Get Windows AutoPilot device information of Microsoft Intune managed devices

This week I’m going to show an example of how to collect the Windows AutoPilot device information of existing Microsoft Intune managed (Windows 10) devices. That can be useful, for example, when an organization wants the same deployment experience for all devices, now and in the future. In that case it is very useful to gather the device information of the existing devices and upload that information. That will provide future deployments of those existing devices with the same company branded deployment experience as new devices. Another reason for this post is simply that I’ve received this request multiple times now.

This example uses an Azure storage account to store the Windows AutoPilot device information and the Get-WindowsAutoPilotInfo script to collect that information. In this post I’ll show the high-level steps to create the Azure storage account, followed by an overview of the PowerShell script that collects the information and writes it to the storage account. I’ll end this post with the Microsoft Intune configuration and a quick peek at the results. After that, simply collect the information and upload it via Microsoft Intune or the Microsoft Store for Business (or the Partner portal).

Create storage account

The first step is to create a storage account in Azure. The following four steps walk through the high-level steps to create a storage account including a file share. That file share will be used to store the Windows AutoPilot device information.

1 Open the Azure portal and navigate to Storage accounts;
2 Add a storage account of the Storage (general purpose v1) kind and make sure that Secure transfer required is enabled (remember the storage account name);
3 Navigate to Files and add a file share (remember the file share name);
4 Navigate to Access keys and view the available keys (remember the key).

Note: Be aware that not every ISP allows access from port 445 to Azure (for an overview see: https://social.technet.microsoft.com/wiki/contents/articles/32346.azure-summary-of-isps-that-allow-disallow-access-from-port-445.aspx).

Create PowerShell script

The second step is to create a PowerShell script to upload the Windows AutoPilot device information to the file share in the just created storage account.

Script variables

This PowerShell script is created for usage within Microsoft Intune. Currently the PowerShell script functionality within Microsoft Intune can’t work with input variables, which means that the values of the different variables have to be available in the script itself. That means that in the variables block at the top of the script (see the script snippet section) the following values should be adjusted.

  1. <StorageAccountKey>: This should be the access key of the created storage account (step 4);
  2. <StorageAccountName>: This should be the name of the created storage account (step 2);
  3. <ShareName>: This should be the name of the share of the created storage account (step 3).

Script actions

The PowerShell script performs a few actions to complete the required activities. Those actions can be found in the different try-catch blocks (see the script snippet section).

  1. Create a drive with the created Azure storage account;
  2. Download the available script from PowerShell Gallery;
  3. Set the location to the location of the downloaded script;
  4. Install the downloaded script;
  5. Run the installed script and use the created drive for the output;
  6. Remove the downloaded script and the created drive.

Script snippet

The PowerShell script is shown below.

The script is available as a GitHub gist: https://gist.github.com/pvanderwoude/09f4e1354a41a40e5a6f98bd826333c7

Note: Be aware that downloading PowerShell Gallery items requires PowerShellGet and that PowerShellGet requires the NuGet provider to work with the PowerShell Gallery (for more information see: https://docs.microsoft.com/en-us/powershell/gallery/psgallery/psgallery_gettingstarted).
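As an added example, the script below is my own implementation of the six script actions described above; it is not the gist from the post. The placeholders in the variables block are the post’s; the drive name, the download folder, the port 445 pre-check (for the ISP note above) and the per-device output file name are assumptions. Actions 3 and 4 are folded together: the copy that Save-Script downloads is run in place, which avoids a second round trip to the gallery that Install-Script would make.

```powershell
# Added example, not the gist from the post: the six script actions from the
# "Script actions" section, written to run in SYSTEM context via Intune.

# --- Variables block (adjust per the post's steps 2, 3 and 4) ---
$StorageAccountKey  = '<StorageAccountKey>'
$StorageAccountName = '<StorageAccountName>'
$ShareName          = '<ShareName>'

# Assumed names, not from the post.
$DriveName   = 'AutoPilot'
$DownloadDir = Join-Path -Path $env:ProgramData -ChildPath 'AutoPilotInfo'
$ScriptName  = 'Get-WindowsAutoPilotInfo'
$ShareHost   = "$StorageAccountName.file.core.windows.net"

# Pre-check for the port 445 issue from the note: fail early with a clear
# message instead of a generic drive-mapping error.
if (-not (Test-NetConnection -ComputerName $ShareHost -Port 445 -InformationLevel Quiet)) {
    Write-Error "Port 445 to $ShareHost is not reachable from this network"
    exit 1
}

try {
    # 1. Create a drive with the created Azure storage account. The account key
    #    is the password and the user name is AZURE\<storage account name>.
    $secureKey  = ConvertTo-SecureString -String $StorageAccountKey -AsPlainText -Force
    $credential = New-Object -TypeName System.Management.Automation.PSCredential `
                             -ArgumentList "AZURE\$StorageAccountName", $secureKey
    New-PSDrive -Name $DriveName -PSProvider FileSystem -Root "\\$ShareHost\$ShareName" `
                -Credential $credential -ErrorAction Stop | Out-Null
}
catch {
    Write-Error "FAILED to connect to Azure storage: $($_.Exception.Message)"
    exit 1
}

try {
    # 2. Download the script from the PowerShell Gallery. Save-Script needs the
    #    NuGet provider (see the note above), so bootstrap it when it is missing.
    if (-not (Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)) {
        Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
    }
    New-Item -Path $DownloadDir -ItemType Directory -Force | Out-Null
    Save-Script -Name $ScriptName -Path $DownloadDir -Force -ErrorAction Stop

    # 3/4. Set the location to the downloaded script and use that copy directly
    #      instead of installing it into the AllUsers scripts folder.
    Set-Location -Path $DownloadDir
    $scriptPath = Join-Path -Path $DownloadDir -ChildPath "$ScriptName.ps1"

    # 5. Run the script and write its CSV to the created drive, one file per
    #    device, named after the computer (assumed naming).
    $outputFile = "$($DriveName):\$env:COMPUTERNAME.csv"
    & $scriptPath -OutputFile $outputFile
}
catch {
    Write-Error "FAILED to collect AutoPilot information: $($_.Exception.Message)"
}
finally {
    # 6. Remove the downloaded script and the created drive, whatever happened
    #    above. Leave the download folder first so it can be deleted.
    Set-Location -Path $env:SystemRoot
    Remove-Item -Path $DownloadDir -Recurse -Force -ErrorAction SilentlyContinue
    Remove-PSDrive -Name $DriveName -Force -ErrorAction SilentlyContinue
}
```

Get-WindowsAutoPilotInfo reads the hardware hash through WMI, which needs administrative rights; the SYSTEM context that Intune uses when “Run the script using the logged on credentials” is set to No satisfies that, while a standard user session does not. The storage account key is a full-access key and ends up in the script and in the Intune Management Extension logs, so use a storage account dedicated to this collection and regenerate the key once the CSV files have been gathered.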

Configure PowerShell script

The third step is to configure the PowerShell script in Microsoft Intune. To upload the script, follow the next five steps. After uploading the script, simply assign the script to the required users and/or devices.

1 Open the Azure portal and navigate to Intune > Device configuration > PowerShell scripts;
2 On the Device configuration – PowerShell scripts blade, click Add script to open the Add PowerShell script blade;
3 On the Add PowerShell script blade, provide the following information and click Settings to open the Script Settings blade;

  • Name: Provide a valid name for the PowerShell script policy;
  • Description: (Optional) Provide a description for the PowerShell script policy;
  • Script location: Browse to the PowerShell script.

Note: The script must be less than 10 KB (ASCII) or 5 KB (Unicode).

4 On the Script Settings blade, provide the following configuration and click OK to return to the Add PowerShell script blade;

  • Run the script using the logged on credentials: No;
  • Enforce script signature check: No.

Note: Configuring Run the script using the logged on credentials to No means that the PowerShell script will run in the SYSTEM context.

5 Back on the Add PowerShell script blade, click Create.

End result

Now let’s end this post by looking at the results. The file share in the created storage account will start filling with CSV files of the different Windows 10 devices that are managed by Microsoft Intune, as shown below.

[Image: the file share in the Azure storage account listing the per-device CSV files]

Now that the required device information is available in the file share of the storage account, it can be downloaded and imported via, for example, Microsoft Intune. Of course it’s also possible to use PowerShell to merge these CSV files into one big CSV file. That is relatively easy, for example by using Get-Content and always grabbing the second line of each CSV file.
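The merge described above, as an added example that is not part of the original post: each file written by Get-WindowsAutoPilotInfo consists of a header line and one device line, so the function takes the header from the first file and the second line from every file. The folder and output file paths are assumptions; the function also skips files whose header differs or that have no device line, so a partially written file cannot corrupt the merged CSV.

```powershell
# Added example, not from the post: merge the per-device CSV files downloaded
# from the file share into one CSV file for import into Intune.

# Assumed paths; point them at the mapped drive or a local copy of the share.
$SourceFolder = 'C:\AutoPilotInfo'
$MergedFile   = 'C:\AutoPilotInfo\AllDevices.csv'

function Merge-AutoPilotCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Destination
    )

    # Never read the merged file itself as input when it lives in the same folder.
    $destinationFull = [System.IO.Path]::GetFullPath($Destination)
    $files = @(Get-ChildItem -Path $Path -Filter '*.csv' -File |
               Where-Object { $_.FullName -ne $destinationFull })
    if ($files.Count -eq 0) { throw "No CSV files found in $Path" }

    # Header from the first file; every other file must carry the same header.
    $header = Get-Content -Path $files[0].FullName -TotalCount 1
    $lines  = New-Object -TypeName 'System.Collections.Generic.List[string]'
    $lines.Add($header)

    foreach ($file in $files) {
        $content = @(Get-Content -Path $file.FullName)
        if ($content.Count -lt 2) {
            Write-Warning "Skipping $($file.Name): no device line"
            continue
        }
        if ($content[0] -ne $header) {
            Write-Warning "Skipping $($file.Name): header differs from $($files[0].Name)"
            continue
        }
        # The second line is the single device row produced by Get-WindowsAutoPilotInfo.
        $lines.Add($content[1])
    }

    # Serial numbers, hardware hashes and product IDs are plain ASCII, so the
    # merged file is written without a byte-order mark.
    $lines | Set-Content -Path $Destination -Encoding ASCII
    return ($lines.Count - 1)   # number of device rows written
}

$deviceCount = Merge-AutoPilotCsv -Path $SourceFolder -Destination $MergedFile
Write-Output "Merged $deviceCount device(s) into $MergedFile"
```

The header check matters when files were produced by different versions of Get-WindowsAutoPilotInfo: a file with extra or missing columns would otherwise produce a row that no longer lines up with the header, and the Intune import rejects the whole CSV.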

28 thoughts on “Get Windows AutoPilot device information of Microsoft Intune managed devices”

  1. Nice and good for customers that want to migrate to a modern workplace concept. I used a similar construction for deploying custom software, scripts and executables. Found at another Peter 🙂 blog @ https://blog.peterdahl.net/2017/12/12/deploy-exe-file-from-microsoft-intune-using-azure-blob-storage/

    It’s always debatable to supply a name and key in a script file because it will be in the PS Management Extensions log files in plain text. But sometimes we have no choice.

  2. The eventual goal is to eliminate the need for something like this: If you’ve already got a device enrolled in Intune, we can automatically add it to AutoPilot. Stay tuned.

  3. Hi, I’ve tried to import the CSV file into Intune and it returned an error saying the device is already a member of AAD and couldn’t be imported into AutoPilot :\

    • Hi Eduardo,
      Can you provide some more details, like if you already previously added that device to AutoPilot?
      I just successfully uploaded device information of a device that already existed in AAD.
      Regards, Peter

      • Hi Peter,
        I haven’t added that device to autopilot before but I have registered and joined it to Azure AD manually.

        Under Device Enrollment – Windows Enrollment, I click on Manage Windows Autopilot Devices, select import, choose the csv file – that parts works but the import process comes back with the following error:

        Internal error
        ERROR CODE:
        814 – ZtdDeviceAlreadyAadRegistered
        CSV LINE NUMBERS AFFECTED:
        1

        Thanks,
        Eduardo

        • Hi Eduardo,
          I just heard that the behavior recently changed for importing AutoPilot devices. At this moment the import will fail when the device is already available in Azure AD.
          Regards, Peter

          • That is good, so I know the error is not related to my tenant or something that I’ve missed.

            This change in behavior is a shame. I came across your article because of this statement: “That will provide future deployments of those existing devices with the same company branded deployment experience as new devices.” But at least your article is great, showing us how to export the necessary information from existing machines. 🙂

            Thanks,
            Eduardo

  4. Peter,
    I am able to get this to run manually if I run my PS session as an admin (elevated rights) so I know the script works. However, when I push this to my Intune machines it fails since all teammates are users on their machines and not admins. I have this running in system context but that does not seem to help. Any ideas on a resolution?

    Thanks,
    Mike M.

    • Hi Michael,
      Running a script as admin is not the same as running a script as SYSTEM, which is what Intune does. Having said that, keep in mind that you can now also easily target already Intune managed devices without separately importing those devices.
      Regards, Peter

  5. Hello,

    Like Michael’s comment, my script will fail if run through Intune, but it will run with admin permissions locally and show up in my storage account, although there were a couple of prompts where I had to accept.

    I noticed the note:

    Note: Be aware that downloading PowerShell Gallery items requires PowerShellGet and that PowerShellGet requires the NuGet provider to work with the PowerShell Gallery (for more information see: https://docs.microsoft.com/en-us/powershell/gallery/psgallery/psgallery_gettingstarted).

    Could this be causing the failure?

    I’m also wondering if the execution policies of the machine could be causing the error? If I run locally it will prompt to allow a couple of times, and script works, ID sends to my blob storage.

    I’ve tried as current user and system in Intune and the script has been failing. I even set the execution policy to bypass on the current user and local machine to test and still no go.

  6. Hi Peter

    And to whom should this script be assigned? I chose an AD group where all users are members!? Is this the right way?

    thanks

  7. Peter,

    I followed your steps one by one but I get:

    FAILED to connect to Azure storage

    Can you think any reason why? I believe you had a script to check access to the store share but can’t find it…
