azure
17 Topics

Automated import of Hardware Hashes into Intune
Hi everyone,

So, here is the script I used to pre-seed the hardware hashes into my Intune environment. Please check it over before just running it.

You'll need to create a csv called: computernamelist.csv

In this file, you'll need a list of all your computer names like this:

"ComputerName"
"SID-1234"
"SID-4345"

You can use the Get-ADComputer command to gather all your computers and output to a CSV.

Features:
It will run through 10 computers at a time.
It will remove computers that it has confirmed as being updated in Intune.
Pings a computer first to speed it up. Only for devices on your network or on the VPN.
You can schedule it to run, or I just re-ran it a bunch of times over a few weeks.

    # Path to the CSV file
    $csvPath = "C:\scripts\computernamelist.csv"

    # Import the CSV file
    $computers = Import-Csv -Path $csvPath

    # Number of concurrent jobs (adjust as needed)
    $maxConcurrentJobs = 10

    # Array to store the job references
    $jobs = @()

    # Ensure the required settings and script are set up
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
    Install-Script -Name Get-WindowsAutopilotInfo -Force

    # Authenticate with Microsoft Graph (Office 365 / Azure AD).
    # Note: background jobs run in their own process and do not inherit this session;
    # Get-WindowsAutopilotInfo -Online will prompt for sign-in inside a job if no Graph
    # session exists there.
    Connect-MgGraph

    # Function to remove a computer from the CSV after successful import
    function Remove-ComputerFromCSV {
        param (
            [string]$computerName,
            [string]$csvPath
        )
        $remaining = Import-Csv -Path $csvPath | Where-Object { $_.ComputerName -ne $computerName }
        $remaining | Export-Csv -Path $csvPath -NoTypeInformation
        Write-Host "Removed $computerName from CSV."
    }

    # Wait for a batch of jobs, print their result, remove successful imports from the CSV
    # and clean the jobs up. This runs in the parent session: the jobs cannot see the
    # function above, and doing the CSV edit here means only one process touches the file.
    function Complete-Jobs {
        param ([System.Management.Automation.Job[]]$jobList)
        foreach ($job in $jobList) {
            Write-Host "Waiting for Job ID $($job.Id) ($($job.State)) to complete..."
            $job | Wait-Job | Out-Null
            Write-Host "Job ID $($job.Id) has completed."
            if ($job.State -eq 'Completed') {
                # The job's last output item is its result object
                $result = Receive-Job -Job $job | Select-Object -Last 1
                Write-Host "Output for Job ID $($job.Id): $($result.Message)"
                if ($result.Imported) {
                    Remove-ComputerFromCSV -computerName $result.ComputerName -csvPath $csvPath
                }
            } elseif ($job.State -eq 'Failed') {
                Write-Host "Job ID $($job.Id) failed."
            }
            Remove-Job $job -Force
        }
    }

    # Loop through each computer in the CSV
    foreach ($computer in $computers) {
        $computerName = $computer.ComputerName

        # Start a new background job for each computer. The job returns a result object;
        # the parent updates the CSV once the job has been received.
        $job = Start-Job -ScriptBlock {
            param($computerName)
            $result = [pscustomobject]@{ ComputerName = $computerName; Imported = $false; Message = '' }

            # Check if the computer is reachable (ping check)
            if (Test-Connection -ComputerName $computerName -Count 1 -Quiet) {
                # Ensure TLS 1.2 is used and execution policy is set for the job
                [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
                Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

                # Run the Autopilot info command. Its status messages go to the host/information
                # stream rather than the pipeline, so merge all streams into one string to match on.
                $output = Get-WindowsAutopilotInfo -Online -Name $computerName *>&1 | Out-String

                # Check if the output contains the success or error messages
                if ($output -like "*devices imported successfully*") {
                    $result.Imported = $true
                    $result.Message = "Success: $computerName - Autopilot info imported successfully."
                } elseif ($output -like "*error 806 ZtdDeviceAlreadyAssigned*") {
                    $result.Message = "Error: $computerName - Device already assigned."
                } else {
                    $result.Message = "Error: $computerName - Unknown issue during import."
                }
            } else {
                $result.Message = "$computerName is offline. Skipping."
            }
            $result
        } -ArgumentList $computerName

        # Add the job to the list
        $jobs += $job
        Write-Host "Started job for $computerName with Job ID $($job.Id)."

        # If the number of jobs reaches the limit, wait for them all before starting new ones
        if ($jobs.Count -ge $maxConcurrentJobs) {
            Complete-Jobs -jobList $jobs
            $jobs = @()
        }
    }

    # Wait for any remaining jobs to complete and process their output
    if ($jobs.Count -gt 0) {
        Complete-Jobs -jobList $jobs
    }

This is all derived from: https://learn.microsoft.com/en-us/autopilot/add-devices

"Get-WindowsAutopilotInfo" is from this link. Hope this helps someone.

Thanks,
Tim Jeens

Moving from MDT/WDS to Autopilot part 2
Hi everyone

Following up on my previous post about moving from MDT/WDS to Windows Autopilot, I wanted to share some of the more detailed parts of the deployment and config that might help others working through similar issues.

Wi-Fi (RADIUS + NPS + Azure AD Join): This was hands-down one of the trickiest bits. We use a local RADIUS server (Windows NPS) with certificates for EAP authentication, and users authenticate using local AD credentials, despite Autopilot devices being Azure AD joined. I had to build a custom Wi-Fi configuration profile in Intune that handled certificate trust, proper targeting, and worked with our existing NPS policies. If anyone needs help with this scenario, I’m happy to share more details. I’ll be posting the full configuration soon.

BitLocker Conflicts: BitLocker generally worked, but only after cleaning up overlapping configurations. Intune allows BitLocker settings to be applied via multiple paths (Device Configuration, Endpoint Security, Encryption, even legacy GPOs via ADMX). I found they MUST be aligned across all sources — otherwise, ESP fails or encryption doesn’t trigger. My fix: consolidate BitLocker settings under Endpoint Security and Windows Configurations and ensure nothing else contradicts them; they give different options, hence the need for the two.

App Deployment + Detection Scripts: Some software just doesn’t play nice with Intune alone. We had issues with SolidWorks and other legacy tools. For these, I used NinjaOne to run custom silent installers and Intune detection scripts to track success and reapply if needed. For complex installs, I had to fall back on Proactive Remediation scripts to detect and fix problems.

Compliance Baselines & Settings: We're gradually shifting to Intune-based compliance. I ported over our core GPO baselines and rebuilt them using Configuration Profiles, Settings Catalog, and Security Baselines. Compliance policies then reference these, so non-conformant machines are flagged. Still evolving this as we onboard more devices.

Licensing Requirements: For anyone wondering, some of these capabilities require specific licensing. We're running "Microsoft 365 E3" + "Enterprise Mobility + Security E3", which gives us access to:
Proactive Remediations
Intune-based compliance management
Scripted deployments and reporting
Note, only 1 user in the tenant needs these two licences to enable the features.

Summary
This move to Autopilot wasn’t just a deployment change; it pushed us to rethink how we handle security, authentication, app installs, and policy enforcement. There’s still more to do, but we’ve built a solid foundation that’s scalable and more resilient than our old MDT-based approach. If you’re dealing with similar challenges or stuck on something like Wi-Fi, BitLocker or app installs, feel free to reach out. I’ve probably hit the same wall and am happy to compare notes or share scripts/settings if it helps.

Cheers,
Timothy Jeens

Cloud PKI SCEP
Hello All, I have set up the steps to utilise Cloud PKI to issue SCEP certificates to users so they can be used for email security (S/MIME). Root and intermediary were set up in Cloud PKI successfully, and configuration profiles for both were created and deployed successfully to test devices. When it comes to the SCEP profile, it has also been deployed, but no success status is showing yet in the report and the issuing certificate is not showing any leaf certificates. No errors are currently showing and the report just says pending. Any idea what is causing the delay or how to investigate? Thanks in advance.

can't add default access role to enterprise application
I have added a user for my Enterprise Manager, but I noticed the role assigned is not the 'Default Access' role. It's a different role ('Tester'). When I initially created this user, there was no option for the 'Default Access' role. It only had 'Tester'. I want to change the role of this user to 'Default Access', but I couldn't find where to change it. I was wondering if you know where to change the role?

Devices are ad joined on-prem how do i join to azure ad
Hi, I have devices that are on-prem AD joined. I have AAD Connect sync running but no federation or seamless sign-on. How would I get them joined to Azure AD as well without impacting anything like GPOs or user experience etc.? End goal is to get them into Intune. Can I keep my devices being authenticated from my local on-prem domain controller and have them in Azure AD for Intune management? Thanks

GIA - Get Intune Assignments Application
Hello Everyone, Some time ago I was struggling to get all Intune Assignments for a specific Azure AD Group. This option does not exist in the console, and we need to run a lot of queries at MS Graph and/or use PowerShell to retrieve them. So, to help the community I started to create PowerShell scripts to help query some of the Assignments, but I still had a lot of scripts, each one to retrieve a specific type of item (like profiles, conditional access, apps, etc.). After a while I decided to develop a C# .NET Application to facilitate the process. Today I want to share with all of you my GIA App (Get Intune Assignments). It's available on my GitHub page: sibranda/GetIntuneAssignments: Get Intune Assignments helps you to identify the Intune assignments targeting the Azure AD Groups (github.com) I hope this app can help you guys the same way it is helping me and my customers. Regards

Get the Intune enrolled devices synced into Azure Active Directory and show up as devices
Hi there, I have a question, I hope you can help me with that or give me some hints - I posted this question on Azure Active Directory but have not got any response from our fellows yet: Let's say I have added an iPhone in Apple Business Manager, and by a connector (I configured earlier) it comes over to Intune. So as an example, when I search for that device by serial number in Intune --> All Devices, it will be displayed there properly. But if I go and search for that device on the Devices in Azure AD, it does not show up. I want to add those devices to a group, so they should be displayed and show up in my AAD. How can I make/configure my Azure AD or Intune to see my devices which were enrolled in Intune, or is there any way I could get them synced between Intune and AAD? [ Intune --> AAD ]

Win 10 devices showing in AAD but not MEM
I am setting up a hybrid domain with an on-prem DC and syncing to AAD. I have the devices showing Azure Hybrid Join in AAD, but I am not able to get them to show in Intune/MEM (MS Endpoint Manager) so that we can manage them. I have set up the MDM Automatic Enrollment to apply to a single security group that contains my test user. The test user account has logged in to a laptop, which now shows as Azure hybrid joined.

Multiple instances of same device appearing in Azure AD
Hello guys, We have recently pushed out Conditional Access in our company and a few devices are failing to access company resources. After some research I found out that the specific devices appear twice in the Azure AD devices (Picture of device entry in Azure AD). I'm looking for a solution to either convert the AD-joined device into an Intune managed device or the other way around. Best, Abhi

Intune Win32 apps error 0x80070002
Hi! For my internship I've been trying to deploy Win32 apps in Intune; I followed the tutorial on Microsoft Docs: https://docs.microsoft.com/en-us/intune/apps-win32-app-management My system gives me a pop-up that installation has started, but after a couple of seconds it returns with a "failed" pop-up. When I go into Intune I get the error 0x80070002 and sometimes Error code: 0x0. I tried googling these but I can't seem to find anything Intune related. Can anybody point out to me what the errors mean? Thanks!!