Automation of gathering and importing Windows Autopilot information

2018-08-01T08:35:38+01:00

Hello,

I’m trying to use the solution, but it seems the Start-command function executes multiple times on my test device. (I have about a hundred powershell.exe running when it start’s at those parts, )
Any idea what could be wrong with that function?

Reply

2018-08-01T08:40:19+01:00

Hi Nicolas,

this is strange as the script itself does not have any loop inside. So I guess there is something wrong with the execution of the script itself. How do you execute the script? Did you try manually and did you get the same results then?

best,
Oliver

Reply

2018-08-01T08:42:19+01:00

Hello Oliver,

yes i tried manually with powershell prompt or ISE, same results as I got the problem when using the intune extension.

I’ll continue to check why that function it behaving strangly.

Thanks,

Nicolas.

2018-08-01T08:47:24+01:00

I run the script in system context in my test environment via Intune Management Extension and it is working well. When you are using ISE does it throw any error during execution?

2018-08-01T08:51:48+01:00

Yes i throwed me an error… it couldn’t download the Get-WindowsAutoPilotInfo.ps1 because I made a stupid case error in the name.

Thanks for your help.

Nicolas.

Reply

2018-08-01T08:52:44+01:00

You’re welcome!

Reply

2018-08-01T09:11:24+01:00

I still have the problem, and no clue for the moment. I have copied the content of the function inside the code, and then it’s working. I’ll use that workaround for the moment.

2018-08-05T21:14:12+01:00

Thank you for a great article, your advice will be very helpful for me.

Reply

2018-08-05T21:15:30+01:00

Great 👍 good to hear.

Reply

2018-08-10T10:48:49+01:00

Hey Oliver,

Thanks for this, setting it up as I write.

For others that might have the same issue:
Noticed Find-AzureRMResource is not a part of AzureRM.Resources anymore, but part of .NET core, which fails when trying to import the module to my Automation account. The runbook will fail since it can’t find the cmdlet.

Anyways, Get-AzureRMResource is the new cmdlet.

Reply

2018-08-10T10:50:49+01:00

Oh good to know, I need to have a look into this, thanks for the info!

Reply

Pingback: Gathering Existing Devices Windows Autopilot Device IDs – Modern EUC Blog

2019-07-22T09:36:01+01:00

Hello Oliver,

Thanks for the great article. All your articles are of top notch quality.
Just wanted to see if we can build a solution probably an Azure runbook or a powershell, which will help us to figure out the machines that went through Autopilot and not through manual setup. Is there any attributes we can check in Graph API autopilot endpoint to figure out this. I know that there is registry entries to see per machine. Trying to figure out if any automation is possible.

Thnx,
Noble

Reply

2019-07-22T11:56:41+01:00

Hi Noble,

I would go for an approach like this: http://rzander.azurewebsites.net/bitlocker-management-with-azure-storage-table/
Write a PowerShell script to run this on the devices and gather all needed information from the clients and calculate your result about Autopilot. Then upload the result to a table storage in Azure. If you like to use these results further, then you could easily write a Azure PowerShell Runbook to query the table storage and do whatever you like. That would be my approach here 👍

best,
Oliver

Reply

2019-07-27T12:49:56+01:00

Thanks Oliver. I’ll definitely build this and update you.

2020-04-29T14:42:18+01:00

Hi Oliver, Thanks for the script it is good stuff. When I am testing this script on a local machine before I push this out via Intune, it runs but looks to never compelte I have to manually stop PS ISE and go back in . When I stepped through the code it seems to be having trouble on $scriptPath = [System.IO.Path]::GetDirectoryName($MyInvocation.MyCommand.Path).

This produces an error as below:

Exception calling “GetDirectoryName” with “1” argument(s): “The path is not of a legal form.”
At line:6 char:1
+ $scriptPath = [System.IO.Path]::GetDirectoryName($MyInvocation.MyComm …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ArgumentException

Any ideas?

Reply

2020-04-29T16:22:39+01:00

Hi Gavin,

🙂 yup this is by design. $MyInvocation will only work if you run the PowerShell as a script or function. Meaning you have to save it as e.g. test.ps1 and run it. Just copying it into ISE and click run will produce this error. $MyInvocation is populated only for scripts, function, and script blocks.

Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_automatic_variables

best,
Oliver

Reply

2020-04-29T16:52:02+01:00

Ok I understnad however when I run this in an administrator PS shell window on a local machine the script also never completes and there is no error produced. I am wondering if you have a solution to test this first before deploying via intune management extension. I have also tried using PSEXEC to run this script (as a .ps1) and still I get the same result… The script never finishes. I noticed that actually it gets the “Get-WindowsAutoPilotInfo from the blob storage I configured but never gets the AzCopy.Zip, which means to me that its getting stuck “Start-Command” bit. I have created a test config profile now in Itune to see what happens as well.

2020-08-18T15:43:01+01:00

This is awesome but for me I am not sure what happens after you upload the hardware hashes. Doesn’t the device need to be wiped again so that the device will start using the hash? There is no mention of that in the article

Reply

2020-08-23T17:03:12+01:00

Hey Ivor,

the initial idea of the blog post was for a migration project of Windows 7 to Windows 10. I used MDT to create a Deployment USB media (removable drive) for that and built up a Standard Task Sequence to deploy Windows 10 for this. We took care of the right drivers and in the end we let the device start the OOBE again (sysprep.exe /oobe /reboot|shutdown). Now this device was ready for OOBE and was delivered to the user. In the meantime the import was done in the backend and everything is registered. Downside if you migrate a device directly in front of the user and want to start directly into Autopilot it may be not registered. For this situation I suggest to look at the new -online switch in the Get-WindowsAutopilot.ps1 script. For an ad hoc migration you could then fire up Shift + F10 open the command, use the script with -online and wait until registered and then proceed with the OOBE.

best,
Oliver

Reply

2020-08-18T15:45:55+01:00

Oliver how about resetting the device at the end. Lets say you have all the hashes you need on the blob and then imported into Autopilot. Doesn’t the device need to be reset for autopilot to kick in?

Reply

2020-08-23T17:06:08+01:00

Hey mcnamai,

I used a Standard MDT Task Sequence and added sysprep.exe /oobe /reboot|shutdown to the end. This way the device started into OOBE again an the user could run through the regular OOBE without an Reset. We actually did the wipe and reload before so we just want to start into OOBE. With MDT I sued the command above with ConfigMgr have a look here: https://docs.microsoft.com/en-us/archive/blogs/mniehaus/speeding-up-windows-autopilot-for-existing-devices

best,
Oliver

Reply

2021-07-14T23:16:00+01:00

Hi Oliver,

It looks like the script needs an update? I tried with the runbook, but got this error: ( The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’)

An error occured getting access token: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’. Trace ID: ad9ceb91-9dd5-48de-a44b-69d4eb6f7200 Correlation ID: df83bb72-af21-4448-b34e-b5cc96a59689 Timestamp: 2021-07-14 22:06:36Z —> System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).

Thanks!

Reply

2021-07-21T16:21:33+01:00

You are right! It‘s a rather old post. I‘ve seen you have worked out a solution in the meantime. Very good work 👍

Reply

Pingback: Powershell Script to Auto Upload and Process Autopilot 4k Hardware Info - Rui Qiu's Blog

2021-07-21T16:44:44+01:00

yes, the fix for that issue is to edit the manifest to set “allowPublicClients” to true. thanks for your original post so I can get this sorted out 🙂 love your blogs!

Reply

2021-07-21T16:45:53+01:00

Thanks for the nice words!

Reply

2022-05-12T11:33:25+01:00

Hello Oliver,
first of all, thank you. I can start from here to build my own solution. Basically I need to collect device hash information from devices already enrolled (manually – no AutoPilot) in Intune. So I was thinking to use Intune for deploying a PowerShell scripts for gathering hashes and save them to Azure Blob Storage. Then I can download these hashes (CSV) and import them to Intune, manually. What about ?

Reply

2022-06-27T14:03:20+01:00

Hi,

The article is quite old, so now I would do it a little simpler with your requirement. Just read the AP hash and publish it. Have a look at the ScheduleAndUploadBitLockerKeyProtectorType.ps1 script in my Intune GitHub repo. There is a script sample included how to push something to an azure storage table. You don’t need the scheduled task of it, just the inline script to write to the storage table. It should be a simple script in the end.

best,
Oliver

Reply

2022-11-24T22:57:45+01:00

Hello Oliver,

We have 1000 windows10 workgroup devices. There are not connected on domain or cloud.
We want to get hardware hashes from these devices to process autopilot.

Is it a good idea to push this PS mention above and share with users on email.
Is this script can be run by a standard user?
or any better idea?

Thanks,
Mr Intune

Reply

2022-12-14T10:15:18+01:00

Hi Mr.Intune,

The Autopilot script needs to run in an administrative context. Otherwise, it will not receive the Hardware Hash details. So, you need to find a way to execute it on the devices in system or admin context.

best,
Oliver

Reply

Pingback: Import Autopilot devices based on specific criteria – Modern Workplace, Consultancy and Education | Udirection

Pingback: Automate Autopilot Uploads with Azure Automation Runbooks – Mike's MDM Blog

Pingback: Remove Windows Autopilot devices in Intune based on specific criteria – Modern Workplace, Consultancy and Education | Udirection

Pingback: Import or remove Windows Autopilot devices in Intune based on specific criteria – Modern Workplace, Consultancy and Education | Udirection

	<#
	Version: 1.0
	Author: Oliver Kieselbach
	Script: Get-WindowsAutoPilotInfoAndUpload.ps1

	Description:
	Get the AutoPilot information and copy it to an Azure Blob Storage. Use existing AzCopy.exe and
	Get-WindowsAutoPilotInfo.ps1 files or download them from an Azure Blob Storage named 'resources'.
	If used with an MDT offline media the hash can be written to the offline media as well.

	Release notes:
	Version 1.0: Original published version.

	The script is provided "AS IS" with no warranties.
	#>

	# Supporting archive files needs to be in Blob Storage
	#
	# Get-WindowsAutoPilotInfo.ps1
	# AzCopy.zip

	Function Start-Command {
	Param([Parameter (Mandatory=$true)]
	[string]$Command,
	[Parameter (Mandatory=$true)]
	[string]$Arguments)

	$pinfo = New-Object System.Diagnostics.ProcessStartInfo
	$pinfo.FileName = $Command
	$pinfo.RedirectStandardError = $true
	$pinfo.RedirectStandardOutput = $true
	$pinfo.CreateNoWindow = $true
	$pinfo.UseShellExecute = $false
	$pinfo.Arguments = $Arguments
	$p = New-Object System.Diagnostics.Process
	$p.StartInfo = $pinfo
	$p.Start() \| Out-Null
	$p.WaitForExit()
	[pscustomobject]@{
	stdout = $p.StandardOutput.ReadToEnd()
	stderr = $p.StandardError.ReadToEnd()
	ExitCode = $p.ExitCode
	}
	}

	# base parameters
	$containerUrl = "https://ZZZZ.blob.core.windows.net"
	$blobStorageResources = "resources"
	$blobStorageHashes = "hashes"
	$sasToken = "XXXX"

	$scriptPath = [System.IO.Path]::GetDirectoryName($MyInvocation.MyCommand.Path)
	$fileName = "$env:computername.csv"
	$outputPath = Join-Path $env:windir "temp\AutoPilotScript"
	$outputFile = Join-Path $outputPath $fileName

	if (-not (Test-Path $outputPath)) {
	New-Item –Path $outputPath –ItemType Directory \| Out-Null
	}

	# define to search in current script directory for needed files
	$autoPilotScript = Join-Path $scriptPath "Get-WindowsAutoPilotInfo.ps1"
	$azCopyExe = Join-Path $scriptPath "AzCopy.exe"

	if (-not (Test-Path $autoPilotScript)) {
	# download Get-WindowsAutoPilotInfo.ps1 from BlobStorage
	Start-BitsTransfer –Source "$containerUrl/$blobStorageResources/Get-WindowsAutoPilotInfo.ps1" –Destination $outputPath

	# re-define variable to output path as we downloaded the files just in time
	$autoPilotScript = Join-Path $outputPath "Get-WindowsAutoPilotInfo.ps1"
	}

	# Gather the AutoPilot Hash information
	Start-Command –Command "$psHome\powershell.exe" –Arguments "-ex bypass -file `"$autoPilotScript`" -ComputerName $env:computername -OutputFile `"$outputFile`"" \| Out-Null

	if (-not (Test-Path $azCopyExe)) {
	# download AzCopy from BlobStorage
	Start-BitsTransfer –Source "$containerUrl/$blobStorageResources/AzCopy.zip" –Destination $outputPath

	Add-Type –assembly "system.io.compression.filesystem"
	[io.compression.zipfile]::ExtractToDirectory($(Join-Path $outputPath "AzCopy.zip"), $(Join-Path $outputPath "AzCopy"))

	# re-define variable to output path as we downloaded the files just in time
	$azCopyExe = Join-Path $outputPath "AzCopy\AzCopy.exe"
	}

	# Copy the hash information to the Blob Storage
	$url = "$containerUrl/$blobStorageHashes"
	$result = Start-Command –Command "`"$azCopyExe`"" –Arguments "/Source:`"$outputPath`" /Dest:$url /Pattern:$fileName /Y /Z:`"$(Join-Path $outputPath "AzCopy")`" /DestSAS:`"$sasToken`""


	# We try to copy the hash information to the scriptpath as the device might be installed from MDT offline media
	# ScriptPath would be pointing to the removable media for the offline install. In failure case we could use the gathered
	# information from the offline media to try the upload again.
	# this can easily be enabled/disabled by defining $offlineMediaCopy = $true/$false
	$offlineMediaCopy = $false
	if ($offlineMediaCopy) {
	try {
	if ($result.stdout.Contains("Transfer successfully: 1")) {
	$path = $(Join-Path $scriptPath "autopilot-script-success")
	if (-not (Test-Path $path)) {
	New-Item –Path $path –ItemType Directory \| Out-Null
	}
	Copy-Item –Path $outputFile –Destination $path –Force –ErrorAction SilentlyContinue \| Out-Null
	}
	else {
	$path = $(Join-Path $scriptPath "autopilot-script-failed")
	if (-not (Test-Path $path)) {
	New-Item –Path $path –ItemType Directory \| Out-Null
	}
	Copy-Item –Path $outputFile –Destination $path –Force –ErrorAction SilentlyContinue \| Out-Null
	}
	}
	catch [system.exception]
	{}
	}


	# Cleanup
	Remove-Item –Path $(Join-Path $outputPath "AzCopy.zip") –Force \| Out-Null
	Remove-Item –Path $(Join-Path $outputPath "AzCopy") –Recurse –Force \| Out-Null

	# we keep a copy of the hash in the filesystem (temp) just in case something went wrong, you can uncomment and delete the hash information also
	#Remove-Item -Path $(Join-Path $scriptPath "Get-WindowsAutoPilotInfo.ps1") -Force \| Out-Null
	#Remove-Item -Path $outputFile -Force \| Out-Null

Automation of gathering and importing Windows Autopilot information

Architecture

Guide to build the new solution

Enhanced client-side script part

Sample output of the Runbook

Important observations during testing

Further information

35 replies to Automation of gathering and importing Windows Autopilot information

Leave a Reply Cancel reply

Architecture

Guide to build the new solution

Enhanced client-side script part

Sample output of the Runbook

Important observations during testing

Further information

Share this:

Related

35 replies to Automation of gathering and importing Windows Autopilot information

Leave a Reply Cancel reply