Update 14/06/2023 – I have created a Community version and added it to the PowerShell gallery so we can all add fixes, improvements and updates as a community effort. Read more here or download them with the commands below:
Install-Script -Name get-windowsautopilotinfocommunity
Install-Module -Name WindowsAutopilotIntuneCommunity
The Get-WindowsAutopilot script is in the toolbox of every Intune administrator; it has over 48 million downloads, after all!
Update: Microsoft have updated the official version, but at this point it still has a few bugs, so I have included an installer to add the module and script.
The current 3.5 version created by the great Michael Niehaus still works perfectly 90% of the time, but if you are using the -online parameter and want to add to an AzureAD group, you may find it is giving you an error. This is due to the AzureAD PowerShell module being deprecated (you can find out more here).
Whilst we wait for an official Microsoft update, I have created a fork of the script and updated it to use the MgGraph module instead to replace any references to either AzureAD or the MSGraph modules.
As the script also imported the windowsautopilotinfo PowerShell module from the PSGallery, just replacing the script still causes errors so I have also re-written the functions in the module and embedded them directly into the single script.
It will still work with an app registration, but again now uses the MgGraph module.
To download directly on the machine, run this command:
Invoke-RestMethod -Uri https://raw.githubusercontent.com/andrew-s-taylor/WindowsAutopilotInfo/main/get-windowsautopilotinfo.ps1 -OutFile c:\temp\get-windowsautopilotinfo.ps1
I am not adding this to the PowerShell gallery as I do not want to confuse things when the official script is updated, but you can find the forked version on GitHub:
If you have any issues with it, please let me know either in the comments, contact form or on GitHub.
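The direct download command above fetches whatever is on the main branch at that moment and the file is then run with full rights during enrolment. As an added example (not part of the original post or of the script itself), the following checks the download against a SHA-256 recorded from a copy you have reviewed before running it; the function name Save-VerifiedScript and the hash placeholder are assumptions, and the run fails closed until the placeholder is replaced.

```powershell
# Added example, not from the original post: download, verify, then run.
$ScriptUri   = 'https://raw.githubusercontent.com/andrew-s-taylor/WindowsAutopilotInfo/main/get-windowsautopilotinfo.ps1'
$Destination = 'C:\temp\get-windowsautopilotinfo.ps1'

# Placeholder: the SHA-256 of the copy you reviewed, obtained with
#   (Get-FileHash -Algorithm SHA256 <reviewed copy>).Hash
# "main" moves, so a mismatch after an upstream update means: review again.
$ExpectedHash = '<SHA256-OF-REVIEWED-COPY>'

function Save-VerifiedScript {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Sha256
    )

    # Older Windows PowerShell builds do not always negotiate TLS 1.2.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Stage the download so an unverified file never sits at $Path.
    $staging = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName() + '.ps1')
    try {
        Invoke-WebRequest -Uri $Uri -OutFile $staging -UseBasicParsing -ErrorAction Stop

        # Get-FileHash returns upper-case hex; -ne compares case-insensitively.
        $actual = (Get-FileHash -Path $staging -Algorithm SHA256).Hash
        if ($actual -ne $Sha256) {
            throw "Hash mismatch for $Uri. Expected $Sha256, got $actual."
        }

        # Informational only: the page does not say whether the script is signed.
        $sig = Get-AuthenticodeSignature -FilePath $staging
        Write-Verbose "Authenticode status: $($sig.Status)"

        $dir = Split-Path -Path $Path -Parent
        if (-not (Test-Path -Path $dir)) {
            New-Item -ItemType Directory -Path $dir | Out-Null
        }
        Move-Item -Path $staging -Destination $Path -Force
        return $Path
    }
    finally {
        # Remove the staged copy if verification or the move failed.
        if (Test-Path -Path $staging) { Remove-Item -Path $staging -Force }
    }
}

# Only a file that matched the recorded hash is ever executed.
$verified = Save-VerifiedScript -Uri $ScriptUri -Path $Destination -Sha256 $ExpectedHash
& $verified -Online
```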
Hi Andrew and nice edition,
I just came across this post and I was wondering whether we could use an Intune script to upload the HardwareIDs of devices that are currently in use but we may want to convert over to AutoPilot in the future. Is this possible or will it require more permissions and stuff?
Thank you
Hi,
Absolutely, you can use this for existing devices, it will simply add them into Autopilot devices in Intune. No extra permissions needed
Ok, thank you.
Would you suggest this method or the method you described here? https://andrewstaylor.com/2023/06/13/authenticating-to-new-get-windowsautopilotinfo/
For instance, sth like this would probably work, right?
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PowerShell.exe -ExecutionPolicy Bypass
Install-Script -name Get-WindowsAutopilotInfo -Force
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
get-windowsautopilotinfo.ps1 -online -TenantID 12345 -appid 12345 -appsecret 12345
Thank you
Yes, that will work fine. Once you have completed enrollment, remove the secret though to be on the safe side.
If your devices are AD joined, you could also Hybrid GPO join and add to autopilot that way
Ok, thank you. I am cloud-only, so I will just remove the secret and delete the script once done
Hi again Andrew,
Probably stupid question about the link I shared previously, but if I don’t want to use groups, then just DeviceManagementServiceConfig.ReadWrite.All will be enough to read and upload from USB to Intune, right?
Thank you
Hi,
Yes, that should be enough for what you need
I’m getting some intermittent authentication errors… I’m trying to run this on devices with Shift+F10 from the OOBE screen.
I have two files, a cmd that just calls the ps1
powershell.exe -executionpolicy bypass -file .\autopilot.ps1
And the autopilot.ps1
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Confirm:$false -Force:$true
Install-Script get-windowsautopilotinfocommunity -Confirm:$false -Force:$true
get-windowsautopilotinfocommunity -Online -TenantId "aaa" -AppId "bbb" -AppSecret "ccc"
shutdown.exe /s /t 10
The error itself just says “Connect-MgGraph : The provided access token has expired. Set a valid access token”… then it seems to connect anyway, because I get the message that says it’s connected to my tenant using app-based auth, and the serial number of the device. It later throws up “Invoke-MgGraphRequest : Authentication needed. Please call Connect-MgGraph”… at the end, it exits with Get-AutopilotDevice : Microsoft.Graph.Powershell.AuthenticationException: Authentication needed. Please call Connect-MgGraph.
Any ideas?
Hi, are you using the V1 or V2 Graph modules?
I haven’t changed anything from the get-windowsautopilotinfocommunity.ps1, so I’m not sure… the output from the script mentions Version 2 module detected, so I’m assuming version 2
Seems to work for me now after I specified that the machines should install the v1 versions. Thanks for pointing me in the right direction =)
In case anyone else gets this, I just added this after the nuget installation and it stopped whining…
Install-Module -Name Microsoft.Graph.Authentication -RequiredVersion 1.28.0 -Confirm:$false -Force:$true -SkipPublisherCheck
Install-Module -Name Microsoft.Graph.Groups -RequiredVersion 1.28.0
Install-Module -Name Microsoft.Graph.Identity.DirectoryManagement -RequiredVersion 1.28.0 -Confirm:$false -Force:$true -SkipPublisherCheck
Install-Module -Name Microsoft.Graph.Intune -Confirm:$false -Force:$true -SkipPublisherCheck
I see in the newest updates that you can run this on a device and then tell it to wipe itself and go into the OOBE after the wipe for provisioning. I’ve tried running get-windowsautopilotinfocommunity -online -wipe -sysprep but nothing happens after rebooting.
Am I missing something?
I will also be wrapping this in a script with a client ID and secret for authentication and pushing it through a 3rd party to my off site devices.
Just trying to find the best way of getting my domain devices into intune without everyone connecting back to VPN or coming into the office.
Hi,
You need the -assign parameter for use with sysprep as we need to make sure the profile has assigned correctly before returning to OOBE
can confirm standard install works
did also wipe czech unit and managed to run script successfully
not sure why error on first run on new unit from the box
have some more czech units to be delivered(Lenovo) so will find out if only one gave error?
thanks, Kim
no, have them all set in script
did wipe one standard computer and re-run
and seems to work….no error now waiting to be imported
so makes me think it must be something with czech locale?
I’m running script from https://github.com/andrew-s-taylor/WindowsAutopilotInfo/community
adding our: GroupTag, TenantID, AppID, Appsecret
Online=True
Assign=True
PreProv=True
As parameters?
get-windowsautopilotinfocommunity.ps1 -online -assign -grouptag "tag" -tenantid "tenantid" -AppID "appid" -AppSecret "appsecret"
use AppID & Secret no authentication window
Can you share the full command you are running to launch? Just replace the app ID and secret with xx
machine is factory customized for czech (all others were standard eng)
could that throw error?
can try to run one eng -machine later today
Guess you mean get-windowsautopilotinfocommunity.ps1?
I’ve just tested here and get prompted to authenticate, did you see a Microsoft login window?
Language shouldn’t matter
running Get-WindowsAutoPilotInfo.ps1
that’s the funny thing, I installed 3 machines ok on friday
today first run I get error
today stuck with new error?
Invoke-MgGraphRequest: Authentication needed. Please call Connect-MgGraph
on line 1925 char 22
What command did you run? There haven’t been any changes to the script since the last update
also tried one install with -preprov
ended up with Command prompt window on exit
I guess 5x WIN -key did not work?
That’s still a work-in-progress, I need to work out how to shift focus and then send the commands
1 install made with v4.0.1 and seems to work ok
thanks!
hi,
always get
WARNING: The version ‘2.9.0’ of module ‘Microsoft.Graph.Authentication’ is currently in use. Retry the operation after closing the applications.
then after restart it works ok
any clue how to get rid of the need of restarting script?
Hi,
I have just pushed out v4.0.1 which should fix it. You are safe to ignore the message as well, no need to restart
Hi Andrew, sorry about delay in getting back. Think send key combination would be something like:
1. Alt-tab (to switch from DOS window running script to the OOBE language selection screen)
2. Left mouse click (whilst on the OOBE language selection screen)
3. Windows key press x5
4. Down arrow
5. Enter/Return keypress
6. Tab key press x2
7. Enter/Return
Hopefully got key combination correct this time. Again, no worries if not as it’s a lot of messing. Maybe one day in future, Microsoft would allow support via command line switch or something
Hi
The problem shows up when you are trying to log on for the first time with the OOBE, just after the first reboot when you add the device to Intune with the new Get-windows script…
I found the issue, it was not a big deal… it came from the access of the network!
I changed of the support access to network and everything seems fine.
Hi Andrew,
First, thanks for your work!
I’ve followed your App reg process for the authentication.
The device appears in Intune with serial number, profile assigned, etc.
But when I rebooted, the authentication looks like a white screen.
Do you have an idea about how to fix this issue, please?
Hi,
Do you have any firewalls or anything which could be blocking the authentication screen? It’s sometimes worth trying a sysprep as well after adding the device (you can use the sysprep command on the community version of the script)
Sorry somehow, I had managed to post same thing (ish) twice. It’s the first part is all I meant to post lol.
Hi Andrew,
Sorry about delay in getting back to you.
Logically thinking about it, it would be a quite a task to start whiteglove using send-keys type things. I had hoped it may have just been an another command/option that just needed coding for to make use of it.
Think send key combination would be something like:
1. Alt-tab (to switch from DOS window running script to the OOBE language selection screen)
2. Left mouse click (whilst on the OOBE language selection screen)
3. Windows key press x5
4. Move mouse to the option that starts whitegloving
5. Then left mouse click on that option.
Think 4 and 5 (well mostly 4) would be hardest to code for (well in my head haha).
Thanks anyhow, I do appreciate trying.
Kev
I’ve just tried this today and it will need some tweaking like you said.
I think it needs following before the 5x windows (I hope in order as below):
1. Alt-Tab (to switch screens from DOS prompt running the script to the OOBE Region choice screen). I was able to do this with: [System.Windows.Forms.SendKeys]::SendWait('%{TAB}')
2. Press left mouse button click once
It’s the left mouse button click I got stuck on as there is no SendKeys option for this so looks like have to try another method.
Hopefully, that is all that is needed.
Thanks in advance.
Kev
Hmm, I’ll see if I can do that. I know I could with something like AutoIt, but it’s the mouse move which could be tricky. Next time you whiteglove, can you check if you can Tab through and press space on the button (and if so, count the tabs)
Hi Andrew,
I’m now using your community version. It works perfectly so thank you so much and keep up the good work. We use this to automate, as much as possible, (re)imaging a device into autopilot so can whiteglove.
After this script has ran, all we do is then press windows symbol 5x to start whiteglove process off. Is there anyway once device added into autopilot, etc that I can get the whiteglove process to start as well (on assumption no errors beforehand)?
Thanks in advance
Hi Kev,
Good idea! I’ve just published v3.0.5 which if run with:
“-online -assign -preprov”
Should press Windows key 5 times at the end. It may need some tweaking, but give it a try and see how you get on
Hi Andrew,
Apologies for the delayed response.
Yes, I can see Graph Explorer (official site) and MS Graph Powershell.
Do these need to be configured or modified in any way please?
Try deleting MS graph Powershell and then re-authenticate and see if it gives you the option to approve for your organization
Hi Andrew,
I can see Graph explorer (official site).
Is there anything I need to check/configure within its properties?
Hi Adam,
Do you have Graph PowerShell or Graph Command Line Tools in there?
Hi Andrew,
Thank you for getting back to me.
Unfortunately I don’t get that pop up, instead it says
‘Need admin approval..
unverified
needs permission to access resources in your organisation that only an admin can grant…’
Does something else need to be configured within Azure AD?
Kind regards
Can you check your Azure AD enterprise apps and see if Graph is in there?
Hi Andrew,
Hope you are well.
Many thanks for this, although I’m having some issues, which I’d greatly appreciate some assistance on please.
I’m trying to upload the hardware hash directly to our tenant, by running the below, and getting the ‘Need admin approval…’ pop up after signing in with my Cloud Admin account:
PowerShell.exe -ExecutionPolicy Bypass
Install-Script -Name get-windowsautopilotinfocommunity
Install-Module -Name WindowsAutopilotIntuneCommunity
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Get-windowsautopilotinfocommunity -Online
Can you please let me know where I’m going wrong?
Many thanks
Hi Adam,
When accepting the approval, are you ticking the box to approve for your tenant?
This might help:
https://andrewstaylor.com/2023/06/13/authenticating-to-new-get-windowsautopilotinfo/
The official one, currently v3.9, looks pretty much same as v3.5. It even has brought back AzureAD module which was removed somewhere between 3.6 and 3.8. I thought Azure AD was now end of life?
Your current community version v10 of Get-WindowsAutoPilotInfo.ps1 supports both then?
Thanks in advance
Yes, v3.0.3 of the community version supports both modules. I have written a new function which checks the installed version and adjusts the connection accordingly
Yes, v2 modules don’t work for me. Had to specify -requiredversion 1.28.0.
I connect via MSGraphApp option.
Example of commands I use now:
Install-Module microsoft.graph.authentication -RequiredVersion 1.28.0 -SkipPublisherCheck
The new official one now works with v2, but not v1.
If you use my community versions they work with both versions
I fixed most of the errors by adding this at line 1890.
$Encrypted = ConvertTo-SecureString -String $accessToken -AsPlainText -Force
Select-MgProfile -Name Beta
$graph = Connect-MgGraph -AccessToken $Encrypted
Still getting this one.
Select-MgProfile : The term ‘Select-MgProfile’ is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At C:\Program Files\WindowsPowerShell\Scripts\get-windowsautopilotinfo.ps1:1892 char:13
+ Select-MgProfile -Name Beta
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Select-MgProfile:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
I am going to update later to work with the new modules.
Have you definitely only got v1 modules installed now? That error means it is using v2
I’ve just uploaded v3.0.1 which should fix it
Yes I ran install-script-and-module.ps1 on a fresh install
Then I ran Get-WindowsAutoPilotInfo.ps1
Still get errors
I am using
Microsoft.Graph.Authentication – 2.0.0
Microsoft.Graph.Groups – 2.0.0
Microsoft.Graph.Identity.DirectoryManagement – 2.0.0
Microsoft.Graph.Intune – 6.1907.1.0
That’s the problem, can you remove the v2.0.0 and install the latest v1 modules. Did they auto-install with the script?
Hello Andrew,
I just downloaded the new version and when I try to run it I get select-mgprofile the term select-mgprofile is not recognized. Its line 1859. select-mgprofile -name beta
Any Ideas?
Hi, can you check which version of the Microsoft.Graph.Authentication module you have installed? The v2 preview has changed the authentication commands and I wonder if a preview version has installed on your machine
I’m trying to use this to register the device and then do a protected wipe. Anyway we could add a wipe option to the script?
Good idea, version 2 just uploaded with parameters for -wipe (Intune wipe) and -sysprep (sysprep with reboot)
it seems that after the update, it fails if the group tag has a space in it. Any way to mitigate that?
Are you using the community version? Which command is it that is failing? -online or csv output?
I sent it to you thanks for looking at this.
ok then the app reg part can you provide a solution on how to tweak yours so I can put the credentials in it. What I have done on ours before the change was wrapped the ps1 up in an exe that is called with a command like below. The credentials was in part of the original ps1 so it would connect to the tenant then it would pop up with a box for the Group Tag then it would not need to ask for any credentials
Powershell.exe -Command “set-executionpolicy remotesigned”
cmd.exe /c “AutoPilot.exe” -online
If you drop me a message on the contact form, I’ll take a look at what you have currently and can amend it for you
ok I don’t think the app reg part will work in the OOBE which is where I was using the script prior to this change.
I don’t see any reason why it won’t, I use it during OOBE without any issues
Can you still pass credentials through this script? I know when I try it, it then prompts me to enter an email address and password. Before, it just said connected.
No, this uses the Graph SDK to connect so you either have to use standard auth with the popup window, or an app reg which you can pass through with the -online command
——————
Can you try v3.10 I have just uploaded.
It looks like the JSON has changed from orderIdentifier to groupTag so I have updated accordingly
——————-
Thanks @Andrew -> with this edit v3.10 the Grouptag works perfectly in the commandline again.
Get-WindowsAutoPilotInfo.ps1″ -Online -GroupTag GROUPTAGNAME -Assign -Reboot
If I find something else I’ll let you know.
Greetings
Mario
I’m new at doing this and can’t get it to run. I can download it to c:\temp but then I can not get the script to run. Also can it be run with -Online? I appreciate any help you can give.
Yes, it can be run with the -online command
After you have downloaded, make sure your executionpolicy is correct and then launch it:
.\get-windowsautopilotinfo.ps1 -online (assuming you are in c:\temp)
Edit ! wrong copy/paste !
Thank you Andrew for the work you did – re the -AddToGroup – you need to modify the scope
from
Connect-MgGraph -scopes Group.ReadWrite.All, Device.Read.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All
to
Connect-MgGraph -Scopes "Group.ReadWrite.All, Device.Read.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All,GroupMember.ReadWrite.All"
Updated now
Thank you Andrew for the work you did – re the -AddToGroup – you need to modify the scope
from
Connect-MgGraph -scopes Group.ReadWrite.All, Device.Read.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All
to
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All", "Device.ReadWrite.All", "Group.ReadWrite.All,GroupMember.ReadWrite.All"
Thanks Maya, updated now
Happy to make any improvements to the original too if there are any requests
And trying with another machine with my same account still I have the request
You might need to use an app reg if you can’t give them the permissions required
I did it but to my colleague (not tenant admins) still asking permissions
Sorry – the setting was wiped out here in the commands.
This is how i run the script:
Get-WindowsAutoPilotInfo.ps1″ -Online -GroupTag GROUPTAGNAME -Assign -Reboot
Yes – I set up the Grouptag in the command directly.
Can you try v3.10 I have just uploaded.
It looks like the JSON has changed from orderIdentifier to groupTag so I have updated accordingly
Get-WindowsAutoPilotInfo.ps1 -Online -GroupTag -Assign -Reboot
The grouptag parameter is not working anymore. It’s always empty after running this script.
Are you setting the GroupTag in the command?
Hi all,
for me too still asking the grant
How can I add consent once though for the tenant?
Thanks
When you see the consent screen, you should have a box at the bottom to consent on behalf of the tenant
You star! Was banging my head against a wall all weekend thinking I’d imagined this working in the past. Just need MSFT to officially update this to the Powershell Repo now…
Fingers crossed, I’ve kept the same GUID so they can just lift and shift this one if they want
Running this script -online requires consent in our tenant. I can see that there is new powershellgalery v3.6 https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo/3.6
can we use this to make the -online parameters works again without any approval/consent?
The Microsoft Graph module needs consent to run the commands. You just need to add consent once though for the tenant.
The new one in the gallery seems to be exactly the same as the old one so -online won’t work. I imagine when it does get updated, it will use the same MgGraph connection anyway so will also need consent
How do you find is the best way to build this into your device flow – can you somehow register your github location as a new repository and use the same save-script workflow to save it directly to the machine? https://learn.microsoft.com/en-us/powershell/module/powershellget/save-script
Or is the workaround to simply copy it onto a USB and read from that?
Thanks for your work on this! I imagine a fair few sysadmins are scratching their heads right now..
Good point, I’ll add this to the main article.
Just run this on the machine:
Invoke-RestMethod -Uri https://raw.githubusercontent.com/andrew-s-taylor/WindowsAutopilotInfo/main/get-windowsautopilotinfo.ps1 -OutFile c:\temp\get-windowsautopilotinfo.ps1
Thanks so much for this. I literally just done the same last week, took me hours, then I see this haha. But this is greatly needed! Cheers.
Glad you’ve found it useful. I’m happy to make improvements to the original, or any bug fixes