Run Windows Update during Pre-provisioning only.

01-01-2024 UPDATE! This script does not work anymore after Microsoft made some changes on how the the ESP works :/. But I will leave it here in case someone can find inspiration in the solution.

Intro:

In the environment I’m currently working in, we are transitioning from a classic On-prem Configuration Manager environment to a pure cloud Intune/AADJ environment. This is done by Autopilot registering all exisiting devices and having users reset and enroll their devices. New user or users who are replacing their “old” device are receiving a Pre-provisioned device.

During this process we have experienced some issues (who haven’t ^^) mostly due to missing drivers or missing Windows Updates especially during Pre-provisioning. This is due to the many different states a device can have prior to being Pre-provisioned. A few examples:

• Devices taken from storage with OEM image can have different versions of Windows OS installed depending on when the batch were delivered.
  * Drivers usually ok
  * Windows OS rarely up-to-date.
• Devices that has been setup with with a classic Configuration Manager image (then reset and enrolled).
  * Drivers usually ok
  * Windows OS up-to-date
• Devices with a fresh Windows OS image installed from a USB
  * Drivers never ok
  * Windows OS sometimes up-to-date

I wanted to ensure that all devices Pre-provisioned by our hardware vendor and/or support staff, had run a cycle of Windows Update to ensure that the latest Quality updates, Feature updates and Drivers were installed on the device prior to being handed out to the end-users. This primarily serves three purposes.

1. Ensure the devices are as up-to-date as it can possible be before being handed out to the user.
2. Ensure that critical drivers such as WiFi and mousepad are installed and working when the user receives the device.
3. No administrative overhead for the IT department

Running Windows Update does add time to the enrollment process though and I was not interested in adding additional time to the enrollment process during a full user enrollment (recall the reset and enroll procedure for existing users above?). But during Pre-provisioning it’s not a problem adding 5-20 minutes (depending on the OS state) more to the preperation time to ensure that the device is fully operational when handed out the end-users.

Solution:

To get the solution up and running I needed 2 things.

1. A way to trigger Windows Update during Enrollment. This is where Michael Niehaus script came to very good use: https://oofhours.com/2019/10/29/installing-windows-updates-during-a-windows-autopilot-deployment/
2. And then a way to detect if the device is running in Pre-provisioning mode. This is where Rudy Ooms came to the rescue: https://call4cloud.nl/2022/09/foouser-meets-the-cosmic-autopilot-user/

With the above script and knowledge I were able to create a PowerShell script that did exactly what I wanted.

The PowerShell script was wrapped as an .intunewin package and uploaded to Intune as a Win32 App. The Win32 App is then assigned as required to all devices and set as required during the ESP to ensure execution during the device enrollment phase.

When the script runs it does the following:

1. Creates a generic file which is used as a detection method for the Win32 App in “%ProgramData%\Microsoft\UpdateOS\UpdateOS.ps1.tag”
2. A log file created in the %ProgramData%\Microsoft\IntuneManagementExtension\Logs directory so it can be extracted with the”Collect Diagnostics” commands.
3. Searches for any instance of “UPN=fooUser@<YourDomain>.com” under the registry key HKLM\Software\Microsoft\Enrollments\
4. If it does not find the fooUser registry entry above, it just exits as seen below. And the enrollment continues as if nothing has happend.

4. If it however does find the fooUser in the registry, it will look something like this.

5. The script will then trigger Windows Update to run. You can keep an eye on the log file for progress.
6. When done, it will reboot the device and the enrollment will continue where it left off.

You can find the script “UpdateOS.ps1” on my Github page:
https://github.com/aknotronic/epmstuff

Make sure to update line “61” with your domain name (i.e.: “epmstuff.onmicrosoft.com”).

Notes:

1. Note that any configured “Feature updates for Windows 10 and later” policies, are being ignored. This means you will always get the latest available Feature update installed on the device.
   * Edit: 28-12-2022: You can add the following parameter to the Get-WindowsUpdate command in line “81” to disable Feature updates from being installed: -NotCategory “Upgrades”
2. Driver updates are not listed in the log file unfortunately, but most of them are installed none the less.
3. Note that some drivers and software will not be installed until the second or third Windows Update cycle. This script only runs the cycle once.
4. * Edit: 09-01-2023: I have not tested this scenario, but it is worh mentioning that the foouser is also present on devices that are Hybrid joined and then enrolled into intune via group policy (Even when set to use user credentials) – so if you have this app targeted to all devices, it could trigger windows update to run on them as well (Credits to Dando).