Get an overview of Windows Autopilot registered devices that are not enrolled in 180 days

Update 11-24-2022:

The statement regarding the re-registration of Windows Autopilot devices which are not enrolled after 180 days after registration is removed from the Microsoft docs. Referring to Microsoft PM Hermen, the information was inaccurate and there is no 180 days limit and re-registration is not needed.

Well, it seems we don’t need the below described Logic Apps flow, but I’ll just leave it here in case something in the flow is useful for somebody in the future.

Original post:

Last week one of the Microsoft Intune Product Managers caused a lot of buzz on Twitter (is Twitter still alive?) by sending out a few tweets related to Windows Autopilot registered devices:

While he describes something which isn’t new as far as I understand, many people, including myself, responded to the tweet to ask for more information on the subject as we were pretty confused by this information.

This document currently describes the ‘issue’ in just one sentence:
If the device is registered and not enrolled after 180 days, you’ll need to re-register the device to complete a successful deployment.
But Herman already responded they would soon update their documentation for clarification.

This behavior could be a thing for a lot of companies who order their Windows devices in bulk, certainly when these devices are registered in the Autopilot service by their vendor. When the company normally buys hardware let’s say once a year, the company has hardware in stock, that is not enrolled in these 180 days. Now that we are aware of this behavior, we should make sure we enroll these devices before the 180th day after registration in the Autopilot services. Otherwise, we need to remove the device object from Autopilot and re-import the device again (and we don’t have the information as our vendor did the registration). Or maybe an option to extend/ renew the certificate which expires after 180 days and causes this issue, is performing a pre-provisioning enrollment. But as long as Microsoft doesn’t update the docs, we have no idea about this.

You might have a good overview of your devices in your CMDB on which date these are purchased and might be able to estimate the registration date of the devices. Otherwise, you might want to receive an automated overview on a regular basis, with all Windows Autopilot registered devices that are not enrolled and are almost near 180 days after registration.

To get such an overview on a regular basis, I created a Logic Apps flow, which does this job.

The solution in short

By querying Microsoft Graph we can get a lot of information regarding Microsoft Intune and thus also for our Windows Autopilot devices. Strange enough via Graph, we are not able to get a registration date for the Autopilot object. But we do get the Azure AD device Id back of the Autopilot object. With that id we can, also via Graph, get the creation date of the Azure AD object back. Which in my opinion should match the registration date of the Autopilot device.
To automatically check this information on a recurrence, we can use an HTTP action in a Logic Apps flow. And with some additional actions in the flow, we can add all the devices which are not enrolled and near the 180th day after enrollment in an Excel sheet and save the sheet to SharePoint. If needed we can also send this sheet as an attachment via email.

In this post, I describe the complete flow. You can also find the flow on my GitHub for easy deployment.

Requirements

For this solution, we have some requirements. To query Microsoft Graph we need to have permission to perform this job. There are different options to authenticate to MS Graph and assign permissions, but I prefer an Azure Managed Identity.
The required Graph (Application) permissions we need are:
DeviceManagementServiceConfig.Read.All
Device.Read.All

To create an Excel sheet we need to save it to a SharePoint documents library. So a requirement is a document library and a (service) account with read-write permissions to the library.

And last, we need to have a mailbox (if you want to send the file via email). I used a service account with permission to send an email from a shared mailbox.

Setup the Logic App flow

When the requirements are in place, we can start creating the Logic Apps flow.

Sign in to the Azure portal and open the Logic App service. I created a blank Logic App of type Consumption.

When the flow is created, click on the name of the flow at the top of the screen, open the Identity section, and on the tab User assigned add your Managed Identity.

Open the Overview tab, which shows a few templates, and choose Recurrence.

Change the interval settings to your needs.

First, we need to compose an Excel file, otherwise, we end up with an empty sheet. We do this by using a Compose action, which is found under the Data Operations actions.

This is the input from an empty Excel sheet, you can just copy-paste this into the inputs field. Otherwise, you need to create an empty Excel sheet and import it once in a flow to retrieve this information.

{
"$content": "",
"$content-type": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
}

After the Compose action, we add a Create file action, which is a SharePoint action. With this action, we create an Excel sheet on a SharePoint library, and as file content, we use the outputs from the Compose action.

First sign in with your (service) account.

Select the Site Address from the drop-down list or choose Enter custom value and manually enter the site address.
Via the folder icon, you can browse the folder path.
You can manually enter a File name, ending on .xlsx. But I want it to hold the current date and time. We can do this by entering an Expression. Place your cursor on the correct place in the file name field and add the below expression:

formatDateTime(utcNow(), ‘yyyy-MM-dd-HH-mm’)

As File content, we want to add the output from the compose action. We add this as Dynamic content.
Select Outputs from the Dynamic content list.

Our sheet needs to have a table, so we add a Create table action to the flow, which is an Excel action.

Choose the SharePoint site from the list and select the Document library. In the File field, we enter the Id of the create file action.

My table only contains the serialNumber, displayName, enrollmentState, groupTag, manufacturer, model and createdDateTime from the configuration, thus the table range is A1:F1.
Add these items to the Columns names field separated with a comma. And add a Table name.

Now it’s time to add our first HTTP action to query the Microsoft Graph.

Add the first HTTP action.
As Method select GET.
As URI enter:

https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities

Choose Add Parameter and select Authentication.
As Authentication type select Managed identity.
Select your Managed identity from the list.
And add https://graph.microsoft.com as Audience.

Next, we need to add a Parse JSON action. We parse the output of the HTTP action, to be able to use the values later on in the flow.
To parse the JSON we need to have a schema, which we can create by using a sample payload. we can get the sample payload by running the flow and grabbing the output from the HTTP action.
Or we can use Microsoft Graph Explorer. Sign in to the tool, run the query by entering the URI and copy everything in the Response preview field.

Add a Parse JSON action to the flow, which is a Data operations action.
As Content, we select Body from the Dynamic content list that is from our HTTP action.
Click Use sample payload option to create the schema. Paste the information from Graph Explorer in the sample payload field to create the schema.

We only want to further process Windows Autopilot devices that don’t have a status of enrolled. Thus we will filter out these devices using a Filter array action, which is also a Data operations action.

In the From field we add value of the Parse JSON action.
In the left field, we add enrollmentState of the Parse JSON action. Choose is not equal to from the drop-down list and add the text enrolled in the right field.

By using the previously retrieved azureActiveDirectoryDeviceId of the devices, we can query Azure AD for the createdDateTime of the AAD device.

Add an HTTP action to the flow.
Choose GET as Method.
As URI enter:

https://graph.microsoft.com/v1.0/devices?$filter=(deviceId%20eq%20'[azureActiveDirectoryDeviceId]')

On the place of [azureActiveDirectoryDeviceId] we need to add the azureActiveDirectoryDeviceId found as Dynamic content. Make sure to select the one from the Filter array action!

Adding the AAD Device ID will add the HTTP action in a For each action.

Choose Add Parameter and select Authentication.
As Authentication type select Managed identity.
Select your Managed identity from the list.
And add https://graph.microsoft.com as Audience.

The HTTP action is followed again by a Parse JSON action. But if we add the action, using a sample payload again and run the action, we might see a couple of errors.

“Invalid type. Expected string but got Null” .

The value is null, but a string was expected. We can simply solve this issue by replacing:

"type": "string"

For this in the schema:

    "type": ["string", "null"]

This is the schema I use, which you can use in your flow.

{
"properties": {
"@@odata.context": {
"type": "string"
},
"value": {
"items": {
"properties": {
"accountEnabled": {
"type": "boolean"
},
"alternativeSecurityIds": {
"items": {
"properties": {
"identityProvider": {},
"key": {
"type": "string"
},
"type": {
"type": "integer"
}
},
"required": [
"type",
"identityProvider",
"key"
],
"type": "object"
},
"type": "array"
},
"approximateLastSignInDateTime": {
"type": "string"
},
"complianceExpirationDateTime": {},
"createdDateTime": {
"type": "string"
},
"deletedDateTime": {},
"deviceCategory": {},
"deviceId": {
"type": "string"
},
"deviceMetadata": {},
"deviceOwnership": {
"type": [
"string",
"null"
]
},
"deviceVersion": {
"type": "integer"
},
"displayName": {
"type": "string"
},
"domainName": {},
"enrollmentProfileName": {
"type": [
"string",
"null"
]
},
"enrollmentType": {
"type": [
"string",
"null"
]
},
"extensionAttributes": {
"properties": {
"extensionAttribute1": {},
"extensionAttribute10": {},
"extensionAttribute11": {},
"extensionAttribute12": {},
"extensionAttribute13": {},
"extensionAttribute14": {},
"extensionAttribute15": {},
"extensionAttribute2": {},
"extensionAttribute3": {},
"extensionAttribute4": {},
"extensionAttribute5": {},
"extensionAttribute6": {},
"extensionAttribute7": {},
"extensionAttribute8": {},
"extensionAttribute9": {}
},
"type": "object"
},
"externalSourceName": {},
"id": {
"type": "string"
},
"isCompliant": {
"type": [
"boolean",
"null"
]
},
"isManaged": {
"type": [
"boolean",
"null"
]
},
"isRooted": {
"type": [
"boolean",
"null"
]
},
"managementType": {
"type": [
"string",
"null"
]
},
"manufacturer": {
"type": [
"string",
"null"
]
},
"mdmAppId": {
"type": [
"string",
"null"
]
},
"model": {
"type": [
"string",
"null"
]
},
"onPremisesLastSyncDateTime": {},
"onPremisesSyncEnabled": {},
"operatingSystem": {
"type": "string"
},
"operatingSystemVersion": {
"type": "string"
},
"physicalIds": {
"items": {
"type": "string"
},
"type": "array"
},
"profileType": {
"type": "string"
},
"registrationDateTime": {
"type": "string"
},
"sourceType": {},
"systemLabels": {
"type": "array"
},
"trustType": {
"type": "string"
}
},
"required": [
"id",
"deletedDateTime",
"accountEnabled",
"approximateLastSignInDateTime",
"complianceExpirationDateTime",
"createdDateTime",
"deviceCategory",
"deviceId",
"deviceMetadata",
"deviceOwnership",
"deviceVersion",
"displayName",
"domainName",
"enrollmentProfileName",
"enrollmentType",
"externalSourceName",
"isCompliant",
"isManaged",
"isRooted",
"managementType",
"manufacturer",
"mdmAppId",
"model",
"onPremisesLastSyncDateTime",
"onPremisesSyncEnabled",
"operatingSystem",
"operatingSystemVersion",
"physicalIds",
"profileType",
"registrationDateTime",
"sourceType",
"systemLabels",
"trustType",
"extensionAttributes",
"alternativeSecurityIds"
],
"type": "object"
},
"type": "array"
}
},
"type": "object"
}

And this is our Parse JSON action.

With the next action, we will filter out only the devices that are registered 165 days or longer ago. I took 165 days instead of 180 days to filter out the devices, as this allows us some time to take action.
To filter out these devices, we use a Condition, which is a Control action. When a device is registered 165 days or longer ago, the outcome of the condition is true and thus we add the action after the conditions action under True.

Add createdDateTime in the left field and select is less than from the drop-down list.
In the right box, we add an Expression. This expression sets the current day in UTC, minus the number of days we enter, in this example 165 days.
Example expression:

adddays(utcNow('yyyy-MM-ddTHH:mm:ssZ'),-165)

Adding createdDateTime to the action, added the action in a new For each action.

We can add an additional condition to the action, to match the serial number to the display name. When this is also true, we can be quite certain this is a new device. If this is not true, the device has been enrolled in the past, but now isn’t anymore.

If you want to add this additional condition, add serialNumber in the left box, choose is equal to from the drop-down list and add displayName to the right field.

We have now filtered out all devices which are not enrolled and registered 165 or longer ago. We need to add this information to our Excel sheet. Before we can do this, we need to create a row of this information.
Add a Compose action under True with the below JSON in the Inputs field:

{
"serialNumber":,
"displayName":,
"enrollmentState":,
"groupTag":,
"manufacturer":,
"model":,
"createdDateTime":
}

Add the corresponding dynamic content values from the Filter array and get (AAD) device Parse JSON actions.

This is the Compose action.

With an Add a row action (another Excel action) we will add the output from the compose action to the Excel sheet.

As Location select the SharePoint site and select the Document library.
Add Id from the Create file action in the File field.
Enter the Table name and add Outputs from the last compose action to the Body field.

The devices are now all added to the Excel sheet which is stored on SharePoint.
To send the sheet via email, the below steps are needed.

Close the For each actions. First, we add a Delay action, which is a Schedule action.
We add this action as without a short delay in the flow, we could miss some rows.

With need to retrieve the file content from the file which now is stored on SharePoint, this is done with a Get file content action.

Select the Site address and enter ID from the Create file action as File identifier.

And as the last action, we add the action to send the email, with the Excel sheet as an attachment.
Sign in with your (service) account which has permissions on the mailbox.

Enter an email address for the sender and recipient. Add a subject and some text to the body.

Choose Add new parameter and select Attachments so we can add the attachment to the email. Add Name from the Create file action and add File content from the Get file content action.

And our flow is ready to provide you with an overview of the devices.

End result

The end result is we get a weekly overview on our mailbox, with an overview of the not enrolled Windows Autopilot devices which are near the 180 days ago registration date.

That’s it for this post. If we receive more information from Microsoft and the flow needs to be changed because of this, I’ll update the flow and post.

Be the first to comment

Leave a Reply

Your email address will not be published.


*