# Autopilot App Registration

This process creates an Azure Active Directory App Registration that you can then use with Get-WindowsAutopilotInfo to register a device in Autopilot.

{% embed url="<https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app>" %}

I originally discovered this solution from [MSP Automator](https://twitter.com/ceejplaysgames).

{% embed url="<https://mspautomator.com/2021/10/03/automated-autopilot-enrollment-using-powershell-and-ninjarmm>" %}

## Get-WindowsAutoPilotInfo Snippet

Use the following snippets as examples of how to register a device from PowerShell using Get-WindowsAutoPilotInfo and an App Registration.

```powershell
$TenantId = ''
$AppId = ''
$AppSecret = ''
$GroupTag = ''
Get-WindowsAutoPilotInfo -Online -TenantId $TenantId -AppId $AppId -AppSecret $AppSecret -GroupTag $GroupTag
```

### Splatting

```powershell
$AutopilotParams = @{
    Online = $true
    TenantId = ''
    AppId = ''
    AppSecret = ''
    GroupTag = 'YourGroupTag'
}
Get-WindowsAutoPilotInfo @AutopilotParams
```

## Create an App Registration

Start by creating a Single Tenant App Registration in Azure Active Directory. The name really doesn't matter, but be descriptive.

![](https://3996045416-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LDKRxGiKLYjW1gana2O%2Fuploads%2FAHFB21o92zmQqqM66qhF%2Fimage.png?alt=media\&token=b9e0bf33-7da6-4504-86f8-c2aefeb308f7)

## API Permissions

The following API permissions need to be set to allow Autopilot registration with Get-WindowsAutopilotInfo. You will need to **Grant admin consent** for your App Registration.

![](https://3996045416-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LDKRxGiKLYjW1gana2O%2Fuploads%2F1K6UmEKoNHuCjqMJuvEi%2Fimage.png?alt=media\&token=de27cc38-676a-42ce-a3b7-66c59c1153d1)

### Manifest

It's much easier to edit the **requiredResourceAccess** configuration in the App Registration Manifest by copying what I have here:

```json
"requiredResourceAccess": [
	{
		"resourceAppId": "00000003-0000-0000-c000-000000000000",
		"resourceAccess": [
			{
				"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
				"type": "Scope"
			},
			{
				"id": "243333ab-4d21-40cb-a475-36241daa0842",
				"type": "Role"
			},
			{
				"id": "5ac13192-7ace-4fcf-b828-1a26f28068ee",
				"type": "Role"
			}
		]
	}
],
```

## Certificates & secrets

Create a new Client secret and copy the Value.

![](https://3996045416-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LDKRxGiKLYjW1gana2O%2Fuploads%2FiTQSLX3cchNhZhOEaVGS%2Fimage.png?alt=media\&token=fa078e3a-f7a0-4695-affa-3ca5e38239f3)

## PowerShell Script

Gather your Application ID and Tenant ID. Those will be used as values to pass to Get-WindowsAutopilotInfo.

![](https://3996045416-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LDKRxGiKLYjW1gana2O%2Fuploads%2FIacwUsfC7AjZSO9hLWrF%2Fimage.png?alt=media\&token=fdf8ffda-484d-4e45-bd3f-efb9ce53b639)

## Get-WindowsAutoPilotInfo

With all the proper values in place, you can compose a PowerShell script to register an Autopilot Device. This example has a GroupTag of Enterprise.

```powershell
$AutopilotParams = @{
    Online = $true
    TenantId = 'xxxxxxxx-f4bd-4048-b6cd-42db00a0bf3a'
    AppId = 'xxxxxxxx-fb7f-4470-a55e-ef1e7a0fa7ea'
    AppSecret = 'xxxxx~JQRdzKEM3_KP.ooFnk5pkeBcLDj2m..'
    GroupTag = 'Enterprise'
    Assign = $true
}
Get-WindowsAutoPilotInfo @AutopilotParams
```

## Key Vault

You can convert the PowerShell script to an Azure Key Vault Secret by copying the script to the Clipboard (yes, I know the screenshot needs to be updated), and yes, you will have to create the Key Vault separately.

```powershell
Set-CloudSecret -VaultName mmsmoa -Name AutopilotJoinApp -Clipboard
```

![](https://3996045416-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LDKRxGiKLYjW1gana2O%2Fuploads%2FVHvMnQ7qWTzylvx3NGq5%2Fimage.png?alt=media\&token=aa27245f-baa6-4658-bc02-3df49f221311)

## OOBE

You can now register a device in Autopilot with the following commands if you have a Key Vault set up.

```powershell
#OSD Module using Device Code Flow
Invoke-CloudSecret mmsmoa AutopilotJoinApp

#No OSD Module
Install-Module Az.KeyVault -Force
Connect-AzAccount
Invoke-Expression (Get-AzKeyVaultSecret -VaultName mmsmoa -Name AutopilotJoinApp -AsPlainText)
```
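
The OOBE commands above pass whatever text the Key Vault secret holds to Invoke-Expression, so the secret's content runs as code on the device. As an added example (not part of the original page or the OSD module), the function below parses the retrieved text and accepts it only if Get-WindowsAutoPilotInfo is the sole command it invokes; `Test-AutopilotScript`, `$AllowedCommands` and the sample strings are assumptions made for illustration.

```powershell
# Added example; Test-AutopilotScript and $AllowedCommands are hypothetical names.
function Test-AutopilotScript {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string[]]$AllowedCommands = @('Get-WindowsAutoPilotInfo')
    )
    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) { return $false }

    # Every command must have a literal name that is on the allowlist.
    $commands = @($ast.FindAll({
        $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true))
    if ($commands.Count -eq 0) { return $false }
    foreach ($command in $commands) {
        $name = $command.GetCommandName()   # $null for indirect calls such as & $x
        if (-not $name -or $name -notin $AllowedCommands) { return $false }
    }

    # No .NET method calls, type literals or script blocks.
    $other = @($ast.FindAll({
        $args[0] -is [System.Management.Automation.Language.InvokeMemberExpressionAst] -or
        $args[0] -is [System.Management.Automation.Language.TypeExpressionAst] -or
        $args[0] -is [System.Management.Automation.Language.ScriptBlockExpressionAst]
    }, $true))
    return ($other.Count -eq 0)
}

# Constructed sample inputs with placeholder values.
$expected = @'
$AutopilotParams = @{
    Online = $true
    TenantId = '<tenant-id>'
    AppId = '<app-id>'
    AppSecret = '<app-secret>'
    GroupTag = 'Enterprise'
}
Get-WindowsAutoPilotInfo @AutopilotParams
'@
$modified = $expected + "`nStart-Process notepad.exe"

Test-AutopilotScript -ScriptText $expected
Test-AutopilotScript -ScriptText $modified

# At OOBE the same gate would sit in front of Invoke-Expression:
# $script = Get-AzKeyVaultSecret -VaultName mmsmoa -Name AutopilotJoinApp -AsPlainText
# if (Test-AutopilotScript -ScriptText $script) { Invoke-Expression $script }
```

The check narrows what a modified secret can execute; who is allowed to write secrets in the vault still decides what runs on the device.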

## Sponsor

OSDeploy is sponsored by [Recast Software](https://www.recastsoftware.com/?utm_source=osdeploy\&utm_medium=ad\&utm_campaign=web) and their Systems Management Tools

