Current Windows Autopilot enrollment options require either the OEM to preregister new devices in your Microsoft Business Store or push a script to an existing device (using SCCM, etc.), then pull the resulting CSV to manually enroll the system into Autopilot. But what about existing systems that are geographically seperated, not Azure AD enrolled, not VPN'd into a network, or centrally managed? This project allows an administrator to push a short Powershell script to a remote system and send its results to a Internet facing web API. This "push" can be done through third-party software like Team Viewer, LogMeIn or simply have the remote user run the script as an Administrator.
- Hostname
- External IP address
- Hardware serial number
- Hardware make and model
- Hardware hash
- Timestamp of execution
autopilot-enrollment-existing-devicesNodejs web APIHost Scripts\get-apinfoexisting.ps1Powershell script for remote system
- Internet facing system (e.g. AWS, Azure, self-hosted)
- Nodejs
- DNS record for web API (more for convenience)
- a running web API
- administrator privileges
- Powershell 3.0
- connection to the Internet
- ability to execute the script remotely
- Download nodejs https://nodejs.org/en/download/ and install
- Run the following:
git clone https://github.com/jknyght9/autopilot-enrollment-existing-devices
cd autopilot-enrollment-existing-devices
npm install
npm start
- The API runs on port 8000
- HIGHLY recommend using a load balancer with an SSL/TLS certificate to encrypt all the traffic. Otherwise this data will transmitted in CLEAR TEXT. You are responsible for any data leakage that may occur.
- Ensure that your host firewall allows TCP port 8000
- Ensure that your network/enterprise firewall allows TCO port 8000 to the server hosing this web API
- Web server logs (access and error) are located in the
logfolder - Host registration information is located in the
datafolder
Before deploying the Powershell script, you will need to test the API from an external system with the following commands:
# Mac or Linux via Curl
curl http(s)://<YOUR WEB ADDRESS>:8000/
or
# Windows Powershell
Invoke-WebRequest -Uri http(s)://<YOUR WEB ADDRESS>:8000/ -Method GET
If you recieve a Successfull connection, proceed to the next step. Otherwise you will need to troubleshoot your network.
Once the web API is running, the admin will need to have the remote hosts execute the following command:
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/jknyght9/autopilot-enrollment-existing-devices/master/Host%20Scripts/get-apinfoexisting.ps1") | iex; getautopilotinfoexisting https://<server URI>:8000/register
If you are using a self-signed certificate for SSL/TLS communication, you will need to bypass powershell's certificate validation check with the following:
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};(new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/jknyght9/autopilot-enrollment-existing-devices/master/Host%20Scripts/get-apinfoexisting.ps1") | iex; getautopilotinfoexisting https://<server URI>:8000/register
This script will set the system up for secure communications, download the get-apinfoexisting.ps1 script and run the module using your web API URL. Note that you will have to change the <server URI> to the IP address or hostname you have configured for the web API. Also, you must have the /register path at the end of the URL.
Once the systems have executed the Powershell script, you can retrieve the CSV file from the data directory. Before you import the CSV into Windows Autopilot, you must remove the Timestamp column from the CSV. Use the timestamp field to sort from previously imported entires.
https://docs.microsoft.com/en-us/intune/enrollment-autopilot
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements