Windows Autopilot – Full automation for devices where you don’t have the HashID (new or existing)

Hi All

In this blog post I want to share my solution for adding devices that were ordered from a vendor/OEM, without getting the hardware hash (the HashID) from the vendor, directly into the Microsoft Store for Business (MSfB) or Intune.

There are still vendors and OEMs that cannot deliver the HashID to you as the customer, so you cannot upload the information to MSfB/Intune and assign an Autopilot profile. That was the reason for writing this post, especially because I have projects where customers ordered many devices and want the easy setup in the OOBE phase with Autopilot and all the enrollment goodies.

While I was writing this post, Michael Niehaus published a new version of the Autopilot PowerShell module, now version 2.1:

https://www.powershellgallery.com/packages/WindowsAutoPilotIntune/2.1

I had already written all the steps down, and then found a new way to upload the data to Intune.

The big reason for this effort is simple: if you use the fantastic script and module from Niehaus, you have to sign in with an account to get access to the Intune Graph API for uploading the information. My biggest pain was that I did not want account information, and certainly no plaintext password, inside a script. That is why I built the solution around Azure Automation: the account and its password are stored there as an encrypted credential asset and are only handed to the runbook at run time.

At the end you can create a bootable USB stick that boots a real Windows 10 (WinPE or boot images do not work, because the WMI class that exposes the hardware hash is not available there). You can add a shutdown at the end of the script, and when the OS shuts down you know the information has been stored in an Azure Blob Storage container. The rest is automated from there.

I hope that is interesting enough to read this Blog, have fun …

Prerequisites

    1. Devices must be registered to the organization
    2. Company branding needs to be configured
    3. Network connectivity to the cloud services used by Windows Autopilot
    4. Devices must come pre-installed with Windows 10 Professional, Enterprise or Education, version 1703 or later
    5. Devices must have access to the internet
    6. Azure AD Premium P1 or P2
    7. Users must be allowed to join devices to Azure AD
    8. Microsoft Intune or another MDM service to manage your devices

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot

[Figure: hand-drawn architecture overview. The device writes its CSV to an Azure Blob Storage container (authenticated with the storage access key); an Azure Automation runbook loads the CSV files from the container into Intune Autopilot.]

UPDATE: A few weeks after this post went online, a friend sent me the hand-drawn picture as a JPG and also as a Visio file; here are the downloads for you, and a BIG THX to Pascal Vis from the Netherlands.
Click here for the Files

      1. Implement the automation that harvests the HashIDs from the devices and stores them in an Azure Blob container
      2. Create the Azure Automation account, service account and modules needed to load the information into Intune
      3. Create the runbook that imports the CSV files into Intune
      4. Automate the assignment of an Autopilot profile to a device group
      5. Create bootable media to start the automation on an out-of-the-box device
      6. Some details and configs in Intune that help you later on

  1. Implementing the automation that harvests the HashIDs from the devices

First I prepare my Azure tenant with the services that help me automate grabbing the HashID from the devices.

As a starting point I found this blog post from Peter van der Woude: https://www.petervanderwoude.nl/post/get-windows-autopilot-device-information-of-microsoft-intune-managed-devices/ Thank you Peter for sharing this example.

During the research for this post I also stumbled into another blog from Oliver Kieselbach: https://oliverkieselbach.com/2017/11/16/gather-windows-10-autopilot-info-in-azure-blob-storage-during-wipe-and-reload/ Thank you Oliver.

I used these two blogs as my inspiration and got the following result!

Step by step:

1.1 Add Azure Blob Storage

1.2 Configure the Blob Storage and container and grab the keys we need

1.3 Copy the script and fill in the variables

1.4 Run the script and see what happens

1.1 Add Azure Blob Storage

Open the Azure portal and navigate to Storage accounts

Open storage accounts and add a new one

Configure it, give it a good name, CREATE

[Screenshot: Create storage account blade: name autopilotinfos, deployment model Resource manager, account kind Blob storage, location West Europe, replication Locally redundant storage (LRS), performance Standard, access tier Cool, Secure transfer required Enabled, resource group SCCMProd]

Secure transfer required = Enabled (this rejects plain HTTP, so the key and the CSV files only travel over HTTPS)

Save the storage account name, we need it in the variable $StorageAccountName = "autopilotinfos"

1.2 Configure Blob Storage and Container for our Use

Open the Blob Storage and add a Container

[Screenshot: storage account autopilotinfos > Containers > New container: name collectcsv, public access level Private (no anonymous access)]

Save the name of the container, we need it as the variable $ContainerName = "collectcsv"

Go back to the storage account, open Access keys and copy the key

[Screenshot: Access keys blade for autopilotinfos showing key1 and key2 with their connection strings. The portal's own note on that page: store your access keys securely (for example in Azure Key Vault), do not share them, regenerate them regularly; two keys are provided so you can keep working with one while regenerating the other.]

Save the access key of key1, we need it as the variable $StorageAccountKey = "blablablajaddajadda"

Be aware what this key is: it grants full read, write and delete access to everything in the storage account, and in step 1.3 it ends up in clear text inside a script that later lives on a bootable USB stick. Regenerate key1 after the rollout (key2 keeps working while you do), and if you can, give the devices a shared access signature that is limited to writing into the collectcsv container and expires, instead of the account key.

1.3 Copy the script and fill in the variables

Copy the script from GitHub and add your keys and names:

https://github.com/slaet/IntuneScripts/blob/master/AutoPilotInformation_to_AzureBlob.ps1

(to run this script the computer needs internet access to download the Azure PowerShell modules!)

Change the <StorageAccountKey>

Change the <StorageAccountName>

Change the <ContainerName>

1.4 Run the script and see what happens

Run the script with elevated rights (the hardware hash is read from a WMI class that requires administrator rights) using the following command:

powershell -ExecutionPolicy Bypass -File "AutoPilotInformation_to_AzureBlob.ps1"

[Screenshot: elevated Windows PowerShell window installing the AzureRM package and its dependent packages such as AzureRM.Backup]

The result should be one or more files in the container

[Screenshot: container collectcsv with the blob NUC02.csv, block blob, about 8 KiB, access tier Hot (inferred), modified 7/4/2018]

You can also open the script in PowerShell ISE, load all the variables and run

Get-AzureStorageBlob -Container $ContainerName -Context $ctx | Select Name

The output lists the blob (NUC02.csv, BlockBlob, 8186 bytes, application/octet-stream) under the container URI https://autopilotinfos.blob.core.windows.net/collectcsv.

Then you should see the file.
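The following is an added example of the harvesting step, not the AutoPilotInformation_to_AzureBlob.ps1 script from the post's GitHub repository. It reads the hardware hash the same way Get-WindowsAutoPilotInfo does and uploads the CSV with a plain REST PUT, so the device needs no Azure modules. It assumes that an administrator generated a container-scoped, write-only, expiring SAS token (the commented New-AzureStorageContainerSASToken call) and pasted it into $SasToken; the storage account key itself never leaves the admin workstation. The Windows Product ID column is left empty, as the Get-WindowsAutoPilotInfo script did at the time.

```powershell
# Added example (not the post's script). Harvest the Autopilot hardware hash and
# upload it to Blob Storage using a write-only container SAS instead of the key.
# Must run elevated on a full Windows 10 install (the MDM WMI bridge is not in WinPE).

param(
    [string]$StorageAccountName = 'autopilotinfos',
    [string]$ContainerName      = 'collectcsv',
    # Placeholder: paste the SAS token generated by the admin-side command below (starts with "?sv=").
    [string]$SasToken           = '?sv=...&sr=c&sp=w&se=...&sig=...',
    [switch]$ShutdownWhenDone
)

# --- Admin side (run once on an admin workstation with the Azure.Storage module, NOT on the device) ---
# $ctx = New-AzureStorageContext -StorageAccountName 'autopilotinfos' -StorageAccountKey '<key1>'
# $sas = New-AzureStorageContainerSASToken -Name 'collectcsv' -Permission w -ExpiryTime (Get-Date).AddDays(14) -Context $ctx
# The resulting $sas only allows writing blobs into collectcsv until the expiry time.

function Get-AutopilotDeviceRecord {
    # Serial number from the SMBIOS table, hardware hash from the MDM bridge class;
    # these are the two values Intune needs, in the CSV columns Get-WindowsAutoPilotInfo uses.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $dev = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $dev -or [string]::IsNullOrEmpty($dev.DeviceHardwareData)) {
        throw 'No hardware hash returned: run elevated on a full Windows 10 install, not WinPE.'
    }
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''                      # optional, left empty
        'Hardware Hash'        = $dev.DeviceHardwareData  # already base64
    }
}

function Send-CsvToBlob {
    param([string]$FilePath, [string]$BlobName)
    # Put Blob via the REST API: the SAS in the query string is the only credential,
    # and with permission "w" it cannot read or delete what other devices uploaded.
    $uri   = "https://$StorageAccountName.blob.core.windows.net/$ContainerName/$BlobName$SasToken"
    $bytes = [System.IO.File]::ReadAllBytes($FilePath)
    Invoke-RestMethod -Method Put -Uri $uri -Body $bytes -ContentType 'text/csv' `
        -Headers @{ 'x-ms-blob-type' = 'BlockBlob' } | Out-Null
}

$record = Get-AutopilotDeviceRecord
# The blob name is derived from the serial number; strip anything unsafe in a URL path.
$safeName = ($record.'Device Serial Number' -replace '[^A-Za-z0-9_.-]', '_')
$csvPath  = Join-Path $env:TEMP "$safeName.csv"
$record | Export-Csv -Path $csvPath -NoTypeInformation -Encoding ASCII
Send-CsvToBlob -FilePath $csvPath -BlobName "$safeName.csv"
Write-Output "Uploaded $safeName.csv to container $ContainerName"

# The post suggests shutting the device down as the last step of the harvest.
if ($ShutdownWhenDone) { Stop-Computer -Force }
```

Run it the same way as the post's script (elevated, with -ExecutionPolicy Bypass); add -ShutdownWhenDone when it runs from the bootable stick. If a stick is lost, the only thing on it is a SAS that expires and can only create blobs, which is a much smaller problem than a leaked storage account key.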

  2. Create the Azure Automation account that loads the device information directly into Intune

In the next steps we load the CSV files into Intune through the Graph API; for this we use Azure Automation.

Here is my step by step:

2.1 Create an Azure Automation account

2.2 Create the service account and store its credential

2.3 Add the PowerShell modules to the Automation account

2.4 Import the script

2.1 First we must create an Automation account

Add a new one and give it a name (AutopilotImport)

[Screenshot: Add Automation Account: name AutopilotImport, subscription, resource group (create new or use existing), location West Europe, Create Azure Run As account: Yes]

Refresh the page and the AutopilotImport account becomes visible

2.2 Create the service account and store its credential

For this you can use a separate account or a Global Admin account. Once you save the password in the Credentials area of the Automation account it cannot be displayed again in the portal. Be aware that it is still usable: any runbook in the account can fetch it with Get-AutomationPSCredential, so everyone who can edit or start runbooks in this Automation account effectively holds that account's rights. With a Global Admin that is the whole tenant, which is why the least-privilege service account described below is the better choice.

I just used a Global Admin account to get started.

Add this account information to the credentials of the Azure Automation account

[Screenshot: Automation account AutopilotImport > Shared resources > Credentials: "No credentials found", Add a credential]

[Screenshot: New Credential: name AutopilotService, description, user name, password, confirm password]

If you prefer a service account with the minimum rights (recommended):

First we create an account in AAD that is used only to import the CSV files; the rights listed below are the only ones this "service" account needs.

[Screenshot: new Azure AD user: name AutopilotImport, user name API@colemberg.ch, directory role User, job title Service Account, department Services]

We create this account as a regular user. Do not forget to copy the password.

The next step is to go to the Intune blade and create an Intune role:

[Screenshot: Microsoft Intune > Intune roles > All roles (Policy and Profile manager, School Administrator, Help Desk Operator, Application Manager, Read Only Operator, Intune Role Administrator) > Add custom role > Permissions]

Create a role with the following permissions (everything not listed stays at 0):

    • Enrollment programs: 10 of 13 permissions enabled (the available ones are device create/delete/read/sync, profile assign/create/delete/read/update and token create/delete/read/update)
    • Corporate device identifiers: 3 of 4 permissions enabled (Create, Delete, Update)
    • Device enrollment managers: 2 of 2 permissions enabled (including Update)
    • Managed devices: Delete, Read, Update

Assign that role to the user group in which our service user is a member.

Then sign in to Graph Explorer with the service account to check the permissions it gets.

[Screenshot: Graph Explorer signed in as AutopilotImport (API@colemberg.ch), Modify Permissions list showing DeviceManagementConfiguration.Read.All / ReadWrite.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.Read.All / ReadWrite.All, DeviceManagementRBAC.Read.All / ReadWrite.All, DeviceManagementServiceConfig.Read.All / ReadWrite.All and Directory.AccessAsUser.All]

Add this account to the Credentials of the Azure Automation account instead of the Global Admin account

[Screenshot: credential AutopilotService, last modified 7/9/2018, user name API@colemberg.ch]

2.3 Add the PowerShell modules to the Automation account

The modules are imported into the Automation account (Shared resources > Modules gallery), not into a single runbook; every runbook in the account can then use them.

[Screenshot: AutopilotImport > Modules gallery, search result WindowsAutoPilotIntune, "Sample module to manage AutoPilot devices using the Intune Graph API"]

[Screenshot: WindowsAutoPilotIntune module page: created by mniehaus, version 2.1, last updated 7/7/2018; functions Get-AuthToken, Connect-AutoPilotIntune, Get-AutoPilotDevice, Remove-AutoPilotDevice, Get-AutoPilotImportedDevice, Add-AutoPilotImportedDevice, Remove-AutoPilotImportedDevice, Get-AutoPilotProfile, Get-AutoPilotOrganization, ConvertTo-AutoPilotConfigurationJSON, Import-AutoPilotCSV]

We need all of these modules:

    • WindowsAutoPilotIntune
    • AzureAD
    • Azure.Storage (a dependency of AzureRM.Storage)
    • Azure
    • AzureRM.Storage

In the end you can see the modules in the Modules tab; WindowsAutoPilotIntune should be version 2.1 (at the time this post was written)

[Screenshot: AutopilotImport > Modules: Azure.Storage, AzureRM.Automation, AzureRM.Compute, AzureRM.Profile, AzureRM.Resources, AzureRM.Sql, AzureRM.Storage, the Microsoft.PowerShell.* and Microsoft.WSMan.Management modules, OrchestratorAssetManagement.Cmdlets and WindowsAutoPilotIntune 2.1, all with status Available]

2.4 Import the script

Get the script from the GitHub repository:

https://github.com/slaet/IntuneScripts/blob/master/ImportCSVAutopilot.ps1

(this script is working and was exported from my Azure Automation account; just fill in the variables that need changing, then import it into your tenant and try it)

Be careful to change the variables that are highlighted in the script, otherwise the runbook will not work.

During the import of a device we create the JSON on the fly, and that gives us a little trick: we can define a field ourselves, and later on, when we create the dynamic group, we can query this property.

The property is called "orderIdentifier"; if you want to change it, it is at the very end of the script (excerpt of the JSON that is built from the CSV columns):

    "serialNumber": "$SN",
    "productKey": "$WPK",
    "orderIdentifier": "Import_existing"

This is how it looks in the Intune Windows enrollment console:

[Screenshot: Windows Autopilot devices list with the columns MANUFACTURER (Microsoft Corporation), DEPLOYMENT GROUP (Import_existing, Virtual Machine) and PROFILE STATUS (Not assigned / Assigned); the orderIdentifier value shows up as the deployment group.]

Update: with version 2.1 of the WindowsAutoPilotIntune module we can now convert the CSV file directly to JSON and upload it that way (see Import-AutoPilotCSV in the module's function list); this is already integrated in the script I wrote.
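The following is an added example of what the import runbook does, written for this post; it is not the ImportCSVAutopilot.ps1 from the GitHub repository and is written as a plain PowerShell runbook rather than the PowerShell Workflow type used in the post. It assumes an Automation credential asset named AutopilotService (the least-privilege service user from step 2.2) and an Automation variable asset named StorageAccountKey, both assumed names; the tenant domain, container name and orderIdentifier are the post's. It authenticates with the username/password grant against the well-known "Microsoft Intune PowerShell" client id, which only works if the service account has no MFA, so restrict that account with Conditional Access instead. The JSON field names follow the Graph beta importedWindowsAutopilotDeviceIdentity schema.

```powershell
# Added example of the import runbook (not the post's script). Reads every CSV in the
# container, builds one importedWindowsAutopilotDeviceIdentity per row, posts it to
# Graph and deletes the blob only after all rows were accepted.

param(
    [string]$StorageAccountName = 'autopilotinfos',
    [string]$ContainerName      = 'collectcsv',
    [string]$OrderIdentifier    = 'Import_existing',
    [string]$TenantDomain       = 'colemberg.ch'
)

# Well-known public client id of "Microsoft Intune PowerShell"; it has no secret.
$clientId = 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547'
$graphUri = 'https://graph.microsoft.com/beta/deviceManagement/importedWindowsAutopilotDeviceIdentities'

function Get-GraphAuthHeader {
    param([pscredential]$Credential)
    # Username/password (ROPC) grant for the stored service account. The password is
    # pulled from the credential asset at run time and never appears in the runbook text.
    $body = @{
        grant_type = 'password'
        client_id  = $clientId
        resource   = 'https://graph.microsoft.com'
        username   = $Credential.UserName
        password   = $Credential.GetNetworkCredential().Password
    }
    $token = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantDomain/oauth2/token" -Body $body
    @{ Authorization = "Bearer $($token.access_token)"; 'Content-Type' = 'application/json' }
}

function ConvertTo-AutopilotImportJson {
    param($Row, [string]$OrderId)
    # One CSV row becomes one import request. orderIdentifier is the tag the dynamic
    # device group matches later on as "[OrderID]:<value>" in devicePhysicalIds.
    if ([string]::IsNullOrWhiteSpace($Row.'Hardware Hash')) {
        throw "Row without hardware hash for serial '$($Row.'Device Serial Number')'"
    }
    [ordered]@{
        '@odata.type'      = '#microsoft.graph.importedWindowsAutopilotDeviceIdentity'
        orderIdentifier    = $OrderId
        serialNumber       = $Row.'Device Serial Number'
        productKey         = $Row.'Windows Product ID'
        hardwareIdentifier = $Row.'Hardware Hash'
        state              = @{
            '@odata.type'        = 'microsoft.graph.importedWindowsAutopilotDeviceIdentityState'
            deviceImportStatus   = 'pending'
            deviceRegistrationId = ''
            deviceErrorCode      = 0
            deviceErrorName      = ''
        }
    } | ConvertTo-Json -Depth 4
}

# Assets from the Automation account (assumed names); both cmdlets exist only inside Azure Automation.
$cred    = Get-AutomationPSCredential -Name 'AutopilotService'
$key     = Get-AutomationVariable -Name 'StorageAccountKey'
$headers = Get-GraphAuthHeader -Credential $cred
$ctx     = New-AzureStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $key

foreach ($blob in Get-AzureStorageBlob -Container $ContainerName -Context $ctx) {
    $local = Join-Path $env:TEMP $blob.Name
    Get-AzureStorageBlobContent -Container $ContainerName -Blob $blob.Name -Destination $local -Context $ctx -Force | Out-Null
    foreach ($row in Import-Csv -Path $local) {
        $json   = ConvertTo-AutopilotImportJson -Row $row -OrderId $OrderIdentifier
        $result = Invoke-RestMethod -Method Post -Uri $graphUri -Headers $headers -Body $json
        Write-Output "Imported $($row.'Device Serial Number') (import id $($result.id))"
    }
    # Delete the CSV only after every row was accepted; a failed POST throws above and
    # leaves the blob in place for the next scheduled run.
    Remove-AzureStorageBlob -Container $ContainerName -Blob $blob.Name -Context $ctx -Force
}
```

The import request only returns an id with deviceImportStatus "pending"; Intune processes the import asynchronously, so check Get-AutoPilotImportedDevice (or the Windows Autopilot devices list) a few minutes later for the real status.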

  3. Create the runbook that loads the information directly into Intune

In this part we add the script that imports the CSV files into Intune through the Graph API as a runbook.

Here is my step by step:

3.1 Add a runbook to the Automation account

3.2 Test the runbook

3.3 Configure a schedule for the runbook

3.1 Add a runbook to the Automation account

Creating the runbook is simple:

[Screenshot: Automation account AutopilotImport > Process automation > Runbooks > Add a runbook (Quick Create or Import); existing runbooks AutoPilotTest, TestAuth, testscript in status "In edit"]

Add a runbook, give it a name and select the runbook type:

[Screenshot: Add Runbook: name ImportAutopilotInfofromCSV, runbook type PowerShell Workflow, description "Import the information from a storage based CSV and import it to Intune"]

After you click Create, the properties of the new runbook open:

[Screenshot: runbook list with the new runbook in authoring status "In edit"]

Go ahead and select Edit

[Screenshot: runbook ImportAutopilotInfofromCSV overview: Edit, Schedule, Webhook, Start, View, Delete, Export; runbook type PowerShell Workflow, resource group SCCMProd, no jobs yet]

This opens the editor. (I chose a Workflow runbook because it is easier to troubleshoot: if you get errors, add a Write-Output of the variable in question and you can see its value in the job output.)

Just copy and paste the script from GitHub, save it and publish it:

[Screenshot: Edit PowerShell Workflow Runbook with the script: ADAL token acquisition through AuthenticationContext, building the Authorization: Bearer header from the returned access token, then a foreach over the files in the storage container that downloads each blob with Get-AzureStorageBlobContent, reads it with Import-CSV and builds the JSON from the 'Device Serial Number', 'Hardware Hash' and 'Windows Product ID' columns]

In the end you can use the Test pane to run and test it.

3.2 Test the runbook

To test the script just press Start; in the middle of the window you can follow what is going on:

[Screenshot: Test pane for ImportAutopilotInfofromCSV: Start/Stop/Suspend/Resume, no input parameters, run on Azure]

As the end result you should see Completed without any errors

[Screenshot: job output "Completed" followed by the echoed base64 hardware hash of the imported device]

And the blob should be gone from the container:

[Screenshot: container collectcsv: "No blobs found"]

3.3 Configure a schedule for the runbook

On the runbook itself you can set a schedule:

[Screenshot: runbook ImportCSVAutopilot overview with Schedule and Webhook buttons, runbook type PowerShell Workflow, location West Europe, last modified 7/14/2018]

I just run it every hour:

[Screenshot: Schedule Runbook > New Schedule: name "Run every Hour", starts 2018-07-14, Central European Time, recurrence Recurring every 1 hour, no expiration]

  4. Automate the assignment of an Autopilot profile to a device group

In this part we go to Azure AD and create a new group; choose the name according to your naming concept, or feel free to use mine.

This is a dynamic device group that selects on the property we set during the import of the CSV file in step 2.4 of this post.

I create the group in Azure AD with a dynamic membership rule, because I want the devices added by the script, and I use different groups for different Autopilot profiles.

Here is my step by Step:

4.1 Create Azure AD Group

4.2 Create and Assign an Autopilot Profile

4.1 Create Azure AD Group

Go to your Azure Active Directory and select Groups:

[Screenshot: Azure Active Directory > Groups > All groups > New group]

Creating a new group:

[Screenshot: New group: group type Security, group name sg-DM-Autopilot-User, description "Intune dynamic Autopilot group for users", membership type Dynamic Device, "Add dynamic query"]

devicePhysicalIds is not a simple single-valued property but a multi-valued one, so the simple rule editor cannot express the match; you need the advanced rule with a copy & paste statement:

[Screenshot: simple rule property list: accountEnabled, objectId, displayName, deviceOSType, deviceOSVersion, deviceCategory, deviceManufacturer, deviceModel, deviceOwnership, domainName, enrollmentProfileName, managementType, organizationalUnit, deviceId, devicePhysicalIds]

Select Advanced rule:

[Screenshot: advanced rule editor with the devicePhysicalIds -any rule]

(device.devicePhysicalIds -any _ -eq "[OrderID]:Import_existing")

Intune writes the orderIdentifier into the device's devicePhysicalIds with the prefix [OrderID]:, so the value we added, Import_existing, is what the rule matches. Use straight double quotes in the rule.

It should be a security group with a name from your naming concept; membership is dynamic, so do not add members by hand.

Here we have an article from M. Niehaus about this: https://blogs.technet.microsoft.com/mniehaus/2018/06/13/autopilot-profile-assignment-using-intune/

If you created the query right and everything works, you should see the newly imported Autopilot devices as members:

[Screenshot: sg-DM-Autopilot-User > Members: NUC02]
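An added example (not from the post) that creates the same dynamic device group from the AzureAD PowerShell module and then lists which devices actually carry the [OrderID]: tag, which is the quickest way to tell whether the rule or the import is what went wrong. It assumes Connect-AzureAD was already run with an account allowed to create groups and read devices; the group name and tag value are the post's, the helper names are mine.

```powershell
# Added example (not from the post): create the dynamic device group and verify the
# devicePhysicalIds tags the rule has to match. Requires the AzureAD module and a
# prior Connect-AzureAD.

$OrderIdValue = 'Import_existing'
$GroupName    = 'sg-DM-Autopilot-User'
# Exactly the advanced rule from the post, with straight double quotes.
$Rule = "(device.devicePhysicalIds -any _ -eq `"[OrderID]:$OrderIdValue`")"

function New-AutopilotDynamicGroup {
    param([string]$Name, [string]$MembershipRule)
    # Idempotent: return the existing group rather than creating a duplicate.
    $existing = Get-AzureADMSGroup -Filter "displayName eq '$Name'"
    if ($existing) { return $existing }
    New-AzureADMSGroup -DisplayName $Name `
        -Description "Autopilot devices imported with [OrderID]:$OrderIdValue" `
        -MailEnabled $false -MailNickname ($Name -replace '[^A-Za-z0-9]', '') -SecurityEnabled $true `
        -GroupTypes 'DynamicMembership' -MembershipRule $MembershipRule -MembershipRuleProcessingState 'On'
}

function Get-TaggedAutopilotDevices {
    param([string]$OrderId)
    # Registered Autopilot devices carry "[ZTDId]:<guid>" in devicePhysicalIds; the
    # "[OrderID]:<value>" entry is only there if the import set orderIdentifier.
    # Filtering locally shows the exact strings the dynamic rule must match.
    Get-AzureADDevice -All $true | Where-Object {
        $_.DevicePhysicalIds -contains "[OrderID]:$OrderId"
    } | Select-Object DisplayName, ObjectId,
        @{ n = 'ZTDId'; e = { $_.DevicePhysicalIds | Where-Object { $_ -match '^\[ZTDId\]:' } } }
}

$group = New-AutopilotDynamicGroup -Name $GroupName -MembershipRule $Rule
Write-Output "Group $($group.DisplayName) uses rule: $($group.MembershipRule)"

# Devices that should become members once the dynamic rule has been processed.
Get-TaggedAutopilotDevices -OrderId $OrderIdValue
```

If the device shows up in the second list but not in the group, the rule has simply not been processed yet (dynamic membership can lag by some minutes); if it does not show up in the list at all, the import either has not completed or did not set orderIdentifier.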

4.2 Create and assign an Autopilot profile

Go to the Intune blade, create an Autopilot profile and assign it to the group we created:

[Screenshot: Microsoft Intune > Device enrollment > Windows enrollment: Windows Hello for Business, CNAME Validation, Enrollment Status Page (Preview), Deployment Profiles (customize the Windows AutoPilot provisioning experience), Devices (manage Windows AutoPilot devices)]

Select Deployment Profiles and create a new one:

[Screenshot: Create profile: name AutomatesImportprofile, deployment mode User-Driven, join type Azure AD joined, OOBE settings: EULA and privacy settings hidden, user account type (Standard or Administrator); skip Work or Home usage selection, OEM registration and OneDrive configuration, and user authentication in OOBE are enabled automatically]

We create a user-driven profile, as intended when we created the group.

After creating the profile we open it and add our group under Assignments:

[Screenshot: AutomatesImportProfile > Assignments > Select groups: sg-DM-Autopilot-User]

Copy the name of the group you assigned (sg-DM-Autopilot-User) for use in step 4.3 to extend the script

  5. Create bootable media to start the automation on an out-of-the-box device

Use this link to create the bootable media with the Media Creation Tool: https://www.thewindowsclub.com/windows-10-media-creation-tool-create-installation-media-upgrade

Then boot this Windows from the stick and add the PowerShell script to the autorun:

https://github.com/slaet/IntuneScripts/blob/master/AutoPilotInformation_to_AzureBlob.ps1

Do not forget to add an automatic shutdown at the very end of the script.

And then configure an auto-logon user:

https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage

or

https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/create-a-kiosk-image

Keep in mind what is on that stick: an auto-logon account whose password is stored on the stick, and the storage account key inside the script. Treat the stick as a secret, use a local account that exists nowhere else, and regenerate the storage key once the rollout is done.

How to do this step by step will be posted in another blog post.

  6. Some details and configs in Intune that help you later on

Note on optimizing the CSV import through the runbook:

You can also create a webhook for this runbook. Pass the webhook URL as a parameter to the very first script and call it at the very end, as soon as the CSV file has been written to the Blob Storage container; the import then runs immediately instead of waiting for the hourly schedule. The webhook URL is displayed only once when you create it and is the only thing needed to start the runbook, so store it as carefully as the storage key.
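An added example (not from the post) of the two halves of that webhook optimization: the device-side function that triggers the runbook as the last step of the harvesting script, and the runbook-side function that validates what came in before anything is downloaded or imported. Azure Automation passes the request as $WebhookData with a RequestBody property; since that object only exists inside a runbook, a constructed sample is embedded so the validation runs offline. $WebhookUri, the JSON body layout and the allowed orderIdentifier values are my assumptions.

```powershell
# Added example (not from the post): trigger the import runbook through its webhook and
# validate the webhook payload in the runbook.

# ---- device side: last lines of the harvesting script ---------------------------
# Placeholder: the URL Azure Automation shows once when the webhook is created.
$WebhookUri = ''

function Send-AutopilotImportTrigger {
    param([string]$Uri, [string]$BlobName, [string]$OrderId)
    # The URL itself carries the token; the body only tells the runbook which blob to import.
    $body = @{ blobName = $BlobName; orderIdentifier = $OrderId } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri $Uri -Body $body -ContentType 'application/json'
}

# ---- runbook side: called first thing after "param([object]$WebhookData)" --------
function Get-TriggerRequest {
    param([object]$Data)
    if (-not $Data) { throw 'Started without webhook data; use the scheduled path instead.' }
    $req = $Data.RequestBody | ConvertFrom-Json
    # Whoever holds the webhook URL controls these values. Accept only a plain
    # "<serial>.csv" name and a known order identifier before touching storage or Graph,
    # so a leaked URL cannot point the runbook at arbitrary blobs or tag devices at will.
    if ($req.blobName -notmatch '^[A-Za-z0-9_.-]+\.csv$') {
        throw "Rejected blob name '$($req.blobName)'"
    }
    if ($req.orderIdentifier -notin @('Import_existing')) {
        throw "Rejected orderIdentifier '$($req.orderIdentifier)'"
    }
    [pscustomobject]@{ BlobName = $req.blobName; OrderId = $req.orderIdentifier }
}

# Constructed sample of what Azure Automation hands to the runbook (RequestBody is all we use).
$sampleWebhookData = [pscustomobject]@{
    WebhookName   = 'ImportTrigger'
    RequestHeader = @{}
    RequestBody   = '{"blobName":"NUC02.csv","orderIdentifier":"Import_existing"}'
}
$trigger = Get-TriggerRequest -Data $sampleWebhookData
Write-Output "Would import $($trigger.BlobName) with orderIdentifier $($trigger.OrderId)"

# On the device, after the CSV upload succeeded:
if ($WebhookUri) {
    Send-AutopilotImportTrigger -Uri $WebhookUri -BlobName 'NUC02.csv' -OrderId 'Import_existing'
}
```

In the real runbook, replace the sample with the actual $WebhookData parameter and import just $trigger.BlobName instead of scanning the whole container; keep the hourly schedule as a fallback for devices whose webhook call did not get through.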

Overview of Autopilot:

https://www.microsoft.com/en-us/windowsforbusiness/windows-autopilot

Referencing group properties in dynamic group queries:

https://blogs.technet.microsoft.com/mniehaus/2018/06/13/autopilot-profile-assignment-using-intune/

Inspiration for the Blob (thank you Peter):

https://www.petervanderwoude.nl/post/get-windows-autopilot-device-information-of-microsoft-intune-managed-devices/

Graph API reference and Intune PowerShell samples:

https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/intune_enrollment_windowsautopilotdeviceidentity_create

https://developer.microsoft.com/en-us/graph/graph-explore

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod?view=powershell-6

https://github.com/microsoftgraph/powershell-intune-samples/blob/master/DeviceConfiguration/DeviceConfiguration_Import_FromJSON.ps1

PowerShell module from Niehaus:

https://www.powershellgallery.com/packages/WindowsAutoPilotIntune/2.1

Ideas for the storage creation:

http://www.itprotoday.com/microsoft-azure/copy-content-one-azure-storage-account-another

Test it before you use it; this post is "as is".

Hope it helps and saves you some time to have a beer...

(Some thanks to Dave Falkus and Athi Kugaseelan)


Comments

One response to “Windows Autopilot – Full automation for devices where you don’t have the HashID (new or existing)”

  1. Marcel Karch

    Hello Mirko, thanks for your great post
