Autopilot Hybrid Joined device built outside the corporate network

Autopilot as we know still has limitations when deploying Hybrid Joined Devices especially when they are built outside the corporate network. The primary issue is the devices sometimes do not have direct line of site to the active directory to write the usercertificate attribute on the newly created device AD object when outside the office. With the usercertificate attribute missing from the local device AD object it will not be synced by AAD Connect and Azure will not provision a Hybrid Joined Device for this machine.

Now, we can use VPN and the popular choice is Always on VPN (AOVPN). However, depending on when the AOVPN profile is deployed through the Autopilot ESP build it may not be enough time for the connection to be established, and lets say the AOVPN profile is deployed early on during the build and the connection is established it still may not write the usercertificate back to the local directory in time. This is because the task schedule which creates the usercertificate attribute is a triggered schedule therefore even though the device may have a connected VPN the task schedule will not trigger as it may have already been triggered before the VPN connection was established. When using Autopilot whiteglove the device will need to be sealed at the end of the device ESP build and the problem you have will be a sealed device without the machine being Hybrid Joined Device within Azure. The end user will then not be able to sign in using their on-premise credentials.

Due to this issues mentioned above i have created a script which needs to be deployed as a Win32 intune app and assigned to the devices during the Autopilot build.

The below script will action the following:

1 – Add the RSAT tools for Windows 10

2 – Check for the AOVPN profile deployed during the build and force the connection to be established

3 – Ping the local domain controller consistently until it has successful pings,

4 – Check the usercertificate attribute is present on-premise for the device being built

5 – should the usercertificate value on-premise be null it will trigger the scheduled task to force the attribute to be created

6 – task 5 will run in a loop until it has successfully created the usercertificate attribute

7 – script will then stop running once the local active directory device object has the usercertificate attribute, this will ensure on the next AAD Connect sync it will create a Hybrid Joined Device in Azure

set-executionpolicy bypass
new-item -Path C:\setup -ItemType Directory
Add-WindowsCapability –online –Name “Rsat.ActiveDirectory.DS-LDS.Tools~~~~”
Import-Module ActiveDirectory
Start-Transcript -Path C:\setup\userCertificate.txt
$SessionHostServer = 'domaincontroller.changeme.local'
Do {
rasphone -d "Always On VPN Device Tunnel Name"
Start-Sleep -s 15
Until ((Test-NetConnection -ComputerName $SessionHostServer).PingSucceeded -eq $true)
Write-Host "Domain Controller is reachable"
Import-Module ActiveDirectory
If (($value).userCertificate -eq $null) {
Do {
    $value=Get-ADComputer -server $SessionHostServer -Identity $device -Properties userCertificate
    Get-ScheduledTask -TaskPath "\Microsoft\Windows\Workplace Join\" -TaskName Automatic-Device-Join | Start-ScheduledTask
    Start-Sleep -s 120
    Write-host $count
Until (($value).userCertificate -ne $null)
}else {
Write-host “UserCertificate in place”
$device | out-file -filepath c:\setup\complete.txt

Using the script above you can successfully build Autopilot hybrid joined devices outside the corporate network. The script has been created and tested on multiple machines by myself so please use at your own risk.