Updated Get-WindowsAutoPilotInfo with Groups fix

Update 14/06/2023 – I have created a Community version and added it to the PowerShell gallery so we can all add fixes, improvements and updates as a community effort. Read more here or download them with the commands below

Install-Script -Name get-windowsautopilotinfocommunity
Install-Module -Name WindowsAutopilotIntuneCommunity

The Get-WindowsAutopilot script is in the toolbox of every Intune administrator; it does have over 48 million downloads after all!

Update: Microsoft have updated the official version, but at this point it still has a few bugs so I have included an installer to add the module and script

The current 3.5 version created by the great Michael Niehaus still works perfectly 90% of the time, but if you are using the -online parameter and want to add to an AzureAD group, you may find it is giving you an error. This is due to the AzureAD PowerShell module being deprecated (you can find out more here)

Whilst we wait for an official Microsoft update, I have created a fork of the script and updated it to use the MgGraph module, replacing all references to the AzureAD and MSGraph modules.

As the script also imported the windowsautopilotinfo PowerShell module from the PSGallery, just replacing the script still causes errors so I have also re-written the functions in the module and embedded them directly into the single script.

It will still work with an app registration, but again now uses the MgGraph module.

To download directly on the machine, run this command:

Invoke-RestMethod -Uri https://raw.githubusercontent.com/andrew-s-taylor/WindowsAutopilotInfo/main/get-windowsautopilotinfo.ps1 -OutFile c:\temp\get-windowsautopilotinfo.ps1
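The download above pulls whatever is on the main branch at that moment, and the script is then run with write access to the tenant. The following added example (not part of the original post or the script) downloads to a staging file, compares its SHA-256 with a hash you recorded when you reviewed the script, and reports the Authenticode status. The function name `Get-VerifiedScript` is hypothetical and the expected hash is a placeholder you must supply.

```powershell
# Added example, not the author's code. Get-VerifiedScript is a hypothetical name.
function Get-VerifiedScript {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$OutFile,
        # SHA-256 of the copy you reviewed; the page does not publish one.
        [Parameter(Mandatory)][string]$ExpectedSha256
    )

    # Download to a staging name so an unverified file never sits at the final path.
    $staging = "$OutFile.download"
    Invoke-RestMethod -Uri $Uri -OutFile $staging

    # String comparison with -ne is case-insensitive, so hex case does not matter.
    $actual = (Get-FileHash -Path $staging -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -Path $staging -Force
        throw "Hash mismatch for $Uri. Expected $ExpectedSha256 but got $actual."
    }

    Move-Item -Path $staging -Destination $OutFile -Force

    # Report the signature state too; 'NotSigned' is informational, not a failure here.
    $signature = Get-AuthenticodeSignature -FilePath $OutFile
    [pscustomobject]@{
        Path            = $OutFile
        Sha256          = $actual
        SignatureStatus = $signature.Status
    }
}

# Usage with the URL from this post and a placeholder hash:
# Get-VerifiedScript -Uri 'https://raw.githubusercontent.com/andrew-s-taylor/WindowsAutopilotInfo/main/get-windowsautopilotinfo.ps1' `
#     -OutFile 'c:\temp\get-windowsautopilotinfo.ps1' -ExpectedSha256 '<SHA256-OF-REVIEWED-COPY>'
```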

I am not adding this to the PowerShell gallery as I do not want to confuse things when the official script is updated, but you can find the forked version on GitHub:

If you have any issues with it, please let me know either in the comments, contact form or on GitHub.

93 thoughts on “Updated Get-WindowsAutoPilotInfo with Groups fix”

  1. Thanks so much for this. I literally just done the same last week, took me hours, then I see this haha. But this is greatly needed! Cheers.

    Reply
    • Good point, I’ll add this to the main article.
      Just run this on the machine:
      Invoke-RestMethod -Uri https://raw.githubusercontent.com/andrew-s-taylor/WindowsAutopilotInfo/main/get-windowsautopilotinfo.ps1 -OutFile c:\temp\get-windowsautopilotinfo.ps1

      Reply
    • The Microsoft Graph module needs consent to run the commands. You just need to add consent once though for the tenant.
      The new one in the gallery seems to be exactly the same as the old one so -online won’t work. I imagine when it does get updated, it will use the same MgGraph connection anyway so will also need consent

      Reply
  2. You star! Was banging my head against a wall all weekend thinking I’d imagined this working in the past. Just need MSFT to officially update this to the Powershell Repo now…

    Reply
  3. Get-WindowsAutoPilotInfo.ps1 -Online -GroupTag -Assign -Reboot
    The grouptag parameter is not working anymore. It's always empty after running this script.

    Reply
  4. Sorry – the setting was wiped out here in the commands.
    This is how I run the script:
    Get-WindowsAutoPilotInfo.ps1 -Online -GroupTag GROUPTAGNAME -Assign -Reboot
    Yes – I set up the Grouptag in the command directly.

    Reply
  5. Thank you Andrew for the work you did – re the -AddToGroup – you need to modify the scope
    from
    Connect-MgGraph -scopes Group.ReadWrite.All, Device.Read.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All
    to
    Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All", "Device.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All"

    Reply
  6. Edit ! wrong copy/paste !

    Thank you Andrew for the work you did – re the -AddToGroup – you need to modify the scope
    from
    Connect-MgGraph -scopes Group.ReadWrite.All, Device.Read.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All
    to
    Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All", "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "GroupMember.ReadWrite.All"

    Reply
  7. I’m new at doing this and can’t get it to run. I can download it to c:\temp but then I can not get the script to run. Also can it be run with -Online? I appreciate any help you can give.

    Reply
    • Yes, it can be run with the -online command
      After you have downloaded, make sure your executionpolicy is correct and then launch it:
      .\get-windowsautopilotinfo.ps1 -online (assuming you are in c:\temp)

      Reply
  8. ——————
    Can you try v3.10 I have just uploaded.
    It looks like the JSON has changed from orderIdentifier to groupTag so I have updated accordingly
    ——————-
    Thanks @Andrew -> with this edit v3.10 the Grouptag works perfectly in the commandline again.

    Get-WindowsAutoPilotInfo.ps1 -Online -GroupTag GROUPTAGNAME -Assign -Reboot

    If I find something else I'll let you know.
    Greetings

    Mario

    Reply
  9. Can you still pass credentials through this script? I know when I try, it then prompts me to enter an email address and password. Before, it just said connected.

    Reply
  10. ok then the app reg part can you provide a solution on how to tweak yours so I can put the credentials in it. What I have done on ours before the change was wrapped the ps1 up in an exe that is called with a command like below. The credentials was in part of the original ps1 so it would connect to the tenant then it would pop up with a box for the Group Tag then it would not need to ask for any credentials

    Powershell.exe -Command "set-executionpolicy remotesigned"
    cmd.exe /c "AutoPilot.exe" -online

    Reply
  11. I’m trying to use this to register the device and then do a protected wipe. Anyway we could add a wipe option to the script?

    Reply
  12. Hello Andrew,
    I just downloaded the new version and when I try to run it I get "select-mgprofile: the term select-mgprofile is not recognized". It's line 1859: select-mgprofile -name beta

    Any Ideas?

    Reply
    • Hi, can you check which version of the Microsoft.Graph.Authentication module you have installed? The v2 preview has changed the authentication commands and I wonder if a preview version has installed on your machine

      Reply
  13. I am using
    Microsoft.Graph.Authentication – 2.0.0
    Microsoft.Graph.Groups – 2.0.0
    Microsoft.Graph.Identity.DirectoryManagement – 2.0.0
    Microsoft.Graph.Intune – 6.1907.1.0

    Reply
  14. Yes I ran install-script-and-module.ps1 on a fresh install
    Then I ran Get-WindowsAutoPilotInfo.ps1
    Still get errors

    Reply
  15. I fixed most of the errors by adding this at line 1890.

    $Encrypted = ConvertTo-SecureString -String $accessToken -AsPlainText -Force

    Select-MgProfile -Name Beta
    $graph = Connect-MgGraph -AccessToken $Encrypted

    Still getting this one.

    Select-MgProfile : The term ‘Select-MgProfile’ is not recognized as the name of a cmdlet, function, script file, or
    operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
    again.
    At C:\Program Files\WindowsPowerShell\Scripts\get-windowsautopilotinfo.ps1:1892 char:13
    + Select-MgProfile -Name Beta
    + ~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Select-MgProfile:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Reply
  16. Yes, v2 modules don't work for me. Had to specify -requiredversion 1.28.0.

    I connect via MSGraphApp option.

    Example of commands I use now:
    Install-Module microsoft.graph.authentication -RequiredVersion 1.28.0 -SkipPublisherCheck

    Reply
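The `Select-MgProfile` errors in the comments above arise because version 2 of the Microsoft Graph PowerShell modules removed that cmdlet and changed `Connect-MgGraph -AccessToken` to expect a SecureString. The following added example (not part of any comment and not the script's own code) picks the code path from the installed module version instead of pinning to 1.28.0. The function name `Connect-GraphAppOnly` is hypothetical and the tenant ID, app ID and secret are values you supply.

```powershell
# Added example, not the author's code. Connect-GraphAppOnly is a hypothetical name.
function Connect-GraphAppOnly {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$AppSecret
    )

    # Request an app-only token with the OAuth 2.0 client credentials flow.
    $tokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $AppId
        client_secret = $AppSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $accessToken = (Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body).access_token

    # Load the newest installed copy of the authentication module and branch on it.
    $module = Get-Module -ListAvailable -Name Microsoft.Graph.Authentication |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $module) { throw 'Microsoft.Graph.Authentication is not installed.' }
    Import-Module Microsoft.Graph.Authentication -RequiredVersion $module.Version

    if ($module.Version.Major -ge 2) {
        # v2: no Select-MgProfile; the token must be passed as a SecureString.
        # Beta endpoints are reached by URL or through the Microsoft.Graph.Beta.* modules.
        $secureToken = ConvertTo-SecureString -String $accessToken -AsPlainText -Force
        Connect-MgGraph -AccessToken $secureToken | Out-Null
    }
    else {
        # v1: the token is a plain string and the beta profile is selected explicitly.
        Connect-MgGraph -AccessToken $accessToken | Out-Null
        Select-MgProfile -Name beta
    }

    # Return the version that was used so callers can log which path ran.
    return $module.Version
}
```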
  17. The official one, currently v3.9, looks pretty much same as v3.5. It even has brought back AzureAD module which was removed somewhere between 3.6 and 3.8. I thought Azure AD was now end of life?

    Your current community version v10 of Get-WindowsAutoPilotInfo.ps1 supports both then?

    Thanks in advance

    Reply
  18. Hi Andrew,

    Hope you are well.

    Many thanks for this, although I’m having some issues, which I’d greatly appreciate some assistance on please.

    I’m trying to upload the hardware hash directly to our tenant, by running the below, and getting the ‘Need admin approval…’ pop up after signing in with my Cloud Admin account:

    PowerShell.exe -ExecutionPolicy Bypass
    Install-Script -Name get-windowsautopilotinfocommunity
    Install-Module -Name WindowsAutopilotIntuneCommunity
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
    Get-windowsautopilotinfocommunity -Online

    Can you please let me know where I’m going wrong?

    Many thanks

    Reply
  19. Hi Andrew,

    Thank you for getting back to me.

    Unfortunately I don’t get that pop up, instead it says

    ‘Need admin approval..
    unverified
    needs permission to access resources in your organisation that only an admin can grant…’

    Does something else need to be configured within Azure AD?

    Kind regards

    Reply
  20. Hi Andrew,

    I can see Graph explorer (official site).

    Is there anything I need to check/configure within its properties?

    Reply
  21. Hi Andrew,

    Apologies for the delayed response.

    Yes, I can see Graph Explorer (official site) and MS Graph Powershell.

    Do these need to be configured or modified in any way please?

    Reply
  22. Hi Andrew,

    I’m now using your community version. It works perfectly so thank you so much and keep up the good work. We use this to automate, as much as possible, (re)imaging a device into autopilot so can whiteglove.

    After this script has run, all we do is then press windows symbol 5x to start whiteglove process off. Is there any way once device added into autopilot, etc that I can get the whiteglove process to start as well (on assumption no errors beforehand)?

    Thanks in advance

    Reply
    • Hi Kev,

      Good idea! I’ve just published v3.0.5 which if run with:
      “-online -assign -preprov”
      Should press Windows key 5 times at the end. It may need some tweaking, but give it a try and see how you get on

      Reply
  23. Hi Andrew,

    Sorry about delay in getting back to you.

    Logically thinking about it, it would be a quite a task to start whiteglove using send-keys type things. I had hoped it may have just been an another command/option that just needed coding for to make use of it.

    Think send key combination would be something like:
    1. Alt-tab (to switch from DOS window running script to the OOBE language selection screen)
    2. Left mouse click (whilst on the OOBE language selection screen)
    3. Windows key press x5
    4. Move mouse to the option that starts whitegloving
    5. Then left mouse click on that option.

    Think 4 and 5 (well mostly 4) would be hardest to code for (well in my head haha).

    Thanks anyhow, I do appreciate trying.

    Kev

    I’ve just tried this today and it will need some tweaking like you said.

    I think it needs following before the 5x windows (I hope in order as below):

    1. Alt-Tab (to switch screens from DOS prompt running the script to the OOBE Region choice screen). I was able to do this with: [System.Windows.Forms.SendKeys]::SendWait(‘%{TAB}’)

    2. Press left mouse button click once

    It’s the left mouse button click I got stuck on as there is no SendKeys option for this so looks like have to try another method.

    Hopefully, that is all that is needed.

    Thanks in advance.

    Kev

    Reply
    • Hmm, I’ll see if I can do that. I know I could with something like AutoIt, but it’s the mouse move which could be tricky. Next time you whiteglove, can you check if you can Tab through and press space on the button (and if so, count the tabs)

      Reply
  24. Hi Andrew,

    At first, thanks for your work!
    I’ve followed your App reg process for the authentication.
    The device appears on Intune with serial number, profile assigned, etc.
    But when I rebooted, the authentication looks like a white screen.
    Do you have an idea about how to fix this issue, please?

    Reply
    • Hi,
      Do you have any firewalls or anything which could be blocking the authentication screen? It’s sometimes worth trying a sysprep as well after adding the device (you can use the sysprep command on the community version of the script)

      Reply
  25. Hi
    The problem shows up when you try to log on for the first time with the OOBE, just after the first reboot when you add the device to Intune with the new Get-windows script…
    I found the issue, it was not a big deal… it came from the access of the network!
    I changed of the support access to network and everything seems fine.

    Reply
  26. Hi Andrew, sorry about delay in getting back. Think send key combination would be something like:
    1. Alt-tab (to switch from DOS window running script to the OOBE language selection screen)
    2. Left mouse click (whilst on the OOBE language selection screen)
    3. Windows key press x5
    4. Down arrow
    5. Enter/Return keypress
    6. Tab key press x2
    7. Enter/Return

    Hopefully got key combination correct this time. Again, no worries if not as it’s a lot of messing. Maybe one day in future, Microsoft would allow support via command line switch or something

    Reply
  27. Hi,

    always get
    WARNING: The version ‘2.9.0’ of module ‘Microsoft.Graph.Authentication’ is currently in use. Retry the operation after closing the applications.
    then after restart it works ok

    any clue how to get rid of the need to restart the script?

    Reply
  28. machine is factory customized for czech (all others where standard eng)
    could that throw error?

    can try to run one eng -machine later today

    Reply
  29. no, have them all set in script

    did wipe one standard computer and re-run
    and seems to work….no error now waiting to be imported

    so makes me think it must be something with czech locale?

    Reply
  30. can confirm standard install works

    did also wipe czech unit and managed to run script successfully
    not sure why error on first run on new unit from the box

    have some more czech units to be delivered(Lenovo) so will find out if only one gave error?

    thanks, Kim

    Reply
  31. I see in the newest updates that you can run this on a device and then tell it to wipe itself and go into the OOBE after the wipe for provisioning. I’ve tried running get-windowsautopilotinfocommunity -online -wipe -sysprep but nothing happens after rebooting.

    Am I missing something?

    I will also be wrapping this in a script with a client ID and secret for authentication and pushing it through a 3rd party to my off site devices.

    Just trying to find the best way of getting my domain devices into intune without everyone connecting back to VPN or coming into the office.

    Reply
  32. I’m getting some intermittent authentication errors… I’m trying to run this on devices with Shift+F10 from the OOBE screen.

    I have two files, a cmd that just calls the ps1
    powershell.exe -executionpolicy bypass -file .\autopilot.ps1

    And the autopilot.ps1
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Confirm:$false -Force:$true
    Install-Script get-windowsautopilotinfocommunity -Confirm:$false -Force:$true
    get-windowsautopilotinfocommunity -Online -TenantId “aaa” -AppId “bbb” -AppSecret “ccc”
    shutdown.exe /s /t 10

    The error it self just says “Connect-MgGraph : The provided access token has expired. Set a valid access token”… then it seems to connect anyway, because i get the message that says its connected to my tenant using app-based auth, and the serial number of the device. It later throws up “Invoke-MgGraphRequest : Authentication needed. Please call Connect-MgGraph”… at the end, it exits with Get-AutopilotDevice : Microsoft.Graph.Powershell.AuthenticationException: Authentication needed. Please call Connect-MgGraph.

    Any ideas?

    Reply
      • I haven’t changed anything from the get-windowsautopilotinfocommunity.ps1, so I’m not sure… the output from the script mentions Version 2 module detected, so I’m assuming version 2

        Reply
        • Seems to work for me now after I specified that the machines should install the v1 versions. Thanks for pointing me in the right direction =)

          In case anyone else gets this, I just added this after the nuget installation and it stopped whining… 😀

          Install-Module -Name Microsoft.Graph.Authentication -RequiredVersion 1.28.0 -Confirm:$false -Force:$true -SkipPublisherCheck
          Install-Module -Name Microsoft.Graph.Groups -RequiredVersion 1.28.0
          Install-Module -Name Microsoft.Graph.Identity.DirectoryManagement -RequiredVersion 1.28.0 -Confirm:$false -Force:$true -SkipPublisherCheck
          Install-Module -Name Microsoft.Graph.Intune -Confirm:$false -Force:$true -SkipPublisherCheck

          Reply
  33. Hi Andrew and nice edition,

    I just came across this post and I was wondering whether we could use an Intune script to upload the HardwareIDs of devices that are currently in use but we may want to convert over to AutoPilot in the future. Is this possible or will it require more permissions and stuff?

    Thank you

    Reply
      • Ok, thank you.

        Would you suggest this method or the method you described here? https://andrewstaylor.com/2023/06/13/authenticating-to-new-get-windowsautopilotinfo/

        For instance, sth like this would probably work, right?

        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        PowerShell.exe -ExecutionPolicy Bypass
        Install-Script -name Get-WindowsAutopilotInfo -Force
        Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
        get-windowsautopilotinfo.ps1 -online -TenantID 12345 -appid 12345 -appsecret 12345

        Thank you

        Reply
        • Yes, that will work fine. Once you have completed enrollment, remove the secret though to be on the safe side.

          If your devices are AD joined, you could also Hybrid GPO join and add to autopilot that way

          Reply
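The advice in the reply above, to remove the secret once enrollment is complete, as an added example (not part of any comment and not the script's own code). It assumes the Microsoft.Graph.Applications module is installed and that you sign in interactively as an admin who can consent to Application.ReadWrite.All. The function name `Remove-EnrollmentAppSecret` is hypothetical.

```powershell
# Added example, not the author's code. Remove-EnrollmentAppSecret is a hypothetical name.
function Remove-EnrollmentAppSecret {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Client (application) ID of the app registration used for enrollment.
        # Typed as [guid] so nothing else can reach the OData filter below.
        [Parameter(Mandatory)][guid]$AppId
    )

    Import-Module Microsoft.Graph.Applications
    Connect-MgGraph -Scopes 'Application.ReadWrite.All' | Out-Null

    $app = Get-MgApplication -Filter "appId eq '$AppId'"
    if (-not $app) { throw "No app registration found with client ID $AppId." }

    # Remove every client secret on the registration, one key at a time.
    $removed = 0
    foreach ($cred in $app.PasswordCredentials) {
        $label = "secret '$($cred.DisplayName)' (KeyId $($cred.KeyId), expires $($cred.EndDateTime))"
        if ($PSCmdlet.ShouldProcess($app.DisplayName, "Remove $label")) {
            Remove-MgApplicationPassword -ApplicationId $app.Id -BodyParameter @{ keyId = $cred.KeyId }
            $removed++
        }
    }

    # Re-read the registration so the result reflects what is actually left.
    $remaining = @((Get-MgApplication -ApplicationId $app.Id).PasswordCredentials).Count
    [pscustomobject]@{
        App       = $app.DisplayName
        Removed   = $removed
        Remaining = $remaining
    }
}
```

Run it with `-WhatIf` first to list the secrets that would be removed without changing the registration.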
          • Hi again Andrew,

            Probably stupid question about the link I shared previously, but if i don’t want to use groups, then just DeviceManagementServiceConfig.ReadWrite.All will be enough to read and upload from USB to Intune, right?

            Thank you
