Whilst Microsoft have fixed the official script and module, unlike a lot of their scripts and documents, it does not seem to live anywhere public, so we cannot make changes for review.
Version 2.0 just released with new parameters:
-wipe (Sends an Intune wipe to Intune managed devices, such as if you are shifting from hybrid to AAD)
-sysprep (Sends a sysprep OOBE reboot command)
Version 3.0 now supports both PowerShell Graph SDK v1 and v2
Big news – The scripts are now digitally signed for extra security!
With that in mind, I have renamed and changed the GUID on my versions to create a community script and module with the names:
get-windowsautopilotinfocommunity and WindowsAutopilotIntuneCommunity
The source files can be found here:
https://github.com/andrew-s-taylor/WindowsAutopilotInfo/tree/main/Community%20Version
And on the PowerShell Gallery:
https://www.powershellgallery.com/packages/get-windowsautopilotinfocommunity/1.0.0
Install-Script -Name get-windowsautopilotinfocommunity
https://www.powershellgallery.com/packages/WindowsAutopilotIntuneCommunity/1.0
Install-Module -Name WindowsAutopilotIntuneCommunity
These are community scripts; please send feature requests, bug fixes, anything at all, and I will attempt to keep on top of all changes.
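Since the scripts are now signed, the signature can be checked after Install-Script and before the first run. The following is an added example, not part of the community script or the original post; Test-SignedFile is a hypothetical helper name, and the thumbprint is a placeholder to be replaced with a value recorded after a manual review.

```powershell
# Added example, not part of the original script or module.
# Assumption: the expected signer thumbprint was recorded out-of-band after a
# first manual review; the value below is a placeholder, not the real one.
$ExpectedThumbprint = '<SIGNER-CERT-THUMBPRINT-PLACEHOLDER>'

function Test-SignedFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches and the chain is trusted on this machine.
    # NotSigned, HashMismatch, NotTrusted and UnknownError all fail here.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is $($sig.Status)"
        return $false
    }
    # A valid signature from an unexpected publisher is still a failure.
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        Write-Warning "$Path : signed by unexpected certificate $($sig.SignerCertificate.Subject)"
        return $false
    }
    # Without a timestamp the signature stops validating once the signing cert expires.
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning "$Path : signature has no timestamp (expires with the signing certificate)"
    }
    return $true
}

# Locate the file that Install-Script placed on disk.
$installed  = Get-InstalledScript -Name get-windowsautopilotinfocommunity
$scriptPath = Join-Path $installed.InstalledLocation "$($installed.Name).ps1"

if (-not (Test-SignedFile -Path $scriptPath -Thumbprint $ExpectedThumbprint)) {
    throw "Refusing to run $scriptPath : signature check failed."
}
Write-Host "Signature OK for $scriptPath (version $($installed.Version))."
```

A pinned thumbprint has to be updated when the publisher renews the signing certificate, so a mismatch after an update calls for a fresh review rather than an automatic failure of trust.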


Hi Andrew,
I am trying to run this in a SCCM TS to update a device tag for existing autopilot devices being repurposed as an AutoPilot device with a new tag.
I am trying to use –
get-windowsautopilotinfocommunity.ps1 -Online -Delete -GroupTag "NewGroupTag" -TenantId "****************" -AppId "*****************" -AppSecret "********************"
I am not having much luck. Should this work in WinPE during the TS?
Thanks,
AlanG
I don’t think you want the Delete option on there for an update.
Is this in full PE, or just during the OS deployment? It won’t work in PE because it can’t grab the hardware hash
It is booting the TS, Partition and Format HDD, Applying the OS, installing drivers and then trying to apply the PowerShell script to update the Group Tag. Then restart to OOBE.
So I should use -Online -UpdateTag "NewGroupTag" -TenantId "****************" -AppId "*****************" -AppSecret "********************"
I only used -Delete because I understood it would remove the device from any other AutoPilot dynamic groups.
So will this work during the Task Sequence, or do I need to look at another solution?
Yes, it should work at that point because you’re in full Windows.
Delete removes the autopilot object, Entra object etc. so I would avoid adding that
Hi Andrew,
I tried to find a way to use the get-windowsautopilotinfocommunity script with these parameters: -online -AppSecret -AppId -TenantId and with a “Secure String Format”, but this doesn’t work. When I use this with “normal Text Format” it works as expected.
My question is: Will that be a secure way to run that PS script here over an Internet connection, because it includes very important information such as AppID and AppSecret?
What is your recommendation here?
The secret is converted to a secure string within the script before anything is transmitted; everything going over the internet uses the secure string.
Just tried to register a fresh W11 VM, and it quickly goes downhill 🙂 Seems to fall over when detecting/installing the modules (microsoft.graph.authentication, MS Graph Identity Management etc)
Error shows, Install-Module: The value Ignore is not supported for an ActionPreference variable.
ErrorAction Ignore is a fairly standard command.
Are you running in OOBE? I know the modules won’t work in WinRE
OK, you mean the profile ID within the Autopilot Environment? I can see the ID when I run your script. But what would the syntax be for the dynamic group?
(device.enrollmentProfileName -eq "OfflineAutopilotprofile-PROFILEID")
Replace PROFILEID with your ID
Hi Andrew,
My bad. I’ve replied to the wrong blog post. My question was about that script here: https://andrewstaylor.com/2023/08/15/creating-windows-iso-with-autopilot-json-injected/
BG,
Dom
Ah, got you. No, that one won’t work with group tags as the devices aren’t visible in Intune and Autopilot until after deployment. You can create a dynamic group based on the profile ID so one option would be to configure multiple profiles
Should this be included in your script? How should I add it?
Or can I start the script with the syntax? I’ve tried with no success.
BG,
Dom
You run with parameters:
get-windowsautopilotinfocommunity.ps1 -GroupTag "tag" -Online -Assign (or whatever parameters you normally use)
Hi Andrew,
thx for your answer 🙂
What is the syntax to use the Group Tag feature? Can’t figure it out.
Regards,
Dom
It should just be -GroupTag "tagname" and then -online etc. as needed
Hi Andrew,
The script is great. I’m working with Group Tags to deploy different profiles. Is there a way to do that also with your script?
BG,
Dom
Hi Dom,
Yes, there is a GroupTag parameter you can use
Just to update you this can be replicated, something is messed up in the module versions of the script. If you call a KeyVault to get the appsecret then the community version will break with the errors I pasted before. Replicated entire day.
The only workaround I have now is to have one session to call for the keyvault, store the secret in a variable and pass it over to a new session where I run the community script.
Something with the module versions is completely broken
The community script doesn’t use the module to authenticate at all. The issue is between you grabbing the secret and passing it through to the script.
Have you tried grabbing the secret and just send it to a write-host to check everything looks ok in the command?
I have just run this in my tenant and it worked without issue:
# Connect to Azure account
Connect-AzAccount
# Get the secret from Azure Key Vault
$secret = Get-AzKeyVaultSecret -VaultName "homelab" -Name "appreg" -AsPlainText
$appid = "CLIENTID"
$tenant = "TENANTID"
get-windowsautopilotinfocommunity.ps1 -Online -AppId $appid -AppSecret $secret -Tenantid $tenant
Scratch last message, this is the part that makes it fail.
# Install only the required Azure modules
$requiredModules = @("Az.Accounts", "Az.KeyVault")
foreach ($module in $requiredModules) {
    if (-not (Get-InstalledModule -Name $module -ErrorAction SilentlyContinue)) {
        Write-Host "$module module not found. Installing..."
        Install-Module -Name $module -Repository PSGallery -Confirm:$false -Force:$true
    } else {
        Write-Host "$module module found."
    }
}
# Connect to Azure account
Connect-AzAccount -Tenant $tenantId -SubscriptionId $subscriptionId
# Get the secret from Azure Key Vault
$secret = Get-AzKeyVaultSecret -VaultName "VaultName" -Name "AutopilotRegistration" -AsPlainText
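The Key Vault hand-off discussed in the comments above, as an added example that is not from the original post or any commenter: it fetches the secret as a SecureString, converts it only for the call, and checks its shape without echoing the value to the console. The vault name, secret name and ID placeholders are reused from the comments as illustrative values.

```powershell
# Added example, not from the original post or the community script.
# Assumptions: vault name, secret name and the ID placeholders are illustrative;
# Az.Accounts and Az.KeyVault are installed and Connect-AzAccount has been run.
$vaultName  = 'VaultName'
$secretName = 'AutopilotRegistration'
$appId      = 'CLIENTID'
$tenantId   = 'TENANTID'

# Without -AsPlainText the secret comes back as a SecureString in .SecretValue.
$kvSecret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName
if (-not $kvSecret) { throw "Secret '$secretName' not found in vault '$vaultName'." }

# Per the thread, -AppSecret only works with plain text, so convert at the last moment.
$plain = [System.Net.NetworkCredential]::new('', $kvSecret.SecretValue).Password

# Sanity checks that print only the length, never the value itself.
$problems = @()
if ([string]::IsNullOrWhiteSpace($plain)) { $problems += 'value is empty' }
elseif ($plain -ne $plain.Trim())         { $problems += 'leading or trailing whitespace' }
if ($plain -match '[\r\n]')               { $problems += 'contains a line break' }
if ($problems) { throw "Secret failed checks: $($problems -join '; ')" }
Write-Host "Secret retrieved: $($plain.Length) characters, no formatting problems."

try {
    get-windowsautopilotinfocommunity.ps1 -Online -AppId $appId -AppSecret $plain -TenantId $tenantId
}
finally {
    # Remove the variable so the value is not left in the session afterwards.
    # This does not scrub memory; the string remains until garbage collected.
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
}
```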
Hi Andrew!
I’m trying to use the get-windowsautopilotcommunity -Online -TenantID xxxxxx -AppID yyyyy -Appsecret wwwww but I’m facing an error like this:
Connect-ToGraph: cannot find a parameter that matches the name TenantID
Do you have any clue about this error?
Hi Paulo,
My fault, I had a typo in there. V3.0.1 should fix it.
Hi, it works now however getting warning as below.
Installing module microsoft.graph.authentication
Installing module MS Graph Identity Management
WARNING: The version '1.28.0' of module 'Microsoft.Graph.Authentication' is currently in use. Retry the operation after closing the applications.
Connected to Intune tenant
Gathered details for device with serial number: 121HT872
Adding New Device serial 121HT872
Hopefully that should be fixed now as well
Hi Andrew, getting this when running the community version online.
PS D:\Community Editions> .\get-windowsautopilotinfocommunity.ps1 -online
Connected to Intune tenant
Gathered details for device with serial number: 111HT872
Adding New Device serial 111HT872
cmdlet Set-AutopilotDevice at command pipeline position 1
Supply values for the following parameters:
id: 123
Set-AutopilotDevice : Microsoft.Graph.PowerShell.Authentication.Helpers.HttpResponseException: Response status code does not indicate success: NotFound (Not Found).
at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
At D:\Community Editions\get-windowsautopilotinfocommunity.ps1:1999 char:30
+ … $imported += Set-AutopilotDevice -groupTag $_.'Group Tag'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-AutopilotDevice
Hi,
I’ve just uploaded v1.0.3 which should fix the issue
Hi Andrew,
I tried to parse Online with GroupTag.
It works in the logs, parsing the JSON file for existing devices. However, it never gets the GroupTag printed to the device under Windows Autopilot devices.
Would that be supported?
.\get-windowsautopilotinfo.ps1 -Online -TenantId aaaa -AppId bbbb -AppSecret cccc -Assign -GroupTag CANADA -Verbose
{
    "@odata.type": "#microsoft.graph.importedWindowsAutopilotDeviceIdentity",
    "groupTag": "CANADA",
    "serialNumber": "9999-8888-7777-6666-5555-4444-33",
    "productKey": "",
    "hardwareIdentifier": "XXXXXXXXXXX",
    "assignedUserPrincipalName": "",
    "state": {
        "@odata.type": "microsoft.graph.importedWindowsAutopilotDeviceIdentityState",
        "deviceImportStatus": "pending",
        "deviceRegistrationId": "",
        "deviceErrorCode": 0,
        "deviceErrorName": ""
    }
}
Should be sorted on the community version now