Jump to content


anyweb

Adding devices to an Azure AD group after Windows Autopilot is complete - part 2

Recommended Posts

Introduction

In part 1 you learned how to use Azure functions and a http trigger to add a device to an Azure Ad security group. In this part you'll see how it all fits together on the client side after Autopilot is complete.

Step 1. Get the scripts

Download the client side scripts here. Please read the note before trying.

Note: To download the files here, please make sure you are logged on to this site otherwise you'll get an error.

  • Download the following zip file here: temp.zip

Step 2. Extract the files

Extract the files to C:\temp

extract to temp.png

Step 3. Edit AddDeviceToAzureAdGroup.ps1

Using Windows PowerShell ISE or notepad, open AddDeviceToAzureAdGroup.ps1, you need to edit the following two lines.

edit the following two lines.png

Replace $company with your own company name, and for $URL you will need to login to your Azure resource group created in part 1 and copy the HttpTrigger1 url by clicking on Get Function URL and copying the url as shown below.

Get function URL.png

 

Note: If you don't do this properly then it won't work !

Paste in the URL you copied from your HttpTrigger and append &deviceID= on the end as shown here.

URL.png

Step 4. Encode the scripts

Open the EncodeScripts.ps1 script and run it. It will generate new encoded copies of the two scripts that will become embedded in the

encode the scripts.PNG

Step 5. Edit AddDeviceToAzureAdGroup_CreateScheduledTask.ps1

Open AddDeviceToAzureAdGroup_CreateScheduledTask.ps1 and scroll down to the $Base64_1 line.

In notepad, open C:\temp\encoded1.txt, press CTRL+A and CTRL+C to copy everything in that file. Back in the PowerShell script, paste the copied content into the $Base64_1 variable in between the "" as shown below.

copy everything from encoded1 to the first variable.png

repeat this exercise for the $Base64_2 variable but use the C:\temp\encoded2.txt file contents for that variable.

Note: You have to repeat this process any time you edit either of the following two scripts.

  • AddDeviceToAzureAdGroup.ps1
  • AddDeviceToAzureAdGroup.vbs

After my edits it looks like this, your encoded variables will most likely have different values.after adding the encoded changes.png

Save the file.

Step 6. Add the PowerShell script to Intune

Create a new deployment to your Autopilot Users group using the  AddDeviceToAzureAdGroup_CreateScheduledTask.ps1 PowerShell script.

add script to intune.png

use the following settingsfollowing settings.png

Deploy it to your Autopilot Users group

autopilot users.png

Step 7. Verify the end result

Launch Autopilot

start autopilot.png

After it's done, you'll login to the desktop. If you check scheduled tasks you should see this task is scheduled to run approx 15 minutes after you've logged on, if you see a different behavior then please modify the setting on line 79 of  the AddDeviceToAzureAdGroup_CreateScheduledTask.ps1 script.

scheduled task.png

The task that created that scheduled task extracted files to the users temp folder.

extracted files.png

 

As the task hasn't run yet we don't have a log file for adding the device to the azure ad group yet. The scheduled task log looks something like this however.

scheduled task log file.png

After the scheduled task has run you'll have a new log file to look at called AddDeviceToAzureAdGroup.log available in the logged on users temp folder.

The log file is very detailed and will show the actions of getting the deviceID, detecting the Group Name and the success of adding the device to the Azure Ad group. Below you can see that it has confirmed the addition of the device to the group.

adddevicetoazureadgroup log file.png

At which point you can check the group in the MEM portal. And there's your device ?

job done.png

The script also creates registry keys so that you can see when it added the device, to which group and using which deviceID.

autopilot completed in registry.png

Job done !

I hope you found this useful, if you do, please give me feedback.

cheers

niall

Share this post


Link to post
Share on other sites

Any particular reason to deploy to users? We don't have an Autopilot users group as we don't know who will be getting an Autopiloted device. I have dynamic groups for all Autopilot devices and for specific group tags. Any downside you can see to deploying to All Autopilot Devices? I've been searching for a way to exclude Completed Autopilot Devices from app and configuration deployments and I'm hoping this is the solution. 

Share this post


Link to post
Share on other sites

there are two reasons, if you deploy this as required to your autopilot devices then how will you know when to run it, when deployed to users you can look for the username and make sure it doesn't match defaultuser0 (the user account used by windows during autopilot oobe), to ignore that user and only do actions based on a valid user,

you could probably use this method in your scenario but you'll need to get creative in adapting it, or start targeting users :)

 

you could do it by verifying that the logged on user is NOT defaultuser0 and that there is a logged on user, sounds weird but that could do it

Share this post


Link to post
Share on other sites

Beautiful, worked first time. Thanks Niall.

Re deploying to Users group, this is also important if you're testing something. For example I am using this to fix the time automatically for the UK but I have users in Switzerland and I would need a different group for them, one size doesn't fit all.

Share this post


Link to post
Share on other sites

Hi, In step no3 to get "Get Function URL" I am getting three options to choose URL's. So which one from below needs to be used as the needed URL for step 3 :

_master (Host key)

default (Function key)

default (Host key)

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.