Today, we're going to explore the wonderful world of automation, this time for uploading the Windows Autopilot hardware hash to Intune - of course using the power of PowerShell. Say goodbye to manual registrations that require entering an administrator account and hello to a more straightforward automated registration for Autopilot! 🚀
Understanding the Script
Here's a breakdown of the steps involved in automating these installations:
Set the Execution Policy
To get started, we need to set the execution policy using the Set-ExecutionPolicy command. Think of it as the bouncer at the PowerShell club, ensuring that our script can run smoothly without any restrictions. We don't want any party crashers, right? 😄
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
Install required components
Now, let's bring in the necessary ingredients for our automation recipe. We'll use the Install-PackageProvider command to install the NuGet package provider. This handy provider helps us easily acquire other packages we need for the Autopilot and Intune magic to happen.
Install-PackageProvider -Name NuGet -Force | Out-Null
Install script and module
It's time to bring in the stars of our show! We'll use the Install-Script command to install the awesome script called "Get-WindowsAutoPilotInfo". This script helps us gather all the juicy Autopilot information we need. But wait, there's more! We also need the WindowsAutopilotIntune module, which can be installed with the Install-Module command. It's like having the perfect cast for our tech blockbuster! 🎥🍿
Install-Script -Name Get-WindowsAutoPilotInfo -Force | Out-Null
Install-Module -Name WindowsAutopilotIntune -Force | Out-Null
Prompt for the Group Tag
Now, let's add a little spice to our automation recipe. We'll prompt you, the wizard behind the screen, to enter a Group Tag for uploading. This Group Tag helps categorize the uploaded data and makes your life a whole lot easier when managing multiple uploads. You can enter a Group Tag to keep things organized, or simply press Enter to continue without one. Your call, maestro! 🎵
$GroupTag = Read-Host "To upload with a Group Tag, enter the Group Tag now. Otherwise, press Enter to continue without a Group Tag."
Get Windows Autopilot Info
Drumroll, please! It's time to gather all the Autopilot secrets using the script we installed earlier. We'll use the Get-WindowsAutoPilotInfo command with the parameters stored in our hash table called $AutopilotParams. This command collects the device's Autopilot information and, using your specified credentials and group tag (if provided), uploads it to the online service and handles the registration.
Sit back, relax, and let the magic happen! ✨
$AutopilotParams = @{
    Online    = $true
    TenantId  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    AppId     = "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    AppSecret = "xxxx~xxxxxxxxxxxxxx~xxxxxxxxxxxxxxxxxxxxx"
    GroupTag  = "$GroupTag"
}
Get-WindowsAutoPilotInfo @AutopilotParams
Remember to customize the parameters with your own credentials and group tags to make the magic work seamlessly for your specific setup. Happy automating and may your IT adventures always be filled with joy and triumph! 🎉🔥
The App Registration
The App registration allows us to run the script without an interactive authentication.
Creating the App registration
To create the App registration with the necessary permissions, head over to Entra.
Applications > App registrations > + New registration
Here you give the App a nice name and click "Register".
On the home screen of the app you can copy the App ID and Tenant ID and paste them into your script.
Creating the App secret
In the App navigate to "Certificates & secrets" and click "+ New client secret".
Here you define a name for the secret and a lifetime. The maximum is 2 years.
Copy the created Secret Value into your script. The Value will be shown only once; after that you cannot retrieve it a second time.
Assign permissions to our App
In the tab "API permissions" we can remove the already present "User.Read" permission and add "DeviceManagementServiceConfig.ReadWrite.All".
This is the minimum permission needed to allow an Autopilot registration.
After adding the permission, it's very important to approve it (grant admin consent).
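One way to confirm that the registration carries exactly the permission described above, and that it was approved, is to decode the "roles" and "exp" claims of the app's access token. This is an added example, not part of the original post; the function names Test-AutopilotAppToken and ConvertTo-Base64Url and the sample token are constructed for illustration.

```powershell
# Added example: function names and the sample token are constructed for illustration.
function Test-AutopilotAppToken {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string[]]$ExpectedRoles = @('DeviceManagementServiceConfig.ReadWrite.All')
    )
    # A JWT is header.payload.signature; the payload is base64url-encoded JSON.
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected three dot-separated parts.' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json

    # Application permissions that were approved appear in the "roles" claim.
    $roles   = @($claims.roles | Where-Object { $_ })
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    [pscustomobject]@{
        Roles        = $roles
        MissingRoles = @($ExpectedRoles | Where-Object { $_ -notin $roles })
        ExtraRoles   = @($roles | Where-Object { $_ -notin $ExpectedRoles })
        ExpiresUtc   = $expires.UtcDateTime
        # Measured against this machine's clock, so a wrong local clock shows up here.
        MinutesLeft  = [math]::Round(($expires - [DateTimeOffset]::UtcNow).TotalMinutes)
    }
}

function ConvertTo-Base64Url([string]$Text) {
    $b = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Constructed, unsigned sample token with made-up claims so the check runs offline.
$payload = @{
    roles = @('DeviceManagementServiceConfig.ReadWrite.All', 'Directory.Read.All')
    exp   = [DateTimeOffset]::UtcNow.AddMinutes(60).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload), 'sig'
Test-AutopilotAppToken -AccessToken $sample

# With real values, request the token from the client-credentials endpoint instead:
# $t = Invoke-RestMethod -Method Post -Body @{
#         client_id = $AppId; client_secret = $AppSecret
#         grant_type = 'client_credentials'; scope = 'https://graph.microsoft.com/.default'
#      } -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
# Test-AutopilotAppToken -AccessToken $t.access_token
```

An empty Roles list means the permission is missing or has not been approved; anything under ExtraRoles is a permission beyond what the registration needs.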
Create an EXE from the Script
Advising users to run the script with a right click and "Run with PowerShell" is not always going to work. For a more convenient user experience you can use the PowerShell module "ps2exe" to create an EXE.
# Module Installation
Install-Module -Name ps2exe
# Convert to EXE
ps2exe -inputFile "C:\..\Autopilot-Registration.ps1" -outputFile "C:\..\Autopilot-Registration.exe"
Great post! The link to Download the Script @GitHub is not working for me.
Thanks and the link is fixed now 🙂
Hey Florian, I'm running this on a demo VM and it keeps reading "Waiting for 1 of 1 to be imported"
is that to be expected?
thanks!
(it ended up working, it was just slow)
thanks a lot
This is quite nice. What I am getting is access token expired errors, despite the fact that I have set it to 2 years, and on a few machines it still fails to run 🙁
On others the get-windowsautopilot command cannot be instantly loaded - so I just pasted the code of that one into the body of your small script. No need to download it on every client 🙂 Although it's burnt-in.
Wonder why some computers say the app secret has expired though 🙁
just correcting myself, the secret is 2 years, but the access token expired comes up randomly on some machines and not on others. :S
Never had that problem, maybe something in the network?