In this article I’ll explain how you can automatically enrol existing devices into Intune/AzureAD using Microsoft Deployment Toolkit (MDT) and Autopilot Profiles.
There are a few reasons you may want to do this, for example:
- Converting existing On-Prem devices to Intune/AzureAD without having to manually enrol them.
- Using custom Windows images instead of the manufacturer provided Windows installations (No bloatware!!)
By the end of this article you will have an MDT task sequence that:
- Installs a custom operating system image
- Copies the Autopilot profile to the device
- Reboots the device, ready for a user to sign in and enrol it into Azure AD/Entra
Step 1 – Create Autopilot Profile
If you haven’t already created an Autopilot profile, you need to do so by heading to Intune > Devices > Windows > Windows Enrolment > Deployment Profiles.
Note: This must be set to ‘user-driven’
Step 2 – Export Autopilot Profile
To begin, run PowerShell as administrator and install the required modules to connect to Intune/Autopilot.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module WindowsAutopilotIntune -MinimumVersion 5.4.0 -Force
Install-Module Microsoft.Graph.Groups -Force
Install-Module Microsoft.Graph.Authentication -Force
Install-Module Microsoft.Graph.Identity.DirectoryManagement -Force
Import-Module WindowsAutopilotIntune -MinimumVersion 5.4
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement
If you have issues importing the modules, you can temporarily relax the execution policy for the current PowerShell session only:
Set-ExecutionPolicy Bypass -Scope Process
We can now export the Autopilot profile(s) to our device using the following script; remember to change $targetDirectory to an accessible location.
Connect-MgGraph -Scopes "Device.ReadWrite.All", "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "Domain.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All", "User.Read"
$AutopilotProfile = Get-AutopilotProfile
$targetDirectory = "C:\AutopilotProfiles"
$AutopilotProfile | ForEach-Object {
New-Item -ItemType Directory -Path "$targetDirectory\$($_.displayName)"
$_ | ConvertTo-AutopilotConfigurationJSON | Set-Content -Encoding Ascii "$targetDirectory\$($_.displayName)\AutopilotConfigurationFile.json"
}
You’ll be prompted to enter your credentials; sign in with an account that has access to Intune/Autopilot profiles. (If this is the first time connecting to MS Graph you’ll be prompted to allow access.)
Verify the profile has exported by navigating to the target directory and checking that the AutopilotConfigurationFile.json file is there.
Step 3 – Add the Autopilot JSON to the MDT Task Sequence
Start by copying the Autopilot profile FOLDER from the step above and head over to your MDT deployment share.
Paste the folder into the ‘Scripts‘ folder on your deployment share.
You can now either create a new task sequence or open an existing one; I will edit an existing one.
In the ‘Post Install’ section add a new ‘Run Command Line’ step and enter the following.
xcopy %SCRIPTROOT%\LaptopsAutopilot\AutopilotConfigurationFile.json %OSDisk%\Windows\provisioning\AutoPilot\ /c
Note: be sure to update the path to reflect the folder name in your Scripts folder.
This will inject the Autopilot profile into the target device.
Now create another ‘Run Command Line’ step and enter the following.
cmd.exe /c del %OSDisk%\Windows\Panther\unattend.xml /s
This will remove the unattend file and force the device to boot into OOBE when it reboots.
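As an added example (not from the original article, and not an MDT or Microsoft script), the two ‘Run Command Line’ steps above can be replaced by a single ‘Run PowerShell Script’ step that validates the exported JSON before staging it, so a missing file or a profile for the wrong tenant stops the task sequence instead of producing a device that enrols nowhere. It assumes the profile folder under Scripts is named LaptopsAutopilot, that you replace the tenant ID placeholder with your own, and that the key names are those written by ConvertTo-AutopilotConfigurationJSON.

```powershell
# Stage-AutopilotProfile.ps1 – run from MDT as %SCRIPTROOT%\Stage-AutopilotProfile.ps1
# Assumptions: folder 'LaptopsAutopilot' under Scripts; replace the tenant id placeholder.
param(
    [string]$ProfileFolder    = 'LaptopsAutopilot',
    [string]$ExpectedTenantId = '<your-tenant-guid>'   # placeholder, replace with your tenant id
)

# MDT exposes task sequence variables (SCRIPTROOT, OSDisk) through this COM object.
$tsenv     = New-Object -ComObject Microsoft.SMS.TSEnvironment
$source    = Join-Path $tsenv.Value('SCRIPTROOT') "$ProfileFolder\AutopilotConfigurationFile.json"
$osDisk    = $tsenv.Value('OSDisk')
$targetDir = Join-Path $osDisk 'Windows\Provisioning\AutoPilot'
$target    = Join-Path $targetDir 'AutopilotConfigurationFile.json'
$unattend  = Join-Path $osDisk 'Windows\Panther\unattend.xml'

function Fail([string]$Message) {
    Write-Host "ERROR: $Message"
    exit 1   # non-zero exit fails the step (leave 'Continue on error' unticked)
}

if (-not (Test-Path $source)) { Fail "Profile not found at $source" }

# Validate the profile before touching the offline image.
try   { $apProfile = Get-Content -Raw $source | ConvertFrom-Json }
catch { Fail "Profile is not valid JSON: $_" }

# The JSON decides which tenant the device will enrol into, so pin it explicitly.
if ($apProfile.CloudAssignedTenantId -ne $ExpectedTenantId) {
    Fail "Profile targets tenant '$($apProfile.CloudAssignedTenantId)', expected '$ExpectedTenantId'"
}
# 0 = Azure AD/Entra join. A hybrid-join profile (1) does not work with this method.
if ($apProfile.CloudAssignedDomainJoinMethod -ne 0) {
    Fail "Profile is not an Azure AD join profile (CloudAssignedDomainJoinMethod=$($apProfile.CloudAssignedDomainJoinMethod))"
}

# Copy into the offline OS, confirm it landed, then force OOBE on the next boot.
New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
Copy-Item -Path $source -Destination $target -Force
if (-not (Test-Path $target)) { Fail "Copy to $target failed" }
if (Test-Path $unattend)      { Remove-Item $unattend -Force }

Write-Host "Staged Autopilot profile for $($apProfile.CloudAssignedTenantDomain) at $target"
exit 0
```

Add the script to the Scripts folder and point the ‘Run PowerShell Script’ step at it; the tenant ID check is the part worth keeping even if you prefer the original xcopy step.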
Step 4 – Run the Task Sequence
You can now run your MDT task sequence. Once the image is installed, the device should reboot and present the Autopilot sign-in screen.
Simply enter the credentials of an account with permission to enrol devices and away you go. The end result is a freshly imaged machine joined to Intune/Azure AD/Entra.
Note: although this uses an Autopilot profile to join the device to Intune, it does not register the device with Autopilot. Should the device be wiped, it will not automatically contact Microsoft and download the Autopilot profile.
#EdTech Network Manager, experienced in Microsoft 365, Server 2019, Intune, SCCM and anything in between.
Great
Nice article. One question though. This isn’t an option if I want to use this on domain joined computers, right? Because if I install a new OS, join it to the domain (during the task sequence), and then try to load the Autopilot profile, it won’t work. Unless I use sysprep /oobe to get to the OOBE, but that removes the domain join.
If you want your PCs to be domain joined, the easiest way would be to image as normal using SCCM or MDT, then use group policy to join Intune (see my other article): https://liam-robinson.co.uk/automatically-enroll-domain-joined-pcs-into-intune-via-gpo/