AD to AAD Join via Configuration Manager Task Sequence
Talking about the task sequence built to facilitate AD to Hybrid Azure AD join: I started with a task sequence because, let's face it, the majority of on-premises enterprise environments are running SCCM and leveraging task sequences, and task sequences are simply an elegant way to execute what I was looking for.
FYI This is not a Microsoft Supported Process (Do not contact Support)
Though all the steps themselves are supported... LOL
Below I lay out the steps to achieve an AD to AAD migration. If you move this to a straight-up PowerShell script, the steps are pretty much the same; only the execution method changes, and you will find much of the logic in the task sequence is the same as in the PowerShell script.
First I set some variables that will be unique to your environment: a Domain Admin (or any account with workstation removal permissions), and a temp user account which is created and deleted during this process.
TS Variables:
Set Task Sequence Variable DomainAdmin
Set Task Sequence Variable DomainAdminPassword
Set Task Sequence Variable Temp User
Set Task Sequence Variable Temp User Password
Local Prep:
Bitlocker Suspend 3 Reboots
Suspend-BitLocker -MountPoint "C:" -RebootCount 3
Create Local Account
CreateLocal.ps1 - This step uses a staged PS1 to pull TS variables; be sure you have this in your package
Set Auto login Registry
SetAutoLogInRegistry.ps1 - This step uses a staged PS1 to pull TS variables; be sure you have this in your package
Set PS Disable Privacy Experience
Next we perform a dsregcmd /leave. Don't worry if you're not hybrid; this will just fail and continue, but it's an attempt to gracefully remove the hybrid registration to prep for AADJ.
Next we perform our Domain removal and reboot
AD Join Removal:
Run dsregcmd /leave
AD Join Removal V1
DomainRemoval.ps1 - This step uses a staged PS1 to pull TS variables; be sure you have this in your package
Reboot Post Disjoin
Autologon should kick off with our temp account here, and next we copy the PPKG from a package associated with the TS. Keep in mind you must replace the PPKG with the one you created for this to work; any package without a program will do, since we are simply staging the files.
Next we apply the PPKG using PowerShell and then reboot after 60 seconds; it's best not to reboot immediately, to allow the PPKG to fully sync up prior to the reboot.
AAD Join via PPKG
Copy PPKG
xcopy.exe ".\AAD Join.ppkg" "C:\windows\temp" /D /E /C /I /Q /H /R /Y /S
Apply PPKG
Install-ProvisioningPackage -PackagePath "C:\Windows\Temp\AAD Join.ppkg" -ForceInstall -QuietInstall
Restart Computer
Now our machine is AAD joined and we need to do some prep. First we escrow all BitLocker keys to the computer object in Azure AD, next we stage a script to help with user profile copying (if that's something you're interested in, I will address it in another blog), and then we reboot.
Post AAD Join
Escrow Bitlocker Keys to AADJ
Create and Copy user Profile Script
Restart Computer
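The "Escrow Bitlocker Keys to AADJ" step above, written out as an added PowerShell example (this is not the script from the TS export): it enumerates encrypted volumes, adds a numerical recovery password protector where none exists, and backs each one up to the Azure AD device object with BackupToAAD-BitLockerKeyProtector. It assumes the device is already AAD joined and that the BitLocker PowerShell module is present.

```powershell
# Added example, not the TS export's own script.
# Assumes: device is Azure AD joined; BitLocker module available; run as SYSTEM (as the TS does).
$ErrorActionPreference = 'Stop'
Import-Module BitLocker

# Only volumes that actually carry BitLocker protectors are worth escrowing.
$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }

foreach ($vol in $volumes) {
    $mp = $vol.MountPoint
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recovery) {
        # Without a numerical recovery password there is nothing AAD can store;
        # add one so a helpdesk recovery from the portal is possible later.
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
                    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($p in $recovery) {
        try {
            # Escrow this protector to the Azure AD computer object.
            BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId
            Write-Output "Escrowed protector $($p.KeyProtectorId) for $mp to Azure AD"
        }
        catch {
            # Fail the TS step loudly; a device with no escrowed key is a recovery risk.
            Write-Warning "Escrow failed for $mp ($($p.KeyProtectorId)): $($_.Exception.Message)"
            exit 1
        }
    }
}
```

Escrow works while protection is suspended, so it is fine to run this before the suspend count from the earlier step is exhausted; a successful backup is also recorded in the Microsoft-Windows-BitLocker/BitLocker Management event log, which is the place to check if the key does not show up on the device object.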
Finally we clean up our temp account and reg keys, give OneDrive a kick to get started, and restart one last time, giving the user the option to select Other user and sign in with their Azure AD credentials.
Final Cleanup
Run Clean Up
Kickstart OneDrive
Restart Computer
Download the TS Export here: Github
Be sure to export, as the TS and contents have been zipped.