I recently deployed a Windows Autopilot solution and, to simplify the Autopilot device registration experience, users are given the capability to register their devices themselves from the OOBE (Out of Box Experience) page by using the Get-WindowsAutopilotinfo -online command. Some organizations may not allow this approach and only want their IT Administrators to complete this process using an administrator account, which is a sound approach.
However, in another scenario, if a user is at a remote location and the IT Admin cannot get physical access to the laptop, I have used an approach where you elevate the user’s role/rights for the duration of device registration and then remove the elevated rights once the device is successfully imported/registered. Through this blog post, I will be sharing this solution with you.
There are other methods to register the device, e.g. generating the hardware hash on the device into a CSV file and uploading that CSV file directly to the Microsoft Intune admin center under Devices -> Windows -> Windows Enrollment -> Devices -> Import.
In this way, you can pre-assign a particular device to the user and pre-assign the Autopilot profile as well. If you go with this approach, there is no need to provide elevated access to the user and no need for the IT Administrator to register the device via the OOBE screen: the user can simply reset the Windows device and follow the instructions from the Autopilot profile to set up and sign in, as the device is already pre-registered.
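As an added example (not code from the original post), this is what the offline CSV approach looks like when run on the device from an elevated PowerShell session. It assumes the public Get-WindowsAutopilotInfo script from the PowerShell Gallery; the output path and group tag are placeholders.

```powershell
# Added example: capture the hardware hash to a CSV for import under
# Devices -> Windows -> Windows Enrollment -> Devices -> Import.
# Run from an elevated PowerShell on the device (or from OOBE via Shift+F10 -> powershell).
# C:\HWID and the 'Finance' group tag are placeholder values.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force

New-Item -ItemType Directory -Path C:\HWID -Force | Out-Null

# No sign-in, Intune role or app consent is needed for this step: the hash is only
# written locally and an administrator imports the CSV later in the admin center.
Get-WindowsAutopilotInfo -OutputFile C:\HWID\AutopilotHWID.csv -GroupTag 'Finance'

# Sanity-check the file before handing it to the administrator
# (the hardware hash column itself is long and is intentionally not shown here).
Import-Csv C:\HWID\AutopilotHWID.csv | Select-Object 'Device Serial Number', 'Group Tag'
```

Because nothing in this flow signs in to the tenant, it is the option to prefer when the policy is that only IT Administrators register devices; the only data that leaves the machine is the CSV file the user sends in.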
Let’s now see what a Temporary Elevated Permission looks like for a user who will register their device:
- User will have Intune Administrator Role.
- User will need to be exempted from any Conditional Access policy that blocks users from signing in on non-compliant devices.
- User will be provided access to Microsoft Intune Powershell Service Principal [Azure AD Enterprise Application]
Once the device is registered/imported successfully, remove the elevated permissions given to the user, as they are no longer required.
When users register the device from the OOBE screen after pressing Shift + F10 and then running get-windowsautopilotinfo -online, they may get a popup (as shown in the screenshot): Approval required. Microsoft Intune Powershell. This app requires your admin approval to. Therefore, users at this point will not be able to register their devices unless they are provided the required permissions.
Checking App Registrations and Enterprise Applications, I could not find an application called Microsoft Intune Powershell. Because an admin user must provide consent to create this application/service principal in your tenant, we need to run the command
Connect-MSgraph -adminconsent, which creates the Microsoft Intune Powershell app/service principal under the Azure Active Directory -> Enterprise Applications blade. Let’s see how to add this application.
Let’s first check the list of Apps currently available under the Enterprise application on my Entra ID admin center. Navigate to: Entra ID admin center > Applications > Enterprise applications.
At present, there is no existing Microsoft Intune PowerShell service principal. Let’s explore how to create it and grant access to the users.
- Type the command Connect-MSGraph -AdminConsent and use administrator credentials.
- Provide the administrator password.
- Click on Accept to provide admin consent. Review the permissions which this app will have the consent for.
- Once you are successful, it will return the UPN and Tenant ID on the portal. This means that the command was successful and it added the Microsoft Intune Powershell application/service principal object under Enterprise Applications.
- As shown in the screenshot below, the Microsoft Intune PowerShell application/service principal object has been successfully created.
- Click on this application and, on the left-hand side, click on Permissions to see the admin-consented permissions granted to this app.
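The steps above, scripted end to end, as an added example that is not part of the original post: the admin consent that creates the service principal, a check that it now exists, and the assignment of an Entra ID group to it (the approach the next paragraph recommends). It assumes the Microsoft.Graph.Intune and Microsoft.Graph PowerShell modules, a Global Administrator account, and a placeholder group name.

```powershell
# Added example: create and verify the "Microsoft Intune PowerShell" service principal,
# then scope who may use it to one Entra ID group.
# Assumes the Microsoft.Graph.Intune and Microsoft.Graph modules; 'Autopilot-Registration-Temp'
# is a placeholder group name.

# 1. Admin consent creates the enterprise application in the tenant (run as a Global Administrator).
Install-Module Microsoft.Graph.Intune -Scope CurrentUser
Connect-MSGraph -AdminConsent

# 2. Verify the service principal now exists (this is the object the Enterprise Applications blade shows).
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Group.Read.All'
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune PowerShell'"
if (-not $sp) { throw 'Service principal not found: admin consent did not complete.' }
$sp | Select-Object DisplayName, AppId, Id

# 3. Require assignment, so only users/groups explicitly assigned can sign in to the app.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 4. Assign the group. The app defines no app roles, so the all-zero GUID ("default access") is used.
$group = Get-MgGroup -Filter "displayName eq 'Autopilot-Registration-Temp'"
if (-not $group) { throw 'Placeholder group not found; create it first.' }
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -BodyParameter @{
    principalId = $group.Id
    resourceId  = $sp.Id
    appRoleId   = '00000000-0000-0000-0000-000000000000'
}

# 5. Confirm what is now assigned to the app.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType
```

Step 3 is the check worth keeping: with assignment required, a user who is not in the group gets the same "Approval required" prompt shown earlier instead of silently inheriting the consent, so membership of the group is the single thing to audit.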
To enable users to register their devices through the Autopilot process using the OOBE screen or a PowerShell console, you can add the users or an Azure AD group to the Microsoft Intune Powershell app. Best practice is to create an Azure AD group and use it to provide the permissions.
In the future, when a user wants to register or import their device, they can use their regular user account and run the “Get-WindowsAutopilotinfo -online” command.
This will enable device registration. Once the device is registered, it’s important to remove the user from the Azure Active Directory group.
The user was temporarily granted elevated access for this specific task. Keeping the user in this group would provide unnecessary privileges, so it’s best to remove them to maintain security.
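To keep the grant genuinely temporary, the add and the remove should be one scripted procedure rather than two tickets. The following is an added example (not the original post's code) that grants group membership, waits for the device to appear in Autopilot, and then revokes the membership and confirms it is gone. It assumes the Microsoft.Graph PowerShell module, that the group is the one assigned to the Microsoft Intune PowerShell app, and placeholder values for the UPN, group name and serial number.

```powershell
# Added example: time-boxed elevation for one registration.
# Assumes the Microsoft.Graph module; the UPN, group name and serial number are placeholders.
Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All', 'User.Read.All', 'DeviceManagementServiceConfig.Read.All'

$upn       = 'remote.user@contoso.example'          # placeholder
$groupName = 'Autopilot-Registration-Temp'           # placeholder (group assigned to the Intune PowerShell app)
$serial    = 'PLACEHOLDER-SERIAL'                    # placeholder, read from the device label

$user  = Get-MgUser  -UserId $upn
$group = Get-MgGroup -Filter "displayName eq '$groupName'"

# 1. Grant: add the user to the group for the duration of the task.
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
Write-Host "$upn added to $groupName at $(Get-Date -Format o)"

# 2. The user now runs, on the device from OOBE (Shift+F10 -> powershell):
#      Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
#      Install-Script -Name Get-WindowsAutopilotInfo -Force
#      Get-WindowsAutopilotInfo -Online
#    and signs in with their regular account when prompted.

# 3. Wait until the device shows up in Autopilot before revoking (poll up to ~10 minutes).
$found = $null
for ($i = 0; $i -lt 20 -and -not $found; $i++) {
    $found = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -Filter "contains(serialNumber,'$serial')"
    if (-not $found) { Start-Sleep -Seconds 30 }
}
if (-not $found) { Write-Warning "Device $serial not registered yet; membership will still be revoked." }

# 4. Revoke: remove the membership whether or not registration succeeded, then verify.
Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
$stillMember = Get-MgGroupMember -GroupId $group.Id -All | Where-Object Id -eq $user.Id
if ($stillMember) { throw "$upn is still a member of $groupName; revoke manually." }
Write-Host "$upn removed from $groupName at $(Get-Date -Format o)"
```

Revoking unconditionally in step 4 is deliberate: a failed registration should lead to a second, fresh grant, not to a standing membership that waits for someone to remember it. The two timestamps written to the console give the audit trail for how long the elevation lasted.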
In this blog post, we discussed different ways to register a device in the Microsoft Intune admin center, how to provide users with the capability to register their new devices themselves with temporary elevated permissions, and how to register the Microsoft Intune Powershell application/service principal using
Connect-MSgraph -adminconsent and add users to this application so that they have the admin consent required to register their devices.