New-ProvisioningPackage.ps1

# ------------------------------------------------------------------------------
# File: New-AADJoinPackage.ps1
# Author: Michael Niehaus
#
# Description:
# A sample script to generate a provisioning package that can be used to join
# one or more devices to an Azure AD tenant (AAD join). This uses the
# AADInternals module, available on the PowerShell Gallery, as well as the
# ICD.EXE tool from the Windows 10/11 ADK.
#
# Provided as-is with no support. See https://oofhours.com for related
# information.
# ------------------------------------------------------------------------------
[CmdletBinding()]
param(
    [Parameter(ValueFromPipeline = $True,Position = 0)]
    [String]$PackageName = "Join-AzureAD"
)

$package_GUID = New-Guid
# Make sure NuGet is installed
$provider = Get-PackageProvider -Name NuGet -ErrorAction Ignore
if (-not $provider) {
    Find-PackageProvider -Name NuGet -ForceBootstrap -IncludeDependencies
}

# Import the AADInternals module, installing if necessary
$module = Import-Module AADInternals -PassThru -ErrorAction Ignore
if (-not $module) {
    Install-Module -Name AADInternals -RequiredVersion 0.8.0 -Force
    Import-Module AADInternals -Force
}

# Get the access token
$null = Get-AADIntAccessTokenForAADGraph -Resource urn:ms-drs:enterpriseregistration.windows.net -SaveToCache

# Create a new BPRT (bulk token/bulk PRT)
$bprt = New-AADIntBulkPRTToken -Expires ((Get-Date).AddDays(179))

# Generate the customizations xml file
$xml = @"
<?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizations>
    <PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
        <ID>{$package_GUID}</ID>
        <Name>$PackageName</Name>
        <Version>1.4</Version>
        <OwnerType>OEM</OwnerType>
        <Rank>0</Rank>
        <Notes></Notes>
    </PackageConfig>
    <Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
        <Customizations>
            <Common>
                <Accounts>
                    <Azure>
                        <Authority>https://login.microsoftonline.com/common</Authority>
                        <BPRT>$bprt</BPRT>
                    </Azure>
                    <ComputerAccount>
                        <ComputerName>HUB-%SERIAL%</ComputerName>
                    </ComputerAccount>
                </Accounts>
                <OOBE>
                    <Desktop>
                        <HideOobe>True</HideOobe>
                    </Desktop>
                </OOBE>
                <Policies>
                    <ApplicationManagement>
                        <AllowAllTrustedApps>Yes</AllowAllTrustedApps>
                    </ApplicationManagement>
                </Policies>
            </Common>
        </Customizations>
    </Settings>
</WindowsCustomizations>
"@
$xml | Out-File "$FileName.xml" -Encoding UTF8 -Force

# Find the ADK and ICD.exe
if (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Kits\Installed Roots') {
    $kitsRoot = Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Kits\Installed Roots' -Name KitsRoot10
} elseif (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows Kits\Installed Roots') {
    $kitsRoot = Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows Kits\Installed Roots' -Name KitsRoot10
} else {
    Write-Error "ADK is not installed."
    return
}

$icdPath = "$kitsRoot\Assessment and Deployment Kit\Imaging and Configuration Designer\x86"
$icdExe = "$icdPath\ICD.exe"
$icdStoreCommon = "$icdPath\Microsoft-Common-Provisioning.dat"
$icdStoreDesktop = "$icdPath\Microsoft-Desktop-Provisioning.dat"

if (-not (Test-Path "$icdPath\ICD.exe")) {
    Write-Error "ICD.exe not found."
    return
}

# Generate the PPKG
& "$icdExe" /Build-ProvisioningPackage /CustomizationXML:${FileName}.xml /PackagePath:${FileName}.ppkg /StoreFile:"""${icdStoreDesktop}""","""${icdStoreCommon}"""

Remove-Variable -Name package_GUID,provider,module,user,bprt,xml,kitsroot,icdPath,icdExe,icdStoreCommon,icdStoreDesktop -Force