{"id":13623447,"url":"https://github.com/PowerShellCrack/PSAutopilotReadinessCheck","last_synced_at":"2025-04-15T14:33:02.676Z","repository":{"id":176906629,"uuid":"658833868","full_name":"PowerShellCrack/PSAutopilotReadinessCheck","owner":"PowerShellCrack","description":"A PowerShell script to check to ensure a device is ready for Autopilot and is assigned to everything it needs to be successful..","archived":false,"fork":false,"pushed_at":"2024-04-14T15:45:20.000Z","size":1011,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-11T20:21:27.323Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PowerShellCrack.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-06-26T15:26:19.000Z","updated_at":"2024-11-28T09:50:27.000Z","dependencies_parsed_at":null,"dependency_job_id":"5ffb2cc2-edbb-4b7d-8405-e28c9b577d19","html_url":"https://github.com/PowerShellCrack/PSAutopilotReadinessCheck","commit_stats":null,"previous_names":["powershellcrack/psautopilotreadinesscheck"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerShellCrack%2FPSAutopilotReadinessCheck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerShellCrack%2FPSAutopilotReadinessCheck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerShellCrack%2FPSAutopilotReadinessCheck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerShellCrack%2FPSAutopilotReadinessCheck/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PowerShellCrack","download_url":"https://codeload.github.com/PowerShellCrack/PSAutopilotReadinessCheck/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249089074,"owners_count":21210912,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T21:01:31.897Z","updated_at":"2025-04-15T14:33:02.634Z","avatar_url":"https://github.com/PowerShellCrack.png","language":"PowerShell","funding_links":[],"categories":["PowerShell"],"sub_categories":[],"readme":"# Autopilot Readiness Pre-Flight Checker\n\nThis script is designed to check to ensure a device is Autopilot Ready\n\nThis code only uses **get** cmdlets. There are no _sets_\n\n## Required modules:\n\n- Microsoft.Graph.Authentication\n\n\u003e NOTE: This script uses beta graph API requests\n\n## Supported\n\n- Powershell 5.1 or higher (Tested with Posh 7.3.5)\n\n## What does it do?\n\n1. Check if device is enrolled as Autopilot Device\n1. Check if the device is assigned a deployment profile and how (group tag, Azure AD group)\n1. Check if device is assigned an ESP and what are the apps assigned to it\n1. Check to see what groups the device is assigned to\n1. Check to see if device groups are assigned to the apps as required.\n1. Check to see if user groups are assigned to the apps as required.\n1. Check type of DeploymentProfile is assigned to device (hybrid vs Azure AD)\n1. If Hybrid, check to make sure only one domain join profile is assigned to device\n1. Check if device is assigned a user profile\n1. Check if user is assigned to MDM enrollment group and Intune license\n1. Check if user is part of \"allow user to Azure AD device\" join group\n\n\u003e NOTE: All graph calls are read only! \n\n## Graph scoped permissions\n\nPermission Scope | Graph Resource Endpoint | Link\n--|--|--\nDevice.Read.All | /devices | https://learn.microsoft.com/en-us/graph/permissions-reference#device-permissions\nDirectory.Read.All | \u003cli\u003e/subscribedSkus\u003c/li\u003e\u003cli\u003e/groups\u003c/li\u003e  | https://learn.microsoft.com/en-us/graph/permissions-reference#directory-permissions\nGroupMember.Read.All | /groups | https://learn.microsoft.com/en-us/graph/permissions-reference#group-permissions\nGroup.Read.All | /groups | https://learn.microsoft.com/en-us/graph/permissions-reference#group-permissions\nUser.Read.All | /users | https://learn.microsoft.com/en-us/graph/permissions-reference#user-permissions\nDeviceManagementApps.Read.All | \u003cli\u003e/deviceAppManagement/mobileApps\u003c/li\u003e | https://learn.microsoft.com/en-us/graph/permissions-reference#intune-device-management-permissions\nDeviceManagementConfiguration.Read.All |\u003cli\u003e/users\u003c/li\u003e\u003cli\u003e/deviceManagement/managedDevices\u003c/li\u003e\u003cli\u003e/deviceManagement/deviceConfigurations\u003c/li\u003e\u003cli\u003e/deviceManagement/deviceEnrollmentConfigurations\u003c/li\u003e|https://learn.microsoft.com/en-us/graph/permissions-reference#intune-device-management-permissions\nDeviceManagementManagedDevices.Read.All |\u003cli\u003e/users\u003c/li\u003e\u003cli\u003e/deviceManagement/managedDevices\u003c/li\u003e|https://learn.microsoft.com/en-us/graph/permissions-reference#intune-device-management-permissions\nDeviceManagementServiceConfig.Read.All |\u003cli\u003e/users\u003c/li\u003e\u003cli\u003e/deviceManagement/windowsAutopilotDeviceIdentities\u003c/li\u003e\u003cli\u003e/deviceManagement/windowsAutopilotDeploymentProfiles\u003c/li\u003e\u003cli\u003e/deviceManagement/deviceEnrollmentConfigurations\u003c/li\u003e | https://learn.microsoft.com/en-us/graph/permissions-reference#intune-device-management-permissions\nOrganization.Read.All | /subscribedSkus | https://learn.microsoft.com/en-us/graph/permissions-reference#organization-permissions\nPolicy.Read.All | \u003cli\u003e/policies/deviceRegistrationPolicy\u003c/li\u003e\u003cli\u003e/policies/mobileDeviceManagementPolicies\u003c/li\u003e\u003cli\u003e/policies/conditionalAccessPolicies\u003c/li\u003e| https://learn.microsoft.com/en-us/graph/permissions-reference#policy-permissions\n\n## How to run\nRun it against a serial number\n```powershell\n.\\AutoPilotReadiness.ps1 -Serial 'N4N0CX11Z173170'\n```\nRun it against a device name\n```powershell\n.\\AutoPilotReadiness.ps1 -DeviceName 'DTOPAW-1Z173170'\n```\n\nRun it against a device name and check licenses if primary user is assigned\n```powershell\n.\\AutoPilotReadiness.ps1 -DeviceName 'DTOAAD-1Z156178' -CheckUserLicense\n```\nRun it against a serial and check licenses for enrolling user\n```powershell\n.\\AutoPilotReadiness.ps1 -Serial 'N4N0CX11Z173170' -UserPrincipalName 'tracyr@contoso.com' -CheckUserLicense\n```\n\nRun it against a serial, check licenses for enrolling user, and check Azure settings\n```powershell\n.\\AutoPilotReadiness.ps1 -Serial 'N4N0CX11Z173170' -UserPrincipalName 'tracyr@contoso.com' -CheckUserLicense -CheckAzureAdvSettings\n```\n\n\n## What it looks like (example)\n\nTest against a potential azure ad device\n\n![Azure AD](.images/azureadcheck.png)\n\nTest against a potential hybrid device\n\n![Hybrid](.images/hybridcheck.png)\n\nTest against an existing device\n\n![Hybrid](.images/existingdevice.png)\n\nFailed test\n\n![Azure AD](.images/depprofile_error.png)\n\n## Known issues\n\n- If apps or configuration has assignment filters; this may cause the output to be wrong; this is because the tool doesn't currently check if the device is in a filter.\n\n## Future plans\n\n- WPF UI\n- Make it modular (Json controlled)\n- Logging (cmtrace format)\n- Support assignment filters\n- Check if device is assigned at least one compliance policy (to ensure device will be compliant)\n- Check if device is part of a device filter\n- Check if device is assigned a device category\n- Check Device restrictions against device\n- Check Device limitation against user profile\n- Check if device has supporting OS (using WINRM)\n- Check if user is part of CBA Stage Rollout\n- Check for Organization branding\n- Check if user is assigned a Windows license.\n- Check if device is assigned a post script (eg. rename script, complete script, etc)\n            \n# DISCLAIMER\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS\nOR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING\nFROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER\nDEALINGS IN THE SOFTWARE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPowerShellCrack%2FPSAutopilotReadinessCheck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FPowerShellCrack%2FPSAutopilotReadinessCheck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPowerShellCrack%2FPSAutopilotReadinessCheck/lists"}