Public/TenantConfiguration/Baseline/Add-DeviceEnrollmentConfiguration.ps1
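function Add-DeviceEnrollmentConfiguration {
    <#
    .SYNOPSIS
        Applies the baseline Intune device enrollment configuration to a customer tenant.
    .DESCRIPTION
        Connects to the customer tenant and then, in order:
          1. Sets the Intune MDM user scope ("appliesTo") to "all" so every user may enroll.
          2. Updates the tenant's default Windows Hello for Business enrollment configuration
             from the JSON file(s) under DeviceEnrollmentConfigurations\.
          3. Creates the baseline Windows Autopilot deployment profile (hybrid or default) and
             assigns it to all devices, unless a profile with the same displayName already exists.
          4. Creates each Enrollment Status Page found under EnrollmentStatusPages\ and assigns
             it to all devices, unless one with the same displayName already exists.
        All Graph calls target the beta endpoint.
    .PARAMETER TenantId
        Id of the customer tenant to configure.
    .PARAMETER Hybrid
        When $true the hybrid Autopilot profile JSON is used instead of the default profile JSON.
    .NOTES
        If the current Graph context lacks Policy.ReadWrite.MobilityManagement the function calls
        Set-SAMConsent, which re-grants consent for the application in the customer tenant. That is
        a privileged change to the tenant and is worth correlating with the tenant's audit log.
        Only that single scope is verified up front; the deviceManagement calls that follow rely on
        the connection already carrying whatever permissions they require.
        Existence checks for the Autopilot profile and enrollment status pages compare displayName
        only, so an existing object with the same name but different settings is left untouched.
        Any failure is rethrown as a single terminating error prefixed with
        "Failed to update Device enrollment configuration".
    #>
    param(
        [Parameter(Mandatory)]
        [string]$TenantId,
        [bool]$Hybrid = $false
    )

    try {
        # Endpoint pieces shared by the calls below; every request here uses the beta API.
        $GraphBeta = "https://graph.microsoft.com/beta"
        $MdmPolicyUri = "$GraphBeta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000"
        $EnrollmentConfigUri = "$GraphBeta/deviceManagement/deviceEnrollmentConfigurations"
        $AutopilotProfileUri = "$GraphBeta/deviceManagement/windowsAutopilotDeploymentProfiles"
        # Assignment target reused for both the Autopilot profile and the enrollment status pages.
        $AllDevicesTarget = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" }

        Connect-CustomerGraph -CustomerTenantId $TenantId
        $MgContext = Get-MgContext
        if ($MgContext.Scopes -notcontains "Policy.ReadWrite.MobilityManagement") {
            Write-Host "The current application does not have the required scopes to update device enrollment configuration." -ForegroundColor Yellow
            Write-Host "Re-creating application consent, please wait.."
            # Re-consent changes the application's granted permissions in the customer tenant.
            # The existing session is dropped so the new token reflects the new consent.
            Set-SAMConsent -CustomerTenantId $TenantId
            Disconnect-MgGraph | Out-Null
            Connect-CustomerGraph -CustomerTenantId $TenantId
        }

        <# This ensures that all users are able to enroll in Intune. #>
        $MobileDeviceManagementPolicy = Invoke-MgGraphRequest -Method GET -Uri $MdmPolicyUri
        if ($MobileDeviceManagementPolicy.appliesTo -ne "all") {
            $MDMParams = @{ "appliesTo" = "all" }
            # Same cmdlet as every other request here (the original used the Invoke-GraphRequest alias).
            Invoke-MgGraphRequest -Method PATCH -Uri $MdmPolicyUri -Body $MDMParams
            Write-Host "Set MDM user scope to 'all'" -ForegroundColor Green
        }
        else {
            Write-Host "MDM user scope is already set to 'all', not updating.." -ForegroundColor Yellow
        }

        # Fetched once; used to locate the default WHfB configuration and to detect existing
        # enrollment status pages by displayName.
        $DeviceEnrollmentConfigurations = (Invoke-MgGraphRequest -Method GET -Uri $EnrollmentConfigUri).value

        # Windows Hello for Business
        $DeviceEnrollmentConfigurationsFiles = Get-ChildItem -Path "$PSScriptRoot\DeviceEnrollmentConfigurations" -Filter *.json
        foreach ($DeviceEnrollmentConfigurationsFile in $DeviceEnrollmentConfigurationsFiles) {
            $DeviceEnrollmentConfiguration = Get-Content -Path $DeviceEnrollmentConfigurationsFile.FullName | ConvertFrom-Json -AsHashtable -Depth 100
            # Only the tenant-default WHfB configuration is handled; any other JSON file is ignored.
            if ($DeviceEnrollmentConfiguration.Id -notlike "*_DefaultWindowsHelloForBusiness") {
                continue
            }
            # The tenant's own default configuration carries a tenant-specific id prefix, so it is
            # located by suffix in the live list rather than taken from the file.
            $DeviceEnrollmentConfigurationId = ($DeviceEnrollmentConfigurations | Where-Object { $_.Id -like "*_DefaultWindowsHelloForBusiness" }).Id
            if (-not $DeviceEnrollmentConfigurationId) {
                # Without this guard the update call fails with an opaque parameter-binding error.
                throw "No '*_DefaultWindowsHelloForBusiness' enrollment configuration was found in the tenant."
            }
            Update-MgDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $DeviceEnrollmentConfigurationId -AdditionalProperties $DeviceEnrollmentConfiguration.AdditionalProperties
            Write-Host "Updated Windows Hello for Business Enrollment Configuration" -ForegroundColor Green
        }

        # Windows Autopilot
        $WindowsAutopilotDeploymentProfiles = (Invoke-MgGraphRequest -Method GET -Uri $AutopilotProfileUri).value
        $ProfileFileName = if ($Hybrid) { "JyskIT_Baseline_AP_HybridProfile.json" } else { "JyskIT_Baseline_AP_DefaultProfile.json" }
        $WindowsAutopilotDeploymentProfile = Get-Content -Path "$PSScriptRoot\WindowsAutopilotDeploymentProfiles\$ProfileFileName" | ConvertFrom-Json -AsHashtable -Depth 100
        if ($WindowsAutopilotDeploymentProfiles.displayName -contains $WindowsAutopilotDeploymentProfile.displayName) {
            Write-Host "Windows Autopilot deployment profile '$($WindowsAutopilotDeploymentProfile.displayName)' already exists, not creating.." -ForegroundColor Yellow
        }
        else {
            # The POST response replaces the file content so the server-assigned id is available.
            $WindowsAutopilotDeploymentProfile = Invoke-MgGraphRequest -Method POST -Uri $AutopilotProfileUri -Body $WindowsAutopilotDeploymentProfile
            Write-Host "Created Windows Autopilot deployment profile '$($WindowsAutopilotDeploymentProfile.displayName)'." -ForegroundColor Green
            Invoke-MgGraphRequest -Method POST -Uri "$AutopilotProfileUri/$($WindowsAutopilotDeploymentProfile.id)/assignments" -Body @{ "target" = $AllDevicesTarget } | Out-Null
            Write-Host "Assigned Windows Autopilot deployment profile '$($WindowsAutopilotDeploymentProfile.displayName)' to all devices." -ForegroundColor Green
        }

        # Windows Autopilot Enrollment Status Page
        $EnrollmentStatusPageFiles = Get-ChildItem -Path "$PSScriptRoot\EnrollmentStatusPages" -Filter *.json
        foreach ($EnrollmentStatusPageFile in $EnrollmentStatusPageFiles) {
            $EnrollmentStatusPage = Get-Content -Path $EnrollmentStatusPageFile.FullName | ConvertFrom-Json -AsHashtable -Depth 100
            if ($DeviceEnrollmentConfigurations.displayName -contains $EnrollmentStatusPage.displayName) {
                Write-Host "Enrollment status page '$($EnrollmentStatusPage.displayName)' already exists, not creating.." -ForegroundColor Yellow
            }
            else {
                $EnrollmentStatusPage = Invoke-MgGraphRequest -Method POST -Uri $EnrollmentConfigUri -Body $EnrollmentStatusPage
                Write-Host "Created enrollment status page '$($EnrollmentStatusPage.displayName)'." -ForegroundColor Green
                Invoke-MgGraphRequest -Method POST -Uri "$EnrollmentConfigUri/$($EnrollmentStatusPage.id)/assign" -Body @{ "enrollmentConfigurationAssignments" = @( @{ "target" = $AllDevicesTarget } ) } | Out-Null
                Write-Host "Assigned enrollment status page '$($EnrollmentStatusPage.displayName)' to all devices." -ForegroundColor Green
            }
        }
    }
    catch {
        throw "Failed to update Device enrollment configuration: $_"
    }
}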