Windows Autopilot Plan B

By Johan Arwidmark / June 8, 2022
Share
Share

Windows Autopilot is pretty great… when it works. But the last few months there has been more issues with the Windows Autopilot service than I have fingers to count with, so here is a post on setting up a backup plan for enrolling devices automatically into Intune during deployment, without Autopilot.

The Plan

The Autopilot backup plan is fairly straightforward:

  1. Create a provisioning package that contains a bulk enrollment token for Intune
  2. Modify your deployment task sequence to stage the provisioning package during imaging

Creating a Provisioning Package for Bulk Enrollment

Creating a provisioning package for bulk enrollment can be done either by using the Windows Configuration Designer (part of Windows ADK, and also available on the Microsoft store), or via the AADInternals PowerShell module written by Dr. Nestori Syynimaa (@DrAzureAD).

Note: Provisioning Packages for bulk enrollment can also be created in the ConfigMgr console, which is really just using the Windows Configuration Designer behind the scenes when exporting an enrollment profile to an enrollment package.

Anyway, here is an excellent post from Michael Niehaus (@mniehaus) that covers both scenarios, plus some extra tips around automation:

Automatically join devices to Azure AD
https://oofhours.com/2022/03/04/automatically-join-devices-to-azure-ad/

Note: I have also added some additional great reading in the end of this blog post, see the "Additional Resources" section.

Bulk Enrollment Package Created

Adding the Provisioning Package to your Task Sequence

In this section you find instructions on how to add a bulk enrollment package to a task sequence in both ConfigMgr and MDT Lite Touch. Let's start with ConfigMgr.

Add the Enrollment Package to a ConfigMgr Task Sequence

First, create a ConfigMgr package without a program, holding the content of the bulk enrollment package. Then download the StageEnrollmentPackage_CM.ps1 script, add that to the package, and distribute the package to your distribution points. In my example I named the package AAD Bulk Enrollment – Expire 06032022.

The StageEnrollmentPackage_CM.ps1 added to the package

Creating the package in ConfigMgr

Second, edit your task sequence, and after the built-in Apply Network Settings action, add a Run PowerShell Script action with the following settings:
Name: Stage Enrollment Package
Select a package with a PowerShell script: <your previously created enrollment package>
Script name: StageEnrollmentPackage_CM.ps1
PowerShell execution policy: Bypass

Stage Enrollment Package action added to the task sequence

Add the Enrollment Package to an MDT Lite Touch Task Sequence

In your MDT deployment share, create a folder named ProvisioningPackages, and copy your bulk enrollment package folder to the ProvisioningPackages folder. In my example, the folder for my enrollment package was named BulkEnrollment-Expire06032022.

Enrollment package added to deployment share

Add a new custom variable to your CustomSettings.ini file named EnrollmentPackage, and set the variable to the path of your provisioning package. For example:

[Settings]
Priority=Default
Properties=EnrollmentPackage

[Default]
EnrollmentPackage=%DeployRoot%\ProvisioningPackages\BulkEnrollment-Expire06032022\BulkEnrollment-Expire06032022.ppkg

Download the StageEnrollmentPackage_MDT.ps1 from GitHub, and copy it to the scripts folder in your deployment share. In my example my deployment share path is E:\MDTProduction.

StageEnrollmentPackage_MDT.ps1 copied to the deployment share

Edit your Windows 10 or Windows 11 task sequence, and in the Postinstall node, add a Run Command Line action with the following settings

Name: Stage Enrollment Package
Command Line: PowerShell.exe -ExecutionPolicy Bypass -File "%SCRIPTROOT%\StageEnrollmentPackage_MDT.ps1"

Enrollment package added to an MDT Lite Touch task sequence.

When deploying the MDT Lite Touch Task Sequence, make sure to configure your CustomSettings.ini to join the machine into a workgroup, or prompt for Domain/Workgroup during deployment.

Joining a Workgroup during MDT deployment

Additional Resources

Bulk enrollment for Windows 10 devices – By Peter van der Woude
https://www.petervanderwoude.nl/post/bulk-enrollment-for-windows-10-devices/

Bulk enrollment for Windows devices – Microsoft Docs
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll

BPRT unleashed: Joining multiple devices to Azure AD and Intune – By Dr. Nestori Syynimaa
https://o365blog.com/post/bprt/

About the author

Johan Arwidmark

0 0 votes
Article Rating
Subscribe
Notify of
guest
2 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Lorenzo
Lorenzo
4 months ago

Great one Johan. Is there a way to check if a device is already enrolled in autopilot as part of MDT deployment? This mostly relates to refurbished computers bought elsewhere. Thanks for any info you can share on this.

0
Reply
Johan Arwidmark
Author
Johan Arwidmark
4 months ago
Reply to  Lorenzo

Yes, you can add a script that checks for this. Either in the WinPE phase, as long as you use a web service like RestPS, or in the specialize pass in Windows.

0
Reply
←Previous post Next post→
>