Import or remove Windows Autopilot devices based on specific criteria
Enrolling a device with Windows Autopilot requires it to be imported into Microsoft Intune first. The import can be done either by your hardware vendor or by your IT department, using a CSV file that contains the hardware hashes. The CSV file is checked for invalid characters and bad hardware hashes to ensure a valid import.
By using Azure automation solutions we can add additional requirements before a device is allowed to be imported or removed. I will describe here how to implement this by using an Azure runbook and how I use a SharePoint site for gathering files to import and store logs.
When devices are imported in Windows Autopilot they are marked as corporate owned and can easily be enrolled in Microsoft Intune. Be sure that you only allow devices that meet the company requirements, such as the presence of a TPM 2.0 chip, a supported device model or permissions on the group tag.
This implementation builds a security layer to ensure the device integrity, meeting all criteria being set and enforced before a device is allowed to be imported or removed.
The scripts and examples can be found on my GitHub. By changing the variables you are able to use them directly. Be careful using the scripts, please check them first in your test environment.
Requirements:
- Bulk upload devices by gathering all CSV files by using a SharePoint site.
- User must have permissions to import or remove devices with a specific group tag.
- Runbook will stop if no new CSV files are found in the SharePoint folder.
- Health check if the Autopilot deployment program is up and running.
- Group tag is present and checked for valid name convention.
- Device hardware hash must be valid to continue.
- Device can only be imported or removed if it exists in the model list.
- Device must contain the TPM 2.0 chip.
- User must have permissions on current device group tag to update it.
- Check for motherboard replacements before importing or removing devices.
- Check if the device is already member of the tenant.
- Check if device is already member of another tenant.
- All actions must be logged and uploaded to a SharePoint site.
- The user must be notified when errors occur.
Prerequisites:
- The SharePoint site and folders where users can upload CSV files.
- An Azure Automation account to configure the runbooks in.
- An Automation Account Hybrid Runbook Worker group whose server has the PnP.PowerShell and AzureAD modules installed.
- An account that has permissions on the SharePoint site and can read Azure AD objects.
- An app registration with permissions to retrieve Intune data and send mail, see specifications below.
| API / Permission name | Type |
|---|---|
| DeviceManagementManagedDevices.ReadWrite.All | Application |
| DeviceManagementServiceConfig.ReadWrite.All | Application |
| Mail.Send | Application |
SharePoint site
We are going to use a SharePoint site for importing and removing Autopilot devices. Employees can upload their CSV files here when they are a member of a specific security group (see the script variable valuesToLookFor). You can place the CSV file(s) for example in a folder called ImportAutopilotDevice or RemoveAutopilotDevice. In this folder you can create other folders like Errors, Imported/Deleted, Logging, Resources and Sources and set read-only permissions. Give the account you use for automation permissions on this site so it can retrieve files and upload logging.
Note: the Autopilot Actions log can contain devices that were added manually while the runbook was running. That is because the Get-AutoPilotImportedDevice function retrieves all recently imported devices to get the latest import status.
| Folder name | Description |
|---|---|
| Errors | Error logging from the whole process, with error codes. |
| Imported or Deleted | Devices that were actually imported into or deleted from Windows Autopilot successfully. |
| Logging | All actions performed during the import or removal process. |
| Sources | The CSVs that were processed by the Azure runbook to import or remove devices in Windows Autopilot. |
The Azure runbooks for importing and removing Windows Autopilot devices
Note: the AutopilotUtility 1.0 module from the PowerShell Gallery must be installed. It decodes the hardware hash to obtain information such as the serial number, model name and TPM version.
There are two runbooks, one for importing and one for removing devices in Windows Autopilot. Each runbook is divided into multiple stages, each with different actions. The runbooks must not overlap: only one job may be active at a time. Schedule them with an interval that gives a job enough time to finish, for example every hour.
The stages for the Autopilot import runbook:
| Stage | Description | Action |
|---|---|---|
| First stage | Download and prepare files. | CSVs are downloaded from SharePoint and moved to Sources. |
| Second stage | Permission check. | The user permissions are checked. If the user has permissions, the CSV entries are added to the import list. |
| Third stage | Get device and group tag from Intune. | Check if the device already exists in Intune; if so, try to update the group tag if it differs and the user has permissions. |
| Fourth stage | Get hardware info and check if the criteria are met. | A device is removed from the import list when one of the criteria is not met. |
| Fifth stage | Import checked devices in Autopilot. | The import list is used to add the devices in Autopilot. Users who uploaded the CSV file are informed by mail if errors occur during import. |
| Sixth stage | Upload and clean files. | At the end, files are removed from the $Temp folder and uploaded to the SharePoint site. |
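The Graph calls behind the fifth stage, as an added example; this is not the blog's Import-AutoPilotCSV function. It assumes a client-credentials flow, with the app (client) ID stored as the user name and the client secret as the password of the AutomationCreds credential, and the tenant ID in an Automation variable named TenantId (not in the variable table above). The request body is the documented importedWindowsAutopilotDeviceIdentity shape; the Ztd* error names used to map the service result onto the error codes of this post are the names the service returns and should be verified against your own tenant's responses.

```powershell
function Get-GraphHeaders {
    # Client-credentials token for the app registration (assumption: AppId in UserName, secret in Password).
    param([string]$TenantId, [pscredential]$AppCredential)
    $body = @{
        grant_type    = 'client_credentials'
        scope         = 'https://graph.microsoft.com/.default'
        client_id     = $AppCredential.UserName
        client_secret = $AppCredential.GetNetworkCredential().Password
    }
    $token = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body
    return @{ Authorization = "Bearer $($token.access_token)"; 'Content-Type' = 'application/json' }
}

function Import-AutopilotIdentity {
    # Creates one importedWindowsAutopilotDeviceIdentity from a CSV row and waits for the service to process it.
    param([hashtable]$Headers, $Row, [int]$TimeoutSeconds = 600)
    $uri  = 'https://graph.microsoft.com/beta/deviceManagement/importedWindowsAutopilotDeviceIdentities'
    $body = @{
        '@odata.type'      = '#microsoft.graph.importedWindowsAutopilotDeviceIdentity'
        groupTag           = $Row.'Group Tag'
        serialNumber       = $Row.'Device Serial Number'
        productKey         = $Row.'Windows Product ID'
        hardwareIdentifier = $Row.'Hardware Hash'
        state              = @{
            '@odata.type'        = 'microsoft.graph.importedWindowsAutopilotDeviceIdentityState'
            deviceImportStatus   = 'pending'
            deviceRegistrationId = ''
            deviceErrorCode      = 0
            deviceErrorName      = ''
        }
    } | ConvertTo-Json -Depth 5
    $imported = Invoke-RestMethod -Method Post -Uri $uri -Headers $Headers -Body $body

    # Poll the import record: the status moves from "pending" to "complete" or "error".
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $state = (Invoke-RestMethod -Method Get -Uri "$uri/$($imported.id)" -Headers $Headers).state
    } while ($state.deviceImportStatus -eq 'pending' -and (Get-Date) -lt $deadline)

    # Map the service result onto the error codes used in this post's logging.
    $result = switch ([string]$state.deviceErrorName) {
        'ZtdDeviceAlreadyAssigned'       { 'Device already assigned in Autopilot' }
        'ZtdDeviceAssignedToOtherTenant' { 'Device is assigned to another tenant' }
        default {
            if ($state.deviceImportStatus -eq 'complete') { 'Imported' }
            elseif ($state.deviceImportStatus -eq 'pending') { 'Timeout' }
            else { 'Fatal error during import' }
        }
    }
    # Always delete the import record afterwards (what Remove-AutoPilotImportedDevice does in the runbook).
    Invoke-RestMethod -Method Delete -Uri "$uri/$($imported.id)" -Headers $Headers | Out-Null
    return [pscustomobject]@{
        SerialNumber = $Row.'Device Serial Number'
        Result       = $result
        ErrorCode    = $state.deviceErrorCode
    }
}

# Usage inside the runbook (Automation Account cmdlets):
# $headers = Get-GraphHeaders -TenantId (Get-AutomationVariable -Name 'TenantId') `
#                             -AppCredential (Get-AutomationPSCredential -Name 'AutomationCreds')
# Import-Csv "$Temp\devices.csv" | ForEach-Object { Import-AutopilotIdentity -Headers $headers -Row $_ }
```

Keep the timeout: imports normally finish within minutes, but a record that stays pending must not be left behind, because the runbook's next job reads recently imported records to determine status.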
The stages for the Autopilot remove runbook:
| Stage | Description | Action |
|---|---|---|
| First stage | Download and prepare files. | CSVs are downloaded from SharePoint and moved to Sources. |
| Second stage | Remove device from Autopilot. | Check if the user has permissions on the group tag; if so, try to remove the device from Autopilot based on its serial number. |
| Third stage | Upload and clean files. | At the end, files are removed from the $Temp folder and uploaded to the SharePoint site. |
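The second stage of the remove runbook, as an added example rather than the blog's Remove-AutoPilotDevice function. It assumes `$Headers` already holds a bearer token for the app registration (DeviceManagementServiceConfig.ReadWrite.All) and that the caller has already resolved which group tags the uploader may touch (`$PermittedGroupTags`). The enrollment check relies on the managedDeviceId and enrollmentState properties of windowsAutopilotDeviceIdentity; the all-zero GUID is what the service returns for a device that is not enrolled, which you should confirm in your tenant.

```powershell
function Remove-AutopilotDeviceBySerial {
    # Returns one of the error codes from this post, or 'Deleted'.
    param(
        [hashtable]$Headers,
        [string]$SerialNumber,
        [string[]]$PermittedGroupTags
    )
    $base = 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities'

    # The serial comes from a user-uploaded CSV: escape it for the OData string literal
    # and match exactly afterwards, because contains() is a substring match.
    $escaped = $SerialNumber -replace "'", "''"
    $matches = (Invoke-RestMethod -Method Get -Headers $Headers `
                -Uri "$base?`$filter=contains(serialNumber,'$escaped')").value
    $device = $matches | Where-Object { $_.serialNumber -eq $SerialNumber } | Select-Object -First 1
    if (-not $device) { return 'Device not found' }

    # Group tag permission check: prevents removing a device that belongs to another country/entity.
    if ($device.groupTag -and $PermittedGroupTags -notcontains $device.groupTag) {
        return 'No permission on current Group tag'
    }

    # A device that is still enrolled must be removed from Intune first.
    $emptyGuid = '00000000-0000-0000-0000-000000000000'
    if ($device.enrollmentState -eq 'enrolled' -or
        ($device.managedDeviceId -and $device.managedDeviceId -ne $emptyGuid)) {
        return 'Device is active in Intune'
    }

    Invoke-RestMethod -Method Delete -Uri "$base/$($device.id)" -Headers $Headers | Out-Null
    return 'Deleted'
}

# Usage: one call per CSV row, writing the outcome to the log.
# Import-Csv "$Temp\remove.csv" | ForEach-Object {
#     $outcome = Remove-AutopilotDeviceBySerial -Headers $headers -SerialNumber $_.'Device Serial Number' `
#                                               -PermittedGroupTags $userTags
#     Write-Log "$($_.'Device Serial Number'): $outcome"
# }
```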
The variables below are stored as Automation Account variables, so it is not necessary to edit the Azure runbooks. The credentials are stored as Automation Account credentials.
| Name | Type | Description |
|---|---|---|
| AutomationCreds | Credentials | Credentials used to get a Graph API token and to download/upload files on SharePoint. |
| cModel | Variable | Contains all models that are allowed to be imported. Only used in the import process. |
| cLabel | Variable | Contains the allowed first label parts of group tags. |
| cCountry | Variable | Contains all countries that are allowed to be used in combination with group tags. |
| cEntity | Variable | Contains all entities that are allowed to be used in combination with group tags. |
| UPN | Variable | Contains the UPN suffix for accounts, such as @domain.com, used for getting the SMTP address. |
| EmailUPN | Variable | This email address receives the error message if something went wrong. |
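The criteria from the requirements list applied to one CSV row, as an added example (not the blog's own validation code). It uses the variable names from the table above and assumes three things the post does not state: the lists are stored as comma-separated strings, a group tag has the form `<Label>-<Country>-<Entity>`, and the security groups that grant permission are named `Autopilot-<Country>-<Entity>`. The values decoded from the hardware hash (serial, model, TPM version) are passed in, since that is what AutopilotUtility provides in the runbook; the sample rows and decoded values below are constructed.

```powershell
function Get-AllowedList {
    # Inside Azure Automation read the variable; elsewhere use the fallback so the example runs locally.
    param([string]$Name, [string]$Fallback)
    $value = $Fallback
    if (Get-Command Get-AutomationVariable -ErrorAction SilentlyContinue) {
        $value = Get-AutomationVariable -Name $Name
    }
    return @(($value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$cModel   = Get-AllowedList -Name 'cModel'   -Fallback 'HP EliteBook 840 G8,Surface Laptop 4'
$cLabel   = Get-AllowedList -Name 'cLabel'   -Fallback 'AP'
$cCountry = Get-AllowedList -Name 'cCountry' -Fallback 'NL,BE,DE'
$cEntity  = Get-AllowedList -Name 'cEntity'  -Fallback 'HQ,SALES'

function Test-GroupTag {
    # Returns the matching error code from this post, or $null when the tag follows the convention.
    param([string]$GroupTag)
    if ([string]::IsNullOrWhiteSpace($GroupTag)) { return 'No Group tag' }
    $parts = $GroupTag -split '-'
    if ($parts.Count -ne 3) { return 'Bad Group tag' }
    if ($cLabel -notcontains $parts[0] -or $cCountry -notcontains $parts[1] -or $cEntity -notcontains $parts[2]) {
        return 'Bad Group tag'
    }
    return $null
}

function Test-UserPermission {
    # $UserGroups: display names of the uploader's groups, as Get-AADUserGroupMembership would return them.
    param([string]$GroupTag, [string[]]$UserGroups)
    $parts = $GroupTag -split '-'
    return ($UserGroups -contains "Autopilot-$($parts[1])-$($parts[2])")
}

function Test-ImportRow {
    # $Row is one record of the Autopilot CSV; $Hardware holds the values decoded from its hardware hash.
    param($Row, $Hardware, [string[]]$UserGroups)
    $problems = @()
    $tagError = Test-GroupTag -GroupTag $Row.'Group Tag'
    if ($tagError) { $problems += $tagError }
    elseif (-not (Test-UserPermission -GroupTag $Row.'Group Tag' -UserGroups $UserGroups)) { $problems += 'No permissions' }
    # The serial in the CSV must agree with the one inside the hash (a mismatch means a tampered or mixed-up row).
    if ($Row.'Device Serial Number' -ne $Hardware.SerialNumber) { $problems += 'Bad Serial Number' }
    if ($cModel -notcontains $Hardware.Model) { $problems += 'Bad Model' }
    if ($Hardware.TpmVersion -ne '2.0') { $problems += 'Bad TPM' }
    return [pscustomobject]@{
        SerialNumber = $Row.'Device Serial Number'
        Import       = ($problems.Count -eq 0)
        Errors       = $problems
    }
}

# Constructed sample input in the standard Autopilot CSV layout (the hash column is a placeholder).
$csv = @'
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag
SN0001,,not-a-real-hash,AP-NL-HQ
SN0002,,not-a-real-hash,AP-FR-HQ
'@ | ConvertFrom-Csv

# Constructed stand-in for the AutopilotUtility output per serial.
$decoded = @{
    SN0001 = @{ SerialNumber = 'SN0001'; Model = 'HP EliteBook 840 G8'; TpmVersion = '2.0' }
    SN0002 = @{ SerialNumber = 'SN0002'; Model = 'Surface Laptop 4';    TpmVersion = '1.2' }
}
$uploaderGroups = @('Autopilot-NL-HQ')

$csv | ForEach-Object { Test-ImportRow -Row $_ -Hardware $decoded[$_.'Device Serial Number'] -UserGroups $uploaderGroups } |
    Format-Table SerialNumber, Import, @{ n = 'Errors'; e = { $_.Errors -join '; ' } }
```

Only rows with an empty Errors list go on the import list; SN0001 passes, while SN0002 is rejected for both its country code and its TPM version. Because the permission check is tied to the group tag in the row, a user cannot import a device into a country or entity they are not a member of.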
Below is an overview of all the functions. Some functions are only used for the import process. To run all of them you need the Graph permissions mentioned in the prerequisites.
| Function | Description |
|---|---|
| Get-AutoPilotImportedDevice (import only) | Gets all devices that were just imported with Import-AutoPilotCSV. It is part of the Import-AutoPilotCSV function. |
| Add-AutoPilotImportedDevice (import only) | Adds all devices that are in the Autopilot import CSV. It is part of the Import-AutoPilotCSV function. |
| Remove-AutoPilotDevice | Removes the device from Autopilot. Used in both the import and the remove process. |
| Remove-AutoPilotImportedDevice (import only) | Deletes the import device records once the Import-AutoPilotCSV function is done. |
| Import-AutoPilotCSV (import only) | Contains multiple functions to import devices from the CSV file. It processes the CSV device by device. |
| Invoke-AutoPilotSync (import only) | Triggers a sync so that changes become visible in Intune sooner. |
| Get-HardwareInfo (import only) | Uses AutopilotUtility to decode the hardware hash and cross-references the result with the defined conditions. |
| Update-GroupTag (import only) | If a device is already present in Intune, cross-checks and updates the current group tag. |
| Get-AADUserGroupMembership | Checks whether the user is a member of one or more Autopilot groups to determine permissions. |
| Get-AADUserMail | Retrieves the user's email address needed to send an error mail. |
| Write-Log | Every step is written to a log. This function keeps that clear and simple. |
When a runbook has finished, the uploader(s) of the CSV file(s) are told whether the import or remove action was successful. Logging is placed on SharePoint and the uploaders are notified by email when errors occur. The following error codes are communicated.
| Error code | Description |
|---|---|
| No permissions | The user does not have permissions to add or remove devices for that specific country and/or entity. |
| No Group tag | There is no group tag assigned to the device. |
| Bad Group tag | The assigned group tag is not in the list. |
| Bad Model (import only) | The device model is not in the list. |
| Bad Serial Number | The serial number in the CSV file does not match the one decoded from the hardware hash. |
| Bad TPM (import only) | The device does not have a TPM 2.0 chip. |
| No permission on current Group tag | The user does not have permissions on the group tag the device currently has. This prevents a user from hijacking a device that belongs to another country or entity by re-tagging it. |
| Device is active in Intune | The device must be removed from Intune first before it can be replaced or removed. |
| Device not found (remove only) | The device is not found in Windows Autopilot. |
| Fatal error during import (import only) | A generic error occurred during the Autopilot import process. |
| Device already assigned in Autopilot (import only) | The device is already registered in Autopilot for the same tenant. |
| Device is assigned to another tenant (import only) | The device is registered in Autopilot in another tenant. |
Below is an example of the error mail. The message subject and the Owner table header always address the account that uploaded the CSV file(s) with the device(s). The runbook looks up the owner's primary SMTP address; if the owner does not have one, no mail is sent.
Example of error(s) during the import process:
Example of error(s) during the remove process:
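One way to build and send that error mail through Graph with the Mail.Send application permission, as an added example that is not the blog's own function. It assumes `$Headers` holds a bearer token for the app registration, a sender mailbox UPN, and a list of failure objects with SerialNumber and Error properties as produced by the checks earlier in the runbook. The serial numbers come from a user-uploaded CSV, so they are HTML-encoded before being placed in the mail body.

```powershell
function Send-AutopilotErrorMail {
    # Returns $true when a mail was sent, $false when the owner has no primary SMTP address.
    param(
        [hashtable]$Headers,
        [string]$SenderUpn,      # mailbox the runbook sends from (assumption, not from the post)
        [string]$OwnerUpn,       # account that uploaded the CSV
        [string]$Action,         # 'import' or 'remove'
        [object[]]$Failures      # objects with SerialNumber and Error
    )
    $enc  = [System.Net.WebUtility]
    $user = Invoke-RestMethod -Method Get -Headers $Headers `
            -Uri "https://graph.microsoft.com/v1.0/users/$($OwnerUpn)?`$select=mail,displayName"
    if (-not $user.mail) { return $false }

    $rows = foreach ($f in $Failures) {
        "<tr><td>$($enc::HtmlEncode($f.SerialNumber))</td><td>$($enc::HtmlEncode($f.Error))</td></tr>"
    }
    $html = @"
<p>Owner: $($enc::HtmlEncode($user.displayName))</p>
<table border="1"><tr><th>Serial number</th><th>Error code</th></tr>$($rows -join '')</table>
"@
    $message = @{
        message = @{
            subject      = "Autopilot $Action errors for $($user.mail)"
            body         = @{ contentType = 'HTML'; content = $html }
            toRecipients = @(@{ emailAddress = @{ address = $user.mail } })
        }
        saveToSentItems = $false
    } | ConvertTo-Json -Depth 6
    Invoke-RestMethod -Method Post -Headers $Headers -Body $message `
        -Uri "https://graph.microsoft.com/v1.0/users/$SenderUpn/sendMail" | Out-Null
    return $true
}

# Constructed failures for a test run:
# $failures = @(
#     [pscustomobject]@{ SerialNumber = 'SN0002'; Error = 'Bad TPM' },
#     [pscustomobject]@{ SerialNumber = 'SN0003'; Error = 'No permissions' }
# )
# Send-AutopilotErrorMail -Headers $headers -SenderUpn 'autopilot@domain.com' -OwnerUpn 'user@domain.com' -Action 'import' -Failures $failures
```

Mail.Send as an application permission lets the app send as any mailbox in the tenant; scope it to the sender mailbox with an Exchange Online application access policy (New-ApplicationAccessPolicy) so a leaked client secret cannot be used to send mail as other users.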
There are multiple ways to implement this, check what suits your needs.