I’ve given presentations at a variety of events that included this slide, talking about the different mechanisms that are available for registering devices with Windows Autopilot:
For customers, you can register devices using the serial number and hardware hash via Intune. I published a blog last year that showed how to automate that using PowerShell and the Intune Graph API. For OEMs, we’ve provided a set of APIs that they can use (with no UI at all, it always automated). So that leaves partners: Any CSP partner can register devices on behalf of any customer, as long as the customer consents to that. See the consent documentation for more details on that process.
So what exactly is a CSP partner? They are “Cloud Solution Providers.” You can find more information about the CSP program on the official site, including details about the different types of CSPs that exist. But from a Windows Autopilot perspective, that part doesn’t matter – any CSP partner can add devices on behalf of any customer, as long as the customer consents. These CSP partners could be:
- Service providers
So, if you’re a registered Microsoft partner, you’ve already done the first step. Becoming a CSP partner is the next step.
Once you are a CSP partner, you can leverage Partner Center to add devices to Windows Autopilot for any of the customers that you have a relationship with. Sign into Partner Center, click on CSP then Customers, select the customer you want, and click “Devices”:
When you click “Add devices” you can select a CSV file that is similar to the one that is used with Intune, just with two additional columns. Here’s an example:
Device serial number,Windows product ID,Hardware hash,Manufacturer name,Device model
Notice in this case that there isn’t a hardware hash, just the serial number and the Windows product ID value. There are a variety of valid combinations, from the Partner Center API documentation:
- HardwareHash + ProductKey.
- HardwareHash + SerialNumber.
- HardwareHash + ProductKey + SerialNumber.
- HardwareHash only.
- ProductKey only.
- SerialNumber + OemManufacturerName + ModelName.
We recommend always specifying the serial number (mainly so the IT person is always able to figure out which device is which). But as a CSP partner, you can choose which combination of fields you want.
So let’s change focus to automating this process. To do this, you need to install a few modules with these PowerShell commands (preferably from an elevated PowerShell session):
Install-Module AzureAD –force
Install-Module PartnerCenter –force
Install-Module WindowsAutopilotPartnerCenter –force
Then, find the WindowsAutopilotPartnerCenter module folder using these commands:
Get-Module WindowsAutopilotPartnerCenter | format-list
In the same folder as the PSD1 file shown in the “Path” property, there will be a PartnerCenter.xml file. This needs to be edited (Notepad will do) to specify some key details:
<!– Production values –>
<!– Partner-specific settings, must be updated before using the module –>
For the app ID and app secret values, you’ll need to have your Partner Center admin (each partner will have at least one) create an Azure AD app for you; this will be used to authenticate to Partner Center (along with a user ID and password). See the Partner Center documentation for a PowerShell script that can be used to create this app (a one-time operation). The PartnerTenantID is the Azure AD tenant ID for your partner tenant (as shown in Partner Center or in Azure AD).
With those three values added, you can then use the module. You already imported it earlier, so you don’t need to do that again. Just authenticate, find the customer you want, and then import the batch of machines. Here’s my example:
PS C:\> Connect-AutopilotPartnerCenter
Account : Microsoft.Store.PartnerCenter.PowerShell.Authentication.AzureAccount
ApplicationId : d9e31207-2d74-47ac-a328-1d90436c7f71
AuthenticationType : AppPlusUser
CountryCode : US
Environment : GlobalCloud
Locale : en-US
PS C:\> Get-PartnerCustomer
CustomerId Domain Name
———- —— —-
c4f6bf3c-60de-432e-a3ec-20bcc5b26ec2 AcmeCorp001.onmicrosoft.com Acme Corp
e3d700d7-0b42-4373-9501-3eec6d574149 contosocm.onmicrosoft.com Contoso CM
78a05132-5fda-40fe-99a0-b765ce83eebc ContosoHybridAZ.onmicrosoft.com Contoso
278aaea7-4b3f-4a69-a115-ab07bf793396 fabrikamcspdemo.onmicrosoft.com Fabrikam Corp Inc.
b870bf37-fe75-4db3-9578-ab838438e267 fabrikamltd01.onmicrosoft.com Fabrikam Ltd
e974093c-2a52-4ebd-994e-b3e7e0f90cf2 fourthcoffee01.onmicrosoft.com Fourth Coffee
467266cb-acb5-4cf3-a74c-0345aa0e40de Northwinds001.onmicrosoft.com Northwind Traders
085b2b89-0481-4c13-b5c6-ff215fa3d361 tailspintoys002.onmicrosoft.com Tailspin Toys
4d85a253-7911-4f67-8023-858670b9ca4b wingtipabcsptest1.onmicrosoft.com Wingtip Toys
PS C:\> Import-AutoPilotPartnerCenterCSV -csvFile .\PartnerCenterBatch.csv -CustomerID e3d700d7-0b42-4373-9501-3eec6d574149 -BatchID “Demo Batch”
Devices successfully added = 2
Devices not added due to errors = 0
DeviceId : 50691ec3-b252-45a3-aa84-7aa049e9f214
ErrorCode : 0
ErrorDescription : None
SerialNumber : 110003260457
Status : Finished
DeviceId : f5bee715-405a-4fab-8a1d-605aee45eeb7
ErrorCode : 0
ErrorDescription : None
SerialNumber : HBNTCX001011462
Status : Finished
Here’s an overview of those steps:
- The Connect-AutopilotPartnerCenter function is a fairly simple wrapper that authenticates to Partner Center using cmdlets in the PartnerCenter module.
- The Get-PartnerCustomer cmdlet is also from the PartnerCenter module. It lists all the customers that you have access (they have consented to having you as their CSP partner). Find the GUID of the customer you want.
- The “Import-AutopilotPartnerCenterCSV function reads the specified CSV file and feeds the devices in it to another function in the PartnerCenter module to create a device batch. (The device batch name can be anything you want; the value will end up as the “Group Tag” in Intune.) This function will return some summary details (devices added and not added), followed by a colleciton of the individual results. If they show an ErrorCode of 0, they were successful; any other value is a failure. (See https://oofhours.com/2019/07/07/what-happens-when-you-register-a-device-with-windows-autopilot/ for more details on the possible errors.)
It only took me a year to get this script to work – when I initially tried it I gave up in disgust. (Getting the authentication right using the REST API can be challenging.) Now, the new PartnerCenter module takes care of almost all the details for you, making this much easier. (Thanks to Isaiah Williams from the One Commercial Partner team for his work on the PartnerCenter module.)
Categories: Windows Autopilot