Autopilot Manager (APM) needs the Autopilot-Manager-Client to receive the Autopilot device provisioning information import request and to show the user a processing screen, similar to the Autopilot Pre-Provisioning scenario (formerly known as WhiteGlove). The app service queues and handles all the processing needed to import the device provisioning information into the tenant. It has an approval workflow built in, via QR code or the Approval helpdesk page. It uses the same logic as Michael Niehaus's Autopilot script Get-WindowsAutoPilotInfo. The process used by the Get-WindowsAutoPilotInfo script is described in a blog post from Michael here: Importing a device hash directly into Intune
Read more about the solution and detailed installation instructions on my blog post here:
The following prerequisites are necessary to get Autopilot-Manager to work:
- Azure AD Application Registration Client-ID
- Azure AD Application Registration Client-Secret
- Azure AD group for Autopilot direct profile assignment
- Azure AD group for general Autopilot-Manager access
- Azure AD group for 'View-Imports' access (Job History Viewer)
- Azure AD group for 'Approve-Requests' access (Approver)
The app service can be deployed via the Azure Resource Manager (ARM) template by using the following link:
v1.7
- fixed a logging bug (user identity was not always correctly logged)
- added support for transparent headers to support Azure Front Door scenarios
v1.6
- added support for Azure Functions, which allows extended functionality to be developed on the business side.
AppConfig:AutopilotManagerConfig:AzureFunctionsUrl set to your Azure Function URL (e.g. https://apm-functions-xxx.azurewebsites.net/api/)
- A validation function (function name: 'validate') to be called for extended validation of the import request. The validation result will allow or block the import.
AppConfig:AutopilotManagerConfig:UseValidationFunction set to true
AppConfig:AutopilotManagerConfig:ValidationFunctionKey set to "your azure function key"
- A GroupTag function (function name: 'grouptag') to receive a GroupTag for the given device
AppConfig:AutopilotManagerConfig:UseGroupTagFunction set to true
AppConfig:AutopilotManagerConfig:GroupTagFunctionKey set to "your azure function key"
- An AutoApproval function (function name: 'autoapproval') to automatically approve requests after extended validation
AppConfig:AutopilotManagerConfig:UseAutoApprovalFunction set to true
AppConfig:AutopilotManagerConfig:AutoApprovalFunctionKey set to "your azure function key"
v1.5
- added support for re-registering Autopilot devices. Existing Autopilot devices are deleted before the new Autopilot device information is uploaded.
Turn on ReRegister mode with
AppConfig:AutopilotManagerConfig:UseReRegisterMode set to true
Additional App registration permissions "DeviceManagementManagedDevices.ReadWrite.All" must be granted, same as for delete requests
To preserve the purchase order identifier in case of re-register, use
AppConfig:AutopilotManagerConfig:PreservePurchaseOrderIdOnReRegister set to true
- added support for writing Audit data to Log Analytics via data collector API
Use the following settings to configure this:
AppConfig:AutopilotManagerConfig:UseLogAnalytics set to true
AppConfig:AutopilotManagerConfig:LogAnalyticsWorkspaceId set to "your workspace GUID"
AppConfig:AutopilotManagerConfig:LogAnalyticsSharedKey set to "your shared workspace key"
AppConfig:AutopilotManagerConfig:LogAnalyticsReportHardwareHash set to true or false
- added Homepage customization options
AppConfig:AutopilotManagerConfig:HomepageHeadlineSentenceApprovalMode set to e.g. "Please call the helpdesk (+49 180-12345678) for approval of device import."
AppConfig:AutopilotManagerConfig:HomepageHeadlineSentenceNonApprovalMode set to e.g. "Please scan the QR code to import the device."
AppConfig:AutopilotManagerConfig:HomepageCompanyLogoImageUrl set to an image URL, e.g. "https://company.com/image/comapnylogo.png"
v1.4
- added deletion support in Approval Mode for Intune devices due to this latest change:
https://docs.microsoft.com/en-us/mem/autopilot/troubleshoot-device-enrollment
new client parameter -e can be used to invoke the delete request
AppConfig:AutopilotManagerConfig:AllowDeletionInApprovalMode must be set to true
Additional App registration permissions "DeviceManagementManagedDevices.ReadWrite.All" must be granted
- Optionally you can display the Approval and History link now on the footer area of the main page
AppConfig:AutopilotManagerConfig:ShowHomepageApprovalLink set to true
AppConfig:AutopilotManagerConfig:ShowHomepageHistoryLink set to true
v1.3
- added timeout configuration option
AppConfig:AutopilotManagerConfig:Timeout must be set to an integer value in minutes, e.g. 120
v1.2
- improved model/manufacturer parsing
- improved AAD group membership addition