« Last post by ristst on May 10, 2024, 02:44 PM »
Hello all,
Background:
I work for a university, and we've onboarded our devices to Intune. We're a hybrid organization, and some of our onboarded devices are ADDS joined (desktops, servers), and some are not (laptops connecting via wireless). Our laptops were not licensed at the time of onboarding, and we now have a need to license them. I use Active Directory Based Activation, and it requires the devices to be domain joined, which the laptops are not. So I'd like to do this via Intune, and I imagine I may get some replies stating I'm trying to lower the river rather than raise the bridge. But if I could use a custom script in Intune I'd like to give it a shot, as it'll be good experience, which I can certainly use. But I won't deride any suggestions of how to do it differently; on the contrary, I always welcome good advice. I've made a good bit of progress but I still have a couple items to get straight. We need to assign the unlicensed (Windows) laptops with Windows 11 MAK licenses, and I believe a custom script in Intune will do the job. To be up front, I have around 12 years in Microsoft 365 and 5 years in Azure, but I'm a newbie in Intune.
Custom script:
I've begun building the custom script in Intune, and I did find one site where someone else was doing just this. The Remediation script should be straightforward, with not much more than using slmgr to apply a MAK license to unlicensed devices. It's the Detection script that I've been working on. I used some of the script I got from the one site I found, and I removed some of his code and added the code that points the output to a file. I logged into one on prem test device and ran the script locally. I haven't attempted this in the portal, as I'm not inclined to punch buttons without thorough testing. Just for grins I pointed the output to c:\temp\123.log on that device, and I tested it using both MAK and KMS successfully, with the logfile showing the correct values I expected to see. This is what I have for the Detection script so far:
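# The start of this line was cut off in the post; the query below is an assumed reconstruction.
$license = Get-CimInstance -ClassName SoftwareLicensingProduct | Where-Object {$_.PartialProductKey}
if ($license.description -like "*MAK*") {
    # Log locally and echo the result
    Add-Content -Path c:\temp\123.log -Value "MAK license found"
    Write-Output "MAK license found"
    exit 1   # Intune treats exit 1 from a Detection script as "issue detected" and runs Remediation
} else {
    Add-Content -Path c:\temp\123.log -Value "MAK license not found"
    Write-Output "MAK license not found"
    exit 0   # Intune treats exit 0 as "no issue", so Remediation does not run
}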
What I'd like to see would be a list of computer names along with their licensing status.
Questions:
First, am I looney for trying to do this in this manner? (lol) I wonder...! But the one site where an admin was doing this looked like a slick way to do it. He was removing a KMS key and replacing it with a MAK.
Second, how would I generate a list of the names of any laptops with no Windows activation? Is this even needed?
I was thinking I would then use this list to apply a scope tag to these unlicensed laptops. But the custom script requires both a Detection and a Remediation script, and the Remediation script would apply a license, unless I did something else with it. In the example I found on the one site, he used slmgr //b /ipk <product key>. I'm not sure what the //b does, so any assistance there is appreciated.
So am I on the right track here? Is a list of unlicensed computers necessary, or would I first apply the scope tag to the unlicensed laptops, and configure the Remediation script to apply the MAK licenses? It would be good to have an output of devices that were activated, or to see if it worked at all.
Thanks in advance for any replies or suggestions.
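
A Detection script along the lines the post asks about, reporting the computer name together with its Windows activation state; this is an added example, not part of the original post or of the site it mentions. It assumes that only LicenseStatus 1 counts as activated and that the per-device script output collected by Intune is where the list is read from; the function name and the output format are made up for illustration.

```powershell
# Added example, not the poster's script. Intune remediation convention:
# exit 1 = issue detected (Remediation script runs), exit 0 = nothing to do.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'  # ApplicationID of Windows
$StatusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
                  4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace' }

function Get-ActivationSummary {   # hypothetical helper name
    param(
        [string]$ComputerName,
        [object[]]$Products   # SoftwareLicensingProduct instances
    )
    # Keep only Windows entries that actually have a product key installed.
    $win = @($Products | Where-Object {
        $_.ApplicationID -eq $WindowsAppId -and $_.PartialProductKey })
    if ($win.Count -eq 0) {
        return [pscustomobject]@{ ComputerName = $ComputerName; Status = 'NoKeyInstalled'
                                  Channel = 'None'; NeedsRemediation = $true }
    }
    # If several keys are installed, report the licensed one first.
    $p = $win | Sort-Object { $_.LicenseStatus -ne 1 } | Select-Object -First 1
    # The Description text names the channel, e.g. "... VOLUME_MAK channel".
    $channel = switch -Regex ($p.Description) {
        'MAK'    { 'MAK'; break }
        'KMS'    { 'KMS'; break }
        'OEM'    { 'OEM'; break }
        'RETAIL' { 'Retail'; break }
        default  { 'Other' }
    }
    [pscustomobject]@{
        ComputerName     = $ComputerName
        Status           = $StatusNames[[int]$p.LicenseStatus]
        Channel          = $channel
        NeedsRemediation = ($p.LicenseStatus -ne 1)   # assumption: only 1 is compliant
    }
}

$products = Get-CimInstance -ClassName SoftwareLicensingProduct -ErrorAction Stop
$result = Get-ActivationSummary -ComputerName $env:COMPUTERNAME -Products $products
# One line per device: hostname;status;channel (the format is this example's choice).
Write-Output ('{0};{1};{2}' -f $result.ComputerName, $result.Status, $result.Channel)
if ($result.NeedsRemediation) { exit 1 } else { exit 0 }
```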