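        /// <summary>
        /// Performs the execution of the command: ensures the Azure AD device registration
        /// service connection point (SCP) exists in the forest's configuration naming context
        /// and creates a group policy that enables automatic MDM enrollment for domain-joined
        /// devices. The policy is created unlinked; the caller must link it.
        /// </summary>
        /// <remarks>
        /// Both steps write to privileged locations (the AD configuration partition and a new
        /// domain GPO), so the whole operation is gated behind <c>ShouldProcess</c>; nothing is
        /// changed when the caller declines (for example with <c>-WhatIf</c>).
        /// </remarks>
        /// <exception cref="PSInvalidOperationException">
        /// Thrown when <c>Domain</c> or <c>TenantId</c> is not supplied and there is no
        /// management session context to resolve the missing value from.
        /// </exception>
        public override void ExecuteCmdlet()
        {
            if (!ShouldProcess("Creates the group policy and service connection point required to have domain joined devices automatically enroll into MDM."))
            {
                return;
            }

            // The session context is only required when a value has to be resolved from it.
            if ((string.IsNullOrEmpty(Domain) || string.IsNullOrEmpty(TenantId)) && MgmtSession.Instance.Context == null)
            {
                throw new PSInvalidOperationException(Resources.RunConnectSecMgmtAccount);
            }

            string tenantId = string.IsNullOrEmpty(TenantId) ? MgmtSession.Instance.Context.Account.Tenant : TenantId;

            // ExecuteCmdlet is synchronous, so the asynchronous domain lookup is blocked on here.
            string aadDomain = string.IsNullOrEmpty(Domain) ? GetDomainValue(tenantId).ConfigureAwait(false).GetAwaiter().GetResult() : Domain;

            WriteDebug($"Using {aadDomain} for the domain value and {tenantId} for the tenant identifier value");

            using (DirectoryEntry rootDSE = new DirectoryEntry("LDAP://RootDSE"))
            {
                string azureADId   = $"azureADId:{tenantId}";
                string azureADName = $"azureADName:{aadDomain}";

                // Container paths are derived from RootDSE, never from caller-supplied input.
                string configCN   = rootDSE.Properties["configurationNamingContext"][0].ToString();
                string servicesCN = $"CN=Services,{configCN}";
                string drcCN      = $"CN=Device Registration Configuration,{servicesCN}";
                string scpCN      = $"CN=62a0ff2e-97b9-4513-943f-0d221bd30080,{drcCN}";

                EnsureServiceConnectionPoint(servicesCN, drcCN, scpCN, azureADName, azureADId);

                string domainName = $"LDAP://{rootDSE.Properties["defaultNamingContext"].Value}";

                CreateAutoEnrollmentPolicy(domainName);

                WriteObject($"Domain has been prepared and the {GroupPolicyDisplayName} group policy has been created. You will need to link the group policy for the settings to apply.");
            }
        }

        /// <summary>
        /// Ensures the device registration configuration container and the service connection
        /// point exist below <paramref name="servicesCN"/>, and that the SCP's <c>keywords</c>
        /// attribute holds exactly the supplied Azure AD name and identifier values.
        /// </summary>
        /// <param name="servicesCN">Distinguished name of the <c>CN=Services</c> container in the configuration partition.</param>
        /// <param name="drcCN">Distinguished name of the device registration configuration container.</param>
        /// <param name="scpCN">Distinguished name of the service connection point.</param>
        /// <param name="azureADName">The <c>azureADName:</c> keyword value to store.</param>
        /// <param name="azureADId">The <c>azureADId:</c> keyword value to store.</param>
        private void EnsureServiceConnectionPoint(string servicesCN, string drcCN, string scpCN, string azureADName, string azureADId)
        {
            DirectoryEntry services = null;
            DirectoryEntry deDRC = null;
            DirectoryEntry deSCP = null;

            try
            {
                if (DirectoryEntry.Exists($"LDAP://{drcCN}"))
                {
                    WriteDebug($"Device registration configuration container already exists at LDAP://{drcCN}");
                    deDRC = new DirectoryEntry($"LDAP://{drcCN}");
                }
                else
                {
                    WriteDebug($"Creating the device registration configuration container in LDAP://{servicesCN}");
                    services = new DirectoryEntry($"LDAP://{servicesCN}");
                    deDRC = services.Children.Add("CN=Device Registration Configuration", "container");
                    deDRC.CommitChanges();
                }

                if (DirectoryEntry.Exists($"LDAP://{scpCN}"))
                {
                    deSCP = new DirectoryEntry($"LDAP://{scpCN}");

                    // Replace, rather than append to, any stale keyword values.
                    WriteDebug($"Service connection point LDAP://{scpCN} already exists, so clearing the keywords property");
                    deSCP.Properties["keywords"].Clear();

                    WriteDebug($"Updating the keywords propoerty on the service connection point LDAP://{scpCN}");
                }
                else
                {
                    WriteDebug($"The service connection point LDAP://{scpCN} does not exists, so it will be created");
                    deSCP = deDRC.Children.Add("CN=62a0ff2e-97b9-4513-943f-0d221bd30080", "serviceConnectionPoint");
                }

                // Keyword values are written as attribute values; they are never interpolated
                // into a distinguished name or an LDAP filter.
                deSCP.Properties["keywords"].Add(azureADName);
                deSCP.Properties["keywords"].Add(azureADId);
                deSCP.CommitChanges();
            }
            finally
            {
                // DirectoryEntry wraps a COM object; release each one even when a step throws.
                deSCP?.Dispose();
                deDRC?.Dispose();
                services?.Dispose();
            }
        }

        /// <summary>
        /// Creates the <c>GroupPolicyDisplayName</c> group policy in the domain and sets the
        /// machine-side registry policy values that enable automatic MDM enrollment using the
        /// Azure AD device credential.
        /// </summary>
        /// <param name="domainName">ADSI path (<c>LDAP://...</c>) of the domain's default naming context.</param>
        /// <exception cref="PSInvalidOperationException">
        /// Thrown when the Group Policy COM object does not expose <c>IGroupPolicyObject2</c>.
        /// </exception>
        private void CreateAutoEnrollmentPolicy(string domainName)
        {
            IGroupPolicyObject2 groupPolicyObject = (new GroupPolicyObject() as IGroupPolicyObject2)
                ?? throw new PSInvalidOperationException("The Group Policy COM object does not implement IGroupPolicyObject2.");

            IntPtr sectionKeyHandle = IntPtr.Zero;
            IntPtr key = IntPtr.Zero;

            WriteDebug($"Creating {GroupPolicyDisplayName} group policy");

            try
            {
                // 0x1 = GPO_OPEN_LOAD_REGISTRY, 0x2 = GPO_SECTION_MACHINE (gpedit.h).
                groupPolicyObject.New(domainName, GroupPolicyDisplayName, 0x1);
                sectionKeyHandle = groupPolicyObject.GetRegistryKey(0x2);

                // NOTE(review): the wrapper's result is not checked here (as in the original);
                // if it reports failure instead of throwing, key stays zero and the writes
                // below would run against an invalid handle — confirm the wrapper's contract.
                RegistryOperations.RegistryCreateKey(
                    sectionKeyHandle,
                    @"Software\Policies\Microsoft\Windows\CurrentVersion\MDM",
                    0,
                    null,
                    0,
                    RegSAM.Write,
                    null,
                    out key,
                    out _);

                SetRegistryDWordValue(key, "AutoEnrollMDM", 1);
                SetRegistryDWordValue(key, "UseAADCredentialType", 1);

                // Save the machine side (bMachine = true) and register each extension / snap-in
                // GUID pair so the registry policy is picked up by clients.
                groupPolicyObject.Save(true, true, new Guid("7909AD9E-09EE-4247-BAB9-7029D5F0A278"), new Guid("D02B1F72-3407-48AE-BA88-E8213C6761F1"));
                groupPolicyObject.Save(true, true, new Guid("35378EAC-683F-11D2-A89A-00C04FBBCFA2"), new Guid("D02B1F72-3407-48AE-BA88-E8213C6761F1"));
            }
            finally
            {
                // Release the registry handles even when a step above throws.
                if (key != IntPtr.Zero)
                {
                    RegistryOperations.RegistryCloseKey(ref key);
                }

                if (sectionKeyHandle != IntPtr.Zero)
                {
                    RegistryOperations.RegistryCloseKey(ref sectionKeyHandle);
                }
            }
        }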