Windows Autopilot - Export and Import Device Hash to MEM
- Mr B SOE way
- Jul 7, 2022
- 3 min read
Updated: Dec 1, 2022
This is something I have used over the last 3 to 4 years; it automates the exporting and importing of the device hash to MEM (Microsoft Endpoint Manager). There are other ways of doing it manually, which I also show in this post.
The following will be covered here:
1. Create an Azure App Registration
2. Update the Azure App Registration with the API Permissions
3. Create a secret for the Azure App Registration
4. Update the PowerShell script with the values gathered
5. Where can I use this PowerShell script?
6. Other ways to export and import the device hash into MEM
Create an Azure App Registration
1. Navigate to https://portal.azure.com, then select Azure Active Directory
2. Select App Registrations
3. Select New registration
4. Enter a name for the App Registration, in this case: MR B SOE Way - Autopilot Unattended
As this is a single tenant, Accounts in this organizational directory only is selected. If you have a multi-tenant setup, select the option that matches your environment.
Then select Register

Update the Azure App Registration with the API Permissions
1. In the recently created App Registration, select API Permissions, then select Add a permission. A pop-up will appear on the right; select Microsoft Graph.

2. Select Application Permissions

3. Under Select Permissions, search for: DeviceManagementServiceConfig.ReadWrite.All
Expand the dropdown and select it as highlighted. Then select Add Permission

4. Once the permission has been added, it needs to be granted. This must be done with a Global Administrator account or similar permissions. Select Grant admin consent, then select Yes.

5. It will then show up as successful.

Create a secret for the Azure App Registration
1. Under the same App Registration, select Certificates & secrets, then select New client secret. A pop-up will appear on the right; enter a Description and select an expiry under Expires. I usually set it to 24 months. Then select Add.

2. Once it has been created, make sure to copy the "Value" shown on the screen. As soon as you navigate to another tab, the secret value will disappear.

3. Next, make a copy of the following in Notepad or Sticky Notes; you will need:
Application (client) ID of the Azure AD App
Directory (tenant) ID
Application Secret

Update the PowerShell script with the values gathered
1. Update the following values in the script, which can be found here in my GitHub repo.
2. Once you have obtained the script, enter the following values:
Application (client) ID of the Azure AD App
Directory (tenant) ID
Application Secret
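The following is an added example and is not the script from the author's GitHub repo; it shows the same unattended flow that script automates, so you can see exactly what the three values above are used for. It assumes the app registration created above (with DeviceManagementServiceConfig.ReadWrite.All granted as an application permission) and an elevated PowerShell session on the device. The tenant ID, client ID and secret are taken as parameters rather than typed into the file, because a script that rides on a USB stick or inside a task sequence is readable by anyone who gets hold of that media, and a leaked client secret lets anyone register or remove Autopilot devices in your tenant until it is rotated.

```powershell
# Added example (not the author's GitHub script): register this device's Autopilot
# hardware hash with Intune/MEM using the app registration from the steps above.
# Assumptions: $TenantId / $ClientId / $ClientSecret are the three values gathered
# earlier, and the app has DeviceManagementServiceConfig.ReadWrite.All (application) granted.
param(
    [Parameter(Mandatory)] [string] $TenantId,      # Directory (tenant) ID
    [Parameter(Mandatory)] [string] $ClientId,      # Application (client) ID
    [Parameter(Mandatory)] [string] $ClientSecret,  # Application secret "Value"
    [string] $GroupTag = ""                         # optional Autopilot group tag
)

# 1. Client-credentials token for Microsoft Graph (no interactive sign-in, so it works during OOBE)
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType "application/x-www-form-urlencoded" `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "https://graph.microsoft.com/.default"
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Read the serial number and hardware hash from the local device. These are the same
#    CIM classes Get-WindowsAutoPilotInfo reads; the MDM bridge namespace needs admin rights.
$serial    = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$devDetail = Get-CimInstance -Namespace "root/cimv2/mdm/dmmap" -ClassName "MDM_DevDetail_Ext01" `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail) {
    throw "Could not read the hardware hash. Run PowerShell as administrator on the Windows device."
}
$hash = $devDetail.DeviceHardwareData   # already a Base64 string, as Graph expects

# 3. Submit the device to the Autopilot import queue
$body = @{
    "@odata.type"      = "#microsoft.graph.importedWindowsAutopilotDeviceIdentity"
    serialNumber       = $serial
    hardwareIdentifier = $hash
    groupTag           = $GroupTag
    productKey         = ""
    state              = @{
        "@odata.type"        = "microsoft.graph.importedWindowsAutopilotDeviceIdentityState"
        deviceImportStatus   = "pending"
        deviceRegistrationId = ""
        deviceErrorCode      = 0
        deviceErrorName      = ""
    }
} | ConvertTo-Json -Depth 5

$import = Invoke-RestMethod -Method Post -Headers $headers -ContentType "application/json" `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/importedWindowsAutopilotDeviceIdentities" `
    -Body $body

# 4. Poll the import record until the service has processed it (normally a few minutes).
#    deviceImportStatus moves from pending/unknown to complete, partial or error.
$statusUri = "https://graph.microsoft.com/v1.0/deviceManagement/importedWindowsAutopilotDeviceIdentities/$($import.id)"
do {
    Start-Sleep -Seconds 30
    $status = (Invoke-RestMethod -Method Get -Headers $headers -Uri $statusUri).state
    Write-Host "Serial $serial : $($status.deviceImportStatus)"
} while ($status.deviceImportStatus -in @("pending", "unknown"))

if ($status.deviceImportStatus -ne "complete") {
    throw "Import of $serial did not complete: $($status.deviceErrorName) (code $($status.deviceErrorCode))"
}
Write-Host "Serial $serial registered for Autopilot."
```

Run it from an elevated PowerShell as .\Register-AutopilotDevice.ps1 -TenantId <tenant id> -ClientId <client id> -ClientSecret <secret value> (the file name is just an example). Because the device identity is asserted purely by the bearer token, keep the secret out of version control and shared drives, and rotate it in the App Registration blade if the media it travelled on is lost.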

Where can I use this PowerShell script?
There are a number of ways it can be used:
1. Manually - during OOBE for a new device, or on an existing device
Make sure to run PowerShell as administrator
Then run: Set-ExecutionPolicy Bypass and answer "Y" to execute

2. MECM (SCCM) Task Sequence - for a custom task sequence or existing task sequence
You can view my recorded video from a past life of mine: https://www.youtube.com/watch?v=5axrLvE8jYw&t=120s
3. MECM (SCCM) PowerShell - can be uploaded to Scripts in MECM and deployed
Recorded video of mine: https://www.youtube.com/watch?v=ggDOHfxIRTI&t=51s (Part 1)
Recorded video of mine: https://www.youtube.com/watch?v=MuxiQbB7hnM (Part 2)
4. MEM (Microsoft Endpoint Manager) - if devices were joined with Company Portal, this can be pushed out via PowerShell from MEM.
Other ways to export and import the device hash into MEM
Semi-Automatic:
1. During OOBE, press Shift + F10 to open a command prompt, then type PowerShell and press Enter.
2. Type in: set-executionpolicy unrestricted -force then press Enter
3. Type in: install-script get-windowsautopilotinfo then press Enter
4. Select 'Y' and press Enter for all 3 prompts
5. Type in: get-windowsautopilotinfo.ps1 -online then press Enter
6. When the sign-in prompt shows up, type in:
Username: your UPN
Password: your UPN password
Your 'Mobile Authenticator' will ask for approval (if MFA is set up)


Manual - OOBE: From your device:
1. Preparation on your own device: run PowerShell as administrator
2. Type in the following:
Save-Script -Name Get-WindowsAutoPilotInfo -Path c:\temp
3. Copy the temp folder to a USB drive (for example D:\) and plug it into the new device
On new device:
1. During OOBE, press Shift + F10 to open a command prompt, then type PowerShell and press Enter.
2. In PowerShell, cd to D:\Temp
3. Type in the following: .\Get-WindowsAutopilotInfo.ps1 -OutputFile C:\temp\IntunePc1.csv [Note: make sure to change the name of the .csv file]
4. Copy that IntunePc1.csv and upload it at https://endpoint.microsoft.com/#blade/Microsoft_Intune_Enrollment/AutoPilotDevicesBlade using Import; give it 5 minutes and it will show up.
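As an added example (not part of the original post), here is a check you can run on the CSV before uploading it in the portal, so a truncated hash or an empty serial is caught on your own machine instead of as a failed import five minutes later. It assumes the file uses the header Get-WindowsAutoPilotInfo writes (Device Serial Number, Windows Product ID, Hardware Hash, Group Tag, Assigned User); the 1 KB minimum hash size is a heuristic chosen here, since a real hardware hash decodes to several kilobytes.

```powershell
# Added example: validate an Autopilot CSV (e.g. IntunePc1.csv) before the manual Import step.
# Assumption: standard Get-WindowsAutoPilotInfo column names; size threshold is a heuristic.
function Test-AutopilotCsv {
    param([Parameter(Mandatory)] [string] $Path)

    $required = @("Device Serial Number", "Windows Product ID", "Hardware Hash")
    $rows     = @(Import-Csv -Path $Path)
    $problems = @()

    if ($rows.Count -eq 0) {
        return [pscustomobject]@{ Valid = $false; Rows = 0; Problems = @("file has no data rows") }
    }

    # Column check: the portal rejects the file outright if a required header is missing
    $headers = $rows[0].PSObject.Properties.Name
    foreach ($h in $required) {
        if ($headers -notcontains $h) { $problems += "missing column '$h'" }
    }

    if ($problems.Count -eq 0) {
        $seen = @{}
        $line = 1   # line 1 is the header; data rows start at line 2
        foreach ($row in $rows) {
            $line++
            $serial = ($row.'Device Serial Number').Trim()
            if (-not $serial) {
                $problems += "line ${line}: empty serial number"
            } elseif ($seen.ContainsKey($serial)) {
                $problems += "line ${line}: duplicate serial $serial"
            } else {
                $seen[$serial] = $true
            }

            # The hash must be valid Base64 and large enough to be a real hardware hash
            try {
                $bytes = [Convert]::FromBase64String($row.'Hardware Hash')
                if ($bytes.Length -lt 1024) {
                    $problems += "line ${line}: hardware hash is only $($bytes.Length) bytes (truncated?)"
                }
            } catch {
                $problems += "line ${line}: hardware hash is not valid Base64"
            }
        }
    }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Rows = $rows.Count; Problems = $problems }
}

# Constructed sample (not a real device export) to show the checks firing:
# row 1 looks healthy, row 2 has an empty serial and a broken hash.
$fakeHash = [Convert]::ToBase64String((New-Object byte[] 2048))
$sample = @"
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User
ABC123,,$fakeHash,Finance,
,,not-base64!,Finance,
"@
$samplePath = Join-Path $env:TEMP "autopilot-sample.csv"
Set-Content -Path $samplePath -Value $sample

Test-AutopilotCsv -Path $samplePath | Format-List
# Against your real export: Test-AutopilotCsv -Path C:\temp\IntunePc1.csv
```

If Valid comes back $false, fix the listed lines (or re-run the export on the affected device) before uploading; the portal reports a failed import only after the processing delay, which is why checking locally first saves time.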