
Autopilot App Registration

David Segura and Mike Marable

Last updated 3 years ago

This process creates an Azure Active Directory App Registration, which you can then use with Get-WindowsAutopilotInfo to register a device in Autopilot.

I originally discovered this solution from

Get-WindowsAutoPilotInfo Snippet

Use the following snippets as examples of how to register a device from PowerShell using Get-WindowsAutoPilotInfo and an App Registration.

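# Values from the App Registration (left blank here)
$TenantId = ''
$AppId = ''
$AppSecret = ''
# Group Tag to set on the Autopilot device
$GroupTag = ''
# -Online registers the device with the tenant directly instead of writing a file
Get-WindowsAutoPilotInfo -Online -TenantId $TenantId -AppId $AppId -AppSecret $AppSecret -GroupTag $GroupTag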

Splatting

$AutopilotParams = @{
    Online = $true
    TenantId = ''
    AppId = ''
    AppSecret = ''
    GroupTag = 'YourGroupTag'
}
Get-WindowsAutoPilotInfo @AutopilotParams

Create an App Registration

Start by creating a Single Tenant App Registration in Azure Active Directory. The name really doesn't matter, but be descriptive.

API Permissions

The following API permissions need to be set to allow Autopilot registration with Get-WindowsAutopilotInfo. You will need to grant admin consent for your App Registration.

Manifest

It's much easier to edit the requiredResourceAccess configuration in the App Registration Manifest by copying what I have here:

"requiredResourceAccess": [
	{
		"resourceAppId": "00000003-0000-0000-c000-000000000000",
		"resourceAccess": [
			{
				"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
				"type": "Scope"
			},
			{
				"id": "243333ab-4d21-40cb-a475-36241daa0842",
				"type": "Role"
			},
			{
				"id": "5ac13192-7ace-4fcf-b828-1a26f28068ee",
				"type": "Role"
			}
		]
	}
],
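A check that an App Registration carries exactly the three entries in the fragment above and nothing more, as an added example that is not part of the original guide. In a manifest, "Role" marks an application permission and "Scope" a delegated one. The function name, the sample manifest and the 11111111-... permission id are constructed for illustration.

```powershell
# Expected entries, copied from the manifest fragment on this page ("resourceAppId|id|type").
$Expected = @(
    '00000003-0000-0000-c000-000000000000|e1fe6dd8-ba31-4d61-89e7-88639da4683d|Scope'
    '00000003-0000-0000-c000-000000000000|243333ab-4d21-40cb-a475-36241daa0842|Role'
    '00000003-0000-0000-c000-000000000000|5ac13192-7ace-4fcf-b828-1a26f28068ee|Role'
)

# Hypothetical helper: compares a manifest's requiredResourceAccess with the expected list.
function Compare-RequiredResourceAccess {
    param(
        [Parameter(Mandatory)][string]$ManifestJson,
        [string[]]$ExpectedEntry = $Expected
    )
    $manifest = $ManifestJson | ConvertFrom-Json
    # Flatten every resource/permission pair into the same "resource|id|type" key.
    $actual = @(foreach ($res in $manifest.requiredResourceAccess) {
        foreach ($perm in $res.resourceAccess) {
            '{0}|{1}|{2}' -f $res.resourceAppId, $perm.id, $perm.type
        }
    })
    [pscustomobject]@{
        Extra   = @($actual | Where-Object { $_ -notin $ExpectedEntry })   # requested, not on this page
        Missing = @($ExpectedEntry | Where-Object { $_ -notin $actual })   # on this page, not requested
    }
}

# Constructed sample manifest: one expected Role is absent and one unknown Role was added.
$sample = @'
{ "requiredResourceAccess": [ {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" },
      { "id": "243333ab-4d21-40cb-a475-36241daa0842", "type": "Role" },
      { "id": "11111111-2222-3333-4444-555555555555", "type": "Role" }
    ] } ] }
'@

$result = Compare-RequiredResourceAccess -ManifestJson $sample
"Extra:   $($result.Extra -join ', ')"
"Missing: $($result.Missing -join ', ')"
```

Pass the manifest JSON copied from the App Registration as -ManifestJson; any entry under Extra is a permission the registration requests beyond what this guide sets.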

Certificates & secrets

Create a new Client secret and copy the Value.

PowerShell Script

Gather your Application ID and Tenant ID. Those will be used as values to pass to Get-WindowsAutopilotInfo.

Get-WindowsAutoPilotInfo

With all the proper values in place, you can compose a PowerShell script to register an Autopilot device. This example has a GroupTag of Enterprise.

$AutopilotParams = @{
    Online = $true
    TenantId = 'xxxxxxxx-f4bd-4048-b6cd-42db00a0bf3a'
    AppId = 'xxxxxxxx-fb7f-4470-a55e-ef1e7a0fa7ea'
    # Client secret Value copied from Certificates & secrets
    AppSecret = 'xxxxx~JQRdzKEM3_KP.ooFnk5pkeBcLDj2m..'
    GroupTag = 'Enterprise'
    # Wait for the Autopilot profile assignment to complete
    Assign = $true
}
Get-WindowsAutoPilotInfo @AutopilotParams

Key Vault

You can convert the PowerShell script to an Azure Key Vault Secret by copying the script to the Clipboard and running the command below (yes, I know the screenshot needs to be updated). You will have to create the Key Vault separately.

Set-CloudSecret -VaultName mmsmoa -Name AutopilotJoinApp -Clipboard

OOBE

If you have a Key Vault set up, you can now register a device in Autopilot with one of the following commands:

#OSD Module using Device Code Flow
Invoke-CloudSecret mmsmoa AutopilotJoinApp

#No OSD Module
Install-Module Az.KeyVault -Force
Connect-AzAccount
Invoke-Expression (Get-AzKeyVaultSecret -VaultName mmsmoa -Name AutopilotJoinApp -AsPlainText)
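Because the secret holds a whole script that Invoke-Expression runs, whoever can write that secret decides what executes on the device. The following added example (not part of the original guide or the OSD module) parses the retrieved text and accepts it only if it has the shape of the script on this page: a hashtable plus one splatted call. Test-AutopilotSecretScript, the allow list and both sample scripts are constructed for illustration, and this is a shape check, not a sandbox.

```powershell
function Test-AutopilotSecretScript {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        # Assumption: the stored script only ever needs to call this one command.
        [string[]]$AllowedCommand = @('Get-WindowsAutoPilotInfo')
    )
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    $problems = @($errors | ForEach-Object { "parse error: $($_.Message)" })
    # AST node types that a "hashtable plus one splatted call" script never contains.
    $banned = 'InvokeMemberExpressionAst', 'ScriptBlockExpressionAst', 'SubExpressionAst',
              'ExpandableStringExpressionAst', 'TypeExpressionAst', 'FunctionDefinitionAst'
    foreach ($node in $ast.FindAll({ $true }, $true)) {
        $type = $node.GetType().Name
        if ($type -eq 'CommandAst') {
            # GetCommandName() is $null for dynamic invocations such as "& $x".
            $name = $node.GetCommandName()
            if (-not $name -or $name -notin $AllowedCommand) {
                $problems += "line $($node.Extent.StartLineNumber): unexpected command '$($node.Extent.Text)'"
            }
        } elseif ($type -in $banned) {
            $problems += "line $($node.Extent.StartLineNumber): disallowed construct $type"
        }
    }
    [pscustomobject]@{ Safe = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed samples: the script shape this page stores in Key Vault (placeholder values),
# and the same script with one extra, harmless command appended to stand in for tampering.
$good = @'
$AutopilotParams = @{
    Online = $true
    TenantId = '<tenant-id>'
    AppId = '<app-id>'
    AppSecret = '<client-secret>'
    GroupTag = 'Enterprise'
}
Get-WindowsAutoPilotInfo @AutopilotParams
'@
$tampered = $good + "`nStart-Process notepad.exe"

foreach ($text in $good, $tampered) {
    $check = Test-AutopilotSecretScript -ScriptText $text
    "Safe=$($check.Safe) $($check.Problems -join '; ')"
}
# On a device, $text would come from Get-AzKeyVaultSecret ... -AsPlainText, and
# Invoke-Expression would run only when $check.Safe is $true.
```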

Sponsor

OSDeploy is sponsored by Recast Software and their Systems Management Tools
MSP Automator
Quickstart: Register an app in the Microsoft identity platform (docsmsft)
Automated AutoPilot Enrollment Using Powershell and NinjaRMM (Automating Chaos)