Device Enrollment Manager to enroll Hybrid AAD device into Autopilot error

Robert Sudbury 21 Reputation points

Two part question.

Part 1. We've enrolled our AD machines into Intune using GPO. The devices show up in Intune, and we can manage them, but they never appeared in Autopilot.

A single line from what I've dug up in MS docs tells me that Autopilot IDs will not autopopulate for Hybrid AAD machines, but ... shouldn't they?

Part 2. As the Intune Administrator, I am able to harvest an Autopilot ID and immediately upload it using

"Get-WindowsAutopilotInfo -online -grouptag group -addtogroup group"

I want my Device Enrollment Managers to be able to do the same, without granting them extra permissions to do anything else.

Harvest the ID
Upload the ID
Assign the GroupTag to the device's Autopilot ID
Assign the device to the specific security group

Currently, errors ...

Firstly, Microsoft Intune PowerShell AADSTS50105, so I added the user to the Enterprise Applications Microsoft Intune PowerShell and Microsoft Graph PowerShell.

The DEM user can run the command, log in with their AAD account, supporting scripts are downloaded etc., but then:

"Connected to Intune tenant ..."
"Connected to Azure AD tenant ..."
"Gathered details for device with serial number ..."
"Add-AutopilotImportedDevice : System.Net.Http.HttpRequestException: 401 Unauthorized" ... and more
"At C:\Program Files\WindowsPowerShell\Scripts\Get-WindowsAutoPilotInfo.ps1:331 char:17" ... "Write-Error, WriteErrorException"

What am I missing?
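One way to give a DEM the "harvest" step without any Graph permissions at all is to split the two halves of Get-WindowsAutopilotInfo: collect the hardware hash locally into a CSV on the device, and let an account that already holds the Enrollment programs permissions do the upload. The script below is an added example, not the question's command or Microsoft's script; it assumes it is run elevated on the Windows device being registered, and the CSV column names follow the documented Intune Autopilot import layout (the output path and the group tag value are placeholders).

```powershell
# Added example (not from the original question or answer): harvest the
# Autopilot hardware hash locally, with no cloud sign-in, and write the CSV
# that the Intune Autopilot device import expects. A DEM runs this on the
# device; an admin who already holds the "Enrollment programs" permissions
# imports the file, so the DEM needs no Graph rights of their own.
# Assumptions: run as administrator on the device; CSV header follows the
# documented Intune import format.
param(
    [string]$GroupTag   = 'group',                       # same tag as in the question
    [string]$OutputFile = "$env:TEMP\AutopilotHWID.csv"  # constructed path
)

# Serial number from SMBIOS (this is what appears as the Autopilot device identity)
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# OA3 product key if the OEM provisioned one; empty otherwise
$productKey = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey

# The hardware hash is exposed through the MDM bridge WMI provider; reading it needs elevation
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
    throw 'Could not read the hardware hash; run elevated on a supported Windows build.'
}
$hash = $devDetail.DeviceHardwareData

# Build the row in the import layout. Export-Csv quotes every field, which the
# importer accepts, so a serial number containing a comma is still safe.
$row = [pscustomobject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = $productKey
    'Hardware Hash'        = $hash
    'Group Tag'            = $GroupTag
}
$row | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding ASCII

# Sanity checks the DEM can do before handing the file over: exactly one data
# row, and a hash long enough to be real (it is several KB when base64-encoded).
$lines = Get-Content -Path $OutputFile
if ($lines.Count -ne 2 -or $hash.Length -lt 1000) {
    throw "Unexpected CSV contents in $OutputFile"
}
Write-Host "Wrote hardware hash for serial '$serial' (group tag '$GroupTag') to $OutputFile"
```

The admin then imports the CSV through the Autopilot devices import in the Intune admin center; the group tag travels with the row, so the device lands in the tag-based dynamic group without the DEM ever holding a permission that could be used for anything beyond reading the device's own hardware identity.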

  1. Crystal-MSFT 40,706 Reputation points Microsoft Vendor

    @Robert Sudbury, in fact this is normal behavior: an enrolled device will not show under Autopilot devices. The Autopilot device is one part of the Windows Autopilot registration process. In general, the hardware hash captured from existing devices can be uploaded in the following ways:

    • Microsoft Intune.
    • Partner Center.
    • Microsoft 365 Business & Office 365 Admin.
    • Microsoft Store for Business.

    Registration can also be performed within your organization by collecting the hardware identity from new or existing devices and uploading it manually. If devices meet certain requirements, they can also be configured for automatic registration with Windows Autopilot. We can see more details in the following link:

    For the error with the DEM account, it seems the issue is with permissions. The official article mentions that Autopilot device management requires that you enable all permissions under Enrollment programs. Here is the link for reference:

    Please grant the permission and see if it works. Hope it can help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.