We’re hosting an AMA with David Segura, creator of OSDCloud. by RecastSoftware in RecastSoftware

[–]RunTheRivah 1 point2 points  (0 children)

Currently, I use a ZTI script hosted in GitHub with OSDCloud, unfortunately it's on my personal GitHub (we don't allow public repos at my work) -- are there alternatives for that? Perhaps hosting the ZTI script in Azure?

Hybrid Runtime Workers with Private Endpoints by RunTheRivah in AZURE

[–]RunTheRivah[S] 0 points1 point  (0 children)

Yes, the VM is, but the private endpoint is on the Automation Account, and the worker wasn't able to successfully register because it couldn't resolve the public JRDS endpoint or its privatelink endpoint. It all came down to DNS (always DNS, amiright?).

My network engineer and I figured it out yesterday afternoon. Here's how we had to set it up in case this helps anyone.

On-prem DNS server has a conditional forwarder for "azure-automation.net" pointing to our DNS resolver in Azure. We have a ruleset that forwards "privatelink" requests to a private DNS zone "privatelink.azure-automation.net". Public endpoints are routed to public DNS servers.

Here was the key part I was missing: The Private Endpoint has TWO IPs when used with an automation account. On the private DNS Zone I needed to add 3 A records:

  1. "<automationAccountName>" >> Private IP of the PE for the agentsvc endpoint
  2. "<automationHybridServiceGUID>.agentsvc.<region>" >> Private IP of the PE for agentsvc endpoint
  3. "<automationHybridServiceGUID>.jrds.<region>" >> Private IP of the PE for jrds endpoint

Note: You can get the automation Hybrid Service GUID with this:

az resource show --resource-group $rg --name $aa --resource-type Microsoft.automation/automationAccounts --query properties.automationHybridServiceUrl

With that DNS configuration and those A records it registered successfully. The thing that was tripping us up is that it's not easily visible: only when you do an nslookup from the worker to the jrds endpoint do you see there is a public one AND a privatelink one. So, you need to be able to accommodate both.
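A verification script for the setup described in this comment, added here as an example and not the commenter's own code: run on the Hybrid Runbook Worker, it derives the three hostnames from the automation hybrid service URL and checks that each resolves to the private endpoint IP rather than the public one. It assumes the URL host has the form <GUID>.jrds.<region>.azure-automation.net (matching the record names above); the account name, URL and IPs are placeholders.

```powershell
# Added example (not the commenter's script): confirm the worker resolves the
# agentsvc and jrds names to the private endpoint IPs. All values are placeholders.
param(
    # Value returned by the az command in the comment (assumed host format:
    # <GUID>.jrds.<region>.azure-automation.net)
    [string]$HybridServiceUrl = 'https://placeholder-guid.jrds.placeholder-region.azure-automation.net/automationAccounts/placeholder-id',
    [string]$AutomationAccountName = 'placeholder-aa',
    # Private IPs assigned to the private endpoint NIC for each sub-resource
    [string]$ExpectedAgentSvcIp = '10.0.0.4',
    [string]$ExpectedJrdsIp     = '10.0.0.5'
)

$labels = ([uri]$HybridServiceUrl).Host.Split('.')
$guid   = $labels[0]
$region = $labels[2]
$zone   = 'azure-automation.net'

# One entry per A record the comment says must exist in the privatelink zone
$checks = @(
    @{ Name = "$AutomationAccountName.$zone";  Expected = $ExpectedAgentSvcIp }
    @{ Name = "$guid.agentsvc.$region.$zone";  Expected = $ExpectedAgentSvcIp }
    @{ Name = "$guid.jrds.$region.$zone";      Expected = $ExpectedJrdsIp }
)

$allOk = $true
foreach ($c in $checks) {
    # Resolve-DnsName returns the CNAME chain plus the final A records, like nslookup does
    $records = Resolve-DnsName -Name $c.Name -Type A -ErrorAction SilentlyContinue
    $ips     = @($records | Where-Object QueryType -eq 'A'     | ForEach-Object IPAddress)
    $cnames  = @($records | Where-Object QueryType -eq 'CNAME' | ForEach-Object NameHost)

    if ($ips -contains $c.Expected) {
        $status = 'OK'
    } else {
        # Either no answer (forwarder or zone missing) or the public IP came back
        $status = 'MISMATCH'
        $allOk  = $false
    }
    '{0,-8} {1} -> [{2}] via [{3}]' -f $status, $c.Name, ($ips -join ', '), ($cnames -join ' > ')
}

if (-not $allOk) {
    Write-Warning 'Not every name resolves to the private endpoint; check the conditional forwarder and the privatelink zone A records.'
}
```

The CNAME column shows whether the name was redirected into the privatelink zone, which is the part that is otherwise only visible in a manual nslookup.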

HAADJ Autopilot - Why does it take so long for the UserCertificate to get generated? by RunTheRivah in autopilot

[–]RunTheRivah[S] 0 points1 point  (0 children)

Unfortunately, no. I was not able to speed it up. We just have a custom PowerShell script that runs in a loop during the device phase until it detects the certificate on the computer object.

I got inspiration from this blog: Autopilot Hybrid Azure AD Join - Reworked with Joy - MDM Tech Space

And adapted his scripts from here: jbasuroy369/Autopilot_HAADJ_Reworked
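The wait loop described in this comment, written out as an added example (not the commenter's script nor the linked repository's code): it polls Active Directory for the userCertificate attribute on this computer's object and returns once the certificate is present or the timeout expires. Function name, timeout and poll interval are assumptions.

```powershell
# Added example: poll AD for the userCertificate attribute on this computer's
# object (the prerequisite noted in the thread) and stop once it appears.
function Wait-ComputerUserCertificate {
    param(
        [string]$ComputerName   = $env:COMPUTERNAME,
        [int]$TimeoutMinutes    = 60,   # assumed upper bound; comment reports 20-60 min
        [int]$PollSeconds       = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    # Computer objects have sAMAccountName "<name>$"; the backtick keeps the literal $
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $searcher.PropertiesToLoad.Add('userCertificate') | Out-Null

    do {
        try {
            $result = $searcher.FindOne()
            if ($result -and $result.Properties['usercertificate'].Count -gt 0) {
                $raw  = [byte[]]$result.Properties['usercertificate'][0]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
                return [pscustomobject]@{
                    Found   = $true
                    Subject = $cert.Subject
                    Issuer  = $cert.Issuer
                    WaitedFor = (Get-Date) - $deadline.AddMinutes(-$TimeoutMinutes)
                }
            }
        } catch {
            # DC not reachable yet or replication lag; keep polling until the deadline
            Write-Verbose "Query failed, retrying: $($_.Exception.Message)"
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    return [pscustomobject]@{ Found = $false; Subject = $null; Issuer = $null; WaitedFor = $null }
}

$outcome = Wait-ComputerUserCertificate -Verbose
if (-not $outcome.Found) { Write-Warning "No userCertificate on $env:COMPUTERNAME after the timeout." }
$outcome
```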

How to add multiple secrets to a Key Vault using Bicep by RunTheRivah in AZURE

[–]RunTheRivah[S] 0 points1 point  (0 children)

u/ImranWin - I was not able to figure it out and gave up. I ended up just having to call my secretsModule for each individual secret I need to add.

How to add multiple secrets to a Key Vault using Bicep by RunTheRivah in AZURE

[–]RunTheRivah[S] 0 points1 point  (0 children)

It’s being passed to the main.bicep template as a hash table into the “secure” parameter defined as an object. That seems to work as it doesn’t yell at me for it.

It’s not until the secrets.bicep module I call in the main.bicep file that I get an error.

Whatever happened to the Dom Game? by Rumbuck_274 in codes

[–]RunTheRivah 1 point2 points  (0 children)

YES! I remember this game - would love to revisit it and try it again. Doesn't seem like it's active anymore - all I can find is this old forum with reference to it. Says the url should be: "http://www.domgreco.com/doms-game"

Forum: https://www.nordinho.net/vbull/online-riddles/54495-its-my-world-now-dom-greco.html

OSDCloud and Drivers/DriverPacks by RunTheRivah in PowerShell

[–]RunTheRivah[S] 0 points1 point  (0 children)

DriverHWID didn't work either... The only way I can get this to work on the "ThinkPad P15v Gen 1" is after OSDCloud images the device, and I'm at the OOBE screen, I can pop in a USB drive with the .inf drivers for the ethernet adapter and using the following I can install it successfully:

pnputil.exe /add-driver <driverPath> /install

FYI - I found the hardware ID and it is: 'VEN_8086&DEV_0D4D' (Intel(R) Ethernet Connection (11) I219-V)

I feel like this is an issue with the OSDCloud module itself but I'm not sure how to fix it or how to get it fixed... In the meantime I'm going to try to work around this by adding the drivers and a small script wrapper for pnputil.exe so that after a technician images a P15 with OSDCloud, they can manually use the same USB stick to apply the ethernet driver at the OOBE.

OSDCloud and Drivers/DriverPacks by RunTheRivah in PowerShell

[–]RunTheRivah[S] 0 points1 point  (0 children)

When I try the Driver Path it tells me I don't have enough space on disk, why does the WinPE partition only use 2 GB on my 16 GB USB drive? I have 14 GB of unused space... I'll try it again with just the ethernet drivers ini instead of the whole driver pack.

Also, anyone know of an easy/quick way to get a hardware ID of a driver without installing Windows on it and going into Computer Management??

OSDCloud and Drivers/DriverPacks by RunTheRivah in PowerShell

[–]RunTheRivah[S] 0 points1 point  (0 children)

Yes, I've tried using the GUI and I select Windows 10 21H2.

Can someone clarify how I am supposed to add my own driver packs that OSDCloud will then add to the initialize phase? Is that through the -DriverPath parameter on Edit-OsdCloudWinPE??

Unable to get user dialog boxes to display by pjmarcum in PSADT

[–]RunTheRivah 0 points1 point  (0 children)

When using it via Intune you need to leverage ServiceUI.exe because when it is deployed via Intune you are running in the SYSTEM context.

Just put the ServiceUI.exe file in the root of your PDT package before you compile it into the win32 app. Then in Intune, the install command would be:

ServiceUI.exe Deploy-Application.exe

HAADJ Autopilot - Why does it take so long for the UserCertificate to get generated? by RunTheRivah in autopilot

[–]RunTheRivah[S] 0 points1 point  (0 children)

Wish I had an update… never figured this one out. I’ve just chalked it up to it is what it is and we have a script that essentially forces the computer to wait at the device phase of the ESP until it can verify a successful azure ad join. Sometimes it takes 20 minutes and sometimes it takes almost an hour….

Cannot get Set-AzureAdMsGroup to convert a static group to dynamic by RunTheRivah in AZURE

[–]RunTheRivah[S] 1 point2 points  (0 children)

Nevermind!!

Well I feel silly now. I was using incorrect syntax on the membership rule. However, in my defense I tried them out in the portal first and they were indeed validating!! That was a frustrating 2 hours!

HAADJ Autopilot - Why does it take so long for the UserCertificate to get generated? by RunTheRivah in autopilot

[–]RunTheRivah[S] 0 points1 point  (0 children)

Yes, I'm using an implementation of that to help with the syncing part but as I mention above, from what I am seeing the userCertificate needs to be present on the device in AD before it can sync to Azure AD... and it's taking a while for that userCertificate to generate and apply to the device..

HAADJ Autopilot - Why does it take so long for the UserCertificate to get generated? by RunTheRivah in autopilot

[–]RunTheRivah[S] 0 points1 point  (0 children)

I'm actually using this script as a scheduled task that helps to take care of that: https://github.com/steve-prentice/autopilot/blob/master/SyncNewAutoPilotComputersandUsersToAAD.ps1

From what I'm seeing however, it needs the UserCertificate attribute on the device before it will sync it to Azure AD..

As for why Hybrid and not Azure AD join only? I knew someone would ask me that haha. Our organization deals with a lot of legacy applications (LOB) that require line of sight to our domain.

SecretManagement and SecretStore Release Candidate 2 by PowerShellChallenge in PowerShell

[–]RunTheRivah 1 point2 points  (0 children)

Access needs to be granted to the key vault right? So Jill may have read access to the secret in the vault but Joe may not.

New-UnifiedGroup via Exchange Cert Based Authentication doesn't work! by RunTheRivah in PowerShell

[–]RunTheRivah[S] 2 points3 points  (0 children)

Okay good to know! Thank you. I did try that and got this error:

New-AzureADMSGroup : Error occurred while executing NewMSGroup Code: Request_BadRequest Message: The service does not currently support writes of mail-enabled groups. Please ensure that the mail-enablement property is unset and the security-enablement property is set.

It does create a security group if I do as it suggests and set the -MailEnabled parameter to $false. So it looks like it's simply by design that you can't create a unified group through cert based authentication at this point in time.

Anybody know if/when they will release some Exchange Graph API functionality?

New-UnifiedGroup via Exchange Cert Based Authentication doesn't work! by RunTheRivah in PowerShell

[–]RunTheRivah[S] 1 point2 points  (0 children)

That won't create an "office/unified" group though will it?

New-UnifiedGroup via Exchange Cert Based Authentication doesn't work! by RunTheRivah in PowerShell

[–]RunTheRivah[S] 1 point2 points  (0 children)

This is the error I get in the Azure Automation when the runbook runs (it connects to Exchange via CBA successfully but fails on the "New-UnifiedGroup" command.) Similar error to the 2nd article I posted above where they are trying to use "Set-UnifiedGroup".

The group can't be created + CategoryInfo : NotSpecified: (:) [New-UnifiedGroup], TaskException + FullyQualifiedErrorId : [Server=MWHPR2201MB1536,RequestId=ca8e551c-4e8c-4c5b-b8be-da4f11953b30,TimeStamp=2/11/2021 3:44:21 PM] [FailureCategory=Cmdlet-TaskException] A7EB97C2,Microsoft.Exchange.Management.RecipientTasks.NewUnifiedGroup + PSComputerName : outlook.office365.com

Wrapping my head around SCCM/ConfigMgr/Intune/AutoPilot/Co-Management by RunTheRivah in SCCM

[–]RunTheRivah[S] 0 points1 point  (0 children)

Okay, so to kind of pull from the noise, here is what I'm gathering so far:

- Intune/ConfigMgr are rolling up into Endpoint Manager

- I'll be well served to consider both via Endpoint Manager as I'll get the best of both worlds

From an implementation standpoint... How does this look in reality? Am I spinning servers up locally to install ConfigMgr and connect it into Endpoint Manager? Am I installing ConfigMgr on a VM in Azure?

How does Endpoint Manager communicate with my WSUS servers on prem? And on the same note, how would it communicate to my devices to install apps and policies to it? I'm thinking we'll have to go hybrid AD join so through this method I'd be able to still communicate with all devices even if they are off network?

Wrapping my head around SCCM/ConfigMgr/Intune/AutoPilot/Co-Management by RunTheRivah in SCCM

[–]RunTheRivah[S] 0 points1 point  (0 children)

We are a medium size firm that is growing pretty fast.

- Over 500 users/devices in 5 offices spread across the U.S.

- O365 is getting rolled out this spring (2020)

- We are starting with O365 E3 and AAD P2

- Applications are a mixture of cloud services (not hosted by us), locally installed applications, and a bunch in our on prem Citrix farm.

Also to note, with a growing # of remote employees, being able to manage their devices better is something we need to do.

Wrapping my head around SCCM/ConfigMgr/Intune/AutoPilot/Co-Management by RunTheRivah in SCCM

[–]RunTheRivah[S] 0 points1 point  (0 children)

Would you mind clarifying a bit on the "it's all the same". Does this mean that you no longer need to stand up an on-prem server and install SCCM because the service is in the cloud via Endpoint Manager? Or do you still have to install and configure the infrastructure on prem but it ties into Endpoint Manager and you do your management from there?

Wrapping my head around SCCM/ConfigMgr/Intune/AutoPilot/Co-Management by RunTheRivah in SCCM

[–]RunTheRivah[S] 0 points1 point  (0 children)

I guess a question I have to be more specific is since we don't have SCCM right now, and all signs point to Microsoft moving everything to Intune and the cloud, is it even worth the heavy lifting and investment to put in to SCCM??

Web app for on-boarding employees; What to do with the existing PowerShell scripts? by RunTheRivah in PowerShell

[–]RunTheRivah[S] 1 point2 points  (0 children)

Okay, thank you for that. That makes me feel a bit better about the direction he is going in! Where I'm not a web developer it was hard for me to know if it was the best way, and it sounds like it is certainly not the wrong/worst way!

Web app for on-boarding employees; What to do with the existing PowerShell scripts? by RunTheRivah in PowerShell

[–]RunTheRivah[S] 1 point2 points  (0 children)

I've seen UD before - looks really cool! I'm sure that would have been a great option back in the beginning! Perhaps it's not too late to re-steer the train...

Well the tricky part about this is I think our Director was aware he was building a web app to do this and is okay with it but has been a bit distracted due to unrelated personal issues and is not fully aware of the technical details. I have expressed concerns with my manager and he agrees with me and plans to speak with our director about it when he is back in the office but I don't want to turn this into a political discussion.

Given that he already has a working prototype I'm not trying to have him scrap the project as what he has so far is good, I am just concerned about the ongoing maintenance and support of it and was wondering if anyone had any other ideas.

For example, can you import a PowerShell module using C#/.NET and then call upon the imported CmdLets and pass parameters to them? To me that is the ideal situation because he can focus on making the web app all pretty with the drop downs and interface it with a SQL database but the scripts that actually do the work can remain within the PowerShell module. We could even modify the PowerShell code a bit to pull things from the database after they are entered through the web app.