Recently I deployed a Windows Autopilot solution, and to simplify the Autopilot device registration experience, users are given the capability to register their devices themselves from the OOBE (Out of Box Experience) page by using the Get-WindowsAutopilotInfo -online command. Some organizations may not allow this approach and only want their IT administrators to complete this process using an administrator account, which is a good approach.
However, in another scenario, if the user is at a remote location and physical access to the laptop is not possible, I have used an approach where you elevate the user's role / rights for the duration of the device registration and then remove the elevated rights once the device is successfully imported / registered. Through this blog post, I will be sharing this solution with you.
There are other methods to register the device, e.g. generating the hardware hash on the device into a CSV file and uploading the CSV file directly to Microsoft Endpoint Manager Admin Center under Devices -> Windows -> Windows Enrollment -> Devices -> Import.
In this way you can pre-assign a particular device to the user and pre-assign an Autopilot profile as well. If you go with this approach, there is no need to provide elevated access to the user, nor any need for an IT administrator to register the device via the OOBE screen: the user can simply reset the Windows device and follow the instructions from the Autopilot profile to set up / sign in, as the device is already pre-registered.
Let's now see what a temporary elevated permission looks like for a user who will register their device:
- User will have the Intune Administrator role.
- User will need to be excluded from any Conditional Access policy which blocks users from signing in on non-compliant devices.
- User will be provided access to the Microsoft Intune PowerShell service principal [Azure AD Enterprise Application].
Once the device is registered / imported successfully, remove the above permissions / role from the user, as they are no longer needed.
When users register the device from the OOBE screen after pressing Shift + F10 and then running Get-WindowsAutopilotInfo -online, they may get the popup message: "Approval required. Microsoft Intune PowerShell. This app requires your admin approval to:". Therefore, users at this point will not be able to register their devices unless they are provided the required permissions (as shown in the screenshot).
Checking App Registrations and Enterprise Applications, I could not find an application called Microsoft Intune PowerShell. As an admin user must provide consent to create this application / service principal in your tenant, we need to use the command Connect-MSGraph -AdminConsent, which will create the Microsoft Intune PowerShell app / service principal under the Azure Active Directory -> Enterprise Applications blade. Let's see how to add this application.
As of now, I am able to list the below applications under Enterprise applications in Azure Active Directory:
Navigate to: Azure Portal -> Azure Active Directory -> Enterprise applications.
Currently, as we can see, there is no Microsoft Intune PowerShell service principal. Let's see how we can create it and provide access to the users.
Type the command Connect-MSGraph -AdminConsent and use administrator credentials.
Click on Accept to provide admin consent. Review the permissions which this app will have consent for.
Once you are successful, it will return the UPN and Tenant Id on the portal. This means that the command was successful and it added the Microsoft Intune PowerShell application / service principal object in the Azure Portal under Azure Active Directory -> Enterprise Applications.
As you can see, the Microsoft Intune PowerShell application / service principal object is now created.
Click on this application and, on the left hand side, click on Permissions to find out about the admin-consented permissions provided to this app.
If you want users to register their devices via the Autopilot process through the OOBE screen / PowerShell console, you can add an Azure Active Directory security group here and add the user(s) into this group, or you can add a user directly to the Microsoft Intune PowerShell app, but the best practice is to use an AAD security group.
Next time the user uses their normal user account and runs Get-WindowsAutopilotInfo -online, they will be able to register / import their device. Once the device is registered, you can remove the user from this AAD group. We provided elevated access to the normal user temporarily, just for performing this task, so make sure you do not keep the user in this group, which would give the user unnecessary privileges.
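The grant / revoke steps above, scripted as an added example that is not part of the original post, using the Microsoft.Graph PowerShell module rather than the Intune PowerShell SDK the post uses. It assumes a hypothetical $TempGroupId (the object id of the AAD security group assigned to the Microsoft Intune PowerShell enterprise application) and leaves the Conditional Access exclusion as a manual portal step; on revoke it first checks the device's serial is actually in Autopilot and then verifies the rights are really gone.

```powershell
# Added example (not from the original post): grant / revoke the temporary
# elevation with the Microsoft.Graph module. Assumptions: $TempGroupId is the
# object id of the AAD group assigned to the Microsoft Intune PowerShell app;
# the Conditional Access exclusion is still handled manually in the portal.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [Parameter(Mandatory)][string]$TempGroupId,
    [Parameter(Mandatory)][string]$SerialNumber,   # device being registered
    [ValidateSet('Grant','Revoke')][string]$Action = 'Grant'
)

Connect-MgGraph -Scopes 'User.Read.All','GroupMember.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory','DeviceManagementServiceConfig.Read.All'

$user = Get-MgUser -UserId $UserPrincipalName
$role = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Intune Administrator'
if (-not $role) {
    # The role object only exists once it has been activated from its template.
    $tmpl = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Intune Administrator'
    $role = New-MgDirectoryRole -RoleTemplateId $tmpl.Id
}

if ($Action -eq 'Grant') {
    New-MgGroupMember -GroupId $TempGroupId -DirectoryObjectId $user.Id
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    Write-Host "Granted temporary Autopilot registration rights to $UserPrincipalName"
    return
}

# Revoke: only strip the rights once the device has actually been imported.
$imported = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
    Where-Object SerialNumber -eq $SerialNumber
if (-not $imported) { throw "Serial $SerialNumber not yet in Autopilot; rights left in place." }

Remove-MgGroupMemberByRef -GroupId $TempGroupId -DirectoryObjectId $user.Id
Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id

# Verify the clean-up rather than trusting it: neither membership should remain.
$stillInGroup = Get-MgGroupMember -GroupId $TempGroupId -All | Where-Object Id -eq $user.Id
$stillAdmin   = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | Where-Object Id -eq $user.Id
if ($stillInGroup -or $stillAdmin) { throw "Elevation for $UserPrincipalName was not fully removed." }
Write-Host "Revoked temporary rights for $UserPrincipalName; device $SerialNumber is registered."
```

Run it once with -Action Grant before the user starts OOBE and again with -Action Revoke after they report success; the revoke path refuses to run until the serial number shows up in Autopilot, so rights are never removed mid-registration.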
In this blog post:
- We discussed different ways to register a device in Microsoft Endpoint Manager Admin Center.
- How to provide users with the capability to register their new devices themselves with temporary elevated permissions.
- How to register the Microsoft Intune PowerShell application / service principal using Connect-MSGraph -AdminConsent and add users to this application so that users have admin consent to register their device into Microsoft Endpoint Manager Admin Center.