Rock Enroll Tool

The idea of this tool was born when I released my latest tool, and I realized that I have created a lot of them. And I thought to myself: it is time to forge them all into one precious…… tool 😉

Use this tool and you will soon consider it better than second breakfast by being your close-by friend whenever you need to do tasks such as rebooting a W365 cloudPC, sync all devices or when you get a call from a user in dire need of the Bitlocker key (and much more).
New features will be added over time, so make sure to always run the latest version 😃

Disclaimer

❗As always: I recommend that you familiarize yourself with the tool in a lab tenant before usage in production environments.

The Tool is provided “AS IS” with no warranties.

Rock Enroll Tool: Expectations

Administrators can expect a faster and funnier way to do common Intune activities and the sassy colors are here to stay (that is a promise).

Rock Enroll Tool: Accessibility

I have done my best to make the tool including and accessible. The buttons are big, easy to click, support touch screens and the colors are high contrast. Please send me any feedback to make the tool even more accessible.

Rock Enroll Tool: Demo

Here follows demos that describes each functionality of the tool.

Rock Enroll Tool: Connect

Easily connect to your tenant by the click of a button. The tenant and app info are loaded from config.txt

Connect tab in action

Rock Enroll Tool: Quick Info

The Quick Info tab collects info from different places throughout our tenant and presents them in a single view. This tab is in-development and changes are expected in upcoming versions.

Quick info tab in action

Rock Enroll Tool: Win32 App Wrap

This tab will make it easier to wrap our apps into .intuneWin.

W32 App Wrap tab in action

Rock Enroll Tool: Device Management

The device management tab allows us to find all devices related to a specific user. This is helpful when we have a user on the phone or face-to-face and we must find a specific device as soon as possible. No more device miscommunicated device names over the phone! 😅
Now that we have identified the correct device, we can run actions such as sync, restart, or autopilot reset.
✅Confirm the action by checking the corresponding checkbox!

The tool currently supports the following operating systems/form factors. More to come!

  • Windows 10/11
  • Windows 365
  • Android
  • macOS
Device Management tab in action

Rock Enroll Tool: Device Sync

Use the device sync tab to sync all devices of a specific OS. This is extra helpful after we have made an important change that we want to push ASAP.

The tool currently supports following operating systems/form factors. More to come!

  • Windows 10/11
  • Android
  • iOS
  • iPadOS
Device Sync tab in action

Rock Enroll Tool: Autopilot Hash

The good old Autopilot Tool has gotten itself a glow up 🤩The Autopilot Hash tab allows us to upload the hardware hash ID to the Windows Autopilot service with ease. Optionally add a tag and click “Upload”, easy as that!

Autopilot Hash tab in action

Rock Enroll Tool: Bitlocker

The Bitlocker tab allows us to fetch the Bitlocker key from AD or AAD. It makes for a better admin experience as we do not need to cross-reference different systems to get the job done. Having the possibility to get the key from both AD and AAD from a single tool makes the transition from AD to Azure AD easier.

Start off by picking either AD or AAD as the location and just provide the computer name to get the key.
✅Pro tip! If you have a user on the phone who needs the key: search the UPN, pick the right device and click the copy button.

Bitlocker tab in action

OK! Now that we know what the tool is all about…

…. how do we get started? – It is easy, just follow the rest of this post and you will have the tool running in no-time 😃

Prerequisites

We need to take care of some prerequisites before we can start using the tool.
❗Install RSAT if you want to collect Bitlocker keys from AD.

Prerequisite: Permissions

The user running the tool will need to have atleast:
BitlockerKey.Read.All
Read BitLocker keys
CloudPC.ReadWrite.All
Device.Read.All
DeviceManagementConfiguration.Read.All
DeviceManagementConfiguration.ReadWrite.All
DeviceManagementManagedDevices.PrivilegedOperations.All
DeviceManagementManagedDevices.ReadWrite.All
DeviceManagementServiceConfig.Read.All
DeviceManagementServiceConfig.ReadWrite.All
Directory.Read.All
User.ReadWrite.All

Prerequisite: Install MSAL.PS module

  1. Run: PowerShell as admin
  2. Run: Install-Module MSAL.PS -Force

Prerequisites: Enable RSAT (optional)

  1. Run below in PowerShell as admin
  2. Install ADDS RSAT featureAdd-WindowsCapability -Online -Name ‘Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0’
  3. Install Bitlocker RSAT feature: Add-WindowsCapability -Online -Name ‘Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0’

Prerequisites: Register the app

We will use an Azure registered app with delegated permissions to execute our MS Graph calls against. Please note that the app itself cannot do changes beyond these permissions even if the user running the tool has more permissions, and the other way around. The next steps cover how to create the app and delegate the appropriate permissions.

  1. You will need either Global Administrator or Application Administrator to register the app in Azure
  2. Navigate to: https://portal.azure.com
  3. ClickAzure Active Directory
  4. ClickApp registrations
  5. ClickNew registration
  6. Name: I will use ‘Demo-Graph‘, but you may name the app differently (What about “Rock Enroll App”?)
  7. Supported account typesAccounts in this organizational directory only
  8. Redirect URI (Select a platform)Public client/native (mobile and desktop)
  9. Redirect URI (URL)https://login.microsoftonline.com/common/oauth2/nativeclient
  10. ClickRegister
  11. Save the Application (client) ID in notepad, we will need it later
  12. ClickAPI Permissions
  13. ClickMicrosoft Graph
  14. ClickDelegated permissions
  15. Search for and mark:
    1. BitlockerKey.Read.All
    2. Read BitLocker keys
    3. CloudPC.ReadWrite.All
    4. Device.Read.All
    5. DeviceManagementConfiguration.Read.All
    6. DeviceManagementConfiguration.ReadWrite.All
    7. DeviceManagementManagedDevices.PrivilegedOperations.All
    8. DeviceManagementManagedDevices.ReadWrite.All
    9. DeviceManagementServiceConfig.Read.All
    10. DeviceManagementServiceConfig.ReadWrite.All
    11. Directory.Read.All
    12. User.ReadWrite.All
  16. ClickAdd permissions
  17. ClickGrant admin consent for
  18. ClickYes
  19. Make sure that the permissions have been granted accordingly
  20. Now navigate to https://portal.azure.com/
  21. ClickAzure Active Directory
  22. Save the Tenant ID in notepad, we will need it later.

Let’s go!

Download

The Rock Enroll Tool is downloaded from my Github. All new versions will be added to the “releases” section.

  1. Download link: https://github.com/NicklasAhlberg/RockEnrollTool
  2. Find latest version from the releases section
  3. Extract the content and open config.txt
  4. Add your tenant and clientID (from Notepad), save and close config.txt (leave domain and defaultTag).
  5. Run the tool, sign in and have fun!

9 thoughts on “Rock Enroll Tool

    1. Hi, thanks for reaching out! The downloadable content is found to the right in the “Releases” section. Hope it helps!

      Br

      Nicklas Ahlberg

      1. Hi, this fantastic tool, can i get the source code please.? and can we use it with company logo change internally

        1. Hi Vijay, thanks for reaching out. I will send you the source to you in an email.

          Best regards

          Nicklas Ahlberg

  1. Can i get the source code/PowerShell scripts please.? i see the code is embedded in an EXE file, would help if we get the source code so that we can customize as per our requirements.

    1. Hi Vijay, thanks for reaching out. I will send you the source to you in an email.

      Best regards

      Nicklas Ahlberg

  2. Ich würde wenn es noch möglich wäre den Code benötigen für Firmenanpassung.
    Beste Grüße

Leave a Reply to Vijay Cancel reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.