Autopilot Hybrid Join – Staging with Freestyle
Customers facing plenty of issues with Autopilto Hybrid Join if they don’t use Dropship Provisioning to pre-stage applications.
Due to the Microsoft limitations, the Enrollment Status Page (ESP) is only available for the Device context. In Workspace ONE UEM, you only can enable or disable both, Device and User, at the same time.
The following workaround was tested and verified on Windows 10 22H2 + Windows 11 22H2 and UEM 23.06.
Preparation
First, we need to create some resources to make sure we can deploy those things via the Freestyle Orchestrator Workflow.
Profile to enable the ESP + disable the user ESP
Create a new custom profile. Assign it to your Offline Domain Join smart group as automatic deployment. Make sure “Track Profile Status during OOBE Provisioning” is selected.
On the install settings, paste the following code:
<Replace>
<CmdID>a0c6bc3f-6b1a-484b-b4fd-2abcbb37f5d4</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DMClient/Provider/AirWatchMDM/EnableOmaDmKeepAliveMessage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>True</Data>
</Item>
</Replace>
<Replace>
<CmdID>03e70534-bae8-4383-bb76-3df2cccdfc41</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DMClient/Provider/AirWatchMDM/FirstSyncStatus/SkipDeviceStatusPage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>False</Data>
</Item>
</Replace>
<Replace>
<CmdID>5d035fe5-2cd8-4bde-a787-b45a585466f9</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DMClient/Provider/AirWatchMDM/FirstSyncStatus/SkipUserStatusPage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>True</Data>
</Item>
</Replace>This will enable the ESP for the device but disable it for the user (required). Also, it enables the OMA-DM Keep Alive messages to reduce the risk of a timeout.
By default, the timeout of the ESP is set to 60 minutes. In case you want to deploy more apps, you can increase the timeout until 1440 minutes. You can use the follow code and add it to the install command:
<Replace>
<CmdID>5d035fe5-2cd8-aade-a787-b45a585466f9</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DMClient/Provider/AirWatchMDM/FirstSyncStatus/TimeOutUntilSyncFailure</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>60</Data>
</Item>
</Replace>The profile will be installed after the enrollment and before the Offline Domain Join configuration will be applied. After the device reboots, the ESP will show up.
SFD check script
Next, we need to make sure the workflow engine waits until SFD is installed. Otherwise, in some tests the workflow already started but was blocked due to the missing SFD agent.
Create a new script and paste the following content:
#Check if HUB is installed and enrolled
do {
#Wait for installation
do {
Start-Sleep -Seconds 10
$AWinstalled = Test-Path "HKLM:\SOFTWARE\AIRWATCH\EnrollmentStatus"
}while ($AWinstalled -eq $false)
#Check if AutoLogonCount REG Key is set to 0 (will be deleted as part of the unattend commands
$logontemp = Get-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
If ($logontemp.GetValue("AutoLogonCount") -eq '0') {
$regcheck = $true
}
#Check registry if device is enrolled
$enrolltemp = Get-Item -Path "HKLM:\SOFTWARE\AIRWATCH\EnrollmentStatus"
If ($enrolltemp.GetValue("Status") -eq 'Completed') {
$enrollcheck = $true
}
}while ($regcheck -eq $false -or $enrollcheck -eq $false -or $regcheck -eq $false)
#Wait for the ODJ blob gets applied
$ODJCheckstarttime = Get-Date
do
{
$DomainJoined = $false
Start-Sleep -Seconds 10
If ((Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\JoinDomain") -eq $true -and ( (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName").computername ) -like "*$($env:ComputerNamePrefix)*")
{
$DomainJoined = $true
Write-Host "Domain Join config applied" -ForegroundColor Green
}
}while($DomainJoined -eq $false -and ((Get-Date) -le $ODJCheckstarttime.AddMinutes(10)))
if($DomainJoined -eq $false)
{
Write-Host "Domain Join error - please check Domain Join configuration" -ForegroundColor Red
break
}
#Check if SFD getting installed
Write-Host "Checking SFD installation"
$SFDInstallCheckstarttime = Get-Date
do
{
$count = (Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\S-0-0-00-0000000000-0000000000-000000000-000\MSI').Count
Start-Sleep 10
}while($count -lt 1 -and ((Get-Date) -le $SFDInstallCheckstarttime.AddMinutes(10)))
$SFDInstallCheckstarttime = Get-Date
do{
Clear-Variable -name "sfdinstalled" -ErrorAction SilentlyContinue
$SFDInstalled = Get-wmiobject win32_product | Where-Object {$_.name -like "*SFDAgent*"} | select-object -property name,version,identifyingnumber
Start-Sleep 10
}while(!$SFDInstalled -and ((Get-Date) -le $SFDInstallCheckstarttime.AddMinutes(10)))
if($SFDInstalled)
{
Write-Host "SFD installed" -ForegroundColor Green
}
else
{
Write-Host "SFD installation error - please check SFD installation" -ForegroundColor Red
break
}
This script will check the following things:
- HUB is installed and device is fully enrolled
- Offline Domain Join was applied (we only want to get the workflow started after the automatic reboot that happens after ODJ was applied)
- SFD is installed
As timeout, select a high number – I used 3000 in my tests:
Next – you need to change the ComputerNamePrefix. In my tests, I always use “ODJ” as a prefix. If you use the serial number in your environment, you need to use the “{DeviceSerialNumber}” lookup value.
Don’t assign the script – we’ll assign it through the workflow.
The profile to complete the ESR
If you just assign the first profile, you’ll end up in the following screen:
This screen will time out after 60 minutes (or whatever you selected).
Once your applications and profiles are installed, you want to mark the device as fully provisioned and the user should be able to log in.
To mark the device as fully provisioned, create a new profile and assign it to your ODJ smart group as OPTIONAL.
Next, paste the following content to your custom profile installation settings:
<Replace>
<CmdID>5fe75f56-398c-47bb-8ae7-bf49d37c69f6</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/DMClient/Provider/AirWatchMDM/FirstSyncStatus/ServerHasFinishedProvisioning</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>True</Data>
</Item>
</Replace>Create the Workflow
Actually, it is straightforward to create the workflow. In short, we need to start with the SFD check script, then install our applications and then apply the profile to finish the ESP page.
I would recommend that you apply the apps that require a reboot (e.g. the VMware Tunnel) as last application. ESP is reboot aware and will continue after the applications are installed and device was rebooted.
Assign this workflow to your ODJ devices.
After the workflow was executed, the end-user can log in to the device.
vExpert, blogger and VMware champion. Worked 10 years as a VMware & Microsoft consultant for a partner before joining VMware in 2017.
Sergiu Constantin
Hi Patrick,
thanks a lot for the description, the profiles the script and the tests.
It worked immediately after implementation, even with a 3rd party VPN (Cisco AnyConnect). The script itself contains elements you don’t really need, e.g. EnrollmentStatus. Without enrollment there would be no freestyle and no scripts to run…
But really good, and if I still have something to “complain”, I’ll get back to you in a few days after some more intensive tests.
Thank you, I really appreciate!
Sergiu