Manage Android “Corporate device identifiers” in Intune without renaming them, but add them to an AAD group

This post has been waiting for a while, and I have finally found the time to publish it. It fills the gap that appears when you add your company devices (tablets) to your Intune tenant as “Corporate device identifiers” with a CSV file.

Some companies only allow company-added devices in the Intune tenant, so a user can’t enroll a private device. In Intune you can disable regular device enrollment for users! If you pre-import the CSV with the identifiers (serial number or IMEI), you and the users will only be allowed to enroll those devices, as corporate-owned devices.

If you like to manage those devices in Azure AD with dynamic Groups, it can be difficult because not all attributes are synced from Intune to Azure AD. There is also the problem that you can’t rename the devices in Intune.

In this example scenario, I have a lot of Android tablets to use as kiosk devices with multi-app installation. Configuring the kiosk profile, creating configuration profiles and assigning apps are not part of this blog post. Anyway, you can find the steps below so you can do it if you like:

  1. Create a “Corporate-owned dedicated devices” profile with a QR-code
  2. Create some “Device compliance – Policies”
  3. And also some “Device configuration – Profiles”
  4. Assign some Applications
  5. Maybe create an AAD group to assign all of the above to a specific group
    1. Here we come to the point: when you would like to use dynamic groups with the name tag of the device that you imported with the CSV file, you have no name on that device! How to handle this is explained in this post.

With a script that I and some co-workers created (thank you, Athiraiyan Kugaseelan @AKugaseelan and Daniel Schaedler @SchaedlerDaniel), you can now fill this gap. The name of the enrolled device is not the same as the one you import with the CSV file (in the CSV file you only have a separate column in which to give the device a name), and this attribute is not synced automatically to Azure AD.

Here is how it works and what it does:

  1. Import a list of Devices as “Corporate-owned dedicated devices” with a CSV-File
  2. Enroll the Device
  3. Create an AAD Group and add the Device
  4. The script to put all together

1. Import a list of Devices as “Corporate-owned dedicated devices” with a CSV-File

In the Intune Blade to add “Corporate device identifiers” you have to add your devices from a list you create as a CSV File. You can add the devices by serial number or IMEI.
For Tablets, I prefer the serial number and for phones of course IMEI.

The following steps show you how to go on with the serial number:
First of all, we create an enrollment restriction for the users that does not allow them to enroll Android and Android for Kiosk devices, and assign it to all users or to a specific group of users.

Then we import the CSV File with the format of csv:

My example-CSV myExample.csv contains the number (serial or IMEI) and the device details:

In the upload CSV file we can choose to upload the number as serial or IMEI:

Note: In case you are too lazy to use CSV, you can use PowerShell as well 😉
Now you can see your imported devices after clicking on the refresh button in your blade:

In the details column you can see the name you added for the device. This is the name you would like to use in Azure AD with dynamic groups!
Here are the MS-Docs:

2. Enroll the Device

Now you can enroll the devices with a user called afw#setup, which brings up the camera and lets you scan the QR code from your kiosk device profile. As soon as the devices are enrolled, they are not really visible in Azure AD. Go to Intune -> Devices -> All devices. The devices will show up with a weird name:

Unfortunately, you are not able to rename the device in the properties 🙁

However, the devices should be set as Corporate Owned Device. And you are able to see the serial number of the device. (the same as you have from the CSV-File). This is what we need, a matching number from the AAD-Device and Intune-Device!
The only match you can find on both sides, is the serial number:

Now, I would like to have the same name in the Intune/AzureAD as I uploaded in my CSV (as the details attribute). By design, it is not possible to rename the device, but there is another attribute, called “Management name”.

We came up with a script that reads the serial number from the “Corporate device identifiers” list, looks in AAD for a device with the same serial number, takes the details “name” and sets it as the Management name of the AAD object.

3. Create an AAD Group and add the Device

Afterwards, we have to create an assigned AAD group, because the Management name is not an attribute you can use for dynamic groups (this attribute is not synced from Intune to AAD).

We have to create the group with a script or manually before we add the device to the group. There we can also assign some apps/profiles or policies…

If you use RBAC, you can also add the scope tag to this group, and every client adds that tag.

4. The Script to put all together

If you would like to use this script, just download it and add your name and encrypted password around line 500. This is a function so that the script can run automated in Azure Automation or in a scheduled task on a server, so that the devices get the real name we want as fast as possible.

How do you create the encrypted password?
(Get-Credential).Password | ConvertFrom-SecureString | Set-Content "C:\source\password.txt"

How to Encrypt Passwords in PowerShell

Just open the password.txt and copy the string.
Be careful: if you use the script in a scheduled task on a server, the PoSh command to create the password has to be run on that server 😉
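
The stored-password approach above, as an added example (not part of the original script): on Windows, `ConvertFrom-SecureString` without a key protects the string with DPAPI, so only the same user account on the same machine can turn it back into a credential. The function names, the temp file and the sample account and password are assumptions constructed for illustration.

```powershell
# Added example: store a password as a DPAPI-protected string and load it again.
# Function names, file path and sample values are constructed for illustration.

function Save-ProtectedPassword {
    param(
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $Path
    )
    # Without -Key/-SecureKey the output is bound to the current user and machine
    $Password | ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ASCII
}

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Path
    )
    $protected = (Get-Content -Path $Path -Raw).Trim()
    try {
        # No -AsPlainText here: the input is the protected string, not the password itself
        $secure = ConvertTo-SecureString -String $protected -ErrorAction Stop
    }
    catch {
        throw "Cannot decrypt '$Path'. It must be created by the account that runs the script, on the same machine. $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

# Demo with a constructed password; interactively you would pass (Get-Credential).Password
$samplePassword = ConvertTo-SecureString -String 'Constructed-Sample-Pw1!' -AsPlainText -Force
$file = Join-Path ([System.IO.Path]::GetTempPath()) 'password-demo.txt'

Save-ProtectedPassword -Password $samplePassword -Path $file
$cred = Get-StoredCredential -UserName 'svc-intune@contoso.example' -Path $file

# The file holds only the protected string, never the clear-text password
$clearTextInFile = (Get-Content -Path $file -Raw).Contains('Constructed-Sample-Pw1!')
"Loaded credential for : $($cred.UserName)"
"Clear text in file    : $clearTextInFile"

Remove-Item -Path $file
```

For a scheduled task, run the save step while logged on as the account the task runs under; a string created by another account will hit the `catch` branch.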

The script will load this module:
Install-Module -Name Microsoft.Graph.Intune
It then performs these steps:
– Find the Device
– Get the Serial number
– Get the Device ID
– Add the Device to the AAD Group
– Add the Management Name to the Device

There is a little gap between the Intune SDK module and what we have to use to add the device to the Azure AD group; for this case we added some separate functions.
List of variables that you have to change:

  • $LogFilePathFolder = "C:\Source"
  • $adminUPN = ""
  • $passWd = "***********"
  • $AADGroup = "Android-Classroom1"

Click on the link below to get the script:
Here is the detailed description for the script:

# Log in to your tenant with the script
# $passWd holds the string created with ConvertFrom-SecureString (see above), so it is
# decrypted here without -AsPlainText; this works only for the same user on the same machine
$adminPwd = ConvertTo-SecureString -String $passWd
$creds = New-Object System.Management.Automation.PSCredential ($adminUPN, $adminPwd)
Write-Log "Establishing connection"
$connection = Connect-MSGraph -PSCredential $creds
$global:authToken = Get-AuthToken -User $adminUPN
Write-Log "Getting all corporate identifiers"
# Get the corporate device identifiers
$corpDevices = Get-CorporateDeviceIdentifiers
Write-Log "Getting all enrolled devices"
# Get the enrolled devices
$enrolledDevices = Get-IntuneManagedDevice
# Create the AAD group for the assignment if it does not exist
$AADGroup = "Android-Classroom1"
$GroupId = (Get-AADDeviceGroup -GroupName $AADGroup).id
if($GroupId -eq $null -or $GroupId -eq ""){
    $newGroup = New-AADGroup -displayName $AADGroup -securityEnabled:$true -mailEnabled:$false -mailNickname $AADGroup
    $GroupId = $
    #Write-Host "AAD Group - '$AADGroup' doesn't exist, please specify a valid AAD Group..." -ForegroundColor Red
}
# Loop over every device that is in the corporate identifiers and newly enrolled in Intune
foreach($corpDevice in $corpDevices){
    # Match on the serial number
    if($corpDevice.importedDeviceIdentityType -eq "serialNumber"){
        if($enrolledDevices.serialNumber -contains $corpDevice.importedDeviceIdentifier){
            $deviceToUpdate = Get-IntuneManagedDevice -Filter "SerialNumber eq '$($corpDevice.importedDeviceIdentifier)'"
            if($deviceToUpdate -ne $NULL){
                Write-Log "Modifying device with serialnumber '$($corpDevice.importedDeviceIdentifier)'"
                # Change the Management name attribute
                Update-DeviceManagement_ManagedDevices -managedDeviceId $ -managedDeviceName $corpDevice.description
                # Get the matching AAD device and add it to the AAD group
                $AADDevice = Get-AADDeviceDevice -DeviceID $
                Add-AADDeviceGroupMember -GroupId $GroupId -AADMemberID $
            }
        }
    }
    # Match on the IMEI number
    if($corpDevice.importedDeviceIdentityType -eq "imei"){
        if($enrolledDevices.imei -contains $corpDevice.importedDeviceIdentifier){
            $deviceToUpdate = Get-IntuneManagedDevice -Filter "imei eq '$($corpDevice.importedDeviceIdentifier)'"
            if($deviceToUpdate -ne $NULL){
                Write-Log "Modifying device with IMEI '$($corpDevice.importedDeviceIdentifier)'"
                # Change the Management name attribute
                Update-DeviceManagement_ManagedDevices -managedDeviceId $ -managedDeviceName $corpDevice.description
                # Get the matching AAD device and add it to the AAD group
                $AADDevice = Get-AADDeviceDevice -DeviceID $
                Add-AADDeviceGroupMember -GroupId $GroupId -AADMemberID $
            }
        }
    }
}

More information:

As a fact, this works as well without renaming the Android Device Name. Therefore, you can easily use this:

Please test this before you run it in production. You should be careful since this script creates aad-groups and changes device attributes.
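
A way to test the matching before it touches production, as an added example that is not part of the original script: it reproduces the serial number / IMEI matching offline and only reports what would be renamed. The function names, the action labels and all sample identifiers and devices are constructed for illustration; the CSV layout assumed is identifier,details without a header row.

```powershell
# Added example: offline dry run of the identifier-to-device matching.
# All data is constructed; no Intune or Graph call is made and nothing is changed.

function ConvertTo-IdentifierKey {
    param($Value)
    # Compare trimmed and upper-cased so stray spaces or case do not hide a match
    ([string]$Value).Trim().ToUpperInvariant()
}

function Get-RenamePlan {
    param(
        [Parameter(Mandatory)] [string] $CsvText,
        [object[]] $EnrolledDevices = @(),
        [ValidateSet('serialNumber', 'imei')] [string] $IdentifierType = 'serialNumber'
    )

    # Index the enrolled devices by the chosen identifier
    $byIdentifier = @{}
    foreach ($device in $EnrolledDevices) {
        $key = ConvertTo-IdentifierKey ($device.$IdentifierType)
        if ($key) { $byIdentifier[$key] = $device }
    }

    $rows = $CsvText -split '\r?\n' | Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Header 'Identifier', 'Details'

    $seen = @{}
    foreach ($row in $rows) {
        $key = ConvertTo-IdentifierKey ($row.Identifier)
        if (-not $key) { continue }
        $device = $byIdentifier[$key]

        if ($seen.ContainsKey($key)) { $action = 'DuplicateIdentifier' }
        elseif (-not $device) { $action = 'NotEnrolledYet' }
        elseif ($device.managedDeviceName -eq $row.Details) { $action = 'AlreadyNamed' }
        else { $action = 'Rename' }
        $seen[$key] = $true

        [pscustomobject]@{
            Identifier      = $key
            Action          = $action
            ManagedDeviceId = if ($device) { $device.id } else { $null }
            ManagementName  = $row.Details
        }
    }

    # Enrolled devices that match no imported identifier deserve a second look
    foreach ($device in $EnrolledDevices) {
        $key = ConvertTo-IdentifierKey ($device.$IdentifierType)
        if (-not $seen.ContainsKey($key)) {
            [pscustomobject]@{
                Identifier      = $key
                Action          = 'NotInCorporateList'
                ManagedDeviceId = $device.id
                ManagementName  = $device.managedDeviceName
            }
        }
    }
}

# Constructed sample of the imported CSV (note the lower-case serial and the duplicate row)
$csvText = @'
R52N10ABCDE,Classroom1-Tablet01
r52n10abcdf ,Classroom1-Tablet02
R52N10ABCDG,Classroom1-Tablet03
R52N10ABCDE,Classroom1-Tablet01-again
'@

# Constructed stand-in for the output of Get-IntuneManagedDevice
$enrolledDevices = @(
    [pscustomobject]@{ id = 'dev-001'; serialNumber = 'R52N10ABCDE'; imei = ''; managedDeviceName = 'generated-name-001' }
    [pscustomobject]@{ id = 'dev-002'; serialNumber = 'R52N10ABCDF'; imei = ''; managedDeviceName = 'Classroom1-Tablet02' }
    [pscustomobject]@{ id = 'dev-003'; serialNumber = 'R52N10ZZZZZ'; imei = ''; managedDeviceName = 'generated-name-003' }
)

Get-RenamePlan -CsvText $csvText -EnrolledDevices $enrolledDevices | Format-Table -AutoSize
```

Only rows with the action Rename would lead to a change of the Management name; the other actions are there to be reviewed before the real script runs.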

I hope this helps and saves you some time to have a beer….


Android OEM Config with Intune step by step

Microsoft announces that Android OEM Config is now supported in Intune, to manage Samsung Knox and Zebra Devices.

How can we get the extension and use it:

Go to your Tenant, add the Managed Google Play Store for Android:

Add an app from the Managed Google Play Store

Have a look for those apps:

OEM | Bundle ID | OEM Documentation (if available)
Samsung | | Knox Service Plugin Admin Guide
Zebra Technologies | com.zebra.oemconfig.common | Zebra OEMConfig overview

Add the APP to your Client apps – Apps

Go to Device Configuration – Profiles and Create a New Profile:

Select the App and start configuring the Settings:

Now you have all the Settings to configure, only the settings that the OEM has configured in his JSON.

If you can’t find any settings, go to the OEM’s website for the settings, and you can add those missing settings, if needed and if it’s possible, to the JSON file by yourself.

More info:

I hope this helps and saves you some time to have a beer….


Implement Intune RBAC (Role-based access control)

Here we go for another Post!

This time, I tried to implement RBAC as a test and for a customer. It was quite hard to get the logic out of it and to figure out how it works in the backend. In the end, I got a piece of advice from a genius (thank you David Falkus for your support) and after a short discussion, it made sense to me.

After searching on the internet, I found some docs from Microsoft. Unfortunately, they are not easy to understand, to make side notes on or to draw something from. The document can be found here:

Therefore, I started my own logic drawing. I would say it explains the topic in an easier way, and I hope it helps you to understand RBAC 😉



As you can see on the picture above, there are different parties involved:

  • Member Group
  • Role
  • Scope Tag
  • Scope Group

First, the whole configuration has to be configured with a role as a basis. Afterwards, it needs an assignment to add Tag, Member Group and Scope Group. You are able to use one role with the permission for multiple assignments for several use cases with the same rights.

Important: This is my own translation for the different parts in RBAC!

Scope Tags

Tags are used to tag objects in Intune. These objects can be devices, policies, profiles and so on. If you have a group of device objects, you have to tag them separately. Unfortunately, there is no possibility of tagging a whole bunch of clients at the same time. In this case it is easier to use a script and do it with Graph API:

Scope Group

Scope Group means that there are some users or devices to manage such as a limited group of objects like devices (iOS, Android or Windows) or only part of them such as all iOS from Marketing, etc.

Member Group

Members are one person or a group of people who have to manage the objects in the Scope Group.


Role

Roles have different kinds of permissions. A role can have only “Read” rights on specific objects or “Write” or “Create” rights. We can for example grant access to create a new configuration profile or only change a Config profile with reading and writing access. A role can be used multiple times.


Assignment

The Assignment contains Tags, Groups and Group Members. They are assigned to a role, which can have only one or even multiple assignments.

How to Create the Parts

Scope Tags

Scope Tags in Intune

Scope Group

Create a simple AAD Group (dynamic or static) with the objects you would like to manage.

Member Group

Create a simple AAD Group (dynamic or static) with the users, who have to manage the objects from the scope group.


Create permissions.

RBAC Role Permissions


Add the member group to the assignment:

RBAC role assignment member

Add the Scope Group to the assignment:

RBAC role assignment scope

Add the Scope Tag to the assignment:

RBAC role assignment tag

One last Thing:

Add a tag to a device:

RBAC tag device

And this is it! Please be careful and test it only with a test user, since you can exclude your own account from some config. I recommend using a global admin to create the whole RBAC, and avoiding a global admin in a member group. Also worth pointing out: never use All Users and All Devices for the Scope Group!

I hope this helps and saves you some time to have a beer….


Simple Creation of a WDATP/MDATP PowerBI Dashboard

Hi all,

In this blog post, I will show you how simply you can create a Power BI dashboard from your Microsoft Defender Advanced Threat Protection data.

There is also a very good documentation from Microsoft: for the first part.

Just to be Clear, Windows Defender ATP is now –> Microsoft Defender ATP 🙂

However, the second part is different to the Microsoft documentation.

Part 1

As a first step, log on to the Security Center:

After clicking on the settings-symbol, choose the option “Power BI reports” and click on the “Create Dashboard”-button.

This button will open a new tab in your browser and shows the Power BI online Service Website.

Log in with the same account as you logged-in to the Security Center:

Additional information:
If it is your first log-on, you need to answer some questions and specify some details about the authentication method (use OAuth2). You need as well to accept the access rights.

Choose “Windows Defender Advanced Threat Protection” in the category “My apps”.

This will open and show you a pre-provisioned dashboard.

In case you would like to see a report or create your own dashboard or report, follow the instructions provided below:

Stay on the current dashboard and select the hamburger-button in the top right corner:

This will show you a dashboard, a report and also the connector (datasets) information:

Open the report and have a look at the data shown in this report. In the footer, you have also some register tabs to split the information in different sections:

Would you like to save the report or dashboard on your own workspace? This is difficult, but you have the option to share the dashboard / report and use it from there.

If you would like to build your very own reports, use the connector from the security center “Build custom dashboards”.

This dashboard provides you only with a preview and shows only data from the last 30 days.

Part 2

To understand how the connector works, read the instructions below. Please note that the docs page no longer matches today’s Power BI Desktop:

Download and Install Power BI for Desktop

Start using ATP data with Power BI:

  • Open the Power BI Desktop application after the installation has finished
  • As a first step, use the same credentials as in first part to log in (This is to connect your Power BI online sources) 
  • Select “Get data”
  • Choose “More…”
  • By typing the word “Graph“ the option “Microsoft Graph Security (Beta)” appears.
  • Select “Microsoft Graph Security (Beta)” and connect.
  • Select “continue” on the preview connector wizard
  • In the next wizard, select the version of Graph (1.0). In version 1 of Graph, the elements and paths no longer change. If you would like to play with some upcoming options, choose “Beta”. But be careful, these settings can change daily.
  • The log-on mask to log in to Graph will appear. Since the information you connect to is sensitive, you have to use an account with admin rights in the WDATP Security Center (or at minimum read rights).
  • Afterwards, the “Navigator” wizard pops up and you have to select all “Display Options”
  • As soon as the data is loaded, some information to select will appear.
  • This looks like:

In my opinion, this information is not very helpful since it is mainly used to control and remediate alerts.

If you connect to the Power BI online services, you can connect to the data from the first part in this blog:

To use the data from Power BI, open Power BI Desktop:

  • Open the Power BI Desktop application after the installation. Use again the credentials as in first part to log in (This is to connect your Power BI online sources) 
  • Select “Get data”
  • Choose “Power BI Datasets”
  • As a next step, select “My workspace”
  • Select “Windows Defender Advanced Threat Protection” and click “Load”
  • Two new tables will appear:
  • This enables you to easily create your own report:


Here are my two templates for your report, hope it helps:

Have FUN creating your own reports! I hope this helps and saves you time which can be used for drinking a beer 😉


New Course is ready, MMD from 0 to Production in 5-Days

Modern Managed Devices from zero to production 


Mobile devices can be found everywhere in today’s world. They should be managed in an enterprise environment like any other computer. 

In this training you will learn how to manage devices from the cloud with Microsoft Intune. 

Devices in today’s world can work from anywhere and whenever users want. This shift changes security requirements and the way these devices are managed. Therefore, you need to learn how to manage these types of devices. Learn how you can handle end users to make your life better, instead of completing a device and solving all the problems outside your organization.  

Learn to identify business cases, to generate use cases and to provide the right workload with the right technology to the modern workers. This course focuses on managing and securing devices with Microsoft EM&S Suite. The expert and double MVP Mirko Colemberg has developed this five-day practical laboratory based on practical experience. 

Practical Labs:
50 percent of the time is devoted to practical labs and exercises. Another 20 percent are used for use case and workload concepts with appropriate methods for working in production environments. 

Key Learnings:
Creation and implementation of all required settings for using Azure AD and EM&S by yourself and from scratch.  
Transition from business cases to use cases and embedding workloads into the appropriate technology.  
Implementation of the appropriate technology with all the settings needed to get workloads done. 
Getting to know all the different settings that help to implement a working environment based on concrete cases from a company:  

  • Get Azure AD running 
  • Application Management 
  • Modern OSD  
  • Best Practices for the Security Basis 
  • Analytics 
  • Troubleshooting 

Target audience:
This course is aimed at IT Professionals who need a deeper understanding of the modern workplace with Windows and Azure Services and want to expand their knowledge. This course also provides background information on business / use cases to take the right actions to implement the right opportunities for the right workload. 


  • Basic knowledge how network and internet works
  • Knowledge about processes with business and use cases
  • Powershell basic
  • Read about: OMA-URI (CSP) and Graph/AIP

300 Advanced 

Material Goodies:

  • Lab manual (online on Azure AD)  
  • Slide decks (PDFs), Lab documents  
  • A Surface-Go-device  
  • Access to a Teams-group on a private channel for all participants: 
    • to share your experiences
    • chat 
    • wiki
    • script sharing
    • from time to time an online meeting for important updates

Days: 5

German and English

At the moment, this course is available at Digicomp in Zurich, Switzerland. Handouts are in English, but the course will be held in German:

Manage Devices with all the tools of Microsoft Azure 

Course: Modern Managed Devices from Zero to Production («MMDZP») 
Mobile devices can be found everywhere in today’s world. They should be managed in an enterprise environment like any other computer.

If you would like to organize a class near you, just ask me. I can deliver this course in English all over the planet.


Sennheiser Device testing 😊

Hi all

This time, I’m at the MCT Global Summit in Germany (Cologne) and it is the first time I’m writing a blog post about a product. This means that everything I’m writing is my personal opinion and can differ from your opinion about those devices.

I got the chance from the sponsor “Sennheiser” to test a different headset every day while also having some Skype meetings during the week. I promised to test the devices and write a report about them. To be honest, for the past years I’ve been using my Bose in-ear noise-cancelling headphones almost every day and I am more than happy with them. But since I am an open-minded person, I like to try and test other things. And the best part is, I didn’t have to buy them to test new devices.

    1. Headphone: Sennheiser SC 6×5 USB


Sound quality:

The quality of the sound is different. In a call, unwanted noises for the people who are talking and also background noises from the other attendees are filtered. Additionally, there is also a difference when you listen to music. These speakers are suitable for business and private.


The Headset has an S4B extender, with which you can answer a call, hang up and also adjust the volume + / -.


This headset has a very long cable. Especially when you pack the headset into your backpack, it can result in a mess. The reason for this long cable is that the headphone was originally planned to be used with a desktop tower, where you must plug the headphone into a USB port at the back of the tower. In my opinion, a modern workstation mostly has a USB port at the front of the computer. So there is only limited need for such a long cable.


If you are looking for a device to use permanently on the workstation at your office, this headset meets your needs. I used a Jabra headset at home for a long time and for many meetings. After testing this device and only taking the call and sound quality into consideration, I would definitely prefer the Sennheiser one. Since I always hated to deal with a mess of cable, I personally would buy the wireless version, which is also available in this series. Its token has a range of 100 meters.

    2. Headphone: Sennheiser MB660 uc ms


Sound quality:

The quality of sound is just amazing and also the call quality is on another level than I have ever heard before. This device has a noise-cancelling-function; as soon as you enable it, there is no more surround sound or click to hear – totally different to what I am used to from my Bose in-ear noise-cancelling headphones which I have been using for years. If you put the Bose in-ear noise-cancelling headphones and start the noise-cancelling-function, you still hear clicks and it also feels like a vacuum in your head. But with the MB660 it is completely different: It just starts and the noises around you just go away as if by magic.


The over-the-ear headset comes with a nice box to store anything in it. Furthermore, it has a jack cable and also a USB dongle for a Bluetooth connection in case your device has no BT. I also had a talk with the seller at the booth about this dongle, especially about why we need it, since nowadays every tablet or notebook already has BT. He explained to me that the transport of the voice from the headphone to the computer is encrypted with this BT connection and that it is not possible to take it over and listen to the conversation. This means that you can use regular BT for listening to music, and for business calls you can use the connection with the dongle.


There is also no handling needed with cables since it is wireless. On the side of the right ear shell you have touch to volume up and down and on the left ear shell you can change the sound optimization for call, disco, cinema and so on. You get also a 2mono jack connector to stereo, as we all know from the airplanes.



In a nutshell, if you travel sometimes by plane and also want to use the headset for working or maybe traveling by train and also want to use it for fun in your private vacation time, this is one of my favorites since it really is an all-in set.

Maybe I can test some other device from Sennheiser in the future and post some information about them. I really like what they produce!


Onboarding Clients to WDATP with Intune

Hi all,

I had a Theater Session at Ignite 2018 about how to onboard Clients and Servers to WDATP (Windows Defender Advanced Threat Protection). During this session, I asked the audience if they wanted to have a 20-minute demo session or just have a look at the slides. The choice was clear: Everyone voted for the demo session.

Personally, I like to have sessions which are fully packed with demos. In these sessions you learn the most, but in this case the story for a session gets lost and also the jokes during the session are difficult to make.

If you would like to watch the session first, here we go:

How to onboard your clients to Windows Defender Advanced Threat Protection  – THR3088


Please consider, that there are some changes for onboarding (around minute 9:00) since it is the explanation about onboarding with Intune. Especially in minute 11:30, the explanation is for the new material that I will write down here.

In the Intune Version for Microsoft Intune – Week of October 1, 2018:

Have a look at

Here we have some new information in Intune:

Log in to your Intune Tenant over the and click on Intune / Device compliance / Windows Defender ATP.

As you saw in the session, you have to connect your Intune to the Security Center first and afterwards you can see the connection status “Available”. When you are connected, you can also see the doughnut chart which informs you about devices without ATP agent.


When you click on the link “Create a device configuration profile to configure the ATP Agent” below the doughnut chart, you will be routed directly to the Intune / Device configuration / Profiles where you can perform the following steps:

    1. Create a new profile
    2. Choose a name
    3. Select the platform “Windows10 and later”
    4. Select the profile type “Windows Def ATP”
    5. Select “Configure”


As you can see, you don’t have to upload the Intune Onboarding script anymore since the only two options are “Sample sharing for all files” and “Expedite telemetry reporting frequency”. Just enable both and that’s it.

To onboard every client to your environment, you just have to assign the profile to a device group or all device groups.

If you now have a look at your old profile with the onboarding file, you can still see the file you uploaded there, but there is no longer a need to use it. Once you have the new profile assigned to all your devices, you can easily delete the old profile.


It is now very easy, right?

But please test it out, so it is really running in your production, before you delete the old profile.

Hope it helps and saves you some time to have a beer….


Community HUB in Technical Preview

Config Manager TP1809/1810 has a new Community Hub. This means that community members have the possibility to share PowerShell scripts with each other.

More will be coming in the future, such as CIs and reports that you can upload and share with others. It’s pretty cool that you can share stuff in SCCM directly.

By the way, this blog post was written with the CB TP1810 version; the final version may have some differences.


Right now, Microsoft only supports authentication of users that are in the MSFT AAD tenant. So only the MVPs and Microsoft field employees can upload scripts!

Here I like to start showing you the new Feature to help sharing to the Community. (wait for the final version)

You can have a look into your existing script library, add a new script or make sure you have an approved script in the library:


As a second step you can click on the Community Workspace and select “Hub”:


Here you can see the scripts which are already published by other community members.

(By the way you can see that I was the first who submitted a script :-))

The next step is to log in with your AAD or MSFT (later also Live ID) account by clicking the “Sign in” button in the upper right corner. A window pops up, similar to the one that logs you in to the Azure portal.

As a next step, you can upload your approved script from your library by selecting “My Hub” and then choosing “Add an item”.


A new window will pop up where you can select the approved script from your SCCM repository.

Tip: At the moment you can only select “Scripts”, but more options such as CIs and reports are coming in the future.

Use the “Browse” button to find the script you would like to share. A new window will pop up:

It’s important to know that you will only see approved scripts!

Select the script you would like to upload and click “OK”. You will be redirected to the previous window. Enter a name for the script and don’t forget to fill in a description. Otherwise the upload will fail.

If you select the option “Keep It Private”, the script will only show up in your console. You have to log in with your account first; then you see it in the “Home” tab together with all the other scripts, or, if you select “My Hub”, you see only your scripts.

“Keep It Private” means you are the only one who can see your script, but you have to log in first:

Open the Console and go to Community / Hub

Without login it looks like this (you can only see all the Public scripts):


Login and select “My Hub”:

And when you are logged in, the “Home” tab shows all scripts (public and yours):

After this little explanation we go back to the next step…

Now you can select the script that you like:


(the “Q & A” and the “Ratings & Reviews” are in “coming soon” status)

When you select “Download” the script will show up in your script repository.


In the end you can go back to the Software Library and check if the script is there:

Check the name, the approval state (“Waiting for Approval”) and also have a look at the date. The account is always the one you used to log in to the console.

As a last step, approve the script and use it.

Hope this helps to save some time which you can use for other tasks or to enjoy a beer

Normally I write “test it first”, but this feature is still in TP, which means it’s only for testing.



How to remove Apps from the Microsoft Store for Business

Since the Store for Business is in place I use it often, but there is one thing I really don’t like about it: you can add as many apps (free and paid) as you like to the Private Store for your employees, but removing any of those apps from the Private Store is not implemented with a simple “remove” button.

But wait, there is a way to remove those apps from your Private Store, to keep it clean and manage only the apps you really need, not apps you added by a wrong selection.

Here is how to remove an app from the Private Store in the Microsoft Store for Business:

  1. Login to the with your global admin Credentials
  2. Go to Manage -> Products & services and look for the app you would like to remove
  3. Select the app and:

a. Check the user assignment; it should be empty, otherwise you have to delete the assignment

b. Also check that the app is no longer in any Private Store collection

4. Next, go to Order History and find your app

5. Select the Order Link on the App

6. Now you can see the App Details and in the Actions column select Refund


7. This will show you a pop up message where you can “refund” the App

8. After that the status of the Order Details changes to:

Order # df583b22-367f-42a3-8aaf-ea8744532e6b, Status: Refunded, Purchased by: Mirko Colemberg

9. Finally your app is gone from the Private Store

Happy testing, and be careful: sometimes a “delete” (refund) job takes overnight to remove the app from your store. There is no need to refund it again and again, just wait 24h. 🙂

Hope it helps to clean up your Private Store, have fun and enjoy a beer


Windows Autopilot – Full automation for devices where you don’t have the HashID (new or existing)

Hi All

In this blog post I would like to share my solution for adding devices that were ordered from a vendor/OEM without getting the HashID from the vendor directly into the Microsoft Store for Business or Intune.

There are still some vendors and OEMs that are not able to provide the HashID to you as a customer so that you can upload the information into MSfB / Intune and assign an Autopilot profile. This was the reason for me to create this blog, especially as I have some projects where the customers ordered many devices and would like to use the easy setup in the OOBE phase with Autopilot and all the enrollment goodies.

While I was writing this blog post, Michael Niehaus published a new version of the Autopilot PowerShell module; it is now version 2.1, from here:

I had been writing all the steps down, and then I found a new way to upload the data to Intune.

The big reason for this effort is simple: if you use the fantastic script and module from Niehaus, you have to log in with an account to get access to the Intune Graph API for uploading the information to Intune. My biggest concern was to have no account information in a script, and no plain-text password details either. That is why I created the solution with Azure Automation, to store the account and the password there.

In the end you can create a bootable USB stick that loads a real Windows 10 (WinPE or boot images do not work for getting the HashID). You can easily add a shutdown to the script, so that when the OS is shutting down you know the information is stored in Azure Blob storage. To finish, we just automate the rest.

I hope that is interesting enough to read this Blog, have fun …


    1. Devices must be registered to the organization
    2. Company branding needs to be configured
    3. Network connectivity to cloud services used by Windows Autopilot
    4. Devices must be pre-installed with Windows 10 Professional, Enterprise or Education, version 1703 or later
    5. Devices must have access to the internet
    6. Azure AD Premium P1 or P2
    7. Users must be allowed to join devices into Azure AD
    8. Microsoft Intune or other MDM services to manage your devices

UPDATE: A few weeks after this blog went online, a friend sent me the hand-created picture as a JPG and also as a Visio file; here are the downloads for you,
and BIG THX to Pascal Vis from the Netherlands.
Click here for the Files

      1. Implementing automation for harvesting HashIDs from the devices and storing them in an Azure Blob container
      2. Create an automation process to load the information directly to Intune
      3. Automate the assignment of an Autopilot profile to a device group
      4. Create a Bootable Media to start the automation from an Out of the Box Device
      5. Some details and configs in Intune that help you later on

  1. Implementing Automation from Harvesting HashID’s from the Devices

First, I prepare my Azure tenant to use some services that help me automate grabbing the HashID from the devices.

For this I found the blog post from Peter van der Woude as a starting point: Thank you Peter for sharing this example.

During some research for this blog post I also stumbled upon another blog from Oliver Kieselbach; thank you Oliver

I used these two blogs as my inspiration and got the following result!

Step by step:

1.1 Add Azure Blob Storage

1.2 Configure Blob Storage and Container and grab the keys we need

1.3 Copy the script to use

1.4 Run the script and see what happens

1.1 Add Azure Blob Storage

Open the Azure portal and navigate to Storage accounts

Open storage accounts and add a new one

Configure it, give it a good name, CREATE

Secure Transfer required = YES

Save the storage account name; we need it in the variable $StorageAccountName = "autopilotinfos"

1.2 Configure Blob Storage and Container for our Use

Open the Blob Storage and add a Container

Save the name of the container; we need it as the variable $ContainerName = "collectcsv"

Go back to the Storage and open the Access Keys and copy the Key

Save the access key of key1; we need it as the variable $StorageAccountKey = "blablablajaddajadda"

1.3 Copy the script to use

Copy the script from GitHub and add your keys and links:

(to run this script, the computer needs Internet access to download the modules!)

Change the <StorageAccountKey>

Change the <StorageAccountName>

Change the <ContainerName>

1.4 Run the script and see what happens

Run the script with elevated rights using the following command:

powershell -executionPolicy bypass -file "AutoPilotInformation_to_AzureBlob.ps1"

The result should show you one or many files in the container.

You can also open the script in PowerShell ISE, load all the variables and run:

Get-AzureStorageBlob -Container $ContainerName -Context $ctx | Select Name

Then you should see the file.
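The harvesting script carries $StorageAccountKey on every USB stick, and that key gives full control over the whole storage account. As an added example (not the author's GitHub script), the sketch below uploads the same CSV with a write-only, time-limited container SAS instead; the function names, the 7-day lifetime and the file path are assumptions.

```powershell
# Added example: not the author's AutoPilotInformation_to_AzureBlob.ps1.
# Function names, the 7-day lifetime and the file path are assumptions.

# --- Admin workstation: the account key never leaves this machine -----------
function New-UploadOnlySas {
    param(
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $StorageAccountKey,
        [Parameter(Mandatory)] [string] $ContainerName,
        [int] $ValidDays = 7
    )
    Import-Module Azure.Storage
    $ctx    = New-AzureStorageContext -StorageAccountName $StorageAccountName `
                                      -StorageAccountKey $StorageAccountKey
    $expiry = (Get-Date).ToUniversalTime().AddDays($ValidDays)
    # Permission "w" only: the token can write blobs into this one container,
    # but cannot list, read or delete what other devices uploaded.
    New-AzureStorageContainerSASToken -Name $ContainerName -Permission w `
        -Protocol HttpsOnly -ExpiryTime $expiry -Context $ctx
}

# --- Device (full Windows 10, elevated): collect serial number and hash -----
function Get-AutopilotHashRow {
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $detail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap `
                              -ClassName MDM_DevDetail_Ext01 `
                              -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $detail -or -not $detail.DeviceHardwareData) {
        throw 'Hardware hash not available (not elevated, or not a full Windows 10).'
    }
    # Same column names the import side reads from the CSV.
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $detail.DeviceHardwareData
    }
}

# --- Device: upload with the SAS; no storage module and no account key ------
function Send-AutopilotCsv {
    param(
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $ContainerName,
        [Parameter(Mandatory)] [string] $SasToken,
        [Parameter(Mandatory)] [string] $CsvPath
    )
    # Refuse a token that grants more than the stick needs (read, delete, list).
    $sp = [regex]::Match($SasToken, '(?:^|[?&])sp=([a-z]+)').Groups[1].Value
    if (-not $sp -or $sp -match '[rdl]') {
        throw "SAS permissions '$sp' are missing or wider than write-only."
    }
    $blobName = [uri]::EscapeDataString((Split-Path -Path $CsvPath -Leaf))
    $uri = "https://${StorageAccountName}.blob.core.windows.net/" +
           "$ContainerName/$blobName" + '?' + $SasToken.TrimStart('?')
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    # Put Blob: the x-ms-blob-type header is required for a block blob upload.
    Invoke-RestMethod -Method Put -Uri $uri -InFile $CsvPath `
        -Headers @{ 'x-ms-blob-type' = 'BlockBlob' } | Out-Null
}

# Usage on the device (the token value is a placeholder, paste your own):
#   $csv = Join-Path $env:TEMP "$env:COMPUTERNAME.csv"
#   Get-AutopilotHashRow | Export-Csv -Path $csv -NoTypeInformation
#   Send-AutopilotCsv -StorageAccountName 'autopilotinfos' -ContainerName 'collectcsv' `
#       -SasToken '<write-only SAS token>' -CsvPath $csv
```

A write-only token can still overwrite a blob of the same name, and the import side keeps its own credentials for reading and deleting the files.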

  2. Create an automation process to load the device information directly to Intune

In the next steps we would like to load the CSV files into Intune through the Graph API; for this we use Azure Automation.

Here is my step by Step:

2.1 Create an Azure Automation Account

2.2 Create the Automation Account (Service)

2.3. Adding the PowerShell Modules to the RunBook

2.4 Import the Script

2.1 First we must create an Automation Account

Add a new one and give it a name (AutopilotImport)

Refresh the page and the AutopilotImport account should be visible; open it.

2.2 Create the Automation Account (Service)

For this you can use a separate account or a Global Admin account. Once you add the password in the credential area, there is no way to see that password again; it is hidden.

That’s why I just used a global Admin Account

Add this account information to the credentials in the Azure Automation account

If you would like to use a service account with maximum rights:

First we have to create an account in AAD that is used only to import the CSV file; those are the only rights this “service” account needs.


We create this account as a regular User. Do not forget to copy the Password.

The next step is to go to the Intune blade and create an Intune role.

Create a role with the following rights:

[Screenshots of the custom role permissions: Enrollment programs 10 / 13 permissions enabled, Corporate device identifiers 3 / 4 permissions enabled, Device enrollment managers 2 / 2 permissions enabled; the last screenshot shows the Managed devices permissions Delete, Read and Update.]

Assign that Role to the Usergroup where our Service User is placed.

Then we log in at the Graph website to check the permissions.

Add this account information to the Credentials in the Azure Automation Account instead of the Global Admin Account


2.3. Adding the PowerShell Modules to the RunBook

Add the Module to your RunBook


We need all these modules:

    • WindowsAutoPilotIntune
    • AzureAD
    • AzureAD.Storage
    • Azure
    • AzureRM.Storage

In the end you can see the modules in the Modules tab; WindowsAutoPilotIntune should be in version 2.1 (at the time this blog was written)

2.4 Import the Script

Get the script from the GitHub repository:

(this script is working and was exported from my Azure Automation account; just fill in the variables to change, then import it to your tenant and try it)

Be careful to change the variables that are highlighted in the script, so that the runbook really works.

During the import of a device we create a JSON on the fly, which allows a little trick: we can define a field ourselves and later, when we create the dynamic group, query this property.

The property is called “orderIdentifier”; if you would like to change it, it is at the very end of the script:

[Screenshot of the JSON template at the end of the script, with the fields "serialNumber", "productKey" and "orderIdentifier": "Import_existing"]

This is how it looks in the Intune Windows enrollment console:

[Screenshot: device list in which the DEPLOYMENT GROUP column shows Import_existing]

“Update: we now have the option to convert the CSV file directly to a JSON file and upload it that way; this is a cmdlet in the AutopilotInformation Module 2.1 script.” This is already integrated in the script I wrote.
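The CSV files in the container can be written by anyone who holds the storage key from the USB stick, so the runbook should treat their values as untrusted input before it builds the import JSON with its Intune rights. The following added example (not the runbook from the author's repository) validates each row and serializes it with ConvertTo-Json instead of a text template; the function names, the validation limits and the sample rows are assumptions, and hardwareIdentifier and @odata.type are the Graph resource's field names rather than ones shown on this page.

```powershell
# Added example: not the author's runbook. Function names, validation limits
# and the sample rows below are constructed for illustration.

function Test-AutopilotRow {
    # Returns a list of problems; an empty result means the row is acceptable.
    param([Parameter(Mandatory)] $Row)
    $problems = @()
    $sn   = [string]$Row.'Device Serial Number'
    $wpk  = [string]$Row.'Windows Product ID'
    $hash = [string]$Row.'Hardware Hash'

    # Assumed limits: serial numbers are short and use a small character set.
    if ($sn -notmatch '^[A-Za-z0-9][A-Za-z0-9 ._/-]{0,63}$') {
        $problems += 'serial number has unexpected characters or length'
    }
    if ($wpk -and $wpk -notmatch '^[A-Za-z0-9-]{1,64}$') {
        $problems += 'product ID has unexpected characters or length'
    }
    if (-not $hash) {
        $problems += 'hardware hash is empty'
    } elseif ($hash.Length -gt 16384) {
        $problems += 'hardware hash is longer than expected'
    } else {
        try   { [void][Convert]::FromBase64String($hash) }
        catch { $problems += 'hardware hash is not valid Base64' }
    }
    $problems
}

function ConvertTo-AutopilotImportJson {
    param(
        [Parameter(Mandatory)] $Row,
        [string] $OrderIdentifier = 'Import_existing'   # value used on this page
    )
    # ConvertTo-Json escapes quotes and control characters, so a CSV value can
    # never add or change a field the way it could inside a text template.
    $body = [ordered]@{
        '@odata.type'      = '#microsoft.graph.importedWindowsAutopilotDeviceIdentity'
        orderIdentifier    = $OrderIdentifier
        serialNumber       = [string]$Row.'Device Serial Number'
        productKey         = [string]$Row.'Windows Product ID'
        hardwareIdentifier = [string]$Row.'Hardware Hash'
    }
    $body | ConvertTo-Json -Compress
}

function Convert-AutopilotCsvRows {
    # One result object per row: accepted rows carry the JSON body,
    # rejected rows carry the reasons and are never sent anywhere.
    param([Parameter(Mandatory)] $Rows)
    foreach ($row in $Rows) {
        $problems = @(Test-AutopilotRow -Row $row)
        if ($problems.Count -gt 0) {
            [pscustomobject]@{
                Serial   = [string]$row.'Device Serial Number'
                Accepted = $false
                Detail   = $problems -join '; '
            }
        } else {
            [pscustomobject]@{
                Serial   = [string]$row.'Device Serial Number'
                Accepted = $true
                Detail   = ConvertTo-AutopilotImportJson -Row $row
            }
        }
    }
}

# Constructed sample: one well-formed row and two malformed ones.
# The "hash" is 64 zero bytes in Base64, a stand-in for a real hardware hash.
$standInHash = [Convert]::ToBase64String((New-Object byte[] 64))
$sampleCsv = @"
"Device Serial Number","Windows Product ID","Hardware Hash"
"SN-CONSTRUCTED-001","","$standInHash"
"BAD""SERIAL","","$standInHash"
"SN-CONSTRUCTED-003","","not base64 !!"
"@

$results = Convert-AutopilotCsvRows -Rows ($sampleCsv | ConvertFrom-Csv)
$results | Format-List
```

Only the first row is accepted; in a runbook, the rejected rows would be logged and their blobs left in place for review rather than imported.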

  3. Create an automation process to load the information directly to Intune

In this area we add the script that imports the CSV files to Intune through the Graph API

Here is my step by Step:

3.1 Adding a RunBook to the Automation account

3.2 Testing the Runbook

3.3 Configure a Schedule when the Runbook is running


3.1 Adding a RunBook to the Automation account

Creating the runbook is simple:

Add a runbook, give it a name and select the runbook type:

After you select the Create button, the properties of the created runbook should open:

Go ahead and select Edit.

This opens the workflow editor. (I went with a workflow because it is better for troubleshooting: in case you get errors, just add Write-Output with the variable to the script, and you can see the value in the workflow ;-))

Just copy and paste the script from GitHub, then save and publish it:

In the end you can use the test pane, to run it and test it.

3.2 Testing the Runbook

To test the script, just press Start; in the middle of the window you can see what is going on:

As the end result you should see “Completed”, without any errors

And your blob should be gone:

3.3 Configure a Schedule when the Runbook is running

On the Runbook itself you can set a schedule:



I just run it every hour:


  4. Automate the assignment of an Autopilot profile to a device group

In this part we go to Azure AD and create a new group; you can choose the name according to your naming concept, or feel free to use mine.

This will be a dynamic device group, so that we can select on the property we set during the import of the CSV file in step 2.4 of this blog post.

I go to Azure AD and create a group with an assignment; I like to add the devices by script and use different groups for different Autopilot profiles.

Here is my step by Step:

4.1 Create Azure AD Group

4.2 Create and Assign an Autopilot Profile

4.1 Create Azure AD Group

Go to your Azure Active Directory and select Groups.

Creating a new group:

  1. Group type: Security
  2. Group description: Intune dynamic Autopilot Group for Users
  3. Membership type: Dynamic Device
  4. Dynamic device members: Add dynamic query

As you can see, this is not a standard property but a sub-property of devicePhysicalIds, so you need a copy & paste statement.

Select Advanced rule and enter:

(device.devicePhysicalIds -any _ -eq "[OrderID]:Import_existing")

The OrderID is the "orderIdentifier", and "Import_existing" is the value we added for it.


It should be a Security group with a name from your naming concept; do not assign or select any members.

Here we have an article from M. Niehaus about this:

If you created the query correctly and everything works, you should see the newly added Autopilot devices as members of the group (here, NUC02 in sg-DM-Autopilot-User).
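The group from step 4.1 can also be created and checked from PowerShell, which makes it easy to see whether the rule selects exactly the tagged devices. This is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK is installed and reuses the group name and tag shown above.

```powershell
# Added example, not from the original post.
# Assumes the Microsoft Graph PowerShell SDK modules named below are installed.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement

$GroupName = 'sg-DM-Autopilot-User'          # group name used in this post
$Tag       = '[OrderID]:Import_existing'     # physical ID written during the CSV import
$Rule      = "(device.devicePhysicalIds -any _ -eq `"$Tag`")"

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All' | Out-Null

# Create the dynamic security group only if it does not exist yet.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName `
        -Description 'Intune dynamic Autopilot Group for Users' `
        -SecurityEnabled -MailEnabled:$false -MailNickname $GroupName `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $Rule -MembershipRuleProcessingState 'On'
} elseif ($group.MembershipRule -ne $Rule) {
    Write-Warning "Existing rule differs: $($group.MembershipRule)"
}

# Devices that carry the tag, i.e. what the rule is supposed to select.
$expected = @(Get-MgDevice -All -Property Id, DisplayName, PhysicalIds |
    Where-Object { $_.PhysicalIds -contains $Tag })

# Current members. Dynamic rules are evaluated asynchronously, so a fresh
# import can take a while to show up here.
$actualIds = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object Id)

# Tagged devices that are not (yet) members.
$expected | Where-Object { $_.Id -notin $actualIds } |
    ForEach-Object { Write-Output "Pending:    $($_.DisplayName) ($($_.Id))" }

# Members without the tag would receive the Autopilot profile unintentionally.
$actualIds | Where-Object { $_ -notin $expected.Id } |
    ForEach-Object { Write-Warning "Unexpected member: $_" }
```

Because the Autopilot profile is assigned through this group, an unexpected member or a changed rule is worth investigating before new devices are enrolled.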

4.2 Create and Assign an Autopilot Profile

Go to your Intune blade, create an Autopilot profile under Device enrollment > Windows enrollment, and assign it to the group you created.

Select Deployment Profiles and create a new one. In my profile the deployment mode is User-Driven and devices join Azure AD as Azure AD joined.

We want a User-Driven profile, as mentioned when creating the group.

After creating the profile, we open it and add our created group under Assignments.

Copy the name of the group you assigned (sg-DM-Autopilot-User) for use in step 4.3 to extend the script.

5. Create Bootable Media to start the automation from an Out-of-the-Box Device

Use this link to create the bootable media with the Media Creation Tool:

In the end, start Windows from the stick and add the PowerShell script to the autorun.

Do not forget to set an auto shutdown at the very end of the script.

And then please set an autologin user.

How to do this step by step will be posted in another blog post.

6. Some details and configs in Intune that help you later on

Note on optimizing the CSV import via the Runbook:

You can also create a webhook for this Runbook and pass it as a parameter to the very first script. At the very end of that script you then call the webhook, which means the import runs as soon as the CSV file has been generated in the Blob Storage container 😉
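A sketch of that last step, as an added example that is not part of the original script: the upload script calls the Runbook's webhook once the CSV is in the container. The environment variable name `AUTOPILOT_WEBHOOK_URL`, the function name and the body fields are assumptions made for illustration.

```powershell
# Added example (not from the original post): trigger the import Runbook
# through its webhook as the last step of the upload script.
# Assumptions: the webhook URL is supplied in the AUTOPILOT_WEBHOOK_URL
# environment variable (hypothetical name); the body fields are made up.

function Start-ImportRunbook {
    param(
        [Parameter(Mandatory)] [string] $WebhookUrl,
        [Parameter(Mandatory)] [string] $BlobName
    )
    # The URL embeds the webhook's security token: require HTTPS, never log it.
    if ($WebhookUrl -notmatch '^https://') { throw 'Webhook URL must use HTTPS.' }

    $body = @{
        blobName  = $BlobName
        sentAtUtc = (Get-Date).ToUniversalTime().ToString('o')
    } | ConvertTo-Json

    # Azure Automation answers 202 Accepted with the IDs of the queued jobs;
    # Invoke-RestMethod throws on any non-success status code.
    $response = Invoke-RestMethod -Method Post -Uri $WebhookUrl -Body $body `
        -ContentType 'application/json' -TimeoutSec 30
    if (-not $response.JobIds) { throw 'Webhook returned no job ID.' }
    return $response.JobIds
}

$url = $env:AUTOPILOT_WEBHOOK_URL
if ([string]::IsNullOrWhiteSpace($url)) { throw 'AUTOPILOT_WEBHOOK_URL is not set.' }

$jobIds = Start-ImportRunbook -WebhookUrl $url -BlobName "$env:COMPUTERNAME.csv"
Write-Output "Import Runbook queued, job(s): $($jobIds -join ', ')"
```

The Runbook receives the posted JSON in `$WebhookData.RequestBody`. The webhook URL is shown only once when the webhook is created and works like a credential, so give the webhook an expiry date and keep the URL out of scripts stored on shared boot media.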

Overview about Autopilot:

Referencing Groups Properties in group Queries:

Inspiration for the Blob (Thank you Peter):

Details from the Intune PoSh sample repo:



PoSh Module from Niehaus:

Ideas for the Storage creation:

Test it before you use it; this post is provided "as is".

Hope it helps and saves you some time to have a Beer….

(Some Thx to Dave Falkus and Athi Kugaseelan)

