Autopilot (Hybrid): Complex Naming Standards (Part 1)

Jan 20, 2025

by Luke Torrens, Endpoint Architect

 

In the ever-evolving landscape of device management, simplicity and efficiency are paramount. Microsoft Autopilot has revolutionised the way organisations provision devices, streamlining deployment and ensuring consistency. However, hybrid environments come with their unique challenges, particularly when it comes to adhering to legacy device naming conventions.

This blog (the first in a series) serves as your guide to navigating these complexities, offering practical solutions for maintaining structured naming schemes in hybrid Autopilot deployments. While the push towards a cloud-only future remains strong, real-world constraints often necessitate hybrid setups. For organisations with structured workflows or regulatory requirements, device naming still plays a crucial role.

Let’s explore how you can tackle these challenges, balancing the modern efficiencies of Autopilot with the structured demands of hybrid environments.

 

Introduction to Autopilot Hybrid Join

Before we dive into the details, let’s address the inevitable question that arises whenever hybrid scenarios are mentioned:

  • “Why are you using hybrid?”
  • “Isn’t cloud-only the future?”
  • “Hybrid doesn’t offer anything that cloud-only doesn’t.”

We’re with you: cloud-only is absolutely the recommended approach championed by Microsoft, Gartner, and other industry leaders. If you can go cloud-only, do it. But sometimes, consultants and architects find themselves in situations where a customer insists on maintaining a hybrid setup – despite all guidance to the contrary. In these rare but real scenarios, you need strategies that work. And that’s where this guide comes in. Yes, we know device naming used to be crucial, and many say it’s less important now that devices are user-linked. However, for certain organisations and legacy workflows, naming conventions still matter. Let’s unpack how you can handle those complex naming requirements in a hybrid Autopilot environment.

 

Challenges with Autopilot Naming
Some companies still rely on structured naming schemes to quickly identify where a device is located and what it’s used for. For example: USNY5CGXYZ might translate to Country: US, City: NY, plus a device-specific serial number. Achieving this style with Autopilot can be tricky.

 

Limitations

  • Entra ID Joined (EIDJ) devices can use a naming template with a prefix plus either %serial% or %rand%. This allows for something like UK%serial% or US%serial% to differentiate by country. You can even manually rename a device in the Autopilot portal, and it’ll pick up that name after the next reboot.

  • Hybrid Entra ID Joined (HEIDJ) devices are more restricted. You can only specify a prefix; the rest is random characters to fill out the 15-character limit. While you can create separate profiles for different prefixes, the extra characters won’t carry any meaningful data.

 

Naming Options
There are countless ways to solve this problem. We’ll focus on a couple of methods that have worked in the field. One of the first approaches comes from Michael Niehaus (links provided below), which you can then customise to meet various needs. All these methods require granting Self permissions on computer objects in AD, as detailed in Michael’s blog.

 

1. Using Serial/Asset Tags

Michael Niehaus’s original and updated blog posts:

This script mimics the EIDJ prefix+%serial% style, and you can fine-tune it as needed. It’s deployed as an Intune application and relies on VPN connectivity: Always-On VPN (or similar) is the best option, but a user-initiated (push-to-connect) VPN also works. The script runs as a scheduled task, continually retrying until it succeeds. Full details are in the links above.

 

2. Using Group Tags

A customer needed a naming convention like:
[CountryCode][DeviceType][%Serial%]

Because they knew these details at ordering time, we used a simple solution – use the Group tag field as the ‘desired device name’. They weren’t using group tags for anything else.

When importing the hardware hash, set the desired name in the device’s Group tag field, either manually or in the CSV during import.

The script then does the following:

    1. Checks if the current name meets the pattern via regex matching.
    2. Verifies corporate network connectivity (or prompts the user to connect via VPN).
    3. Retrieves the device’s serial number.
    4. Uses Intune Graph API to look up the serial number in Intune and then grab the group tag.
    5. Renames the AD computer object accordingly.
    6. Prompts the user for a reboot, with a countdown timer.
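The six steps above as an added PowerShell example; this is not the author’s DeviceRenameScriptProd.ps1, and the tenant ID, app ID, client secret and the six-letter/six-digit name pattern are placeholders and assumptions. It reads the group tag with the app-only Graph permissions listed below and refuses to rename unless the tag is a valid 15-character-or-shorter name that itself matches the convention.

```powershell
# Added example (not the author's script): rename a hybrid-joined device to its Autopilot group tag.
$TenantId     = '<tenant-id>'   # placeholder
$ClientId     = '<app-id>'      # placeholder: app registration with read-only Intune permissions
$ClientSecret = '<secret>'      # placeholder: supply at runtime rather than hard-coding in the package
$NamePattern  = '^[A-Z]{6}\d{6}$'   # assumed: [CountryCode][DeviceType] + 6-digit serial

# 1. Stop if the device already matches the convention (same regex as the Intune detection rule).
if ($env:COMPUTERNAME -match $NamePattern) { Write-Output 'Name already compliant'; exit 0 }

# 2. Rename-Computer needs line of sight to a DC; check LDAP reachability (VPN may not be up yet).
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
if (-not (Test-NetConnection -ComputerName $domain -Port 389 -InformationLevel Quiet)) {
    Write-Output 'No domain controller reachable; the scheduled task will retry'; exit 1
}

# 3. Serial number as reported by the BIOS (the value Autopilot registered).
$serial = (Get-CimInstance Win32_BIOS).SerialNumber.Trim()

# 4. Client-credentials token, then look the Autopilot identity up by serial to read its group tag.
$token = (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{
    client_id = $ClientId; client_secret = $ClientSecret
    scope = 'https://graph.microsoft.com/.default'; grant_type = 'client_credentials'
}).access_token
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities' +
       "?`$filter=contains(serialNumber,'$serial')"
# contains() is a substring match, so pick the exact serial from the results.
$device = (Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $token" }).value |
          Where-Object { $_.serialNumber -eq $serial } | Select-Object -First 1
$newName = $device.groupTag

# Defensive check: only rename to a tag that is a legal NetBIOS length and fits the convention.
if (-not $newName -or $newName.Length -gt 15 -or $newName -notmatch $NamePattern) {
    Write-Error "Group tag '$newName' is missing or does not match $NamePattern"; exit 1
}

# 5. Rename the AD computer object; this works as SYSTEM because the computer account holds Self rights.
Rename-Computer -NewName $newName -Force -ErrorAction Stop

# 6. Reboot with a countdown (the packaged version uses PSADT's Show-InstallationRestartPrompt instead).
shutdown.exe /r /t 300 /c "Device renamed to $newName. Restarting in 5 minutes to apply the change."
exit 0
```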

You’ll need the same Self permissions as before. Also, create an Enterprise App with read permissions on Intune to fetch Autopilot info. Required permissions include:

  • DeviceManagementManagedDevices.Read.All
  • Directory.Read.All


You’ll package this as an Intune application using the PowerShell App Deployment Toolkit (PSADT). With ServiceUI.exe (from the MDT toolkit), you can run the script as SYSTEM but still display user prompts. The detection method involves a regex to confirm that the device name matches the expected pattern (e.g., 6 letters + 6 digits).

Call the rename script (in the References) from the PSADT deployment script using the syntax below.

Execute-Process -Path "$PSHOME\powershell.exe" -Parameters "-executionpolicy bypass -File $dirSupportfiles\DeviceRenameScriptProd.ps1"

 

Conclusion

While the ultimate goal is often a pure cloud-only strategy, real-world constraints sometimes force hybrid scenarios to persist. In these cases, finding an effective naming strategy that meets organisational requirements is key. By leveraging Autopilot profiles, group tags and scripting with appropriate permissions, you can craft naming conventions that bridge the gap between legacy processes and modern device management approaches.

 

What’s Next?

In the next blog, we’ll explore an even more complex method. In this approach, attributes from the user’s Entra ID account – like country, office code and department – feed into the computer name. We’ll use a CSV translation table stored in blob storage so you can easily maintain and update naming rules.

This advanced naming pattern might look like:

[CountryCode][OfficeCode][DepartmentCode][DeviceType][LastDigitsFromSerial]

 

High-Level Steps for the Next Method

  1. Check if the current name fits the required pattern; if it does, stop.
  2. Confirm corporate network connectivity or prompt VPN connection.
  3. Identify the logged-on domain user.
  4. Convert username to UPN and query Entra ID for attributes.
  5. Use a CSV mapping table from blob storage to convert friendly names into short codes.
  6. Construct the final name with all required components.
  7. If a component is missing, fall back to a default name indicating missing properties.
  8. Rename the AD object.
  9. Prompt for a reboot with a countdown.

 

References

Have you implemented Autopilot with Hybrid domain join? Share your experiences with device naming in the comments below!

Luke


Luke Torrens began his IT career in 2007, working with local government organisations in Australia. Over four years, he honed his skills across various industries before moving into consulting, where he specialised in endpoint architecture and management for clients in government, energy, finance, security, and law enforcement. In 2016, he relocated to the UK to contribute to a major digital transformation project for a government regulatory agency. This collaboration inspired the formation of the Brickley Group, a consultancy focused on delivering modern IT solutions.