anyweb Posted December 18, 2020

Introduction

In part 1 you learned how to use Azure Functions and an HTTP trigger to add a device to an Azure AD security group. In this part you'll see how it all fits together on the client side after Autopilot is complete.

Step 1. Get the scripts

Download the client side scripts here. Please read the note before trying.

Note: To download the files here, please make sure you are logged on to this site, otherwise you'll get an error.

Download the following zip file here: temp.zip

Step 2. Extract the files

Extract the files to C:\temp

Step 3. Edit AddDeviceToAzureAdGroup.ps1

Using Windows PowerShell ISE or Notepad, open AddDeviceToAzureAdGroup.ps1; you need to edit the following two lines. Replace $company with your own company name, and for $URL you will need to log in to your Azure resource group created in part 1 and copy the HttpTrigger1 URL by clicking on Get Function URL and copying the URL as shown below.

Note: If you don't do this properly then it won't work!

Paste in the URL you copied from your HttpTrigger and append &deviceID= on the end as shown here.

Step 4. Encode the scripts

Open the EncodeScripts.ps1 script and run it. It will generate new encoded copies of the two scripts that will become embedded in the

Step 5. Edit AddDeviceToAzureAdGroup_CreateScheduledTask.ps1

Open AddDeviceToAzureAdGroup_CreateScheduledTask.ps1 and scroll down to the $Base64_1 line. In Notepad, open C:\temp\encoded1.txt, press CTRL+A and CTRL+C to copy everything in that file. Back in the PowerShell script, paste the copied content into the $Base64_1 variable in between the "" as shown below. Repeat this exercise for the $Base64_2 variable but use the C:\temp\encoded2.txt file contents for that variable.

Note: You have to repeat this process any time you edit either of the following two scripts.

AddDeviceToAzureAdGroup.ps1
AddDeviceToAzureAdGroup.vbs

After my edits it looks like this; your encoded variables will most likely have different values. Save the file.

Step 6. Add the PowerShell script to Intune

Create a new deployment to your Autopilot Users group using the AddDeviceToAzureAdGroup_CreateScheduledTask.ps1 PowerShell script. Use the following settings. Deploy it to your Autopilot Users group.

Step 7. Verify the end result

Launch Autopilot. After it's done, you'll log in to the desktop. If you check Scheduled Tasks you should see this task is scheduled to run approx. 15 minutes after you've logged on; if you see a different behavior then please modify the setting on line 79 of the AddDeviceToAzureAdGroup_CreateScheduledTask.ps1 script. The task that created that scheduled task extracted files to the user's temp folder. As the task hasn't run yet we don't have a log file for adding the device to the Azure AD group yet. The scheduled task log looks something like this however.

After the scheduled task has run you'll have a new log file to look at called AddDeviceToAzureAdGroup.log available in the logged on user's temp folder. The log file is very detailed and will show the actions of getting the deviceID, detecting the Group Name and the success of adding the device to the Azure AD group. Below you can see that it has confirmed the addition of the device to the group. At which point you can check the group in the MEM portal. And there's your device 🙂

The script also creates registry keys so that you can see when it added the device, to which group and using which deviceID.

Job done! I hope you found this useful; if you do, please give me feedback.

cheers
niall
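The client-side flow of steps 3 to 7, as an added PowerShell example; this is not the content of temp.zip or niall's scripts, and it makes several assumptions: $Company, $Url and $GroupName are placeholders, the device ID is read from dsregcmd /status, the encoded copies are plain Base64 of the file bytes, the registry record lives under HKCU:\Software\<company>, and the log file carries the name the post mentions in the user's temp folder. One caveat a practitioner should keep in mind: the URL from Get Function URL carries the function's access key in its code= query parameter (which is why &deviceID= is appended with an ampersand), and Base64 is an encoding rather than protection, so anyone who can read the deployed script or the decoded file in the temp folder can call the function with any deviceID. What limits misuse is the function's own validation of what it accepts, plus rotating the key if the script leaks.

```powershell
# Added example (not the original post's scripts). Placeholders below are assumptions.
$Company   = 'Contoso'
$GroupName = '<target AAD group>'
# The URL copied from "Get Function URL" in part 1, with &deviceID= appended.
# code=... is the function access key: a secret, even after Base64 encoding.
$Url = 'https://<yourfunctionapp>.azurewebsites.net/api/HttpTrigger1?code=<functionkey>&deviceID='

function ConvertTo-Base64Script {
    # Equivalent of the encode step: file bytes -> Base64 string to paste into a $Base64_n variable.
    param([Parameter(Mandatory)][string]$Path)
    [Convert]::ToBase64String([IO.File]::ReadAllBytes($Path))
}

function Write-Base64Script {
    # Reverse of the above: decode an embedded script into the logged-on user's temp folder.
    param([Parameter(Mandatory)][string]$Base64, [Parameter(Mandatory)][string]$FileName)
    $target = Join-Path $env:TEMP $FileName
    [IO.File]::WriteAllBytes($target, [Convert]::FromBase64String($Base64))
    $target
}

function Write-Log {
    param([string]$Message)
    $log = Join-Path $env:TEMP 'AddDeviceToAzureAdGroup.log'
    "$(Get-Date -Format s) $Message" | Add-Content -Path $log
}

function Get-AadDeviceId {
    # Assumed method: parse the DeviceId line of dsregcmd /status.
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*DeviceId\s*:\s*(\S+)') { return $Matches[1] }
    }
    throw 'DeviceId not found; is the device Azure AD joined?'
}

function Add-DeviceToAadGroup {
    param([Parameter(Mandatory)][string]$DeviceId)
    # The function from part 1 takes the device ID as a query-string parameter.
    # Escape it so an unexpected value cannot add further query parameters.
    $uri = $Url + [Uri]::EscapeDataString($DeviceId)
    Invoke-RestMethod -Uri $uri -Method Get -TimeoutSec 60
}

function Write-ResultToRegistry {
    # Record when, which group and which deviceID, as the post's script does (location assumed).
    param([string]$DeviceId, [string]$Group)
    $key = "HKCU:\Software\$Company\AddDeviceToAzureAdGroup"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name DeviceId  -Value $DeviceId
    Set-ItemProperty -Path $key -Name GroupName -Value $Group
    Set-ItemProperty -Path $key -Name AddedOn   -Value (Get-Date -Format s)
}

function Register-AddDeviceTask {
    # The scheduled task: runs the decoded script about 15 minutes after the user logs on.
    # The delay is the knob the post refers to on line 79 of its CreateScheduledTask script.
    param([Parameter(Mandatory)][string]$ScriptPath)
    $trigger = New-ScheduledTaskTrigger -AtLogOn -User "$env:USERDOMAIN\$env:USERNAME"
    $trigger.Delay = 'PT15M'                                    # ISO 8601 duration
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
    $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -StartWhenAvailable
    Register-ScheduledTask -TaskName "$Company-AddDeviceToAzureAdGroup" `
        -Trigger $trigger -Action $action -Settings $settings -Force
}

# --- What the Intune-deployed script does (step 5/6): unpack and schedule ---
# $Base64_1 would hold the output of ConvertTo-Base64Script 'C:\temp\AddDeviceToAzureAdGroup.ps1'
# $scriptPath = Write-Base64Script -Base64 $Base64_1 -FileName 'AddDeviceToAzureAdGroup.ps1'
# Register-AddDeviceTask -ScriptPath $scriptPath

# --- What the scheduled task does when it fires (step 7) ---
function Invoke-AddDeviceToGroup {
    try {
        $deviceId = Get-AadDeviceId
        Write-Log "DeviceId: $deviceId"
        $response = Add-DeviceToAadGroup -DeviceId $deviceId
        Write-Log "Function response: $response"
        Write-ResultToRegistry -DeviceId $deviceId -Group $GroupName
        Write-Log "Added $deviceId to $GroupName"
    } catch {
        Write-Log "FAILED: $_"
        throw
    }
}
```

The decoded script and the log both sit in the user's writable temp folder, so the same user can read the function key out of them; if that matters in your environment, prefer a per-deployment key on the function and remove the decoded file once the task has run.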
RaslDasl Posted May 4, 2021

Any particular reason to deploy to users? We don't have an Autopilot users group as we don't know who will be getting an Autopiloted device. I have dynamic groups for all Autopilot devices and for specific group tags. Any downside you can see to deploying to All Autopilot Devices? I've been searching for a way to exclude Completed Autopilot Devices from app and configuration deployments and I'm hoping this is the solution.
anyweb Posted May 5, 2021

There are two reasons. If you deploy this as required to your Autopilot devices, then how will you know when to run it? When deployed to users, you can look for the username and make sure it doesn't match defaultuser0 (the user account used by Windows during Autopilot OOBE), to ignore that user and only do actions based on a valid user. You could probably use this method in your scenario but you'll need to get creative in adapting it, or start targeting users. You could do it by verifying that the logged on user is NOT defaultuser0 and that there is a logged on user. Sounds weird, but that could do it.
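The gate anyweb describes for a device-targeted deployment (wait until there is a logged-on user and it is not defaultuser0), as an added PowerShell example that is not anyweb's script. It assumes Win32_ComputerSystem.UserName is an acceptable way to find the console user; the poll loop and its timeout are also this example's choice.

```powershell
# Added example: decide whether a real interactive user is present before doing user-based actions.
function Get-InteractiveUser {
    # Assumed method: the console user as DOMAIN\name or AzureAD\name; empty when nobody is logged on.
    (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
}

function Test-RealUserLoggedOn {
    # Returns $true only for a non-empty user whose account name is not defaultuser0,
    # the account Windows uses during Autopilot OOBE.
    param([string]$UserName = (Get-InteractiveUser))
    if ([string]::IsNullOrWhiteSpace($UserName)) { return $false }
    $account = $UserName.Split('\')[-1]
    return $account -ne 'defaultuser0'
}

function Wait-ForRealUser {
    # A device-targeted script cannot know when OOBE ends, so poll until a real user appears.
    param([int]$TimeoutMinutes = 60, [int]$PollSeconds = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $user = Get-InteractiveUser
        if (Test-RealUserLoggedOn -UserName $user) { return $user }
        Start-Sleep -Seconds $PollSeconds
    }
    throw "No interactive user other than defaultuser0 within $TimeoutMinutes minutes"
}

# Constructed inputs exercising the decision logic without a live session:
Test-RealUserLoggedOn -UserName 'AzureAD\jsmith'       # a real user
Test-RealUserLoggedOn -UserName 'PC01\defaultuser0'    # the OOBE account
Test-RealUserLoggedOn -UserName ''                     # nobody logged on
```

When the polling script runs as SYSTEM, the user returned by Wait-ForRealUser is the one whose context (temp folder, HKCU) the follow-on actions need; the scheduled-task approach in the post sidesteps that by letting the logon trigger supply the user.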
bondy666 Posted July 5, 2022

Beautiful, worked first time. Thanks Niall. Re deploying to Users group, this is also important if you're testing something. For example I am using this to fix the time automatically for the UK but I have users in Switzerland and I would need a different group for them; one size doesn't fit all.