Introduction
In my previous post , we explored the setup process of Windows Autopilot Device Preparation (WADP), highlighting its simplified enrollment procedure without the need for hardware hashes. Now, as a follow-up, we’ll delve into using the Microsoft Graph API to set up and manage WADP more efficiently.
We’ll start by identifying the necessary Graph API calls to retrieve existing WADP profiles and how to determine the required API calls and payloads to create new profiles. Following this, we’ll guide you through setting up an App Registration with the needed permissions using Graph Explorer. This step ensures that our application can make the appropriate API calls. Finally, we will demonstrate using these API calls within a PowerShell script to retrieve and create WADP profiles, providing a streamlined and automated approach to managing your Windows devices.
By the end of this post, you’ll have a solid understanding of how to manage WADP through the Microsoft Graph API.
Retrieving Graph API Calls
To see what API calls are being made in the Intune portal, we need to use developer tools. In this example, I’ll use Microsoft Edge:
- Open Edge and press F12 to open the DevTools.
- Click on the Network tab.
- Log in to Intune.
- Navigate to Devices > Windows > Enrollment > Windows Autopilot Device Preparation.
- Clear the network list.
- Click Refresh on the WADP profile page.
Now you can find the API call used to list the WADP profiles in the network list. This shows which endpoint the portal uses and which HTTP method it calls it with, which is what you need to reproduce the call yourself.
List of API Calls used in the portal
Since I have already collected the API calls, here is the list of calls used to get all the profiles and the settings linked to them:
### Api Call to collect all WADP Profiles ###
https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$select=id,name,description,platforms,lastModifiedDateTime,technologies,settingCount,roleScopeTagIds,isAssigned,templateReference,priorityMetaData%20&$top=100%20&$filter=(technologies%20has%20%27enrollment%27)%20and%20(platforms%20eq%20%27windows10%27)%20and%20(TemplateReference/templateId%20eq%20%2780d33118-b7b4-40d8-b15f-81be745e053f_1%27)%20and%20(Templatereference/templateFamily%20eq%20%27enrollmentConfiguration%27)
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies(id,name,description,platforms,lastModifiedDateTime,technologies,settingCount,roleScopeTagIds,isAssigned,templateReference,priorityMetaData)",
"@odata.count": 1,
"value": [
{
"id": "ad557acf-1f4e-4509-80c3-b10918a812d4",
"name": "WADP DEMO",
"description": "",
"platforms": "windows10",
"lastModifiedDateTime": "2024-06-04T12:56:48.3116932Z",
"technologies": "enrollment",
"settingCount": 10,
"roleScopeTagIds": [
"0"
],
"isAssigned": true,
"templateReference": {
"templateId": "80d33118-b7b4-40d8-b15f-81be745e053f_1",
"templateFamily": "enrollmentConfiguration",
"templateDisplayName": "Device Preparation",
"templateDisplayVersion": "Version 1"
},
"priorityMetaData": {
"priority": 1
}
}
]
}
### Api Call to Collect Settings of WADP profiles ###
https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('[WADP ID]')?$expand=settings
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies(settings())/$entity",
"createdDateTime": "2024-06-04T12:56:48.3116932Z",
"creationSource": null,
"description": "",
"lastModifiedDateTime": "2024-06-04T12:56:48.3116932Z",
"name": "WADP DEMO",
"platforms": "windows10",
"priorityMetaData": null,
"roleScopeTagIds": [
"0"
],
"settingCount": 10,
"technologies": "enrollment",
"id": "ad557acf-1f4e-4509-80c3-b10918a812d4",
"templateReference": {
"templateId": "80d33118-b7b4-40d8-b15f-81be745e053f_1",
"templateFamily": "enrollmentConfiguration",
"templateDisplayName": "Device Preparation",
"templateDisplayVersion": "Version 1"
},
"settings@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies('ad557acf-1f4e-4509-80c3-b10918a812d4')/settings",
"settings": [
{
"id": "0",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_deploymentmode",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "5180aeab-886e-4589-97d4-40855c646315"
},
"choiceSettingValue": {
"value": "enrollment_autopilot_dpp_deploymentmode_0",
"settingValueTemplateReference": {
"settingValueTemplateId": "5874c2f6-bcf1-463b-a9eb-bee64e2f2d82",
"useTemplateDefault": false
},
"children": []
}
}
},
{
"id": "1",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_deploymenttype",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "f4184296-fa9f-4b67-8b12-1723b3f8456b"
},
"choiceSettingValue": {
"value": "enrollment_autopilot_dpp_deploymenttype_0",
"settingValueTemplateReference": {
"settingValueTemplateId": "e0af022f-37f3-4a40-916d-1ab7281c88d9",
"useTemplateDefault": false
},
"children": []
}
}
},
{
"id": "2",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_jointype",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "6310e95d-6cfa-4d2f-aae0-1e7af12e2182"
},
"choiceSettingValue": {
"value": "enrollment_autopilot_dpp_jointype_0",
"settingValueTemplateReference": {
"settingValueTemplateId": "1fa84eb3-fcfa-4ed6-9687-0f3d486402c4",
"useTemplateDefault": false
},
"children": []
}
}
},
{
"id": "3",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_accountype",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "d4f2a840-86d5-4162-9a08-fa8cc608b94e"
},
"choiceSettingValue": {
"value": "enrollment_autopilot_dpp_accountype_0",
"settingValueTemplateReference": {
"settingValueTemplateId": "bf13bb47-69ef-4e06-97c1-50c2859a49c2",
"useTemplateDefault": false
},
"children": []
}
}
},
{
"id": "4",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_timeout",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "6dec0657-dfb8-4906-a7ee-3ac6ee1edecb"
},
"simpleSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
"value": 60,
"settingValueTemplateReference": {
"settingValueTemplateId": "0bbcce5b-a55a-4e05-821a-94bf576d6cc8",
"useTemplateDefault": false
}
}
}
},
{
"id": "5",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_customerrormessage",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "2ddf0619-2b7a-46de-b29b-c6191e9dda6e"
},
"simpleSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
"value": "Contact your oganization's support person for help.",
"settingValueTemplateReference": {
"settingValueTemplateId": "fe5002d5-fbe9-4920-9e2d-26bfc4b4cc97",
"useTemplateDefault": false
}
}
}
},
{
"id": "6",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_allowskip",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "2a71dc89-0f17-4ba9-bb27-af2521d34710"
},
"choiceSettingValue": {
"value": "enrollment_autopilot_dpp_allowskip_1",
"settingValueTemplateReference": {
"settingValueTemplateId": "a2323e5e-ac56-4517-8847-b0a6fdb467e7",
"useTemplateDefault": false
},
"children": []
}
}
},
{
"id": "7",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_allowdiagnostics",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "e2b7a81b-f243-4abd-bce3-c1856345f405"
},
"choiceSettingValue": {
"value": "enrollment_autopilot_dpp_allowdiagnostics_1",
"settingValueTemplateReference": {
"settingValueTemplateId": "c59d26fd-3460-4b26-b47a-f7e202e7d5a3",
"useTemplateDefault": false
},
"children": []
}
}
},
{
"id": "8",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_allowedappids",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "70d22a8a-a03c-4f62-b8df-dded3e327639"
},
"simpleSettingCollectionValue": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
"settingValueTemplateReference": null,
"value": "{\"id\":\"85b74d79-9e57-4bf3-92bc-a2b8d8af3be8\",\"type\":\"#microsoft.graph.winGetApp\"}"
}
]
}
},
{
"id": "9",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_allowedscriptids",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "1bc67702-800c-4271-8fd9-609351cc19cf"
},
"simpleSettingCollectionValue": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
"settingValueTemplateReference": null,
"value": " "
}
]
}
}
]
}
### Retrieve Just in time Configuration ###
https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('[WADP ID]')/retrieveJustInTimeConfiguration
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#microsoft.graph.deviceManagementConfigurationJustInTimeAssignmentPolicy",
"targetType": "entraSecurityGroup",
"target": [
"268399a0-0910-43b5-9499-91fd5843a8f2"
]
}
### Retrieve Assignments ###
https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('[WADP ID]')/assignments
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies('ad557acf-1f4e-4509-80c3-b10918a812d4')/assignments",
"value": [
{
"id": "ad557acf-1f4e-4509-80c3-b10918a812d4_8d522c83-acbf-413f-a103-0077c90440e8",
"source": "direct",
"sourceId": "ad557acf-1f4e-4509-80c3-b10918a812d4",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "8d522c83-acbf-413f-a103-0077c90440e8"
}
}
]
}
Graph API Permissions
First, go to the Graph Explorer and paste the initial Graph API URL into the input field. Next, click on the “Permissions” tab. Here, you will find the permissions required to access the data. You will see two types of permissions: read permissions and read-write permissions.
For our purposes, we will need read-write permissions because we plan to create profiles later on. In the next phase, we will create an app registration and assign the appropriate Graph permissions to the app.
How to Create an App Registration in the Azure Portal
Sign in to Azure Portal:
- Go to Azure Portal and sign in with your Azure account.
Navigate to Microsoft Entra ID:
- In the left-hand navigation pane, click on “Microsoft Entra ID”.
Access App Registrations:
- In the Microsoft Entra ID pane, click on “App registrations”.
Create a New Registration:
- Click on the “New registration” button at the top of the App registrations pane.
Fill in the Registration Details:
- Name: Enter a meaningful name for your application. This can be anything that helps you identify the app.
- Supported Account Types: Select the type of accounts that can use the application: Accounts in this organizational directory only (single tenant).
- Redirect URI (optional): leave blank.
Register the Application:
- Click on the “Register” button to create the app registration.
Configure API Permissions:
- After the app is registered, you will be redirected to the application’s overview page.
- In the left-hand menu, click on “API permissions”.
- Click on “Add a permission” and choose the Microsoft Graph API.
- Select the permissions your app requires. For read-write operations, make sure to select the appropriate Delegated permissions. (I’m using delegated permissions instead of application permissions so we don’t need to use a client secret in my script and can just log in via an interactive login.)
- Select the following permissions:
  - DeviceManagementConfiguration.ReadWrite.All
  - APIConnectors.ReadWrite.All
Grant Admin Consent:
- Click on the “Grant admin consent for [Your Organization]” button.
Authentication settings
Under “Authentication” in the app registration, set “Allow public client flows” to Yes. The device code flow the script uses below is a public client flow, and the sign-in is refused without this setting.
PowerShell Script
On my GitHub page you will be able to view my full script.
Functions & Modules
Importing Module
- MSAL.PS Module: Import the MSAL.PS module, which provides functions for authentication with the Microsoft identity platform.
- Az Module: Import the Az module. This module is used to retrieve the tenant ID; you could also fill it in manually.
Function: Get-GraphAPIAccessToken
- Purpose: Retrieves an access token for Microsoft Graph API using device code flow.
- Parameters:
  - $tenantId: The tenant ID of the Azure AD tenant.
  - $clientId: The client ID of the Azure AD application.
- Process:
  - Defines the required scopes.
  - Uses Get-MsalToken to initiate the device code flow and retrieve the token.
  - Returns the access token.
Function: Get-GraphData
- Purpose: Retrieves data from Microsoft Graph API using GET method.
- Parameters:
  - $graphToken: The access token for authorization.
  - $url: The URL endpoint of the Graph API.
- Process:
  - Sets up the authorization header.
  - Implements a retry mechanism for handling transient errors.
  - Loops to handle paginated results if ‘@odata.nextLink’ is present.
Function: Post-GraphData
- Purpose: Posts new data to Microsoft Graph API using POST method.
- Parameters:
  - $graphToken: The access token for authorization.
  - $url: The URL endpoint of the Graph API.
  - $body: The JSON body content for the POST request.
- Process:
  - Sets up the authorization header.
  - Implements a retry mechanism for handling transient errors.
  - Sends the POST request to create new data.
Import-Module MSAL.PS
Import-Module Az.Accounts   # Az module; Connect-AzAccount is used further down to read the tenant ID

function Get-GraphAPIAccessToken {
    param (
        [Parameter(Mandatory=$true)]
        [string]$tenantId,
        [Parameter(Mandatory=$true)]
        [string]$clientId
    )
    # Request every delegated Graph scope that was consented on the app registration
    $scopes = "https://graph.microsoft.com/.default"
    try {
        # Device code flow: MSAL prints a code and a sign-in URL, then waits until the user completes the login
        $tokenResponse = Get-MsalToken -ClientId $clientId -TenantId $tenantId -Scopes $scopes -DeviceCode
        return $tokenResponse.AccessToken
    }
    catch {
        Write-Error "Failed to get the access token: $_"
        return $null
    }
}
# Function to get data from Microsoft Graph API
function Get-GraphData {
    param(
        [Parameter(Mandatory=$true)]
        [string] $graphToken,
        [Parameter(Mandatory=$true)]
        [string] $url
    )
    # Graph expects the access token with the "Bearer" scheme; a bare token is rejected with 401
    $authHeader = @{
        'Authorization' = "Bearer $graphToken"
        'Content-Type'  = 'application/json'
    }
    $retryCount = 0
    $maxRetries = 3
    $retryStatusCodes = @(429, 503)   # Too Many Requests and Service Unavailable are transient and safe to retry
    $defaultBackoffSeconds = 10       # used when the response carries no Retry-After header
    $results = @()
    # Loop to handle retries
    while ($retryCount -le $maxRetries) {
        try {
            do {
                # Send GET request to Microsoft Graph API
                $response = Invoke-WebRequest -Uri $url -Method Get -Headers $authHeader -UseBasicParsing
                $pageResults = $response.Content | ConvertFrom-Json
                $retryCount = 0
                # Keep this page and follow @odata.nextLink until the last page is reached
                $results += $pageResults
                if ($null -ne $pageResults.'@odata.nextLink') {
                    $url = $pageResults.'@odata.nextLink'
                } else {
                    return $results
                }
            } while ($pageResults.'@odata.nextLink')
        } catch {
            $statusCode = [int]$_.Exception.Response.StatusCode
            if ($statusCode -in $retryStatusCodes) {
                $retryCount++
                $retryAfter = [int]($_.Exception.Response.Headers.'Retry-After')
                $sleepcount = if ($retryAfter) { $retryAfter } else { $retryCount * $defaultBackoffSeconds }
                Write-Warning "API call returned error $statusCode. Retrying in $sleepcount seconds."
                Start-Sleep -Seconds $sleepcount
            } else {
                Write-Error "$($_.Exception)"
                return $null
            }
        }
    }
    Write-Warning "Max retry attempts reached."
    return $null
}
# Function to post new data using POST method in Microsoft Graph API
function Post-GraphData {
    param(
        [Parameter(Mandatory=$true)]
        [string] $graphToken,
        [Parameter(Mandatory=$true)]
        [string] $url,
        [Parameter(Mandatory=$true)]
        [string] $body
    )
    # Graph expects the access token with the "Bearer" scheme; a bare token is rejected with 401
    $authHeader = @{
        'Authorization' = "Bearer $graphToken"
        'Content-Type'  = 'application/json'
    }
    $retryCount = 0
    $maxRetries = 3
    # Loop to handle retries
    while ($retryCount -le $maxRetries) {
        try {
            # Send POST request to Microsoft Graph API
            $response = Invoke-RestMethod -Uri $url -Method POST -Headers $authHeader -Body $body -ContentType "application/json"
            return $response
        } catch {
            $statusCode = [int]$_.Exception.Response.StatusCode
            if ($statusCode -eq 429) { # Too many requests
                $retryCount++
                $retryAfter = [int]($_.Exception.Response.Headers.'Retry-After')
                $sleepcount = if ($retryAfter) { $retryAfter } else { $retryCount * 10 } # Default backoff if Retry-After not available
                Write-Warning "API call returned error $statusCode. Too many requests. Retrying in $sleepcount seconds."
                Start-Sleep -Seconds $sleepcount
            } elseif ($statusCode -eq 503) { # Service unavailable
                $retryCount++
                $sleepcount = $retryCount * 10
                Write-Warning "API call returned error $statusCode. Service unavailable. Retrying in $sleepcount seconds."
                Start-Sleep -Seconds $sleepcount
            } else {
                Write-Error "API call returned error $statusCode. $($_.Exception.Message)"
                return $null
            }
        }
    }
    Write-Warning "Max retry attempts reached."
    return $null
}
Get your Graph Token
Fill in the client ID from the app registration we just created and run the code.
$session = Connect-AzAccount
$tenantId = $session.context.Tenant.id
$graphToken = Get-GraphAPIAccessToken -tenantId $tenantId -ClientId "FILL IN YOUR CLIENT ID"
Get WADP profiles with Graph API
- Retrieving WADP Profiles:
  - The script starts by retrieving Windows Autopilot Device Preparation (WADP) profiles using the Get-GraphData function with a specific filter.
  - It fetches configuration policies that are related to enrollment, specifically for the Windows 10 platform, and match a particular template ID and family.
- Retrieving WADP Profile Settings:
  - For each WADP profile ID retrieved, it constructs a URL to get the settings of that profile.
  - It then calls the Get-GraphData function to fetch the settings.
- Retrieving WADP Profile Assignments:
  - Similarly, for each WADP profile ID, it constructs a URL to get the assignments of that profile.
  - It uses the Get-GraphData function to fetch the assignments.
- Retrieving Just-In-Time Configuration:
  - For each WADP profile ID, it constructs a URL to retrieve the Just-In-Time configuration.
  - The Get-GraphData function is called to get this configuration data.
This script organizes and retrieves the details of WADP profiles, their settings, assignments, and Just-In-Time configurations from the Microsoft Graph API. If you export these profile settings, assignments, and Just-In-Time configurations to a JSON file, you have a backup of your configuration.
#Retrieving WADP Profiles & Settings
$wadpprofiles = (Get-GraphData -graphToken $graphToken -url "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?`$select=id,name,description,platforms,lastModifiedDateTime,technologies,settingCount,roleScopeTagIds,isAssigned,templateReference,priorityMetaData%20&`$top=100%20&`$filter=(technologies%20has%20%27enrollment%27)%20and%20(platforms%20eq%20%27windows10%27)%20and%20(TemplateReference/templateId%20eq%20%2780d33118-b7b4-40d8-b15f-81be745e053f_1%27)%20and%20(Templatereference/templateFamily%20eq%20%27enrollmentConfiguration%27)%20").Value
$wadpprofilessettings = $wadpprofiles.id | ForEach-Object {
$url = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($_)')?`$expand=settings"
Get-GraphData -graphToken $graphToken -url $url
}
$wadpprofileassignments = $wadpprofiles.id | ForEach-Object {
$url = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($_)')/assignments"
Get-GraphData -graphToken $graphToken -url $url
}
$wadpprofilejustintimeconfig = $wadpprofiles.id | ForEach-Object {
$url = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($_)')/retrieveJustInTimeConfiguration"
Get-GraphData -graphToken $graphToken -url $url
}
Creating WADP profiles with Graph API
The script sets the IDs for the Just-In-Time (JIT) security group and the user security group. It constructs a JSON body that defines a new configuration policy with the various device management settings, including the assignment of the Company Portal app to the policy. The script then posts this JSON body to the Microsoft Graph API to create the configuration policy. After creating the policy, it assigns the JIT configuration to the policy by targeting the JIT security group. Finally, it assigns the policy to the user security group using another POST request to the Microsoft Graph API.
#Creating WADP Profiles & Assignments
$justInTimeSecurityGroup = "FILL IN ID"
$UserSecurityGroup = "FILL IN ID"
$body = @"
{
"id": "00000000-0000-0000-0000-000000000000",
"name": "WADP_DEMO_GRAPH",
"description": "",
"settings": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"choiceSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
"children": [],
"settingValueTemplateReference": {
"settingValueTemplateId": "5874c2f6-bcf1-463b-a9eb-bee64e2f2d82"
},
"value": "enrollment_autopilot_dpp_deploymentmode_0"
},
"settingDefinitionId": "enrollment_autopilot_dpp_deploymentmode",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "5180aeab-886e-4589-97d4-40855c646315"
}
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"choiceSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
"children": [],
"settingValueTemplateReference": {
"settingValueTemplateId": "e0af022f-37f3-4a40-916d-1ab7281c88d9"
},
"value": "enrollment_autopilot_dpp_deploymenttype_0"
},
"settingDefinitionId": "enrollment_autopilot_dpp_deploymenttype",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "f4184296-fa9f-4b67-8b12-1723b3f8456b"
}
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"choiceSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
"children": [],
"settingValueTemplateReference": {
"settingValueTemplateId": "1fa84eb3-fcfa-4ed6-9687-0f3d486402c4"
},
"value": "enrollment_autopilot_dpp_jointype_0"
},
"settingDefinitionId": "enrollment_autopilot_dpp_jointype",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "6310e95d-6cfa-4d2f-aae0-1e7af12e2182"
}
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"choiceSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
"children": [],
"settingValueTemplateReference": {
"settingValueTemplateId": "bf13bb47-69ef-4e06-97c1-50c2859a49c2"
},
"value": "enrollment_autopilot_dpp_accountype_1"
},
"settingDefinitionId": "enrollment_autopilot_dpp_accountype",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "d4f2a840-86d5-4162-9a08-fa8cc608b94e"
}
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_timeout",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "6dec0657-dfb8-4906-a7ee-3ac6ee1edecb"
},
"simpleSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
"settingValueTemplateReference": {
"settingValueTemplateId": "0bbcce5b-a55a-4e05-821a-94bf576d6cc8"
},
"value": 90
}
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_customerrormessage",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "2ddf0619-2b7a-46de-b29b-c6191e9dda6e"
},
"simpleSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
"settingValueTemplateReference": {
"settingValueTemplateId": "fe5002d5-fbe9-4920-9e2d-26bfc4b4cc97"
},
"value": "Contact your organization's support person for help."
}
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"choiceSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
"children": [],
"settingValueTemplateReference": {
"settingValueTemplateId": "a2323e5e-ac56-4517-8847-b0a6fdb467e7"
},
"value": "enrollment_autopilot_dpp_allowskip_1"
},
"settingDefinitionId": "enrollment_autopilot_dpp_allowskip",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "2a71dc89-0f17-4ba9-bb27-af2521d34710"
}
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"choiceSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
"children": [],
"settingValueTemplateReference": {
"settingValueTemplateId": "c59d26fd-3460-4b26-b47a-f7e202e7d5a3"
},
"value": "enrollment_autopilot_dpp_allowdiagnostics_1"
},
"settingDefinitionId": "enrollment_autopilot_dpp_allowdiagnostics",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "e2b7a81b-f243-4abd-bce3-c1856345f405"
}
}
},
{
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_allowedappids",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "70d22a8a-a03c-4f62-b8df-dded3e327639"
},
"simpleSettingCollectionValue": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
"value": "{\"id\":\"85b74d79-9e57-4bf3-92bc-a2b8d8af3be8\",\"type\":\"#microsoft.graph.winGetApp\"}"
}
]
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance",
"settingDefinitionId": "enrollment_autopilot_dpp_allowedscriptids",
"settingInstanceTemplateReference": {
"settingInstanceTemplateId": "1bc67702-800c-4271-8fd9-609351cc19cf"
},
"simpleSettingCollectionValue": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
"value": " "
}
]
}
}
],
"roleScopeTagIds": [
"0"
],
"platforms": "windows10",
"technologies": "enrollment",
"templateReference": {
"templateId": "80d33118-b7b4-40d8-b15f-81be745e053f_1"
}
}
"@
$response = Post-GraphData -graphToken $graphToken -body $body -url "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"
$body = @"
{
"justInTimeAssignments": {
"targetType": "entraSecurityGroup",
"target": [
"$($justInTimeSecurityGroup)"
]
}
}
"@
Post-GraphData -graphToken $graphToken -body $body -url "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($response.id)')/assignJustInTimeConfiguration"
$body = @"
{
"assignments": [
{
"id": "",
"source": "direct",
"target": {
"groupId": "$($UserSecurityGroup)",
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterType": "none"
}
}
]
}
"@
Post-GraphData -graphToken $graphToken -body $body -url "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($response.id)')/assign"
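As an added example (not code from the original post or the author’s GitHub script), the following PowerShell round-trips one WADP profile through a JSON file: the export is the backup the retrieval section mentions, and the restore rebuilds a create body from that file and re-applies the JIT and group assignments with the same three POST calls used above. It assumes the post’s Get-GraphData and Post-GraphData functions are loaded with a valid $graphToken, and that Graph accepts the settingInstance objects returned by the expanded GET as-is inside a create body (the same shape as the hand-written body above); the Export-WadpProfile, ConvertTo-WadpCreateBody and Restore-WadpProfile names are mine.

```powershell
# Added example, not from the original post or its GitHub script.
# Assumes the post's Get-GraphData / Post-GraphData functions are loaded and $graphToken is set.
$GraphPolicies = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"

function Export-WadpProfile {
    param(
        [Parameter(Mandatory=$true)][string]$GraphToken,
        [Parameter(Mandatory=$true)][string]$ProfileId,
        [Parameter(Mandatory=$true)][string]$OutputFolder
    )
    $base = "$($GraphPolicies)('$ProfileId')"
    # The three reads the post walks through: expanded settings, assignments, JIT configuration
    $backup = [ordered]@{
        profile     = Get-GraphData -graphToken $GraphToken -url "$($base)?`$expand=settings"
        assignments = (Get-GraphData -graphToken $GraphToken -url "$base/assignments").value
        justInTime  = Get-GraphData -graphToken $GraphToken -url "$base/retrieveJustInTimeConfiguration"
    }
    if (-not $backup.profile.id) { throw "Profile $ProfileId could not be read." }
    # File name derived from the profile name; anything outside [A-Za-z0-9_-] is replaced
    $safeName = $backup.profile.name -replace '[^A-Za-z0-9_-]', '_'
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $path = Join-Path $OutputFolder "$safeName`_$ProfileId.json"
    # ConvertTo-Json defaults to -Depth 2, which would silently flatten the nested settings tree
    $backup | ConvertTo-Json -Depth 20 | Set-Content -Path $path -Encoding UTF8
    return $path
}

function ConvertTo-WadpCreateBody {
    param([Parameter(Mandatory=$true)]$ExportedProfile, [string]$NewName)
    # Server-managed properties from the GET (id, timestamps, settingCount, @odata.context,
    # per-setting ids) are dropped; only templateId is resent, as in the post's create body.
    $settings = foreach ($s in $ExportedProfile.settings) {
        [ordered]@{
            '@odata.type'   = '#microsoft.graph.deviceManagementConfigurationSetting'
            settingInstance = $s.settingInstance   # assumption: accepted unchanged by Graph
        }
    }
    $name = if ($NewName) { $NewName } else { $ExportedProfile.name }
    $body = [ordered]@{
        name              = $name
        description       = $ExportedProfile.description
        platforms         = $ExportedProfile.platforms        # windows10
        technologies      = $ExportedProfile.technologies     # enrollment
        roleScopeTagIds   = @($ExportedProfile.roleScopeTagIds)
        templateReference = @{ templateId = $ExportedProfile.templateReference.templateId }
        settings          = @($settings)
    }
    return ($body | ConvertTo-Json -Depth 20)
}

function Restore-WadpProfile {
    param(
        [Parameter(Mandatory=$true)][string]$GraphToken,
        [Parameter(Mandatory=$true)][string]$BackupPath,
        [string]$NewName
    )
    $backup  = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
    $body    = ConvertTo-WadpCreateBody -ExportedProfile $backup.profile -NewName $NewName
    $created = Post-GraphData -graphToken $GraphToken -body $body -url $GraphPolicies
    # Stop here rather than send assignments for a profile that was never created
    if (-not $created.id) { throw "Profile creation failed; no assignments were made." }
    $base = "$($GraphPolicies)('$($created.id)')"
    if ($backup.justInTime.target) {
        $jit = @{ justInTimeAssignments = @{ targetType = $backup.justInTime.targetType
                                             target     = @($backup.justInTime.target) } }
        Post-GraphData -graphToken $GraphToken -body ($jit | ConvertTo-Json -Depth 5) `
            -url "$base/assignJustInTimeConfiguration" | Out-Null
    }
    if ($backup.assignments) {
        # Group targets are reused from the backup; the old assignment ids belong to the old profile
        $assign = @{ assignments = @($backup.assignments | ForEach-Object {
            @{ id = ''; source = 'direct'; target = $_.target } }) }
        Post-GraphData -graphToken $GraphToken -body ($assign | ConvertTo-Json -Depth 5) `
            -url "$base/assign" | Out-Null
    }
    return $created.id
}

# Usage (profile id taken from the $wadpprofiles list retrieved earlier):
# $file = Export-WadpProfile -GraphToken $graphToken -ProfileId $wadpprofiles[0].id -OutputFolder .\wadp-backup
# Restore-WadpProfile -GraphToken $graphToken -BackupPath $file -NewName "WADP_DEMO_RESTORED"
```

Restoring into the same tenant creates a second profile with the same group targets, so give it a new name and check the priority order in the portal afterwards.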
Result
Once you have run the code in PowerShell to create the WADP (Windows Autopilot Device Preparation) profile, you have two options to verify that the profile was created:
- Using Graph APIs:
- Utilize the GET Graph APIs to check if the profiles have been created successfully. You can use the following API call to retrieve the list of WADP profiles:
$wadpprofiles = (Get-GraphData -graphToken $graphToken -url "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?`$select=id,name,description,platforms,lastModifiedDateTime,technologies,settingCount,roleScopeTagIds,isAssigned,templateReference,priorityMetaData%20&`$top=100%20&`$filter=(technologies%20has%20%27enrollment%27)%20and%20(platforms%20eq%20%27windows10%27)%20and%20(TemplateReference/templateId%20eq%20%2780d33118-b7b4-40d8-b15f-81be745e053f_1%27)%20and%20(Templatereference/templateFamily%20eq%20%27enrollmentConfiguration%27)%20").Value
Result ->
id : ad557acf-1f4e-4509-80c3-b10918a812d4
name : WADP DEMO
description :
platforms : windows10
lastModifiedDateTime : 04/06/2024 12:56:48
technologies : enrollment
settingCount : 10
roleScopeTagIds : {0}
isAssigned : True
templateReference : @{templateId=80d33118-b7b4-40d8-b15f-81be745e053f_1; templateFamily=enrollmentConfiguration; templateDisplayName=Device
Preparation; templateDisplayVersion=Version 1}
priorityMetaData : @{priority=1}
id : af92234e-18b0-43e8-b736-4930faa7622e
name : WADP_DEMO_GRAPH
description :
platforms : windows10
lastModifiedDateTime : 06/06/2024 20:42:50
technologies : enrollment
settingCount : 10
roleScopeTagIds : {0}
isAssigned : True
templateReference : @{templateId=80d33118-b7b4-40d8-b15f-81be745e053f_1; templateFamily=enrollmentConfiguration; templateDisplayName=Device
Preparation; templateDisplayVersion=Version 1}
priorityMetaData : @{priority=2}
- Checking in Intune Portal:
- Go to the Microsoft Endpoint Manager admin center (Intune Portal).
- Navigate to Devices > Windows > Windows enrollment > Windows Autopilot Device Preparation.
- On the WADP page, you should see your freshly created profile listed.
By following these steps, you can confirm that your WADP profile has been successfully created either programmatically via Graph APIs or visually through the Intune portal.
Conclusion
In this post, we explored how to create and manage Windows Autopilot Device Preparation profiles using PowerShell and Microsoft Graph APIs. We covered the necessary API calls, setting up an app registration in the Azure portal, and assigning the right permissions. After running the PowerShell scripts to create WADP profiles, we also discussed how to verify their creation using Graph APIs and the Intune portal.
By following these steps, you can automate your device provisioning process, ensuring consistency and efficiency across your organization. Thank you for reading, and happy deploying!