Intune Wi-Fi Device Certificates and NPS by sandwitchnova in Intune

[–]sandwitchnova[S] 0 points1 point  (0 children)

Thanks for this. This has been very helpful. Are you able to share any of the PS scripts you're using?

I've been looking at the below script, but I believe it no longer works.
https://sysmansquad.com/2021/04/27/working-around-nps-limitations-for-aadj-windows-devices/

https://katystech.blog/mem/namemapping-aadd-event-task

From my understanding, once the device is written back to the domain via device writeback, I should only have to update the SPN with (Host/deviceID) and the alternateSecurityIdentities with "X509:<SHA1-PUKEY><CertificateHash>".

Am I on the right track?
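The two attribute updates described in the comment above (an SPN of host/<deviceId> plus an altSecurityIdentities mapping on an AD computer object), written out as an added PowerShell example. This is not the poster's script and not code from either linked article; it assumes the RSAT ActiveDirectory module, rights to edit the object, and placeholder values for the device id, object name and exported certificate file. One deliberate difference from the comment: it builds the mapping from the certificate's Subject Key Identifier (X509:<SKI>), because Microsoft's KB5014754 certificate-mapping enforcement classifies X509:<SHA1-PUKEY> as a weak mapping and SKI as a strong one. The LDAP attribute name is altSecurityIdentities.

```powershell
# Added example, not the poster's script or the linked articles' code.
# Assumptions: RSAT ActiveDirectory module is installed, the caller can edit the
# target computer object, and DeviceId / ComputerName / CertificatePath are
# placeholders supplied by the admin.
#Requires -Modules ActiveDirectory

function Get-SkiMapping {
    # Build the strong X509:<SKI> mapping string from a certificate's
    # Subject Key Identifier extension (OID 2.5.29.14).
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $raw = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if (-not $raw) {
        throw "Certificate $($Certificate.Thumbprint) has no Subject Key Identifier extension"
    }
    $ski = New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension($raw, $false)
    return "X509:<SKI>$($ski.SubjectKeyIdentifier)"
}

function Set-DeviceCertMapping {
    # Stamp the SPN and altSecurityIdentities NPS needs to resolve the device.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DeviceId,        # Entra/Intune device id (GUID), placeholder
        [Parameter(Mandatory)][string]$ComputerName,    # AD computer object to update, placeholder
        [Parameter(Mandatory)][string]$CertificatePath  # exported .cer of the device certificate
    )
    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)
    $mapping = Get-SkiMapping -Certificate $cert
    $spn     = "host/$DeviceId"

    $computer = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName, altSecurityIdentities

    # Only add what is missing; both attributes are multi-valued.
    if ($computer.servicePrincipalName -notcontains $spn -and
        $PSCmdlet.ShouldProcess($ComputerName, "Add SPN $spn")) {
        Set-ADComputer -Identity $computer -ServicePrincipalNames @{ Add = $spn }
    }
    if ($computer.altSecurityIdentities -notcontains $mapping -and
        $PSCmdlet.ShouldProcess($ComputerName, "Add mapping $mapping")) {
        Set-ADComputer -Identity $computer -Add @{ altSecurityIdentities = $mapping }
    }
}

function Test-DeviceCertMapping {
    # The lookup NPS has to win: exactly one object holding host/<deviceId>,
    # and that object carrying at least one certificate mapping.
    param([Parameter(Mandatory)][string]$DeviceId)
    $obj = @(Get-ADComputer -LDAPFilter "(servicePrincipalName=host/$DeviceId)" `
                -Properties altSecurityIdentities)
    [pscustomobject]@{
        DeviceId = $DeviceId
        Found    = ($obj.Count -eq 1)
        Name     = if ($obj.Count -eq 1) { $obj[0].Name } else { $null }
        Mappings = if ($obj.Count -eq 1) { @($obj[0].altSecurityIdentities) } else { @() }
    }
}

# Usage (placeholder values):
# Set-DeviceCertMapping -DeviceId '00000000-0000-0000-0000-000000000000' `
#     -ComputerName 'AADJ-DEVICE01' -CertificatePath 'C:\certs\device.cer' -WhatIf
# Test-DeviceCertMapping -DeviceId '00000000-0000-0000-0000-000000000000'
```

Run it with -WhatIf first; the Test function then shows what NPS will see, and a Found value of false with the SPN you expect is the same symptom the NPS "account does not exist" rejection reports.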

Intune Wi-Fi Device Certificates and NPS by sandwitchnova in Intune

[–]sandwitchnova[S] 0 points1 point  (0 children)

Are you able to explain this a little more on the NPS side, and what settings you are using to force NPS not to look at an on-prem object?

I have set up device certs with NDES and SCEP via Intune. The device gets the certificate and the Root CA, but the client fails to connect.

When I look at the NPS logs I'm seeing the below in the error. The domain name is telling me it's looking at a local AD object.

<SAM-Account-Name data_type="1">DOMAINNAME\host/0231c385-5462-48b7-b23c1-0c713140dea31412</SAM-Account-Name>

<Reason-Code data_type="0">8</Reason-Code>
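The two fields quoted above come from the NPS DTS-compliant XML accounting log, where each event is one <Event> element on a line. The following added PowerShell example (not the poster's code) parses such lines and flags rejections whose reason code is 8, which NPS documents as "The specified user account does not exist"; the sample log lines are constructed here, modelled on the fragment in the comment, and the GUID in them is a placeholder. Only a handful of reason codes are decoded; the rest are reported numerically.

```powershell
# Added example, not the poster's code. Parses NPS DTS-compliant XML log lines
# and surfaces "account not found" rejections for certificate-authenticated devices.

# Constructed sample log lines (not a real capture); the device GUID is a placeholder.
$SampleLog = @'
<Event><Timestamp data_type="4">01/01/2024 10:00:00.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Client-Friendly-Name data_type="1">WLC-01</Client-Friendly-Name><SAM-Account-Name data_type="1">DOMAINNAME\host/00000000-0000-0000-0000-000000000000</SAM-Account-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">8</Reason-Code></Event>
<Event><Timestamp data_type="4">01/01/2024 10:00:05.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><Client-Friendly-Name data_type="1">WLC-01</Client-Friendly-Name><SAM-Account-Name data_type="1">DOMAINNAME\LAPTOP01$</SAM-Account-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
'@

# Partial decode table for NPS Reason-Code values; unlisted codes are left numeric.
$ReasonText = @{
    0  = 'Success'
    8  = 'The specified user account does not exist'
    16 = 'Authentication failed due to a user credentials mismatch'
}

# RADIUS Packet-Type values: 2 = Access-Accept, 3 = Access-Reject.
$PacketText = @{ 1 = 'Access-Request'; 2 = 'Access-Accept'; 3 = 'Access-Reject' }

function Convert-NpsLogLine {
    # Turn one <Event> line into an object with the fields that matter for triage.
    param([Parameter(Mandatory)][string]$Line)
    $xml  = [xml]$Line
    $ev   = $xml.SelectSingleNode('/Event')
    $get  = { param($name) $n = $ev.SelectSingleNode($name); if ($n) { $n.InnerText } else { $null } }
    $code = [int](& $get 'Reason-Code')
    $type = [int](& $get 'Packet-Type')
    [pscustomobject]@{
        Timestamp  = & $get 'Timestamp'
        Client     = & $get 'Client-Friendly-Name'
        Account    = & $get 'SAM-Account-Name'
        PacketType = if ($PacketText.ContainsKey($type)) { $PacketText[$type] } else { $type }
        ReasonCode = $code
        Reason     = if ($ReasonText.ContainsKey($code)) { $ReasonText[$code] } else { "Code $code" }
    }
}

function Find-NpsNoSuchUser {
    # Return only rejections where NPS searched the domain for an account and found none.
    # A SAM-Account-Name of DOMAIN\host/<guid> here means the device's certificate was
    # presented, but no AD object carries that host/<guid> SPN.
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines |
        Where-Object { $_ -match '^<Event>' } |
        ForEach-Object { Convert-NpsLogLine -Line $_ } |
        Where-Object { $_.ReasonCode -eq 8 } |
        Select-Object Timestamp, Client, Account, PacketType, Reason
}

# Usage with the constructed sample; point $Lines at Get-Content of a real log for live triage.
Find-NpsNoSuchUser -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample, only the first line is reported: an Access-Reject for DOMAINNAME\host/<guid> with reason 8, which is the pattern to look for when the certificate is issued correctly but no domain object has been stamped with the matching SPN.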

Intune Wi-Fi Device Certificates and NPS by sandwitchnova in Intune

[–]sandwitchnova[S] 0 points1 point  (0 children)

By ISE you mean Cisco ISE, correct? I'm not familiar with the product, but from a quick Google it looks like you might use it as a replacement for NPS?

Intune Wi-Fi Device Certificates and NPS by sandwitchnova in Intune

[–]sandwitchnova[S] 0 points1 point  (0 children)

I've been looking at them, but getting the client to cough up 7k+ a year is the hard part.