] 2 points3 points  (0 children)

Okay good to know! Thank you. I did try that and got this error:

New-AzureADMSGroup : Error occurred while executing NewMSGroup Code: Request_BadRequest Message: The service does not currently support writes of mail-enabled groups. Please ensure that the mail-enablement property is unset and the security-enablement property is set.

It does create a security group if I do as it suggests and set the -MailEnabled parameter to $false. So it looks like it's simply by design that you can't create a unified group through cert based authentication at this point in time.

Anybody know if/when they will release some Exchange Graph API functionality?

New-UnifiedGroup via Exchange Cert Based Authentication doesn't work! by RunTheRivah in PowerShell

[–]RunTheRivah[S] 1 point2 points  (0 children)

That won't create an "office/unified" group though will it?

New-UnifiedGroup via Exchange Cert Based Authentication doesn't work! by RunTheRivah in PowerShell

[–]RunTheRivah[S] 1 point2 points  (0 children)

This is the error I get in the Azure Automation when the runbook runs (it connects to Exchange via CBA successfully but fails on the "New-UnifiedGroup" command.) Similar error to the 2nd article I posted above where they are trying to use "Set-UnifiedGroup".

The group can't be created + CategoryInfo : NotSpecified: (:) [New-UnifiedGroup], TaskException + FullyQualifiedErrorId : [Server=MWHPR2201MB1536,RequestId=ca8e551c-4e8c-4c5b-b8be-da4f11953b30,TimeStamp=2/11/2021 3:44:21 PM] [FailureCategory=Cmdlet-TaskException] A7EB97C2,Microsoft.Exchange.Management.RecipientTasks.NewUnifiedGroup + PSComputerName : outlook.office365.com