Automatically import Windows Autopilot devices using a remediation script and Azure Automation

In this post I will show you a solution allowing you to automatically register devices with Autopilot using a remediation script and Azure Automation.

How does it work ?

For this solution we will use:

- A Remediation script

- An Azure Automation runbook

Remediation script

Purpose: This script is used to get the Harware hash from devices and upload it to a SharePoint.

The remediation script will:

1. Get the hardware hash of devices

2. Save hash in a txt file

3. Upload txt in a SharePoint

4. TXT file name: DeviceName_SerialNumber.txt

In this method I don't use the Get-WindowsAutopilotInfo but get the hash manually.

Azure Automation runbook

Purpose: The runbook script is used to check hardware hash files and upload them on the Autopilot devices part.

The Automation runbook will:

1. Get all txt files from SharePoint

2. Get SN from the file name

3. Check in Autopilot if SN exists

4. If yes:

- Remove file from SharePoint

- Add device in exclusion group of Remediation script

5. If not

- Import device to Autopilot

- Remove file from SharePoint

- Add device in exclusion group of Remediation script

Get the script

Click on the below GitHub picture to get the script

Creating the SharePoint application

We will create a SharePoint application to upload devices list.

For that check my post here.

Remediation script part

The first step is to create an Exclusion group.

This group will be used to excluded devices that are already in Autopilot devices.

Then we will proceed as below:

1. Go to the Microsoft Endpoint Manager admin center

2. Go to Devices

3. Go to Remediations

5. Click on Create script package

6. Type a name

7. Click on Next

8. Click on Detection script file

9. Select the detection script

13. Click on Next

14. In Included groups, select a group

15. In Excluded groups, select a group

15. Schedule the script

16. Click on Apply

17. Click on Next

18. Click on Create

Azure Automation part

Creating the account

1. Go to Azure

2. In the search bar type: Automation accounts

3. Go to Automation accounts

4. Click on Create

5. Type a name

6. Choose a Subscription

7. Choose the Resource group

8. Choose your region

9. Click on Create

10. Wait a bit

11. Click on Go to resource

Adding permissions

Once the Managed Identity has been configured a new Enterprise application will be created.

Then you need to add permissions to do some actions, there permission to get info from the Autopilot events part.

The required permission is the following: DeviceManagementManagedDevices.Read.All

To add this permission you will need to use PowerShell, it can't be done through the portal.

For that use the script Assign_permission on my GitHub repo.

You just need to fill below variables:

- $TenantID: your tenant ID

- $DisplayNameOfMSI: name of your automation account

Adding modules

1. Go to your automaton acount

2. Click on Modules gallery

3. Search: pnp.powershell

4. Click on pnp.powershell

5. Click on Import

6. Click on OK

Creating a Runbook

1. Go to Azure

2. Go to Automation accounts

3. Go to Runbooks

4. Click on + Create a runbook

5. Type a name

6. In Runbook type, select PowerShell

7. Click on Create

How to use the script ?

Download the runbook script from my GitHub.

In this script set below variables

Adding script in Runbook

The runbook script is located downloaded sources

Its name is: Runbook_script.ps1

Testing the Runbook

1. Click on Test pane

2. Click on Start

3. Once finished, you should see Completed

Publishing the Runbook

1. Go to your Runbook

2. Click on Edit

3. Click on Publish

4. Click on Yes

Scheduling the Runbook

1. Go to your Runbook

2. Click on Schedules

3. Click on + Add a schedule

4. Click on Link a schedule to your runbook

5. Click on + Add a schedule

6. Type a schedule name

7. In Recurrence, select Recuring

8. Click on Create