Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/PowerShellCrack/PSAutopilotReadinessCheck
A PowerShell script to check to ensure a device is ready for Autopilot and is assigned to everything it needs to be successful..
https://github.com/PowerShellCrack/PSAutopilotReadinessCheck
Last synced: 5 days ago
JSON representation
A PowerShell script to check to ensure a device is ready for Autopilot and is assigned to everything it needs to be successful..
- Host: GitHub
- URL: https://github.com/PowerShellCrack/PSAutopilotReadinessCheck
- Owner: PowerShellCrack
- License: other
- Created: 2023-06-26T15:26:19.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-09-20T19:57:55.000Z (about 1 year ago)
- Last Synced: 2024-02-27T06:35:32.661Z (9 months ago)
- Language: PowerShell
- Size: 960 KB
- Stars: 7
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
Awesome Lists containing this project
- jimsghstars - PowerShellCrack/PSAutopilotReadinessCheck - A PowerShell script to check to ensure a device is ready for Autopilot and is assigned to everything it needs to be successful.. (PowerShell)
README
# Autopilot Readiness Pre-Flight Checker
This script is designed to check to ensure a device is Autopilot Ready
This code only uses **get** cmdlets. There are no _sets_
## Required modules:
- Microsoft.Graph.Authentication
> NOTE: This script uses beta graph API requests
## Supported
- Powershell 5.1 or higher (Tested with Posh 7.3.5)
## What does it do?
1. Check if device is enrolled as Autopilot Device
1. Check if the device is assigned a deployment profile and how (group tag, Azure AD group)
1. Check if device is assigned an ESP and what are the apps assigned to it
1. Check to see what groups the device is assigned to
1. Check to see if device groups are assigned to the apps as required.
1. Check to see if user groups are assigned to the apps as required.
1. Check type of DeploymentProfile is assigned to device (hybrid vs Azure AD)
1. If Hybrid, check to make sure only one domain join profile is assigned to device
1. Check if device is assigned a user profile
1. Check if user is assigned to MDM enrollment group and Intune license
1. Check if user is part of "allow user to Azure AD device" join group
> NOTE: All graph calls are read only!
## Graph scoped permissions
Permission Scope | Graph Resource Endpoint | Link
--|--|--
Device.Read.All | /devices | https://learn.microsoft.com/en-us/graph/permissions-reference#device-permissions
Directory.Read.All |
GroupMember.Read.All | /groups | https://learn.microsoft.com/en-us/graph/permissions-reference#group-permissions
Group.Read.All | /groups | https://learn.microsoft.com/en-us/graph/permissions-reference#group-permissions
User.Read.All | /users | https://learn.microsoft.com/en-us/graph/permissions-reference#user-permissions
DeviceManagementApps.Read.All |
DeviceManagementConfiguration.Read.All |
DeviceManagementManagedDevices.Read.All |
DeviceManagementServiceConfig.Read.All |
Organization.Read.All | /subscribedSkus | https://learn.microsoft.com/en-us/graph/permissions-reference#organization-permissions
Policy.Read.All |
## How to run
Run it against a serial number
```powershell
.\AutoPilotReadiness.ps1 -Serial 'N4N0CX11Z173170'
```
Run it against a device name
```powershell
.\AutoPilotReadiness.ps1 -DeviceName 'DTOPAW-1Z173170'
```
Run it against a device name and check licenses if primary user is assigned
```powershell
.\AutoPilotReadiness.ps1 -DeviceName 'DTOAAD-1Z156178' -CheckUserLicense
```
Run it against a serial and check licenses for enrolling user
```powershell
.\AutoPilotReadiness.ps1 -Serial 'N4N0CX11Z173170' -UserPrincipalName '[email protected]' -CheckUserLicense
```
Run it against a serial, check licenses for enrolling user, and check Azure settings
```powershell
.\AutoPilotReadiness.ps1 -Serial 'N4N0CX11Z173170' -UserPrincipalName '[email protected]' -CheckUserLicense -CheckAzureAdvSettings
```
## What it looks like (example)
Test against a potential azure ad device
Test against a potential hybrid device
Test against an existing device
Failed test
## Known issues
- If apps or configuration has assignment filters; this may cause the output to be wrong; this is because the tool doesn't currently check if the device is in a filter.
## Future plans
- WPF UI
- Make it modular (Json controlled)
- Logging (cmtrace format)
- Support assignment filters
- Check if device is assigned at least one compliance policy (to ensure device will be compliant)
- Check if device is part of a device filter
- Check if device is assigned a device category
- Check Device restrictions against device
- Check Device limitation against user profile
- Check if device has supporting OS (using WINRM)
- Check if user is part of CBA Stage Rollout
- Check for Organization branding
- Check if user is assigned a Windows license.
- Check if device is assigned a post script (eg. rename script, complete script, etc)
# DISCLAIMER
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.