Intro
This post is for autopilot newbies or for anyone who wants a review of manually enrolling devices. In most cases, we try to use scripted automation for existing device enrollment. I have a few posts on various ways to do this here, here, and here. If you have an RMM and numerous devices to register, I strongly encourage you to use one of those methods. For new devices, we prefer to have the vendor enroll them for us. However, if you have no choice but to manually register devices (or you only have a small number of devices), sometimes it’s easier to get in front of the devices and do the registration manually. The process is the same for existing and new devices. In the example below, we will show you how to enroll a device from the OOBE initial setup screen (as if you just unboxed a new device and want to register it with autopilot).
The Registration Process
This is all performed through PowerShell. So, step one is to open an administrative PowerShell session. If this is a new PC going through OOBE, pressing SHIFT+F10 will open an administrative command prompt. From here, type PowerShell and press enter to get to a PowerShell session. Before you go any further, make sure the device has internet connectivity. If you are using a laptop, you can proceed with the OOBE setup until you connect to Wi-Fi. Once connected to Wi-Fi, stop and then go to your PowerShell session to follow the rest of the steps.
We need to install the Get-WindowsAutoPilotInfo script (https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo/3.3), which is what we use to manually register devices with autopilot. For this, we use the command Install-Script Get-WindowsAutoPilotInfo and answer Y to all the confirmations.
Next, we need to set the execution policy. If we try using the script before setting the execution policy, we will receive an error (shown below).
Now we can run the get-windowsautopilotinfo script. If we issue only that script without any parameters, the hardware hash will display as output, which doesn’t do us much good:
Luckily, there are a bunch of parameters with this script that make our lives much easier. The two most important are the -Online parameter, which registers the device with autopilot immediately, and specifying a group for the device where your autopilot profile is assigned. I like to use grouptags, which can be used to add a device to a dynamic group with an autopilot profile assigned. It gives you some more flexibility if all autopilot devices won’t be using the same profile. If you want to use grouptags, all you need to do is create a dynamic group and use the syntax below for the device membership rule. Change “Autopilot” in the syntax below to the grouptag you want to use. The dynamic group name does not need to be the same as the group tag, and the grouptags are not case sensitive.
(device.devicePhysicalIds -any _ -eq "[OrderID]:Autopilot")
If you don’t want to use grouptags, you can make a dynamic group with the syntax below, which encompasses all autopilot devices. This is sometimes useful if every device will use the same autopilot profile. I did some testing, and if you are using dynamic groups with the ZTDID and grouptags as separate groups, the ZTDID profile assignment always wins if the device is a member of both groups. Just something to be aware of.
(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))
Lastly, you have the option to add the device to a static group. I generally use dynamic groups wherever possible, but you have the option to specify the group for the device. In addition to what was just covered, there are several other parameters we can use. As previously mentioned, the most important are the -online and -grouptag (or -addtogroup) parameters. You can export a CSV with the hash if you’d like, but since we are already sitting in front of the PC, we will use the -online parameter so the registration happens immediately. Here is a complete list of the parameters taken directly from the script:
.PARAMETER Name
The names of the computers. These can be provided via the pipeline (property name Name or one of the available aliases, DNSHostName, ComputerName, and Computer).
.PARAMETER OutputFile
The name of the CSV file to be created with the details for the computers. If not specified, the details will be returned to the PowerShell pipeline.
.PARAMETER Append
Switch to specify that new computer details should be appended to the specified output file, instead of overwriting the existing file.
.PARAMETER Credential
Credentials that should be used when connecting to a remote computer (not supported when gathering details from the local computer).
.PARAMETER Partner
Switch to specify that the created CSV file should use the schema for Partner Center (using serial number, make, and model).
.PARAMETER GroupTag
An optional tag value that should be included in a CSV file that is intended to be uploaded via Intune (not supported by Partner Center or Microsoft Store for Business).
.PARAMETER AssignedUser
An optional value specifying the UPN of the user to be assigned to the device. This can only be specified for Intune (not supported by Partner Center or Microsoft Store for Business).
.PARAMETER Online
Add computers to Windows Autopilot via the Intune Graph API
.PARAMETER AssignedComputerName
An optional value specifying the computer name to be assigned to the device. This can only be specified with the -Online switch and only works with AAD join scenarios.
.PARAMETER AddToGroup
Specifies the name of the Azure AD group that the new device should be added to.
.PARAMETER Assign
Wait for the Autopilot profile assignment. (This can take a while for dynamic groups.)
.PARAMETER Reboot
Reboot the device after the Autopilot profile has been assigned (necessary to download the profile and apply the computer name, if specified).
I’m only using -Online and -Grouptag parameters in this example. This registers the device right away and also adds it to my dynamic group using the grouptag. I don’t specify an assigned user since the assigned user will drive the autopilot process, and I don’t specify an assignedcomputername since the autopilot profile takes care of that. My syntax looks like this.
Get-WindowsAutoPilotInfo -Online -Grouptag autopilot
You’ll be prompted to authenticate to register the device. If you aren’t using a global admin account, you can use an account with the Intune administrator role. After authenticating, you’ll see some output like this for a minute or two:
Once the device is registered, you’ll see this
And if we check our autopilot devices, it’s listed, but the profile assignment will take some time. I’ve seen this take anywhere from 5 minutes to an hour.
Once your device has its profile assigned (this is assuming you have already created an autopilot profile and assigned it to your group), we can reboot the machine by using the PowerShell command restart-computer.
After the computer restarts, your target user can sign in and the autopilot process will begin.
You can also use the -assign and -reboot parameters to make things easier. The -assign parameter will wait for the autopilot profile to get assigned. Once it is assigned, the -reboot parameter automatically restarts the device. This can be especially useful if you’re registering a device at a user’s desk. You can walk away and tell them to sign in once the computer restarts.
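The steps above as one session, as an added example that is not part of the original post: the execution policy is relaxed for the current process only, and the downloaded script's Authenticode signature is checked before it runs. It assumes the PowerShell Gallery copy is signed and uses the post's autopilot group tag.

```powershell
# Added example, not from the original post. Run in the elevated PowerShell
# session opened from OOBE (SHIFT+F10, then "PowerShell").

# Allow scripts for this PowerShell process only. The machine-wide policy is
# left alone, and the change is gone when the window closes.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# Install from the PowerShell Gallery; answer Y to the prompts as in the post.
Install-Script -Name Get-WindowsAutoPilotInfo

# Find the file that was actually written to disk and record its version.
$installed = Get-InstalledScript -Name Get-WindowsAutoPilotInfo
$scriptPath = Join-Path $installed.InstalledLocation 'Get-WindowsAutoPilotInfo.ps1'
Write-Host ("Installed version {0} at {1}" -f $installed.Version, $scriptPath)

# Check the Authenticode signature before an Intune admin credential is typed
# into the script. Assumption: the gallery copy is signed; anything other than
# 'Valid' (NotSigned, HashMismatch, ...) stops here.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
if ($sig.Status -ne 'Valid') {
    throw ("Not running {0}: signature status is {1}" -f $scriptPath, $sig.Status)
}
Write-Host ("Signed by: {0}" -f $sig.SignerCertificate.Subject)

# Run the exact file that was checked. 'autopilot' is the group tag used in the
# post; -Assign waits for the profile and -Reboot restarts once it is assigned.
& $scriptPath -Online -GroupTag autopilot -Assign -Reboot
```

Calling the script by its full path means the file that runs is the same file whose signature was checked, not whatever resolves first on the PATH.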