Windows Autopilot – Full automation for devices where you don’t have the HashID (new or existing)

Hi All

In this blog post I would like to share my solution for adding devices that are ordered from a vendor/OEM to Microsoft Store for Business or Intune without getting the HashID (the Autopilot hardware hash) from the vendor directly.

There are still vendors and OEMs that cannot provide the HashID to you as a customer so that you can upload the information into MSfB / Intune and assign an Autopilot profile. That was my reason for writing this blog, especially since I have projects where customers ordered many devices and would like to use the easy setup in the OOBE phase with Autopilot and all the enrollment goodies.

While I was writing this blog post, Michael Niehaus published a new version of the Autopilot PowerShell module; it is now version 2.1, available here:

So I had written all the steps down, and then I found a new way to upload the data to Intune.

The big reason for this effort is simple: if you use the fantastic script and module from Niehaus, you have to log in with an account to get access to the Intune Graph API for uploading the information to Intune. My biggest pain was having account information in a script, and plain-text password details as well; that is why I created the solution with Azure Automation, to store the account and the password there.

In the end you can create a bootable USB stick that loads a real Windows 10 (WinPE or boot images do not work for getting the HashID, because the MDM WMI class that exposes the hardware hash is only available in a full Windows installation). You can easily add a shutdown at the end of the script, and you know that when the OS shuts down, the information has been stored in an Azure Blob Storage container. From there we just automate the rest.

I hope that is interesting enough to read this blog. Have fun ...


    1. Devices must be registered to the organization
    2. Company branding needs to be configured
    3. Network connectivity to the cloud services used by Windows Autopilot
    4. Devices must come pre-installed with Windows 10 Professional, Enterprise or Education, version 1703 or later
    5. Devices must have access to the internet
    6. Azure AD Premium P1 or P2
    7. Users must be allowed to join devices to Azure AD
    8. Microsoft Intune or another MDM service to manage your devices

[Diagram: the device writes a CSV with its hardware hash to a Blob Storage container (authenticated with the storage access key); an Azure Automation runbook loads the CSV into Intune]


UPDATE: A few weeks after this blog went online, a friend sent me the hand-drawn picture as a JPG and also as a Visio file; here are the downloads for you,
and a BIG THX to Pascal Vis from the Netherlands.
Click here for the files

      1. Implement automation for harvesting the HashIDs from the devices and storing them in an Azure Blob container
      2. Create the Azure Automation account, service account and modules needed to load the information directly into Intune
      3. Create the runbook that imports the CSV files into Intune
      4. Automate the assignment of an Autopilot profile to a device group
      5. Create bootable media to start the automation from an out-of-the-box device
      6. Some details and configs in Intune that help you later on

  1. Implement automation for harvesting the HashIDs from the devices

First, I prepare my Azure tenant with some services that help me automate the HashID grabbing from the devices.

For this I found the blog post from Peter van der Woude as a start. Thank you, Peter, for sharing this example.

During some research for this blog post I also stumbled into another blog from Oliver Kieselbach. Thank you, Oliver.

I used these two blogs as my inspiration and got the following result!

Step by step:

1.1 Add Azure Blob Storage

1.2 Configure Blob Storage and Container and grab the keys we need

1.3 Get the script and fill in your values

1.4 Run the script and see what happens

1.1 Add Azure Blob Storage

Open the Azure portal and navigate to Storage accounts.

Open Storage accounts and add a new one.

Configure it, give it a good name, and click CREATE.

[Screenshot: Create storage account: Name autopilotinfos, Deployment model Resource manager, Account kind Blob storage, Location West Europe, Replication Locally redundant storage (LRS), Performance Standard, Access tier Cool, Secure transfer required Enabled, Resource group SCCMProd]

Secure transfer required = Enabled (this forces HTTPS for every upload from the devices)

Save the storage account name; we need it in the variable $StorageAccountName = "autopilotinfos"

1.2 Configure the Blob Storage and container for our use

Open the Blob Storage and add a container:

[Screenshot: New container: Name collectcsv, Public access level Private (no anonymous access)]

Save the name of the container; we need it as the variable $ContainerName = "collectcsv"

Go back to the storage account, open Access keys and copy the key:

[Screenshot: Access keys blade of autopilotinfos showing key1 and key2 with their connection strings. The portal's own note applies: store your access keys securely, for example in Azure Key Vault, don't share them, and regenerate them regularly; two keys are provided so one can stay in use while the other is regenerated.]

Save the value of key1; we need it as the variable $StorageAccountKey = "blablablajaddajadda" (the value shown is only a placeholder). Keep in mind that an account key grants full read/write/delete access to the entire storage account, and in this solution it ends up in clear text on a bootable USB stick. A shared access signature (SAS) scoped to the collectcsv container with only create/write permission and an expiry date (created with New-AzureStorageContainerSASToken) limits what a lost stick can do, and the script can pass it to New-AzureStorageContext with -SasToken instead of -StorageAccountKey.

1.3 Get the script and fill in your values

Copy the script from GitHub and add your keys and names:

(to run this script the computer needs internet access to download the modules!)

Change the <StorageAccountKey>

Change the <StorageAccountName>

Change the <ContainerName>

1.4 Run the script and see what happens

Run the script from an elevated PowerShell with the following command:

powershell -executionPolicy bypass -file "AutoPilotInformation_to_AzureBlob.ps1"

[Screenshot: elevated PowerShell window installing the AzureRM modules (Installing package 'AzureRM', Installing dependent package 'AzureRM.Backup', ...)]

The result should be one or more files in the container:

[Screenshot: container collectcsv with the blob NUC02.csv, modified 7/4/2018, access tier Hot (inferred), blob type Block blob]

You can also open the script in PowerShell ISE, load all the variables and run:

Get-AzureStorageBlob -Container $ContainerName -Context $ctx | Select Name

[Output: NUC02.csv in https://autopilotinfos.blob.core.windows.net/collectcsv, BlobType BlockBlob, Length 8186, ContentType application/octet-stream, AccessTier Hot]

Then you should see the file.
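Here is what a harvesting script of the kind described in 1.3 and 1.4 looks like end to end. It is an added example, not the AutoPilotInformation_to_AzureBlob.ps1 script from the author's GitHub: it reads the serial number, the optional OA3 product key and the hardware hash from the same WMI classes Get-WindowsAutoPilotInfo uses, writes the CSV in the column layout Intune expects, uploads it, and optionally calls the runbook webhook from section 6 and shuts the machine down as in section 5. The storage account and container names, the SAS token and the webhook URI are placeholders; it authenticates with a container-scoped SAS token instead of the account key, and it assumes the Azure.Storage module is already installed on the boot image (Az.Storage works the same way with the cmdlets renamed to New-AzStorageContext and Set-AzStorageBlobContent).

```powershell
#Requires -RunAsAdministrator
# Added example (not the blog's own script): harvest the Autopilot hardware hash
# and upload it as CSV to the collectcsv container. Storage names, SAS token and
# webhook URI are placeholders to be filled in.
[CmdletBinding()]
param(
    [string]$StorageAccountName = '<StorageAccountName>',
    [string]$ContainerName      = '<ContainerName>',
    # Container-scoped SAS with create/write only, instead of the full account key (see 1.2)
    [string]$SasToken           = '<SasToken>',
    [string]$WebhookUri         = '',          # optional: runbook webhook, see section 6
    [string]$OutputFolder       = $env:TEMP,
    [switch]$ShutdownWhenDone                  # the auto shutdown from section 5
)

$ErrorActionPreference = 'Stop'

function Get-AutopilotDeviceInfo {
    # Serial number from SMBIOS
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

    # Hardware hash from the MDM bridge WMI provider. This class only exists in a
    # full Windows installation, which is why WinPE / boot images cannot be used.
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
        -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail.DeviceHardwareData) {
        throw 'No hardware hash returned. Run elevated on a full Windows install, not in WinPE.'
    }

    # The OA3 product key is optional for Autopilot; leave the column empty if none is present
    $productKey = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey

    # Column names are the ones Intune (and the import runbook) expect
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = [string]$productKey
        'Hardware Hash'        = $devDetail.DeviceHardwareData
    }
}

function Export-AutopilotCsv {
    param([pscustomobject]$Info, [string]$Folder)
    $path = Join-Path $Folder ('{0}.csv' -f $Info.'Device Serial Number')
    # The Autopilot CSV uses the unquoted header
    # "Device Serial Number,Windows Product ID,Hardware Hash", so strip the quotes ConvertTo-Csv adds
    ($Info | ConvertTo-Csv -NoTypeInformation) -replace '"', '' |
        Set-Content -Path $path -Encoding ASCII
    return $path
}

$info    = Get-AutopilotDeviceInfo
$csvPath = Export-AutopilotCsv -Info $info -Folder $OutputFolder
$blob    = Split-Path -Path $csvPath -Leaf

# Upload with the SAS token only; the script on the USB stick never carries the account key
Import-Module Azure.Storage
$ctx = New-AzureStorageContext -StorageAccountName $StorageAccountName -SasToken $SasToken
Set-AzureStorageBlobContent -File $csvPath -Container $ContainerName -Blob $blob `
    -Context $ctx -Force | Out-Null
Write-Output "Uploaded $blob to container $ContainerName"

# Optional: start the import runbook right away instead of waiting for the hourly schedule.
# The runbook reads the blob name from the webhook request body.
if ($WebhookUri) {
    $body = @{ BlobName = $blob } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri $WebhookUri -Body $body -ContentType 'application/json' | Out-Null
}

if ($ShutdownWhenDone) { Stop-Computer -Force }
```

The SAS token is still a secret, so give it only the permissions the upload needs (create and write on this one container) and a short expiry; if a stick goes missing you can regenerate the account key to invalidate every SAS derived from it without touching the other keys or scripts.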

    2. Create the Azure Automation account, service account and modules to load the device information into Intune

In the next steps we load the CSV files into Intune through the Graph API; for this we use Azure Automation.

Here is my step by Step:

2.1 Create an Azure Automation account

2.2 Create the credential (service account)

2.3 Add the PowerShell modules to the Automation account

2.4 Import the script

2.1 First we must create an Automation account

Add a new one and give it a name (AutopilotImport):

[Screenshot: Add Automation Account: Name AutopilotImport, Subscription Microsoft Azure Sponsorship, existing resource group, Location West Europe, Create Azure Run As account Yes]

Refresh the page and the AutopilotImport account should be visible; open it.

2.2 Create the credential (service account)

For this you can use a separate account, or you can use a Global Admin account. Once you add the password to the credential asset there is no way to view it again; it is stored encrypted and hidden.

That's why I just used a Global Admin account.

Add this account information to the credentials in the Azure Automation account:

[Screenshot: AutopilotImport - Credentials, Shared resources section: no credentials found yet, Add a credential]

[Screenshot: New Credential: Name AutopilotService, Description, User name, Password, Confirm password]

If you prefer a service account with only the rights it needs:

First we create an account in AAD that is used solely to import the CSV file; that is the only right this "service" account needs.

[Screenshot: New user in Azure AD: Name AutopilotImport, Directory role User, First name Auto Pilot, Last name Import, Job title Service Account, Department Services, auto-generated password shown once]

We create this account as a regular user. Do not forget to copy the password.

The next step is to go to the Intune blade and create an Intune role:

[Screenshot: Microsoft Intune > Intune roles - All roles, showing the built-in roles Policy and Profile manager, School Administrator, Help Desk Operator, Application Manager, Read Only Operator, Intune Role Administrator, and the Add custom role button]

Create a role with the following rights (the screenshots show the permission counters as they were enabled step by step):

    • Enrollment programs: 10 of 13 permissions enabled, chosen from Create / Delete / Read / Sync device, Assign / Create / Delete / Read / Update profile and Create / Delete / Read / Update token
    • Corporate device identifiers: 3 of 4 permissions enabled (Create, Delete, Update)
    • Device enrollment managers: 2 of 2 permissions enabled (including Update)
    • Managed devices: Delete, Read, Update

Assign that role to the user group in which our service user is placed. The Intune role limits what the account can do inside Intune; the Graph permissions it needs for the import are granted separately, see the next step.

Then log in to Graph Explorer with that account to check the permissions:

[Screenshot: Graph Explorer signed in as AutopilotImport, Modify Permissions dialog listing DeviceManagementConfiguration.Read.All / ReadWrite.All, DeviceManagementManagedDevices.PrivilegedOperations.All / Read.All / ReadWrite.All, DeviceManagementRBAC.Read.All / ReadWrite.All, DeviceManagementServiceConfig.Read.All / ReadWrite.All and Directory.AccessAsUser.All (all marked Preview)]

The Autopilot import endpoint requires DeviceManagementServiceConfig.ReadWrite.All; that is the permission the service account must have consented to.

Add this account information to the credentials in the Azure Automation account instead of the Global Admin account:

[Screenshot: credential AutopilotService, last modified 7/9/2018, with the service account UPN as user name and the password fields filled in]

2.3 Add the PowerShell modules to the Automation account

Add the module from the Modules gallery of the Automation account:

[Screenshot: AutopilotImport - Modules gallery, searching for WindowsAutoPilotIntune ("Sample module to manage AutoPilot devices using the Intune Graph API", PSModule)]

[Screenshot: WindowsAutoPilotIntune 2.1 by mniehaus, last updated 7/7/2018, 464 downloads. Functions: Get-AuthToken, Connect-AutoPilotIntune, Get-AutoPilotDevice, Remove-AutoPilotDevice, Get-AutoPilotImportedDevice, Add-AutoPilotImportedDevice, Remove-AutoPilotImportedDevice, Get-AutoPilotProfile, Get-AutoPilotOrganization, ConvertTo-AutoPilotConfigurationJSON, Import-AutoPilotCSV]

We need all of these modules:

    • WindowsAutoPilotIntune
    • AzureAD
    • Azure.Storage
    • Azure
    • AzureRM.Storage

In the end you can see the modules in the Modules tab. WindowsAutoPilotIntune should be version 2.1 (at the time this blog was written).

[Screenshot: AutopilotImport - Modules list: Azure.Storage, AzureRM.Automation, AzureRM.Compute, AzureRM.Profile, AzureRM.Resources, AzureRM.Sql, AzureRM.Storage, the Microsoft.PowerShell.* and Microsoft.WSMan.Management modules, OrchestratorAssetManagement.Cmdlets and WindowsAutoPilotIntune 2.1, all with status Available]

2.4 Import the script

Grab the script from the GitHub repository:

(this script is working and was exported from my Azure Automation account; just fill in the variables you need to change, import it into your tenant and try it)

Be careful to change the variables that are highlighted in the script, otherwise the runbook will not work.

During the import of a device we create the JSON on the fly, and that gives us a little trick: we can define a field ourselves, and later, when we create the dynamic group, we can query this property.

The property is called "orderIdentifier"; if you want to change it, it is at the very end of the script:

[Screenshot: JSON built in the script: "serialNumber": "$SN", "productKey": "$WPK", "orderIdentifier": "Import_existing", ...]

This looks as follows in the Intune Windows enrollment console:

[Screenshot: Windows Autopilot devices list: Manufacturer Microsoft Corporation, Deployment group Import_existing, Model Virtual Machine, Profile status Not assigned / Assigned]

Update: we now have the option to convert the CSV file directly to JSON and upload it that way; this is a cmdlet (Import-AutoPilotCSV) in the WindowsAutoPilotIntune 2.1 module, and it is already integrated in the script I wrote.
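To make the import step concrete, here is an added example of a runbook that does what 2.4 describes: it pulls every CSV from the container, posts each row to the Autopilot import endpoint with the orderIdentifier the dynamic group keys on, waits until Intune has processed the identity, and deletes the blob only after every row in it was imported. It is not the workflow exported from the author's Automation account, and it is written as a plain PowerShell runbook rather than a PowerShell Workflow. It assumes the credential asset AutopilotService from 2.2, an encrypted variable asset named StorageAccountKey holding the key from 1.2, placeholders for the storage account, container and tenant, and the public client ID of Microsoft's Intune PowerShell sample application for the token request (replace it with your own app registration). The password grant it uses is what a stored user credential allows; it does not work for accounts with MFA enforced, so for a new build prefer an app registration with the DeviceManagementServiceConfig.ReadWrite.All application permission (or a managed identity) over a stored user password. The optional WebhookData parameter is the hook for the webhook optimization described in section 6.

```powershell
# Added example runbook (not the blog's exported workflow): import Autopilot CSVs
# from Blob Storage into Intune. Storage names, tenant and client ID are assumptions.
param(
    [object]$WebhookData    # set when started by a webhook; $null when started by the schedule
)

$ErrorActionPreference = 'Stop'
$StorageAccountName = '<StorageAccountName>'
$ContainerName      = '<ContainerName>'
$TenantId           = '<tenant>.onmicrosoft.com'
$OrderIdentifier    = 'Import_existing'                 # queried later by the dynamic group
$StorageAccountKey  = Get-AutomationVariable -Name 'StorageAccountKey'   # encrypted variable asset
# Assumption: public client ID of the "Microsoft Intune PowerShell" sample app; use your own registration
$ClientId           = 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547'
$GraphImportUri     = 'https://graph.microsoft.com/beta/deviceManagement/importedWindowsAutopilotDeviceIdentities'

function Get-GraphToken {
    # Password grant with the AutopilotService credential asset (fails if MFA is enforced)
    $cred = Get-AutomationPSCredential -Name 'AutopilotService'
    $body = @{
        grant_type = 'password'
        resource   = 'https://graph.microsoft.com'
        client_id  = $ClientId
        username   = $cred.UserName
        password   = $cred.GetNetworkCredential().Password
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body
    return $resp.access_token
}

function Import-AutopilotRow {
    param([hashtable]$Headers, [pscustomobject]$Row)
    # Same JSON shape the WindowsAutoPilotIntune module sends, built from the CSV columns
    $payload = [ordered]@{
        '@odata.type'      = '#microsoft.graph.importedWindowsAutopilotDeviceIdentity'
        orderIdentifier    = $OrderIdentifier
        serialNumber       = $Row.'Device Serial Number'
        productKey         = $Row.'Windows Product ID'
        hardwareIdentifier = $Row.'Hardware Hash'          # base64 as harvested
        state              = @{
            '@odata.type'        = 'microsoft.graph.importedWindowsAutopilotDeviceIdentityState'
            deviceImportStatus   = 'pending'
            deviceRegistrationId = ''
            deviceErrorCode      = 0
            deviceErrorName      = ''
        }
    }
    $result = Invoke-RestMethod -Method Post -Uri $GraphImportUri -Headers $Headers `
        -ContentType 'application/json' -Body ($payload | ConvertTo-Json -Depth 4)

    # The import is asynchronous: poll the identity until it leaves the pending state
    do {
        Start-Sleep -Seconds 15
        $result = Invoke-RestMethod -Method Get -Uri "$GraphImportUri/$($result.id)" -Headers $Headers
    } while ($result.state.deviceImportStatus -eq 'pending')

    if ($result.state.deviceImportStatus -ne 'complete') {
        throw ('Import of {0} failed: {1} ({2})' -f $Row.'Device Serial Number',
            $result.state.deviceErrorName, $result.state.deviceErrorCode)
    }
    return $result
}

$headers = @{ Authorization = "Bearer $(Get-GraphToken)" }
$ctx = New-AzureStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $StorageAccountKey

if ($WebhookData) {
    # Started by the harvest script's webhook call: body is {"BlobName":"<serial>.csv"}
    $blobNames = @(($WebhookData.RequestBody | ConvertFrom-Json).BlobName)
} else {
    # Started by the schedule: process everything currently in the container
    $blobNames = @(Get-AzureStorageBlob -Container $ContainerName -Context $ctx | Select-Object -ExpandProperty Name)
}

foreach ($name in $blobNames) {
    $local = Join-Path $env:TEMP $name
    Get-AzureStorageBlobContent -Container $ContainerName -Blob $name -Destination $local -Context $ctx -Force | Out-Null

    foreach ($row in Import-Csv -Path $local) {
        $imported = Import-AutopilotRow -Headers $headers -Row $row
        Write-Output ('Imported {0} -> ZTD id {1}' -f $row.'Device Serial Number', $imported.state.deviceRegistrationId)
    }

    # Remove the blob only after every row in it was imported; a failed row keeps it for the next run
    Remove-AzureStorageBlob -Container $ContainerName -Blob $name -Context $ctx -Force
}
```

Keeping the storage key in an encrypted variable asset and the password in a credential asset means nothing secret is in the runbook text itself, which is the point of using Azure Automation here. If a row fails, the throw stops the job before the blob is deleted, so the job history shows which serial number was rejected and the CSV stays in the container for the next scheduled run.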

    3. Create the runbook that imports the CSV files into Intune

In this part we add the script that imports the CSV files into Intune through the Graph API as a runbook.

Here is my step by step:

3.1 Add a runbook to the Automation account

3.2 Test the runbook

3.3 Configure a schedule for the runbook


3.1 Add a runbook to the Automation account

Creating the runbook is simple:

[Screenshot: AutopilotImport - Runbooks > Add a runbook, with the choices Quick Create (create a new runbook) and Import (import an existing runbook); existing runbooks AutoPilotTest, TestAuth and testscript in status In edit]

Add a runbook, give it a name and select the runbook type:

[Screenshot: Add Runbook: Name ImportAutopilotInfofromCSV, Runbook type PowerShell Workflow, Description "Import the information from a storage based CSV and import it to Intune"]

After you click Create, it should open the properties of the created runbook:

[Screenshot: runbook list with the new runbook in authoring status In edit]

Go ahead and select Edit:

[Screenshot: ImportAutopilotInfofromCSV overview: Edit, Schedule, Webhook, Start, View, Delete, Export; runbook type PowerShell Workflow Runbook, no jobs yet]

It opens the workflow editor. (I chose a workflow because it is easier to troubleshoot: if you get errors, just add Write-Output with the variable to the script, and you can see it in the workflow output.)

Just copy and paste the script from GitHub, then save and publish it:

[Screenshot: Edit PowerShell Workflow Runbook with the script: an ADAL AuthenticationContext acquires the token and builds the Authorization header ("Bearer " + access token); then for every blob in the container it runs Get-AzureStorageBlobContent, Import-Csv, and builds the JSON from the columns 'Device Serial Number', 'Hardware Hash' and 'Windows product ID']

In the end you can use the test pane to run and test it.

3.2 Test the runbook

To test the script just press Start; in the middle of the window you can see what is going on:

[Screenshot: Test pane for ImportAutopilotInfofromCSV: Start, Stop, Suspend, Resume; no input parameters; Run Settings: Run on Azure]

As the end result you should see Completed, without any errors:

[Screenshot: test run in status Completed, with the output listing the base64 hardware hash that was submitted]

And your blob should be gone:

[Screenshot: container collectcsv: No blobs found]

3.3 Configure a schedule for the runbook

On the runbook itself you can set a schedule:

[Screenshot: runbook ImportCSVAutopilot overview with the Schedule button; PowerShell Workflow Runbook, location West Europe, last modified 7/14/2018]

I just run it every hour:

[Screenshot: Schedule Runbook > New Schedule: Name "Run every Hour", Starts 2018-07-14, time zone Germany - Central European Time, Recurrence Recurring, Recur every 1 Hour, no expiration]

    4. Automate the assignment of an Autopilot profile to a device group

In this part we go to Azure AD and create a new group; you can choose the name according to your naming concept, or feel free to use mine.

This will be a dynamic device group that selects on the property we set during the import of the CSV file in step 2.4 of this blog post.

I go to Azure AD and create a group with an assignment. I like to add the devices by script and use different groups for different Autopilot profiles.

Here is my step by step:

4.1 Create an Azure AD group

4.2 Create and assign an Autopilot profile

4.1 Create an Azure AD group

Go to your Azure Active Directory and select Groups:

[Screenshot: Azure Active Directory > Groups - All groups > New group]

Create a new group:

[Screenshot: New group: Group type Security, Group name sg-DM-Autopilot-User, Group description "Intune dynamic Autopilot group for users", Membership type Dynamic Device, Dynamic device members: Add dynamic query]

The value we need is not a standard property but a sub-property of devicePhysicalIds, so the simple rule editor does not help; you need a copy-and-paste statement:

[Screenshot: Add dynamic membership rule, Simple rule: the property list offers accountEnabled, objectId, displayName, deviceOSType, deviceOSVersion, deviceCategory, deviceManufacturer, deviceModel, deviceOwnership, domainName, enrollmentProfileName, managementType, organizationalUnit, deviceId and devicePhysicalIds]

Select Advanced rule and enter:

(device.devicePhysicalIds -any _ -eq "[OrderID]:Import_existing")

The OrderID is the "orderIdentifier" from the import, and "Import_existing" is the value we added. (Intune has since renamed orderIdentifier to Group Tag in the portal and the Graph property to groupTag; the value still lands in devicePhysicalIds under the [OrderID] key, so this rule keeps working.)

It should be a security group with a name from your naming concept and no assigned members; membership is computed by the rule.

Here is an article from M. Niehaus about this:

If you created the query correctly and everything works, you should see the newly added Autopilot devices:

[Screenshot: sg-DM-Autopilot-User - Members, showing NUC02]
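Dynamic membership can take a while to evaluate, and a typo in the orderIdentifier of the import means the rule never matches. Before you wait on the group, it helps to look at the raw devicePhysicalIds values. The following added example (not from the original post) does that with the AzureAD module listed in 2.3: it lists every Autopilot-registered device (those carry a [ZTDId] entry), extracts the [OrderID] value, and reports which of the devices with the expected value are already members of the group and which devices carry a different or missing OrderID. The group name and OrderID are parameters with the values used on this page; the AzureAD module has since been deprecated in favour of Microsoft.Graph, where Get-MgDevice exposes the same physicalIds property.

```powershell
# Added example (not the blog's own code): check the [OrderID] tag the dynamic rule
# keys on and compare it with the current members of the dynamic group.
# Assumes the AzureAD module and an interactive Connect-AzureAD sign-in.
param(
    [string]$OrderId   = 'Import_existing',
    [string]$GroupName = 'sg-DM-Autopilot-User'
)

Connect-AzureAD | Out-Null

function Get-PhysicalIdValue {
    # devicePhysicalIds entries look like "[OrderID]:Import_existing" or "[ZTDId]:<guid>"
    param([string[]]$Ids, [string]$Key)
    foreach ($id in $Ids) {
        if ($id -match "^\[$Key\]:(.+)$") { return $Matches[1] }
    }
    return $null
}

# Every Autopilot-registered device carries a [ZTDId]; the [OrderID] only if it was imported with one
$autopilotDevices = Get-AzureADDevice -All $true |
    Where-Object { $_.DevicePhysicalIds -match '^\[ZTDId\]:' } |
    ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            ObjectId    = $_.ObjectId
            ZtdId       = Get-PhysicalIdValue -Ids $_.DevicePhysicalIds -Key 'ZTDId'
            OrderId     = Get-PhysicalIdValue -Ids $_.DevicePhysicalIds -Key 'OrderID'
        }
    }

$group   = Get-AzureADGroup -SearchString $GroupName | Select-Object -First 1
if (-not $group) { throw "Group '$GroupName' not found" }
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Select-Object -ExpandProperty ObjectId

$expected = @($autopilotDevices | Where-Object { $_.OrderId -eq $OrderId })
Write-Output ("Autopilot devices tagged [OrderID]:{0}: {1}" -f $OrderId, $expected.Count)
foreach ($device in $expected) {
    $state = if ($members -contains $device.ObjectId) { 'in group' } else { 'NOT yet in group' }
    Write-Output ('  {0,-25} {1}' -f $device.DisplayName, $state)
}

# Devices with a different or missing OrderID reveal typos in the import or devices registered another way
$others = @($autopilotDevices | Where-Object { $_.OrderId -ne $OrderId })
if ($others.Count -gt 0) {
    Write-Output 'Autopilot devices with another or no OrderID:'
    $others | Format-Table DisplayName, OrderId, ZtdId -AutoSize | Out-String | Write-Output
}
```

If a device shows up as tagged but "NOT yet in group" for more than a few minutes, check the group's Dynamic membership rules blade for a processing error; if it shows up under another OrderID, the value in the runbook's JSON and in the rule do not match.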

4.2 Create and assign an Autopilot profile

Go to your Intune blade, create an Autopilot profile and assign it to the group you created:

[Screenshot: Microsoft Intune > Device enrollment - Windows enrollment: General (Windows Hello for Business, CNAME Validation, Enrollment Status Page), Windows Autopilot Deployment Program (Deployment Profiles: customize the Windows Autopilot provisioning experience; Devices: manage Windows Autopilot devices)]

Select Deployment Profiles and create a new one:

[Screenshot: Create profile: Name AutomatedImportProfile, Deployment mode User-Driven, Join to Azure AD as Azure AD joined, OOBE settings: EULA Hide, Privacy settings Hide, User account type Standard; the options "Skip Work or Home usage selection", "Skip OEM registration and OneDrive configuration" and "Skip user authentication in OOBE" are enabled automatically for Autopilot profiles]

We create a User-Driven profile, as mentioned when creating the group.

After creating the profile we open it and add our created group to it:

[Screenshot: AutomatedImportProfile - Assignments > Select groups: sg-DM-Autopilot-User selected; join type Azure AD joined]

Note the name of the group you assigned (sg-DM-Autopilot-User) for later use when you extend the script.

    5. Create bootable media to start the automation from an out-of-the-box device

Use this link to create the bootable media with the Media Creation Tool:

In the end, start this Windows from the stick and add the PowerShell script to the autorun.

Do not forget to set an automatic shutdown at the very end of the script.

And then please set an auto-login user:

How to do this step by step will be posted in another blog post.

  6. Some details and configs in Intune that help you later on

Note on optimizing the CSV import over the runbook:

You can also create a webhook for this runbook. That allows you to call it from the very first script: when the harvesting script is finished, you add the webhook call at the very end, which means that as soon as the CSV file is generated in the Blob Storage container, the import action runs, instead of waiting for the schedule 😉

Overview about Autopilot:

Referencing Groups Properties in group Queries:

Inspiration for the Blob part (thank you, Peter):

Details from the Intune PoSh sample repo:

PoSh module from Niehaus:

Ideas for the storage creation:

Test it before you use it; this post is provided "as is".

Hope it helps and saves you some time to have a beer....

(Some thanks to Dave Falkus and Athi Kugaseelan)


How to create an easy task sequence for Win10 Servicing (in-place upgrade)

Here we go with another post, about an easy task sequence to manage the in-place upgrade to the next version of Windows 10 in your environment.


In a Config Manager driven infrastructure, the best thing you can do to update your Windows 10 clients is an OS deployment task sequence; of course you can also use the integrated Servicing feature.


I really like the Servicing mindset, but it has some limitations, and these limitations are very often showstoppers that can halt the roll-out of the latest version.

Limitations with Servicing:

  • x86/x64 download
  • Language pack integration
  • Driver handling (Bluetooth)
  • BIOS / UEFI change
  • Control


In such cases we can use a task sequence instead; there are a lot of upsides to doing so. You get much more flexibility than you might expect.


  • Control (Status Messages)
  • Pre-steps to update drivers or uninstall applications
  • Setup.exe pre-run, with returned Error codes
  • Handle error codes and run steps
  • Post steps to install new applications
  • Post steps to configure settings you need
  • Language Pack handling with Pre and Post actions
  • x86/x64 control


In this case I created a Task Sequence that you can download. I’ve integrated the most important steps for you and tested it in my LAB and on-site. It is also already running productively in some environments.


This Task Sequence has some challenges. First we need to check whether the OS is ready to be upgraded, then we need to update a driver and afterwards uninstall an application. Then we need to read the user language, so that we can bring the right language back to the system after the upgrade, and finally install the latest version of the application on the system.


If you want to check the installed OS language that you will use for the update, you can just run this PoSh command:


Get-WmiObject -Class win32_operatingsystem | select oslanguage

The return value would be 1033 or similar.

All the language codes are listed here:

You have to download the ISO file with this language, i.e. with the matching language.


Here we go with the Step by Step guide to implement and run it:


First of all, we create an Upgrade OS Task Sequence with the Create Task Sequence Wizard.




This creates a Task Sequence with some steps in it, following the best practice from the ConfigMgr product group (PG).




Now we have to implement steps for our own needs and alter some of the generated steps.

First, let us check the basic readiness of the system to be upgraded.




In the next step we want to figure out the current user language:

For this task we use a PowerShell script:



$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Read the UI culture of the current user and map its LCID to the xx_UI.xml file
$cultureInfo = Get-UICulture

$setLanguage = switch ($cultureInfo.LCID)
{
    1031    { "de_UI.xml" }   # German
    1033    { "en_UI.xml" }   # English (US)
    1036    { "fr_UI.xml" }   # French
    1040    { "it_UI.xml" }   # Italian
    Default { "de_UI.xml" }   # anything else: fall back to German
}

# Hand the file name to the Task Sequence as the variable OSLang
$tsenv.Value("OSLang") = $setLanguage


You can run this script as a Run Command Line step:



Here is the command:

powershell.exe -executionpolicy bypass -file GetLanguage.ps1


(Thank you, Daniel Schaedler, for helping with the script!)


To use the variables that are filled in the script back in the TS, use OSLang as the variable and xx_UI.xml as its value. I use a file name as the value, so that a later step of the TS can use it to pick the right file for the language.


In a post step, you can add the following command in a Run Command Line step:

[Screenshot: Run Command Line step “Set UI Language”, command line: control intl.cpl]


We will come back to this step later, with the explanation and how it works.



After this, you can use the variable in the TS for any language you have installed. It is not dynamic, which means only the languages supported in your own environment can be used for the update.

If users are free to install their own language through the Settings app in the Regional Settings, you will have to change the script to be more flexible. You also have to be flexible enough to download the languages which are needed from a share where you have placed all language CAB files. All this is possible, but it is a lot more work for you as an admin: changes that need to be adjusted with new versions and so on. In this case I expect that you inform users to manage these settings by themselves; after an update to the next feature update (Win10 build) it’s always English, and the user can then install whatever language he desires.


In the next step we use “Upgrade Operating System”:



With “Perform Windows Setup compatibility scan without starting upgrade” you can handle the error codes. There is a blog post from Microsoft’s Michael Niehaus which explains how it works:

(You’ll see these return codes as large negative numbers, but they are much easier to look at in hex.)


  • No issues found: 0xC1900210 // translated to decimal 3247440400
  • Compatibility issues found (hard block): 0xC1900208 // translated to decimal 3247440392
  • Migration choice (auto upgrade) not available (probably the wrong SKU or architecture): 0xC1900204 // translated to decimal 3247440388
  • Does not meet system requirements for Windows 10: 0xC1900200 // translated to decimal 3247440384
  • Insufficient free disk space: 0xC190020E // translated to decimal 3247440398



There is a built-in variable you can use to catch the error code for the next step. Its name is _SMSTSOSUpgradeActionReturnCode, and the decimal value you need for success is 3247440400.


With this you can create the step to install Windows; just use the condition “Task Sequence Variable” in its options:



Use the “Apply OS Image” step:

[Screenshot: Apply Operating System step, applying Windows 10 Enterprise from an original installation source, with an unattended/Sysprep answer file selected from a package]


In this step you can also add your unattended.xml file with some configuration of your liking.

(Now we are back to use the language variable from the PowerShell script before)

If you have different languages, it is possible to integrate them into the install.wim file in your ISO source with DISM.exe first, and handle the installation of your languages with collection / device variables in the unattended.xml file. Or you can install the language packages later in this TS; here is a blog post from a long time ago about adding language packs during a TS: Also check the comments, there are some other solutions which still work with Win10.


In the unattended.xml file you can also use the variables for the language selection.

If you also want to use the variable from the GetLanguage.ps1 script, you have to change the values before:

We create a group for every language to configure and add a Task Sequence variable condition in the options of the group, checking the variable set in the script:

[Screenshot: Task Sequence Editor, group “DE-CH” with the condition “Task Sequence Variable” in its Options tab]


And in the separate steps, add the right variables for the unattended.xml file:

[Screenshot: Set Task Sequence Variable step inside the DE-CH group]

Finally we update the unattended.xml with the variables:

(Screenshot of the file; the right edge and the end are cut off:)

  <?xml version="1.0" encoding="utf-8"?>
  <unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
      <component name="Microsoft-Windows-International-Core" ...>
        <InputLocale>%InputL%</InputLocale>
        <SystemLocale>%Loc%</SystemLocale>
        <UILanguage>%UIL%</UILanguage>
        <UserLocale>%Loc%</UserLocale>
        <UILanguageFallback>%UIL%</UILanguageFallback>
      </component>
    </settings>
    <settings pass="oobeSystem">
      <component name="Microsoft-Windows-International-Core" ...


Save the file, create a package and use it in the “Apply OS” step (see screenshot above).
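As an added example (not the blog’s GetLanguage.ps1 and not part of the downloadable Task Sequence), here is a more flexible version of the script that fills not only OSLang but also the InputL, Loc and UIL variables that the unattended.xml above reads, with a fallback for languages you do not ship. The supported-language table, the fallback and the variable names are assumptions you adapt to your environment.

```powershell
# Added example, not the blog's own GetLanguage.ps1.
# Determines the current UI language and writes the Task Sequence variables
# that the unattended.xml placeholders expect (%InputL%, %Loc%, %UIL%),
# plus OSLang for the xx_UI.xml file used by the "Set UI Language" step.
$ErrorActionPreference = 'Stop'

# Languages you actually ship in your environment (assumption, extend as needed):
# LCID -> locale tag for SystemLocale/UserLocale/UILanguage and the UI xml file.
$supported = @{
    1031 = @{ Tag = 'de-DE'; UIFile = 'de_UI.xml' }
    1033 = @{ Tag = 'en-US'; UIFile = 'en_UI.xml' }
    1036 = @{ Tag = 'fr-FR'; UIFile = 'fr_UI.xml' }
    1040 = @{ Tag = 'it-IT'; UIFile = 'it_UI.xml' }
}
# Same default as the original switch: anything unknown becomes German.
$fallbackLcid = 1031

function Get-UpgradeLanguage {
    [CmdletBinding()]
    param()

    $culture = Get-UICulture
    $lcid = $culture.LCID
    if (-not $supported.ContainsKey($lcid)) {
        Write-Warning "UI language $($culture.Name) (LCID $lcid) is not in the supported list, using the fallback."
        $lcid = $fallbackLcid
    }
    $entry = $supported[$lcid]

    # InputLocale in unattend.xml has the form "<LCID hex>:<keyboard layout id>".
    # Prefer the first input method of the current language list; if that is not
    # available (for example under a service account), derive it from the LCID.
    $inputLocale = $null
    try {
        $inputLocale = (Get-WinUserLanguageList | Select-Object -First 1).InputMethodTips |
            Select-Object -First 1
    } catch {}
    if (-not $inputLocale) {
        $hex = '{0:x4}' -f $lcid          # 1033 -> "0409"
        $inputLocale = "${hex}:0000${hex}"  # "0409:00000409"
    }

    [pscustomobject]@{
        OSLang = $entry.UIFile
        InputL = $inputLocale
        Loc    = $entry.Tag
        UIL    = $entry.Tag
    }
}

$lang = Get-UpgradeLanguage

# Hand the values to the Task Sequence. Outside a TS (testing in a lab) the COM
# object does not exist, so just show what would have been set.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    foreach ($p in $lang.PSObject.Properties) {
        $tsenv.Value($p.Name) = $p.Value
    }
} catch {
    $lang | Format-List
}
```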


If you don’t need any unattended.xml, you can also use the same step as before (“Upgrade Operating System”) and use there the option to get the success or “error” return code.

In this step the OS would be downloaded again; if you don’t want that, you can also use the steps above without the TS. Just run every step manually as a Run Command Line.

PS: Use the step “Download Package Content”




After we have installed the OS, we come to the post actions in the TS:

Integration of the language that was installed prior to the update. For this I used a mix of the two solutions from Roger Zander on his blog (thanks for sharing, Roger) and Thomas Kurth


Or install any new application you like, set some regkeys, etc.

Now we can clean up the OS! That means we have to delete the Windows.old folder and give the system ~20 GB of space back, so that other stuff can run without filling the hard drive. For this purpose I used the blog post Martin has written: It’s an article about how to clean up the disk with the cleanup tool that ships with Windows (always use onboard tools when there is no need for 3rd party).

Here is the integration I have done to build the TS step by step. How it works you can read on Martin’s blog (thank you for sharing):


For sure, in today’s Win10 deployments you usually find many solutions like Autopilot, Delivery Optimization, Servicing, etc. But old school still works great 😉



Hope it helps and saves you some time to enjoy a beer 🙂. This post is as is; test it first and do your test in a LAB before implementing it in production.


Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal

Hi all, I was just looking for the automatic enrollment process, and I realized that the old Azure portal redirects you to the new Azure portal (Ibiza), and there are no more settings possible in the old portal.

To integrate the automatic AAD join and bring your device up and running in Microsoft Intune as an MDM-managed device, you have to do the following steps:

In the old portal it was simple, have a look here:

But where are those steps in the new portal?

Go to your Azure AD blade, select Mobility (MDM and MAM), and there the Microsoft Intune “app” should be visible. Select Microsoft Intune and configure the blade.

[Screenshot: Azure AD blade menu (Overview, Users and groups, Enterprise applications, Devices, App registrations, Licenses, Custom domain names, Mobility (MDM and MAM), …) with Mobility (MDM and MAM) selected and Microsoft Intune listed under Add application]

Configure the Blade:

[Screenshot: Microsoft Intune configure blade with MDM user scope, MDM terms of use URL, MDM discovery URL (https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc), MDM compliance URL and “Restore default MDM URLs”]

Select “All” to allow all users to enroll a device and make it Intune ready, or “Some”, then you can add a group of users.

That’s it, hope to save you some searching time, which gives you some time to have a beer instead.

If you want to read more details about the enrollment process, here is a very good read from Niall:
(Thanks for sharing)


Integrate the UNC Solution for Windows Defender in Config Manager

Hi everyone, welcome to the new year 2018, hope you had a wonderful time over the holidays.
All the time I have problems keeping devices up to date when I use the Endpoint Protection or the Windows Defender integration in Config Manager. Ok, this is just what Microsoft recommends implementing for enterprise customers. For sure it works, but most of the time the virus scan definitions on the clients are not up to date, and sometimes it needs user interaction to get the newest updates. The problem in this case is that all the synchronizations which are needed when you have WSUS/SUP in place take too long. Also, the deployment package distribution to your DPs and all the way down to the client OS (“to the playground”) takes long. On the client, the ConfigMgr agent needs to download the newest definition and handle the bits with the WSUS agent and the Windows Defender agent. In the end the status message has to be sent up to the database.


In my opinion there are too many agents and too many replications needed. If you keep in mind that every 4 hours new definition updates are released, then you see that all the processes need to be aligned very well.


In this case we use a PowerShell script to handle the download of the new definitions. Then we use the package and program replication to the DPs, and finally I use the UNC integration from the EP policy.


Here we go with the Step-by-Step integration:


Andre Picker has written a PowerShell script to download the definition files:


Here I have an updated version of it:


The only thing you need to modify in the script is the path for the download location:


  # Define the target path
  $pathx86 = "C:\Temp\SchedTask\SCEPupdates\x86\"
  $pathx64 = "C:\Temp\SchedTask\SCEPupdates\x64\"


For the script, create a new folder where the script can be placed, to add it later to the Scheduled Tasks.


[Screenshot: Explorer, C:\temp\SchedTask containing the folder SCEPupdates and the script downloadscepupdates]


You should also create a folder in the same or a different location for the files that should be downloaded.

For that folder we also need a share; I just use the folder name with a $ and keep the default permissions (Everyone: Read).

[Screenshot: Advanced Sharing for the SCEPupdates folder, share name SCEPupdates$, permissions for Everyone: Read]

Now we can go to the Scheduled Task Manager and Add a Task:

[Screenshot: Create Task, General tab: name “Download Defender Definitions”, location \Microsoft\Configuration Manager, run as NT AUTHORITY\SYSTEM, “Run whether user is logged on or not”, “Run with highest privileges”]

It needs to run as SYSTEM.


Run the task every hour, and every day.

[Screenshot: Create Task, Actions tab: Start a program, powershell.exe with the arguments below]

Add the action with powershell.exe

and the command:

-ExecutionPolicy Bypass -file "C:\temp\SchedTask\downloadscepupdates.ps1"

[Screenshot: Create Task, Settings tab: Allow task to be run on demand; Run task as soon as possible after a scheduled start is missed; If the task fails, restart every 1 minute, attempt to restart up to 3 times; Stop the task if it runs longer than 3 days; If the running task does not end when requested, force it to stop; If the task is already running: Do not start a new instance]

For testing, you can run it the first time manually to see that the files are downloaded into the two folders (it can take a little while).

[Screenshot: Task Scheduler Library, Microsoft\Configuration Manager: the task in status Ready, trigger “every day”, Last Run Result (0x0)]

I have exported the XML; you can download it here:


Just add/import it to your Scheduled Tasks, check every setting and run it for testing.
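As an added example, not from the blog or its exported XML, the same scheduled task can be registered with PowerShell instead of clicking through the Task Scheduler dialogs; it reproduces the General, Triggers, Actions and Settings tabs above and, because the task runs as SYSTEM, refuses to register if the script file is writable by non-administrators. The script path and task folder are assumptions taken from the screenshots.

```powershell
# Added example, not the blog's exported task XML. Registers the
# "Download Defender Definitions" task the way the screenshots configure it.
# Assumed paths (adjust to your environment):
$ErrorActionPreference = 'Stop'
$scriptPath = 'C:\temp\SchedTask\downloadscepupdates.ps1'
$taskName   = 'Download Defender Definitions'
$taskPath   = '\Microsoft\Configuration Manager\'

function Register-DefinitionDownloadTask {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [string]$TaskName = 'Download Defender Definitions',
        [string]$TaskPath = '\Microsoft\Configuration Manager\'
    )

    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        throw "Script not found: $ScriptPath"
    }

    # The task runs as SYSTEM and executes whatever is in this file every hour,
    # so the file must not be writable by standard users. 0x116 is the
    # FileSystemRights::Write mask (also contained in Modify and FullControl).
    $acl  = Get-Acl -LiteralPath $ScriptPath
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$' -and
        (([int]$_.FileSystemRights) -band 0x116) -ne 0
    }
    if ($weak) {
        throw "$ScriptPath is writable by non-administrators; fix the ACL before registering a SYSTEM task."
    }

    # Actions tab: same command line as in the blog.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-ExecutionPolicy Bypass -File `"$ScriptPath`""

    # Triggers tab: every hour, every day (repeating for a practically unlimited time).
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
        -RepetitionInterval (New-TimeSpan -Hours 1) `
        -RepetitionDuration (New-TimeSpan -Days 3650)

    # General tab: run as SYSTEM whether or not a user is logged on, highest privileges.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest

    # Settings tab: run on demand (default), catch up on missed starts, restart
    # every minute up to 3 times on failure, stop after 3 days, and do not start
    # a second instance while one is still running.
    $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
        -StartWhenAvailable `
        -RestartInterval (New-TimeSpan -Minutes 1) -RestartCount 3 `
        -ExecutionTimeLimit (New-TimeSpan -Days 3) `
        -MultipleInstances IgnoreNew

    Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath `
        -Action $action -Trigger $trigger -Principal $principal -Settings $settings `
        -Description 'Downloads the Windows Defender definitions every hour' -Force
}

$null = Register-DefinitionDownloadTask -ScriptPath $scriptPath -TaskName $taskName -TaskPath $taskPath

# First run by hand, as the blog suggests, then check the result (0 means success, 0x0 in the console).
Start-ScheduledTask -TaskName $taskName -TaskPath $taskPath
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName $taskName -TaskPath $taskPath |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```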


Next we go to the Antimalware Policy and change the order of the sources. I set the UNC path as the first option, ConfigMgr as the second, and Microsoft Update and the Microsoft Malware Protection Center as the third. The last option is needed to protect the clients on the internet.

[Screenshot: Default Antimalware Policy, Definition updates tab: check interval for definitions, “Configure Definition Update Sources” with the order UNC file shares, Configuration Manager, Microsoft Update, Microsoft Malware Protection Center]

In addition I need to add the path to the share I created. It is the root folder; the client handles the x86 and x64 folders by itself.


Do not Forget to enable the UNC in the Client Settings:

This step by step is for a single primary site with no DPs, no BranchCache and no bigger network with different locations.


If you want to implement that in a “big” environment with multiple DPs, you can add a package with no program and replicate it to all DPs, use the share integration of the package, and just change or add the UNC paths. Or add a new Antimalware Policy with separate paths to the different UNC shares and deploy them to the right collections, so that clients in separate collections just use the correct path.


Here are the steps to create the Package:


The creation of the package is simple: just add the UNC path to the sources root folder

and create the package without a program.

Then go to the properties of the package and in the Data Source tab set the automatic update to every 2 hours, and also enable differential replication.

[Screenshot: SCEPupdates package properties, Data Source tab: update distribution points on a schedule (every 2 hours), enable binary differential replication]

In the Data Access tab, enable “Copy the content in this package to a package share on distribution points”.

This ends up as a folder that is shared in the root of the DP:

[Screenshot: Explorer on the DP, C:\ with the shared folder SCEPUPDATES (share name SCEPUPDATE$) next to SCCMContentLib, SMS_DP$ and SMSPKG]

Now you can use that share to add it to the Antimalware Policy as an additional source location:

[Screenshot: Default Antimalware Policy, Definition updates, “Set Paths” dialog for UNC file shares with the DP share \\<DP>\scepupdate$ as UNC path]

That’s it…


Hope it helps and saves you some time to enjoy a beer 🙂. This post is as is; test it first and do your test in a LAB before implementing it in production.

Have a wonderful day

Here is also another cool solution to do updates during the Task Sequence in Config Manager or MDT, thank you Jörgen for sharing.


How to configure TeamViewer in Intune in the new Azure portal

Hi all, I want to show you how to integrate TeamViewer in the new Azure portal of Microsoft Intune.

There are some great posts out there where other people have described this for the old Silverlight based portal.

Here from Per Larsen:

Prajwal Desai:

(Thank you guys for the main work)

No additional explanation of how it works is needed for this post; here is only the update for the new portal.

Go to the new Azure portal and open your Intune blade.

Go to the Devices blade -> TeamViewer Connector

First Connect, then log in to TeamViewer to authorize. This opens a website and redirects to the TeamViewer website; you need to have an account there to log in, and you also need the right license from TeamViewer.

TeamViewer only works on Windows 10 devices and Android.

You have nothing additional to do: neither install an app on the devices nor an app on the computer you use for remote access.

If you want to open a remote session to a user, go to the Devices blade:

Go to Devices -> All devices -> select the device you want to remote connect to.

The properties of the device will open; go to the upper right corner to “More” and then select “New Remote Assistance Session”.

To let the admin initiate a new remote assistance request, grant the Request Remote Assistance permission.

That’s it.

If you need more information in detail, there is a post about this on the docs:

Hope it helps and saves you some time to enjoy a beer 🙂

Here is also a YouTube step by step guide from Nathan O’Sullivan, thanks for sharing 🙂


How to get onboard with Windows Insider for Business

Maybe you know that it is also possible to become a Microsoft Windows 10 Insider for Business. There is a separate Feedback Hub ready to give MS feedback about features you would like to have in your enterprise. (How cool is that)

Get ready and send MS the feedback that you can use for your enterprise.

If you think ADK and GPO and so on are included: not really, but you can send your feedback anyway, and the Insider team will bring the information you have to the right product group, and maybe it’s in one of the following builds and maybe in the next version of Windows 10.

Here I will show you how to bring a test machine into the Insider for Business program, so that your feedback goes to the right channel:

You have to have an organization account in Azure Active Directory (AAD) that is enabled to be an Insider:


Here is also something like a step by step guide:

First register your company account to become an Insider (if you have done that, you will see this):

(Screenshot of the registration confirmation page:)
  Thank you for registering with the Windows Insider Program
  Welcome! You're an important part of the global community of Windows business users, helping us help your organization get the best of Windows.
  Do you want to control Windows Insider Preview builds across your organization? You may register your organization's domain with the Windows Insider Program and then apply policies to control the frequency and type of Insider Previews across your organization's domain.
  Install Windows 10 Insider Preview: Open your PC's Settings (Start > Settings > Update & security > Windows Insider Program). To see this setting, you need to have administrator rights to your PC.

After that you have to register your domain as part of Business Insiders, so that the account you used to get the Insider for Business can also manage other computers in your AD when they should get new builds for testing and so on. (This user must be Global Admin in your AAD)

If you want to give feedback, use the Insider Hub app or this link; just copy it and paste it into your browser’s URL bar: insiderhub://home/

Go back, download your latest Insider Win 10 version and install it on a VM or a computer, then go to Settings, select “Windows Insider Program”, add your company account, and you are in.

[Screenshot: Settings > Update & Security > Windows Insider Program: “You're all set to get Insider Preview builds”, content “Active development of Windows”, Windows Insider account: Work or school account]

Here is also a guide:

If you have any problems, post them in the forum: or just report them with the Feedback Hub app that’s already installed on your client.

If you want to manage the Insider computers in your company, just use GPOs or MDM to bring every device into the right configuration:

So have fun testing Preview builds in your company, and send feedback; without feedback there will be no changes in the future for your needs or wishes 😉

Please be careful, and test a build first before you send it to everyone in the company 😉


Patch, Hotfix, CU Information in Resource Explorer

Hi all, I found a very helpful WMI provider (it’s out of the box in the HW inventory, you only have to activate it) that you can just select, and then push the HW inventory to get the information into your SCCM console.

You can use this info to show which client has installed which patch, hotfix or cumulative update. This is very useful to get the information into your SCCM database as soon as possible; if you like you can also create a report. In this post I will show you what you have to enable and what info you get; for the reporting part, feel free to do that by yourself.

Here is what we have to find:
Go to the Client Settings in your SCCM console and open the Hardware Inventory




Find the Class Quick Fix Engineering (Win32_QuickFixEngineering)






Select the properties you need to know.
Save it.

Start a HW inventory on a client.

Select the client in Devices and open the Resource Explorer.





Now you can see the new class in the Resource Explorer, showing which hotfix, patch or CU is installed on the client.






This info is as it is, test it first in your LAB.

Hope it helps and saves time for a beer 🙂


Syntaro: EMS-MDM addition tool

Hi all, normally I do no product advertising on my blog, but now it’s time to tell you a story about a great product.

To make a long story short: we built this product to deploy EXE, MSI and scripts to any MDM-managed Win10 device (agentless with Intune).

[Diagram: content flow between SYNTARO, Microsoft Intune (MDM / MSI) and the client]

I will tell you the story from the beginning. I’m working for a company called baseVISION in Switzerland. We founded the company one and a half years ago. All of us are Config Manager enthusiasts, and we also use Intune (now EMS) for a lot of customers. We started with the idea to manage Win10 clients with the new fantastic MDM channel and not have any agent on the client. So, for our company we live the digital transformation and work 100% in the cloud. This is an example that it is possible to work that way with Microsoft products. I’m proud to have that done: we have no on-prem infrastructure, everything is running in Microsoft Azure.

So the need for more options and flexibility in our Intune tenant and our planned Intune projects increased. The limitation to single MSIs was the biggest issue. We would like to deploy real applications. The Windows Store just doesn’t have enough apps, and for these apps there are some other limitations. I really like the approach to only use apps from the Store or LOB apps on a device. The easy management of Windows Store apps would be a big benefit for all businesses (developers, start publishing your apps there!).

But in the meantime we have to close the huge gap between managing clients in SCCM as fully managed clients and managing devices as mobile devices for use in Azure AD only.

We need a method to deliver any application to our clients which are only managed through the Intune channel. We sat together last year and talked a long time about that “problem”; then we found an idea that could be implemented without any agent! Yes, the idea was born. We started to bring the needs from ourselves and also from the customers to the table and started designing a product. We also hired a developer company to do the frontend work. You know, when IT pros and developers talk together, it’s sometimes not really clear what the result will be.

Finally, we have our product: SYNTARO. It’s a framework which will get more and more modules in it. All of them have the goal to make Lightweight Managed Client (LWMC) management easier.

We like to get work done the easy way, which every admin and company owner likes, and therefore our slogan is: We do it Light!

The product Syntaro is based on the Azure platform, of course. It’s like a framework that allows partners to implement their own developed modules. That means the frame is open for partners. It is like a marketplace platform where everyone can build products and sell them. Details on

The first product in this marketplace is “Application Management”. The Application Management module was our first idea to have the possibility to manage Windows 10 devices through the MDM channel.

On the Syntaro portal you can easily sign in with your own AAD account. Yes, you need to have an Azure AD subscription first, otherwise the products make no sense for you.

Make sure that you log in to the Syntaro portal the first time with a global admin, which allows the Syntaro portal to register your tenant in our platform. After that, you can handle your admins in the Syntaro portal. There is no separate user account DB or something similar in the Syntaro backend; it just uses your AAD accounts. (Great?)

You can read a step by step guide on the Syntaro Wiki

Our first module: Application Management

First, you have to buy a few subscriptions in the marketplace. When you have bought them, you must wait until we have approved them. In future this will be done automatically, but this gives us the option to also give you some free licenses for testing purposes.

When we have added the “Application Management” subscriptions to your tenant, you can use the module and create your own packages in your repository. That means this is a trusted PowerShell package repository with your own packages; it’s not an untrusted location like, for example, Chocolatey. You know what you upload, and where you download it from.

A step by step on how to create MDM MSIs is also on the Wiki page

By the way, there is also a PackageProvider developed by Roger Zander. We have an integration with his repository. This can be used for freeware and open source apps. But keep in mind, you should also help and add your freeware and open source apps which are currently not in his repository.

And yes, to use this platform there is a fee. You know, we invested a lot of work in this solution and we also asked developers to implement it; this is not for free, that’s why we need to sell it. But to give you something back, we are working on some free tools inside the Application Management module.

Here is the pricing:

If you have any idea what we can do differently or better, feel free to use our User Voice:

If you need more information to use the Syntaro framework and build your own module, just use the contact page and we will come back to you as soon as possible.

Let’s try it out, hope it helps and makes another part of your life easier…


How to deploy Office 365 ProPlus (Click-to-Run) the modern way

Hi all

Do you want to install Office 2016 (O365 ProPlus) with Click-to-Run? And install it the modern or future way, with the bits from the O365 tenant that every user has access to and can also install on 4 additional computers (at home)? Then you are at the right spot here to learn how.

First of all, we have some different sources that help us get the right applications and also download them to deploy with SCCM / Intune.

We have to learn and understand the versions and build numbers for the new Office way:

Or in German:

On this link MS tells us we have 4 different channels:

  Channel                     Version   Build       Release date
  Current                     1705      8201.2102   June 13, 2017
  First Release for Deferred  1705      8201.2102   June 13, 2017
  Deferred                    1701      7766.2092   June 13, 2017
  Deferred (1)                1609      7369.2139   June 13, 2017

(1) There are always two versions of Deferred Channel that are supported. Version 1701 contains newer features and is supported until January 2018. Version 1609 is supported only until September 2017.

There is also information about the support duration for the different channels.

These versions and build numbers apply to the following Office 365 clients:

Office 365 ProPlus

Office 365 Business

Visio Pro for Office 365

Project Online Desktop Client

Here is also an overview of the channels:

For some versions you have to be careful: they never move on to the next channel version. That means if you prepare an image (capturing) with the wrong Office version installed, it will never be updated to the next version through the channels, so only use versions that have a successor in the channel table:

Release date     Current Channel                   First Release for Deferred Channel   Deferred Channel
June 13, 2017    Version 1705 (Build 8201.2102)    Version 1705 (Build 8201.2102)       Version 1701 (Build 7766.2092) / Version 1609 (Build 7369.2139)
June 7, 2017     Version 1705 (Build 8201.2075)    Not applicable                       Not applicable
June 1, 2017     Version 1704 (Build 8067.2157)    Not applicable                       Not applicable
May 18, 2017     Version 1704 (Build 8067.2115)    Not applicable                       Not applicable
May 9, 2017      Version 1703 (Build 7967.2161)    Version 1701 (Build 7766.2084)       Version 1609 (Build 7369.2130)

For the different channels you also need to know the size of each version, so you can calculate the disk space in your environment, here we go:

This was the pre-start information you need before you begin.

Now we can start to configure the setup and runtime routine and implement it in SCCM. A friend of mine (Ronni Pedersen) has done that in the past and published a document in the area

But in my case I need more than just one language; we also have to install German, French and Italian.

In the Microsoft support area you will find additional information about how to configure an Office CTR setup:

Here is what we need:

  • Setup.exe from the Office 365 setup; this file is just a few MB in size.
  • With the EXE and an XML file we can first download the sources we need from the Microsoft download server.

In the last link about the setup information we can create an XML ourselves, or we go to: and create the XML file we need with a “wizard”.

Here is a step by step guide to create the XML:

  1. [Screenshot: Office Click-To-Run Configuration XML Editor, alert: the latest Office Deployment Tool (ODT) uses the Channel parameter in the configuration XML instead of Branch; older ODT versions ignore Channel and default to Deferred Channel, so download the latest ODT. The branch names were also renamed: Current Branch is now Current Channel, Current Branch for Business is now Deferred Channel, First Release for Current Branch is now First Release for Current Channel, First Release for Current Branch for Business is now First Release for Deferred Channel.]
  2. Next
  3. [Screenshot: welcome page of the Configuration XML Editor, explaining how to start a new configuration XML or upload an existing one, configure products, updates and installation behavior, and save or download the file.]
  4. Close
  5. Select your version in the left corner (2016)
  6. Then select the product version
  7. [Screenshot: Add Product page with the required fields Product (Office 365 ProPlus, Office 365 for Business, Language Pack, Visio for Office 365, Project for Office 365) and Version (Latest, Latest Legacy Version).]

Here you can also select language packs and/or Visio and Project, but you have to do this later on. At the moment you can only select one product to configure and generate the XML; when you are finished with the first one, select the next, and in the end you can merge everything together.

    1. Select your channel
    2. [Screenshot: Add Product, required fields Product (Office 365 for Business), Edition (32-bit), Channel (Current, Deferred, First Release Current, First Release Deferred) and Version (Latest, Latest Legacy Version).]
    3. With Add Product
    4. [Screenshot: Add Product with Product Office 365 for Business, Edition 32-bit, Channel Current, Language English (en-us).]
    5. You will generate the XML
    6. [Screenshot: generated XML for Office 365 for Business, 32-bit, Current channel, language en-us.]
    7. Then you can add all the languages you need

<Configuration>
  <Add OfficeClientEdition="32" Channel="Current">
    <Product ID="O365BusinessRetail">
      <Language ID="en-us" />
      <Language ID="de-de" />
      <Language ID="fr-fr" />
      <Language ID="it-it" />
    </Product>
  </Add>
</Configuration>

    1. Not only languages can be added at this point but also Visio, for example; for this product you need to add every language again. In the end it looks like this:
    2. [Screenshot: generated XML with the products O365BusinessRetail and VisioProRetail, each with the languages en-us, de-de, fr-fr and it-it.]
    3. Select the version you plan to roll out, and also the build number you like
    4. [Screenshot: Version 1705, Build 8201.2102 selected.]
    5. But there is more: on the left side you can also select Exclude, then choose your Office product and set the exclusion if you don’t want to install the full Office.
    6. [Screenshot: Exclude Office Programs for Office 365 for Business; Groove and Publisher are excluded, all other programs are included.]
    7. Press Save and your XML gets updated

<Configuration>
  <Add OfficeClientEdition="32" Channel="Current">
    <Product ID="O365BusinessRetail">
      <Language ID="en-us" />
      <Language ID="de-de" />
      <Language ID="fr-fr" />
      <Language ID="it-it" />
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="Publisher" />
    </Product>
    <Product ID="VisioProRetail">
      <Language ID="it-it" />
      <Language ID="de-de" />
      <Language ID="fr-fr" />
      <Language ID="en-us" />
    </Product>
  </Add>
</Configuration>

    1. If you would like to manage the servicing with Configuration Manager, go to the advanced options
    2. [Screenshot: Additional Options with “Enable Configuration Manager support” enabled; SourcePath and DownloadPath left empty.]
    3. Don’t forget the Updates

[Screenshot: Updates section with Enable Updates set, Channel First Release Deferred, and UpdatePath, TargetVersion and Deadline left empty; the generated XML now contains <Updates Channel="FirstReleaseDeferred" Enabled="TRUE" />.]

    1. Hide any screen during deployment
    2. [Screenshot: Display section with Display Level None and Accept EULA False.]
    3. Add anything else you need and always use the Save button; in the end you get an XML like this:

<Configuration>
  <Add OfficeClientEdition="32" Channel="Current" OfficeMgmtCOM="TRUE">
    <Product ID="O365BusinessRetail">
      <Language ID="en-us" />
      <Language ID="de-de" />
      <Language ID="fr-fr" />
      <Language ID="it-it" />
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="Publisher" />
    </Product>
    <Product ID="VisioProRetail">
      <Language ID="it-it" />
      <Language ID="de-de" />
      <Language ID="fr-fr" />
      <Language ID="en-us" />
    </Product>
  </Add>
  <Updates Channel="FirstReleaseDeferred" Enabled="TRUE" />
  <Property Name="AUTOACTIVATE" Value="1" />
  <Property Name="FORCEAPPSHUTDOWN" Value="FALSE" />
  <Property Name="SharedComputerLicensing" Value="0" />
  <Property Name="PinIconsToTaskbar" Value="FALSE" />
  <Display Level="None" AcceptEULA="FALSE" />
</Configuration>

  1. Now you can save this file as configuration.xml in the same share where you have the Office setup.exe.
  2. Then you can simply run this command: setup.exe /download configuration.xml
    1. The download ends up in the same directory where setup.exe is started, in a separate subfolder. The subfolder is named with a number, and this number matches the build number of your Office version.
    2. When the download is complete, you can create the application package in SCCM following the guide that Ronni has written for the community.
  3. The next part is to have the right install command. We use the same command as for the download, but instead of /download we use: setup.exe /configure configuration.xml
  4. If you would like an uninstall command, you can easily create an uninstall.xml file with the following content:
  5. This removes the whole Office from your device with the command setup.exe /configure uninstall.xml


<Configuration>
  <Remove All="TRUE" />
</Configuration>
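The whole Click-to-Run procedure above in one script, added here as an example and not part of the original post: it generates configuration.xml for several products with the same language list and exclusions, refuses to run a setup.exe from the share that no longer carries a valid Microsoft signature, and then calls the /download and /configure commands. The share path and the product, language and exclusion lists are assumed values.

```powershell
# Added example, not from the original post: generate the Click-to-Run configuration.xml
# for several products and languages, check setup.exe's signature, then run the ODT.
# $OdtRoot and the product/language/exclusion lists below are assumed values for this demo.
param(
    [string]$OdtRoot = '\\sccm\app$\Office365CTR',      # assumed share holding setup.exe
    [string]$Channel = 'Current',
    [string]$Version = '',                              # e.g. '16.0.8201.2102'; empty = latest
    [string[]]$Products = @('O365BusinessRetail', 'VisioProRetail'),
    [string[]]$Languages = @('en-us', 'de-de', 'fr-fr', 'it-it'),
    [string[]]$ExcludeApps = @('Groove', 'Publisher'),  # applied to the Office product only
    [switch]$Download,
    [switch]$Configure
)

# Build the XML with the XML API rather than string concatenation so attribute values are escaped
$doc = New-Object System.Xml.XmlDocument
$cfg = $doc.AppendChild($doc.CreateElement('Configuration'))
$add = $cfg.AppendChild($doc.CreateElement('Add'))
$add.SetAttribute('OfficeClientEdition', '32')
$add.SetAttribute('Channel', $Channel)
$add.SetAttribute('OfficeMgmtCOM', 'TRUE')              # let Configuration Manager handle servicing
if ($Version) { $add.SetAttribute('Version', $Version) }

foreach ($p in $Products) {
    $prod = $add.AppendChild($doc.CreateElement('Product'))
    $prod.SetAttribute('ID', $p)
    # every product gets the same full language list, so no product ends up with fewer languages
    foreach ($l in $Languages) {
        $prod.AppendChild($doc.CreateElement('Language')).SetAttribute('ID', $l)
    }
    if ($p -like 'O365*') {
        foreach ($a in $ExcludeApps) {
            $prod.AppendChild($doc.CreateElement('ExcludeApp')).SetAttribute('ID', $a)
        }
    }
}
$upd = $cfg.AppendChild($doc.CreateElement('Updates'))
$upd.SetAttribute('Channel', 'FirstReleaseDeferred'); $upd.SetAttribute('Enabled', 'TRUE')
$disp = $cfg.AppendChild($doc.CreateElement('Display'))
$disp.SetAttribute('Level', 'None'); $disp.SetAttribute('AcceptEULA', 'FALSE')   # as in the post's XML

$xmlPath = Join-Path $OdtRoot 'configuration.xml'
$doc.Save($xmlPath)
Write-Host "Wrote $xmlPath"

# Refuse to run a setup.exe from the share unless it still carries a valid Microsoft signature
$setup = Join-Path $OdtRoot 'setup.exe'
$sig = Get-AuthenticodeSignature -FilePath $setup
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Refusing to run $setup : signature status '$($sig.Status)'"
}
if ($Download)  { & $setup /download $xmlPath }   # sources land in a subfolder named after the build
if ($Configure) { & $setup /configure $xmlPath }
```

Run it once with -Download on the share to fetch the sources, then use the same script with -Configure as the SCCM install command.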


That’s it, hope you have fun. Remember, this article is provided as is: test it before running it in production. Have fun and enjoy a beer for the time you save with this….


How to Deploy Office 2016 pro the classic Way

Hi all

If you would like to install Office 2016 without Click-to-Run, i.e. the classic way with the bits from the ISO file, this is how I did it.
In my case I downloaded the ISOs:
– SW_DVD5_Office_Professional_Plus_2016_W32_English_MLF_X20-41353.ISO (ENU is my base language)
– SW_DVD9_Office_Multi_Lang_Pack_2016_W32_MultiLang_Disk_1_MLF_X20-42853.ISO (I need a MUI install with more languages)

I have also downloaded the KMS key and added it to my KMS server; this is not part of this post.

I extracted both ISOs to one network folder: \\sccm\app$\Office2016\EN and \\sccm\app$\Office2016\MUI
In the root you will find setup.exe. Start a CMD as admin and type \\sccm\app$\Office2016\EN\setup.exe /admin
When you run the OCT it will look like this:

After that the Office Customization Tool (OCT) opens and you can configure all the settings you need; for a super silent installation I followed the steps from Ronni Pedersen in this guide

After you have implemented your settings, save the ENU.msp in the Updates folder.

At this point we are ready to install Office 2016 Pro as a regular install set on a machine by just running setup.exe without any parameter. You can use this with SCCM, MDT, Intune (tested) and maybe others (not tested).

But we would like to install a multi-language Office that is based on the OS language:

  1. Open \\sccm\app$\Office2016\MUI and copy all the folders with the language ending like,, to the folder \\sccm\app$\Office2016\EN (yes, I know the folder is named EN, we will rename it later)
  2. For the 4 languages en-us, fr-fr, de-de and it-it I get 91 items in the root folder
  3. Next I read this article about handling the languages:
    1. Here we have the following interesting part:
    2. You can also use the Import feature when you have created an initial Setup customization .msp file for an Office 2013 product (for example, Office Professional Plus 2013) and then you later want to modify the installation to add language packs. In such cases, you first add the language packs to the network installation point that contains the Office product source files. Then you run the OCT from the root of the network installation point, create a new Setup customization file for the same product (in this example, Office Professional Plus 2013), and then import the original customization .msp file that you created previously for Office Professional Plus 2013. To import an .msp customization file, in the OCT, open the File menu, and then choose Import. In the Open dialog box, select the previously created customization .msp file that you want to update. On the File menu, choose Save As. Specify a unique name for the .msp file, and then choose Save. Importing the previously created .msp file into the OCT will update the .msp file and include the added languages.
    3. In this case we have to open the Office Customization Tool (OCT) again (setup.exe /admin)
    4. This time it will look like this:
    5. Select the same product as in the first run (Microsoft Office Professional Plus 2016 (32-bit))
    6. After that, import the msp that you configured in the first run, ENU.msp
    7. Then save it again as a new msp in the same folder \\sccm\app$\Office2016\EN\updates, for example as Install_MUI.msp
    8. When you do that, the msp registers the additional files and folders
    9. Now we have to create the classic XML file with the language settings, based on this article:
    10. The only settings we need are the header for the product and the additional languages we would like to install
      <Configuration Product="ProPlus">
        <AddLanguage Id="de-de" ShellTransform="yes"/>
        <AddLanguage Id="en-us" />
        <AddLanguage Id="fr-fr" />
        <AddLanguage Id="it-it" />
      </Configuration>
    11. Save this file in \\sccm\app$\Office2016\EN\proplus.ww, for example as configMUI.xml
      There are also some other XML example files there (just have a look at them to understand the Office config a little better)
    12. That’s it
    13. Now we need the right command to install this classic Office 2016 setup with the additional languages in one run
    14. setup.exe /config proplus.ww\configMUI.xml

That’s it, hope that helps. This article is provided as is: test it before running it in production. Have fun and enjoy a beer….


