Automatically import Windows Autopilot Devices into Intune


Importing Windows Autopilot devices into Intune can be a giant task. Collecting hardware hashes of every device, importing them into Microsoft Endpoint Manager and assigning users to these devices manually will take up precious time you probably want to use for other tasks.

Learning to automate repetitive tasks in your environment is key to your own growth. I always encourage everyone to automate this set of tasks, as it frees up time to pursue other tasks or challenges that lie ahead of you.

Collecting the hardware hash of your device

In the old days, and still in use to this very day, we used to target a task sequence via Configuration Manager / SCCM at all unknown computers to perform an OS build that was compliant with the org's policies and settings. However, in Microsoft Endpoint Manager we cannot allow every device to register with the company and access resources. Therefore such a task sequence is out of the question in Intune.

To control access to the org and make sure that the company's devices, or the devices which should get access to company resources, are compliant, we need to collect their hardware hash and import them into Intune. Afterwards, we can use Windows Autopilot to either join or register their device to Azure AD. In the case of existing devices which cannot be regeneralized, we can perform a manual registration.

Depending on your situation, you may only need to register existing devices, since your vendor should be responsible for uploading the hardware hash to your tenant on your behalf when you procure the device from them.

Importing the hardware hash automatically online

The Get-WindowsAutoPilotInfo script can retrieve the hardware hash for you and export it to a CSV file. Via some clever PowerShell scripting you can add an entry for each device on your network to a network file, and afterwards import them into Intune manually.

That approach saves you from entering credentials to authenticate towards Microsoft Azure; I will cover it in another post.

This method directly uploads the hardware hash to Intune by connecting to the Microsoft Azure AD tenant online, which makes the process very simple for any employee with the proper role to add devices into Intune.

You can either prep a client and run the separate PowerShell commands within OOBE to import the hardware hash, or go through the basic OOBE setup and run the PowerShell script within Windows, which you can find on my GitHub page.

To open up a PowerShell window, press Shift + F10 in the OOBE and type powershell to open a PS console.

On the left, you can find a screenshot of the PowerShell window in the OOBE setup process.

First off, we need to allow running unknown scripts from PowerShell. We can do that with the following command:

Set-ExecutionPolicy -ExecutionPolicy bypass -Force

Secondly, we need to find the Get-WindowsAutoPilotInfo script in the PowerShell Gallery repository. This can be done with the Find-Script command. However, before we can start finding the script to upload our hardware hash to Intune, we need to install the NuGet package provider, since this is required for getting the script onto our device.

Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force

Next, we'll load the script into a variable so that we can perform a conditional check on it. For me, a best practice is to load everything you can into a variable, perform a conditional check and throw an error if something does not go the usual way. Running scripts, and specifically older scripts (you may find this blog post some time in the future), may not work as intended, since between the writing of the script and your execution of it, some things might have changed and therefore no longer work.

$Script = Find-Script -Name Get-WindowsAutoPilotInfo

Now that the script should be loaded into the variable $Script, we will check whether the script has been found and, in turn, also start installing the script on our machine.

I perform a check on the name of the script, since it should always remain the same. If the name of the script changes, an error will be thrown to inform us that the script cannot be found.

if ($Script.name -eq "Get-WindowsAutoPilotInfo"){
    write-host ""
    write-host "The script to upload this machine's hardware ID has been found and can be used."
}
else {
    write-host ""
    throw "The script to upload this machine's hardware ID has not been found. The script will exit."
}

In turn, let's install the script on our machine.

When installing scripts this way, we need to add C:\Program Files\WindowsPowerShell\Scripts to the PATH environment variable for PowerShell. With our -Force parameter this is automatically approved.

Since we are installing a script from an untrusted repository, this also needs to be confirmed by the user. The -Force parameter once again does this for us automatically.

Install-Script -Name $Script.name -Force

Using the -Online parameter with the Get-WindowsAutoPilotInfo.ps1 script, we need to provide the credentials to connect to your Azure tenant. After authenticating towards this tenant, the hash will automatically be uploaded to your Intune environment.

Get-WindowsAutoPilotInfo.ps1 -Online

You will get the Permissions Requested message to perform the activity of uploading the hardware hash. The first time, you need to check the box "Consent on behalf of your organization" and choose Accept.

We then have to wait for the device to successfully import itself into Intune. It performs self-checks to see whether the hardware hash can be found in the Intune tenant by looking for the serial number.

After the import has been successful, I tend to automatically regeneralize the machine so that at re-registration we can enter the identity of the user and the machine will be joined to Azure.

cmd.exe /c "%WINDIR%\system32\sysprep\sysprep.exe /generalize /reboot /oobe"
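The steps above chained into one script, as an added example that is not the post's own GitHub script. It keeps the checks the post describes (NuGet provider present, script found by name before it is installed) and adds two choices of my own: the execution policy is relaxed for the current process only instead of machine-wide, and the sysprep reboot only runs when the -Generalize switch is passed. It assumes the Get-WindowsAutoPilotInfo script on the PowerShell Gallery accepts the -Online and -GroupTag parameters; the -GroupTag and -Generalize script parameters are this example's own.

```powershell
# Added example: the post's import steps as one script with explicit checks.
# Assumptions: Get-WindowsAutoPilotInfo from the PowerShell Gallery accepts -Online
# and -GroupTag; the -GroupTag/-Generalize parameters below are this example's own.
[CmdletBinding()]
param(
    [string]$GroupTag = '',
    [switch]$Generalize
)

$ErrorActionPreference = 'Stop'

# Step 1: relax the execution policy for this process only, so the change
# does not outlive the session (the post uses the default machine scope).
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Step 2: the NuGet provider is needed before Find-Script can query the gallery.
$nuget = Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue
if (-not $nuget -or $nuget.Version -lt [version]'2.8.5.201') {
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
}

# Step 3: locate the script and verify its name before installing anything.
$script = Find-Script -Name Get-WindowsAutoPilotInfo -Repository PSGallery
if (-not $script -or $script.Name -ne 'Get-WindowsAutoPilotInfo') {
    throw 'Get-WindowsAutoPilotInfo was not found on the PowerShell Gallery. Exiting.'
}
Write-Host "Found $($script.Name) version $($script.Version), author $($script.Author)"

# Step 4: install the script; -Force answers the PATH and untrusted-repository prompts.
Install-Script -Name $script.Name -Force

# Step 5: upload the hardware hash straight to the tenant (prompts for credentials).
$scriptPath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Scripts\Get-WindowsAutoPilotInfo.ps1'
if (-not (Test-Path $scriptPath)) { throw "Installed script not found at $scriptPath" }

$arguments = @{ Online = $true }
if ($GroupTag) { $arguments['GroupTag'] = $GroupTag }
& $scriptPath @arguments

# Step 6 (optional): generalize and reboot into OOBE only when explicitly requested.
if ($Generalize) {
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    Write-Host "Hash for serial $serial uploaded; generalizing and rebooting into OOBE."
    Start-Process -FilePath "$env:WINDIR\System32\Sysprep\sysprep.exe" `
        -ArgumentList '/generalize', '/reboot', '/oobe' -Wait
}
```

Run it from the elevated PowerShell window opened with Shift + F10 (for example .\Import-Autopilot.ps1 -GroupTag 'Laptops' -Generalize); without -Generalize the machine stays in its current state so you can confirm the import first.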

Check if your device has been successfully imported

Log in to your MEM portal and navigate to Home > Devices > Enroll devices > Devices to see whether the device has been successfully imported.

Note: It can take some time before the device is shown in the portal. If you do not see it directly, please wait some time.
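The same check done from PowerShell instead of the portal, as an added example that is not part of the original post. It polls the tenant's Autopilot device list for the machine's serial number, which mirrors the self-check the import performs, and waits between attempts because the device can take a while to appear. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account holds the DeviceManagementServiceConfig.Read.All permission, and that the Graph resource deviceManagement/windowsAutopilotDeviceIdentities accepts a contains() filter on serialNumber.

```powershell
# Added example: poll Microsoft Graph until this machine's serial number shows up
# in the Autopilot device list. Assumes Microsoft.Graph.Authentication is installed
# and the account has DeviceManagementServiceConfig.Read.All.
function Test-AutopilotDeviceRegistered {
    param(
        [Parameter(Mandatory)] [string]$SerialNumber,
        [int]$MaxAttempts = 12,
        [int]$DelaySeconds = 30
    )

    # A read-only scope is enough for this check.
    Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

    # Escape single quotes so a serial cannot break the OData filter expression.
    $escaped = $SerialNumber -replace "'", "''"
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities' +
           "?`$filter=contains(serialNumber,'$escaped')"

    for ($i = 1; $i -le $MaxAttempts; $i++) {
        $result = Invoke-MgGraphRequest -Method GET -Uri $uri
        if ($result.value.Count -gt 0) {
            $device = $result.value[0]
            Write-Host "Found: serial $($device.serialNumber), model $($device.model), id $($device.id)"
            return $true
        }
        Write-Host "Attempt $i of ${MaxAttempts}: not visible yet, waiting $DelaySeconds s"
        Start-Sleep -Seconds $DelaySeconds
    }
    return $false
}

# Serial of the machine this runs on; pass another serial to check a different device.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
if (-not (Test-AutopilotDeviceRegistered -SerialNumber $serial)) {
    throw "Serial $serial was not found in Autopilot after polling; check the import result."
}
```

With the defaults this waits up to six minutes, which matches the note above that the device does not always appear immediately; raise -MaxAttempts if your tenant is slower.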
