Azure Active Directory Audit log showing machine has renaming automatically

Question

In the environment, there are many workstation hostnames has changed every 30 minutes. The same hostname is not available in the Intune portal. it's available in on-prem AD and Azure AD. could you guide on how to troubleshoot it.

Note; Suppose the hostname changed from ABCD to XYZ

please check the below screenshot, these many time it's trying to rename the hostname, and its Initiated by Intune

Answer 1

1. What are these affected devices? Is these device newly enrolled into Intune? Existing machines, Which are in AD & those are HAAD joined. But the same hostname is not available in the Intune portal. So from Intune, it won't be happens anything (as a logic), but from the Azur portal, the log shows the Initiated by is "Microsoft Intune" . Without enrolling the device to intune how its show was done by Intune?
2. Are they hybrid Azure AD joined? yes those machines are HAAD joined
3. What is the difference between the affected devices and the working devices? As per the Audit Log, there are a few machines affecting this issue. but unable to find out the difference
4. Is there any script or task scheduler created on these devices to do the rename option? Yes I check there no script that rename the machine's hostname. Is there any other logs shall I get to troubleshooting?

Answer 2

Hello there,

Have you checked the Audit logs in Azure Active Directory?

You can use the Rename device action to rename a device that is enrolled in Intune. When you use this action, the device's name is changed in Intune and on the device but not sure why the changes are taking place every 30 minutes.

Azure Active Directory (Azure AD) activity logs include audit logs, which is a comprehensive reports on every logged event in Azure AD. Changes to applications, groups, users, and licenses are all captured in the Azure AD audit logs. https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs

When having a device that is part of autopilot, whenever this device is reset, windows creates a new hostname for it. But, if that device is a member of a security group and the hostname changes.

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer–

Answer 3

If you are seeing entries in the Azure Active Directory (Azure AD) Audit log indicating that a machine has been renamed automatically, it could be due to a few possible causes:

1. Group Policy: Some Group Policy settings may automatically rename a machine when it joins the domain. Check your Group Policy settings to see if this is the case.
2. MDM solutions: Some Mobile Device Management (MDM) solutions may automatically rename a machine when it enrolls in the MDM solution. Check your MDM settings to see if this is the case.
3. Scripts: Some scripts may automatically rename a machine during the startup process. Check your startup scripts to see if this is the case.
4. Intune: Intune can rename the device when the device is enrolled and it is based on the settings configured in Intune.
5. Third-party software: Some third-party software may automatically rename a machine. Check your installed software to see if this is the case.

It's recommended to investigate the cause of the automatic renaming and ensure that it is not a security concern. If the automatic renaming is not desired, it should be disabled or configured correctly. You can also use Azure AD Conditional Access policies to prevent or control the access of the automatically renamed machine.

Answer 4

Can you double check Intune to make sure under Apps the "RenameComputer.intunewin" package file is not listed.

See the following link for further details...[https://oofhours.com/2020/05/19/renaming-autopilot-deployed-hybrid-azure-ad-join-devices/

Answer 5

Hi All

Thanks for your help
contacting Microsoft, and there are investigating. will update soon after debuting this issue.