Currently, Azure AD Hybrid Domain Join (In Preview) does not allow the use of variables such as %SERIAL% or %RAND% but only allows the use of a simple prefix such as WIN10- for the computer name. This is an important feature that does currently exist for standard Azure Domain join but not Hybrid where customers need to ensure the device enrolls in Autopilot in Intune, but also in the local network AD domain.

I wrote a blog post about this issue in more details here.

https://www.moderndeployment.com/intune-hybrid-domain-join-error-80180005/

Most customers use a standard Computer naming convention with the serial number OR asset tag from the BIOS on the hardware device.

Example: L-%SERIAL% for laptops or D-%SERIAL% for desktops. Win10 SCCM task sequences allow the use of variables (%SERIALNUMBER%) for this requirement.

Autopilot standard Azure AD profile allows %SERIAL% but again, not Azure HYBRID Azure Domain join currently which is in PREVIEW.

Thanks
Nathan

From the requirements here:
https://docs.microsoft.com/en-us/intune/windows-autopilot-hybrid
"Have access to your Active Directory (VPN connection not supported)."

This requirement breaks the concept of having a device that could be shipped anywhere directly to a user. Large enterprises still have, and will continue to have applications that rely on domain connectivity for authentication. Many of these enterprises build their devices onsite and ship to users that never see the corporate network. Autopilot could never work in this scenario without users disclosing their credentials.

The feature we would like is a secure means of establishing an AAO VPN tunnel during enrollment that would allow enterprise users with domain applications to enroll their devices.

When importing Autopilot devices in Intune, we would like (for us and the OEM) to be able to assign machine names against each device that is imported.

Sadly %Rand% or %Serial% is not sufficient for a lot of our use cases (e.g. IT labs). We use location identifiers in the device name for our fixed device estate (7000 devices) - this allows us to create dynamic device groups based on location, room, lab, etc. which in turn is used for policy/app control (e.g. licensing, etc.).

In the file used to import the device it would be good to have an additional tag option, e.g.:
Device Serial Number,Windows Product ID,Hardware Hash, Order ID, Device Name,

We have multiple deployments where devices have been enrolled with a Device Enrolment Manager account and then issued to users.

Using a DEM account has allowed us to manage the enrolment of devices and configure any steps not yet supported by Intune before issuing to users. This isn't something that would be appropriate to change with AutoPilot.

These same deployments are relying on the ability to use the devices Compliance state as telemetry within a Conditional Access policy. Unfortunately we have seen mixed results where devices do not consistently report as compliant nor do they consistently report the reason for their non compliance.

Through working with support I have been provided with this article where it is stated this is an unsupported scenario -

We need this added as a supported scenario.

It's not appropriate for everyone to use AutoPilot or to rely on user led enrolment or to issue one device to a user or for devices to not be ever shared without needing re-enrolment.

This is proving a major blocker to adoption of Intune and Conditional Access.

If you need anymore information or scenarios at all please let me know.

During enrollment, a computer name is currently created with a template that may or may not contain random characters, or the serial number. That template is limited.

It would be helpful to use a script to set the computer name, or more advanced options, to set the name.

It doesn't make sense to change the name after the device has been enrolled, and is more difficult following a hybrid AAD join.

For example, our infosec team has strict requirements for computer naming for quick discovery during investigation: Device type (Desktop/Laptop), State, Location, and serial number.

This can be accomplished via a combination of creative use of the Group Tag and a Powershell script, but this is not an option with the current available capabilities for PC naming in Intune/Autopilot.

Windows Autopilot Hardware ID "on the box"

This might not be a 100% Microsoft issue, but gathering the Hardware ID of a device to enroll it into Intune for Autopilot assingments is still a pain.

The Problem is, that if you do not use just your one Standard Supplier, or the MIcrosoft online store gathering the Hardware ID is quite a pain.

Example,
there is a user somewhere in Kuala Lumpur... and Needs a new device, somehow they happen to have a Surface Laptop in a shop there. Now it would be easy to set this up as a Autopilot device if the HardwareID would somehow be provided on the box ... as a QR Code with an App to read it... but today this User Needs to go through the whole process of OOBE finalizing ... has to call it to go through the process of gathering the Hardware ID via Powershell etc.

So the Idea would be, can Microsoft for their own devices, and maybe also talk to the Hardware Vendors to do this together, add the Hardware in any way to the "Box"?

Cool would be to have this as a QR Code sticker on the box, which can be read by a Special App (maybe with a Login or link to the Tenant to Register the device in? MFA etc.)