Tuesday, December 31, 2024

How to Create a Dynamic Group for Autopilot Devices in Microsoft Intune


Dynamic groups in Azure Active Directory (Azure AD) enable automatic membership based on defined criteria. For Windows Autopilot devices, a dynamic group ensures that devices meeting specific attributes are automatically added, simplifying profile assignments and management.


Steps to Create a Dynamic Group for Autopilot Devices

  1. Sign In to Microsoft Endpoint Manager Admin Center
    Navigate to intune.microsoft.com.

  2. Access Groups

    • Go to Groups > All groups in the left-hand menu.
    • Click New group to create a new dynamic group.
  3. Configure Group Settings

    • Group Type: Select Security.
    • Group Name: Enter a meaningful name, e.g., Autopilot Devices.
    • Description: Optionally, provide details about the group, e.g., "Dynamic group for Autopilot-enrolled devices."
  4. Set Membership Type
    Under the Membership type dropdown, select Dynamic Device.

  5. Define the Dynamic Membership Rule

    • Click Add dynamic query.
    • In the Rule syntax field, use the following query to include all Autopilot devices:

      (device.devicePhysicalIds -any (_ -contains "[ZTDId]"))
      Explanation:
      • device.devicePhysicalIds: Multi-valued attribute containing the physical IDs of a device.
      • [ZTDId]: A tag assigned to devices registered for Windows Autopilot. Each entry is the tag followed by the device's Autopilot ID, so the rule uses -contains; an exact match (-eq) on the tag alone would never fire and the group would stay empty.
  6. Save the Query

    • Click Save to apply the dynamic membership rule.
    • Click Create to finalize the group creation.
  7. Verify Group Membership

    • After creation, navigate to the group's Members tab.
    • Confirm that Autopilot devices are automatically added based on the rule.
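The same group can be created and checked from the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed and that the signed-in account holds Group.ReadWrite.All. The group name, description and mail nickname are placeholders.

```powershell
# Added example: create the Autopilot dynamic device group via Microsoft Graph
# PowerShell and verify the rule actually stored before relying on it for
# profile assignment. Assumes Microsoft.Graph is installed.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

$rule = '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'

$group = New-MgGroup -DisplayName "Autopilot Devices" `
    -Description "Dynamic group for Autopilot-enrolled devices" `
    -MailEnabled:$false -MailNickname "autopilotdevices" `
    -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Read the group back: a mis-typed rule is accepted silently, yields an empty
# group, and every profile assigned to that group then reaches no device.
$check = Get-MgGroup -GroupId $group.Id `
    -Property id,displayName,membershipRule,membershipRuleProcessingState
if ($check.MembershipRule -ne $rule) {
    throw "Stored membership rule differs from expected: $($check.MembershipRule)"
}
if ($check.MembershipRuleProcessingState -ne "On") {
    throw "Dynamic membership processing is paused for $($check.DisplayName)"
}

# Membership is evaluated asynchronously, so poll rather than assume it is immediate.
$members = @()
for ($i = 0; $i -lt 6; $i++) {
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
    if ($members.Count -gt 0) { break }
    Start-Sleep -Seconds 30
}
Write-Host ("Group {0} ({1}) currently has {2} member(s)" -f $check.DisplayName, $check.Id, $members.Count)
$members | ForEach-Object { $_.AdditionalProperties["displayName"] }
```

If the member list is still empty after a few minutes, check that the devices are registered in Autopilot (they carry the [ZTDId] physical ID only after registration).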

Importing "Offline" Hardware Hash into Microsoft Intune for Windows Autopilot


Windows Autopilot provides a seamless deployment experience for new devices in an organization. For devices that are not connected to the internet during deployment, you can manually extract and import the hardware hash into Microsoft Intune. This blog outlines the offline process using PowerShell.


Prerequisites

  1. Windows PowerShell: Ensure the latest version of Windows PowerShell is installed.
  2. Admin Permissions: Run PowerShell as an administrator.
  3. Network Access: Required only for uploading the hardware hash file to Microsoft Intune.
  4. Export Folder: Create a folder to store the exported CSV file, e.g., C:\Devices.

Steps to Export and Import Offline Hardware Hash

  1. Install the Script
    The Get-WindowsAutopilotInfo script is used to capture the hardware hash. Install it using the following command:

    Install-Script -Name Get-WindowsAutopilotInfo
  2. Set the Execution Policy
    To run scripts that are not digitally signed, change the execution policy temporarily:

    Set-ExecutionPolicy Unrestricted
  3. Export the Hardware Hash
    Use the script to export the hardware hash to a CSV file:

    Get-WindowsAutopilotInfo.ps1 -OutputFile C:\Devices\Device1.csv
    • What It Does:
      • Captures hardware details (hardware hash, serial number, etc.).
      • Saves the output to the specified file (C:\Devices\Device1.csv).
  4. Upload the CSV File to Intune

    • Log in to the Microsoft Endpoint Manager admin center.
    • Navigate to Devices > Windows > Windows enrollment > Devices.
    • Select Import and upload the CSV file containing the hardware hash.
  5. Assign Deployment Profile
    After the import is successful:

    • Navigate to Deployment profiles under Windows enrollment.
    • Assign the desired profile to the imported devices.
  6. Restore Execution Policy
    For security purposes, reset the execution policy:

    Set-ExecutionPolicy Restricted
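Before uploading an offline export, it is worth validating the CSV and, when several devices were captured one file at a time, merging them into a single import file. This is an added example, not part of the original post; it assumes the per-device exports live in C:\Devices and writes the merged file to C:\Devices\AutopilotImport.csv (both assumed paths).

```powershell
# Added example: validate offline hardware-hash exports and merge them into one
# import file. Assumed paths: exports in C:\Devices, output AutopilotImport.csv.
$ExportFolder = "C:\Devices"
$MergedFile   = Join-Path $ExportFolder "AutopilotImport.csv"
# The Intune import expects exactly these three column headers.
$Expected     = @("Device Serial Number", "Windows Product ID", "Hardware Hash")

$rows = @()
$files = Get-ChildItem -Path $ExportFolder -Filter "*.csv" | Where-Object { $_.FullName -ne $MergedFile }
foreach ($file in $files) {
    $csv = Import-Csv -Path $file.FullName
    if (-not $csv) { Write-Warning "$($file.Name): empty file, skipped"; continue }

    $headers = ($csv | Select-Object -First 1).PSObject.Properties.Name
    $missing = $Expected | Where-Object { $_ -notin $headers }
    if ($missing) { Write-Warning "$($file.Name): missing column(s) $($missing -join ', '), skipped"; continue }

    foreach ($row in $csv) {
        # An empty hash means the export script could not read the MDM device detail; never upload it.
        if ([string]::IsNullOrWhiteSpace($row.'Hardware Hash')) {
            Write-Warning "$($file.Name): serial $($row.'Device Serial Number') has no hardware hash, skipped"
            continue
        }
        # The hash is base64; a decode failure points at a truncated or hand-edited file.
        try { [void][Convert]::FromBase64String($row.'Hardware Hash') }
        catch { Write-Warning "$($file.Name): hash for $($row.'Device Serial Number') is not valid base64, skipped"; continue }
        $rows += $row
    }
}

# Keep one row per serial number; the last export of a device wins.
$unique = @($rows | Group-Object 'Device Serial Number' | ForEach-Object { $_.Group | Select-Object -Last 1 })
if ($unique.Count -gt 500) { Write-Warning "Intune accepts at most 500 devices per CSV; split the file before importing" }

# Write without quotes, matching the format Get-WindowsAutopilotInfo itself produces.
$unique | Select-Object $Expected | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } | Set-Content -Path $MergedFile -Encoding ASCII
Write-Host "Wrote $($unique.Count) device(s) to $MergedFile"
```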

Importing "ONLINE" Hardware Hash into Microsoft Intune for Windows Autopilot


Windows Autopilot streamlines the deployment and management of new devices in an enterprise environment. One critical step in setting up Autopilot is importing the hardware hash into Microsoft Intune. This guide walks you through the process using PowerShell.


Prerequisites

  1. Microsoft Intune License: Ensure your tenant is licensed for Intune.
  2. Admin Permissions: You need appropriate permissions to add devices to Intune.
  3. Windows PowerShell: Install the latest version of Windows PowerShell.
  4. Network Access: Devices must have access to the internet during hash extraction.

Steps to Import Hardware Hash

  1. Install the Required Script
    The script Get-WindowsAutopilotInfo is used to gather hardware hashes. To install it, run the following command in an elevated PowerShell session:


    Install-Script -Name Get-WindowsAutopilotInfo -Force
  2. Gather Hardware Hash
    Run the script to extract the hardware hash and upload it directly to Microsoft Intune:


    Get-WindowsAutopilotInfo -Online
    • What It Does:
      • Captures hardware details (hardware hash, serial number, model, etc.).
      • Uploads this information directly to the Autopilot deployment service in Intune.
  3. Verify Device Registration
    After executing the script, log in to the Microsoft Endpoint Manager admin center:

    • Navigate to Devices > Windows > Windows enrollment > Devices.
    • Ensure the imported device appears in the list with its hardware hash.
  4. Assign an Autopilot Profile
    Assign a pre-configured deployment profile to the imported device:

    • Go to Devices > Windows > Windows enrollment > Deployment profiles.
    • Select a profile and assign it to the imported device.

Thursday, February 18, 2021

HOW TO COLLECT AUTOPILOT LOGS FROM END USER DEVICE

Autopilot Logs Collection from End-User Device

##################################################
Open Command Prompt and run as Administrator

  1. mdmdiagnosticstool.exe -area Autopilot -cab C:\temp\AP.cab
  2. mdmdiagnosticstool.exe -area DeviceProvisioning -cab C:\temp\DP.cab

Open Powershell with Administrator

  1. Set-ExecutionPolicy bypass
  2. Install-Script -Name Get-AutopilotDiagnostics -Force
  3. Get-AutopilotDiagnostics
Note: Copy and paste results in Notepad. Save

wget https://aka.ms/intunexml -outfile Intune.xml
wget https://aka.ms/intuneps1 -outfile IntuneODCStandAlone.ps1
PowerShell -ExecutionPolicy Bypass -File .\IntuneODCStandAlone.ps1


Saturday, June 6, 2020

Microsoft Autopilot Step by Step Implementation

Microsoft Autopilot Step by Step


What is Autopilot: - Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. ... Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, Microsoft Endpoint Configuration Manager, and other similar tools.
Requirements
  • Windows 10, version 1703 or later
  • New devices that have not been through the Windows out-of-box experience


Microsoft Azure Configurations...
  1. Go to the Azure portal: https://portal.azure.com
  2. Navigate to Azure Active Directory > Devices > Device Settings
  3. Select Users may join devices to Azure AD for all and click Save





  2. On the left navigation pane, choose Devices > Windows > Windows Enrollment > Deployment Profiles










Microsoft Intune Configuration…

Setup Intune as the MDM authority



Azure portal, go to Microsoft Intune/Device Enrollment/Choose MDM Authority

Select Intune MDM authority








Verify whether it is already set up: Intune > Device Enrollment > Overview







Set Automatic Enrolment

Go to Microsoft Intune > Device Enrollment > Windows Enrollment and select Automatic Enrollment





Select a group, or allow All MDM users to enroll devices. This can be restricted later using enrollment restriction policies.



CREATING AUTOPILOT DEPLOYMENT PROFILE

Benefits:

  • Automatic setup for work or school
  • Customized Azure AD sign-in page
  • Skip privacy settings and EULA

Navigate to Microsoft Intune > Device Enrollment > Windows Enrollment > Deployment Profiles




Click Deployment Profiles

Create Profile




You can select Administrator if you want the user to have administrator access on the device.

 

   



Click NEXT


Click NEXT


Configure ENROLLMENT STATUS PAGE(ESP)

Create an ESP Profile


Click NEXT


Click NEXT



Select All Users if possible or create a custom user group




Add Dynamic Query

(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))

Import Hardware ID to Microsoft INTUNE


  • Copy below in a notepad and save as GetAutoPilotD.cmd


PowerShell -NoProfile -ExecutionPolicy Unrestricted -Command C:\Temp\Autopilot\Get-WindowsAutoPilotInfo.ps1 -ComputerName $env:computername -OutputFile C:\Temp\Autopilot\$env:computername.csv



  • Copy below in a notepad and save as Get-WindowsAutoPilotInfo.ps1

<#PSScriptInfo
 
 .VERSION 1.3
 
 .GUID ebf446a3-3362-4774-83c0-b7299410b63f
 
 .AUTHOR Michael Niehaus
 
 .COMPANYNAME Microsoft
 
 .COPYRIGHT
 
 .TAGS Windows AutoPilot
 
 .LICENSEURI
 
 .PROJECTURI
 
 .ICONURI
 
 .EXTERNALMODULEDEPENDENCIES
 
 .REQUIREDSCRIPTS
 
 .EXTERNALSCRIPTDEPENDENCIES
 
 .RELEASENOTES
 Version 1.0: Original published version.
 Version 1.1: Added -Append switch.
 Version 1.2: Added -Credential switch.
 Version 1.3: Added -Partner switch.
 
 #>

<#
 .SYNOPSIS
 Retrieves the Windows AutoPilot deployment details from one or more computers
 .DESCRIPTION
 This script uses WMI to retrieve properties needed by the Microsoft Store for Business to support Windows AutoPilot deployment.
 .PARAMETER Name
 The names of the computers. These can be provided via the pipeline (property name Name or one of the available aliases, DNSHostName, ComputerName, and Computer).
 .PARAMETER OutputFile
 The name of the CSV file to be created with the details for the computers. If not specified, the details will be returned to the PowerShell
 pipeline.
 .PARAMETER Append
 Switch to specify that new computer details should be appended to the specified output file, instead of overwriting the existing file.
 .PARAMETER Credential
 Credentials that should be used when connecting to a remote computer (not supported when gathering details from the local computer).
 .PARAMETER Partner
 Switch to specify that the created CSV file should use the schema for Partner Center (using serial number, make, and model).
 .EXAMPLE
 .\Get-WindowsAutoPilotInfo.ps1 -ComputerName MYCOMPUTER -OutputFile .\MyComputer.csv
 .EXAMPLE
 .\Get-WindowsAutoPilotInfo.ps1 -ComputerName MYCOMPUTER -OutputFile .\MyComputer.csv -Append
 .EXAMPLE
 .\Get-WindowsAutoPilotInfo.ps1 -ComputerName MYCOMPUTER1,MYCOMPUTER2 -OutputFile .\MyComputers.csv
 .EXAMPLE
 Get-ADComputer -Filter * | .\Get-WindowsAutoPilotInfo.ps1 -OutputFile .\MyComputers.csv
 .EXAMPLE
 Get-CMCollectionMember -CollectionName "All Systems" | .\Get-WindowsAutoPilotInfo.ps1 -OutputFile .\MyComputers.csv
 .EXAMPLE
 .\Get-WindowsAutoPilotInfo.ps1 -ComputerName MYCOMPUTER1,MYCOMPUTER2 -OutputFile .\MyComputers.csv -Partner
 
 #>

[CmdletBinding()] 
param(
    [Parameter(Mandatory=$False,ValueFromPipeline=$True,ValueFromPipelineByPropertyName=$True,Position=0)][alias("DNSHostName","ComputerName","Computer")] [String[]] $Name = @($env:ComputerName),
    [Parameter(Mandatory=$False)] [String] $OutputFile = "",
    [Parameter(Mandatory=$False)] [Switch] $Append = $false,
    [Parameter(Mandatory=$False)] [System.Management.Automation.PSCredential] $Credential = $null,
    [Parameter(Mandatory=$False)] [Switch] $Partner = $false,
    [Parameter(Mandatory=$False)] [Switch] $Force = $false
)

Begin
{
    # Initialize empty list
    $computers = @()
}

Process
{
    foreach ($comp in $Name)
    {
        $bad = $false

        # Get the common properties.
        Write-Verbose "Checking $comp"
        $serial = (Get-WmiObject -ComputerName $comp -Credential $Credential -Class Win32_BIOS).SerialNumber

        # Get the hash (if available)
        $devDetail = (Get-WMIObject -ComputerName $comp -Credential $Credential -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'")
        if ($devDetail -and (-not $Force))
        {
            $hash = $devDetail.DeviceHardwareData
        }
        else
        {
            $bad = $true
            $hash = ""
        }

        # If the hash isn't available, get the make and model
        if ($bad -or $Force)
        {
            $cs = Get-WmiObject -ComputerName $comp -Credential $Credential -Class Win32_ComputerSystem
            $make = $cs.Manufacturer.Trim()
            $model = $cs.Model.Trim()
            if ($Partner)
            {
                $bad = $false
            }
        }
        else
        {
            $make = ""
            $model = ""
        }

        # Getting the PKID is generally problematic for anyone other than OEMs, so let's skip it here
        $product = ""

        # Depending on the format requested, create the necessary object
        if ($Partner)
        {
            # Create a pipeline object
            $c = New-Object psobject -Property @{
                "Device Serial Number" = $serial
                "Windows Product ID" = $product
                "Hardware Hash" = $hash
                "Manufacturer name" = $make
                "Device model" = $model
            }
            # From spec:
            #    "Manufacturer Name" = $make
            #    "Device Name" = $model

        }
        else
        {
            # Create a pipeline object
            $c = New-Object psobject -Property @{
                "Device Serial Number" = $serial
                "Windows Product ID" = $product
                "Hardware Hash" = $hash
            }
        }

        # Write the object to the pipeline or array
        if ($bad)
        {
            # Report an error when the hash isn't available
            Write-Error -Message "Unable to retrieve device hardware data (hash) from computer $comp" -Category DeviceError
        }
        elseif ($OutputFile -eq "")
        {
            $c
        }
        else
        {
            $computers += $c
        }

    }
}

End
{
    if ($OutputFile -ne "")
    {
        if ($Append)
        {
            if (Test-Path $OutputFile)
            {
                $computers += Import-CSV -Path $OutputFile
            }
        }
        if ($Partner)
        {
            $computers | Select "Device Serial Number", "Windows Product ID", "Hardware Hash", "Manufacturer name", "Device model" | ConvertTo-CSV -NoTypeInformation | % {$_ -replace '"',''} | Out-File $OutputFile
            # From spec:
            # $computers | Select "Device Serial Number", "Windows Product ID", "Hardware Hash", "Manufacturer Name", "Device Name" | ConvertTo-CSV -NoTypeInformation | % {$_ -replace '"',''} | Out-File $OutputFile
        }
        else
        {
            $computers | Select "Device Serial Number", "Windows Product ID", "Hardware Hash" | ConvertTo-CSV -NoTypeInformation | % {$_ -replace '"',''} | Out-File $OutputFile
        }
    }
}


Create the folder C:\Temp\Autopilot.
Copy the files to C:\Temp\Autopilot\Get-WindowsAutoPilotInfo.ps1 and C:\Temp\Autopilot\GetAutoPilotD.cmd.

Run GetAutoPilotD.cmd from an elevated (administrator) command prompt; a .csv named after the computer will be created in the same folder.



Or: import the device to Azure using PowerShell

Set-ExecutionPolicy bypass

Install-Script -Name Upload-WindowsAutopilotDeviceInfo

Get-WindowsAutoPilotInfo -Online

Upload Hardware ID to Intune



Click Devices



Click Import and Select .csv and Import




Device details appear after import and sync. This takes 15-20 minutes.


Turn on imported Device for OOBE and Test Autopilot
Search > Reset PC > Get Started





Choose Remove everything and follow the on-screen instructions.

Enter username and password and follow OOBE

  


Setup will go through and will be completed. The installation will depend on Apps and settings assigned to Enrollment Status Page.