Windows Autopilot

I previously wrote a blog post on Autopilot many months ago, but since then a lot has changed, so I decided to re-write it from scratch. In the past you also had to use the Microsoft Store for Business in order to import your devices into the Autopilot service. You no longer need to do this, as it can now be done directly from the Intune portal. I am going to demonstrate what you would do if you were manually importing the devices into Autopilot using a CSV file containing the hardware hash information of the device. You can also request that your OEM automatically registers new devices in the Autopilot service for you (several OEMs support this today).

There are now two types of Autopilot profiles available:

User Driven
Self-Deploying (Used for Kiosk Devices)

Note that in order to use Self-Deploying mode the device must have a TPM 2.0 chip. The chip must also be physical, so you cannot test this scenario with a virtual machine.

At the time of writing the only join type available is Azure AD Joined. It was announced at Ignite last month that Hybrid Azure AD Join would also become an option, but this has not been released yet. What has been added is a great feature, “Convert all targeted devices to Autopilot”, which allows you to target all existing devices enrolled in Intune with an Autopilot profile; they are then automatically registered in the Autopilot service without the need to manually import the hardware hash of each device.

Steps to Using Autopilot:

The first step is to gather the hardware hash of the device you want to test this on. If it is a VM then you can only use User Driven mode. You can obtain the PowerShell script that extracts the hardware hash from a device from the following location: https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo/1.3

Once you have installed it you can run .\Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\Hash.csv
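As an added example (not code from the original post or from the Get-WindowsAutoPilotInfo script itself), the following PowerShell gathers the hash with the published script and then checks the resulting CSV before it is uploaded to Intune. It assumes the script is installed from the PowerShell Gallery with Install-Script and runs in an elevated session; the Test-AutopilotCsv function and the file path C:\Hash.csv are mine.

```powershell
# Added example: gather the Autopilot hardware hash for the local device and
# validate the CSV before importing it into Intune. Assumes an elevated session
# with PowerShellGet available (Install-Script) - these are my assumptions.

# Install the published script once, then run it (its parameter is -OutputFile).
Install-Script -Name Get-WindowsAutoPilotInfo -Force
Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\Hash.csv

# Several devices can be collected into one file by computer name; -Append adds
# to an existing CSV instead of overwriting it.
# Get-WindowsAutoPilotInfo.ps1 -Name PC01,PC02 -OutputFile C:\Hash.csv -Append

# Sanity-check the CSV before uploading: the Intune import expects these three
# columns, a non-empty serial number and a base64-encoded hardware hash.
function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)

    $expected = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No device rows found in $Path" }

    $columns = ($rows[0] | Get-Member -MemberType NoteProperty).Name
    foreach ($c in $expected) {
        if ($columns -notcontains $c) { throw "Missing column '$c' in $Path" }
    }

    $problems = @()
    foreach ($r in $rows) {
        if ([string]::IsNullOrWhiteSpace($r.'Device Serial Number')) {
            $problems += 'Row with an empty serial number'
            continue
        }
        try {
            # The hash is opaque, but it must at least decode as base64.
            [void][Convert]::FromBase64String($r.'Hardware Hash')
        } catch {
            $problems += "Serial $($r.'Device Serial Number'): hardware hash is not valid base64"
        }
    }

    # Flag serials listed more than once so they are sorted out before upload.
    $dupes = $rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1
    foreach ($d in $dupes) { $problems += "Serial $($d.Name) appears $($d.Count) times" }

    if ($problems) {
        $problems | ForEach-Object { Write-Warning $_ }
        return $false
    }
    Write-Host "$($rows.Count) device(s) in $Path look ready to import."
    return $true
}

Test-AutopilotCsv -Path C:\Hash.csv
```

The check is deliberately conservative: it only confirms the file has the shape the import dialog expects, so a malformed export is caught on your machine rather than as a failed row in the portal.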

In the Intune portal (https://portal.azure.com) navigate to the Device Enrollment > Windows Enrollment blade. You will see a section called Windows Autopilot deployment program. Click on Devices.


Choose Import, select your previously generated CSV file containing the hardware hash, and click Import. After the import is complete choose Sync. Once the sync has completed you can choose Refresh and you should see the newly imported devices.

Windows Autopilot Devices

Now to create the deployment profile that will be assigned to the device. Navigate back to the Device Enrollment > Windows Enrollment blade, select Deployment Profiles and set the following:
Name & Description
Deployment Mode – User Driven or Self-Deploying
Join to Azure AD As – Azure AD Joined (only option available today)
Convert all targeted devices to Autopilot – Yes or No (this is for existing devices which aren't imported into the Autopilot service, as I mentioned earlier)


At this point you could just click Create, however we are going to have a look at what the default OOBE settings are. To do this click on “Out-of-box experience (OOBE)”. As you can see, the default user account type is “Standard”; this means that the user who enrolls the device will not be an administrator on it. If this is the desired behaviour you can click OK and then save the profile.

Autopilot OOBE Settings

Now we need to assign the profile to the Autopilot device. However, you cannot assign a profile directly to a device; you must assign the profile to an Azure AD group. You have two choices: you can create an Azure AD group and manually add the device to it, or you can use the preferred method, which is to create a group with a dynamic membership rule that automatically populates it with all Autopilot devices. This means that whenever you import a new device into the Autopilot service it automatically becomes a member of the group and picks up the targeted Autopilot profile.

I already have a blog post on how to create a dynamic group for Autopilot devices and assign the profile, so please use the following post: https://triplesixseven.com/autopilot-dynamic-device-group/
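For readers who prefer to script it, here is an added example (not from the original post or the linked one) that creates the dynamic device group from PowerShell using the AzureAD module's New-AzureADMSGroup cmdlet and then confirms the rule was accepted. The group name and mail nickname are assumptions; the membership rule is the standard one that matches devices carrying the Autopilot ZTDId physical ID.

```powershell
# Added example: create an Azure AD group whose dynamic rule picks up every
# Autopilot-registered device. Assumes the AzureAD module is installed and
# that Connect-AzureAD has been run; the group name is my assumption.

# Devices registered with the Autopilot service carry a ZTDId entry in
# devicePhysicalIds, so this rule selects all of them and nothing else.
$rule = '(device.devicePhysicalIDs -any _ -contains "[ZTDId]")'

$group = New-AzureADMSGroup `
    -DisplayName 'Autopilot Devices' `
    -Description 'All devices registered with Windows Autopilot' `
    -MailEnabled $false `
    -MailNickname 'autopilotdevices' `
    -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Read the group back and check the rule is stored and processing is on;
# a typo in the rule would otherwise leave the group silently empty.
$check = Get-AzureADMSGroup -Id $group.Id
if ($check.MembershipRule -ne $rule -or $check.MembershipRuleProcessingState -ne 'On') {
    throw "Dynamic rule was not applied to group $($group.Id)"
}
Write-Host "Created group $($check.DisplayName) ($($check.Id)) with rule: $($check.MembershipRule)"
```

Membership evaluation is asynchronous, so a device imported a moment ago will not appear in the group immediately; check the group's membership in the portal after the Autopilot sync has completed before expecting the profile to be picked up.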

Now you should be at a stage where you have imported your hardware hash, created an Autopilot profile and assigned the profile to a group which contains your new device. At this point I would advise doing one more thing before powering on the device. If you navigate back to Device Enrollment > Windows Enrollment you will see a section called “Enrollment Status Page (Preview)”. If you click on that, choose Default and then Settings, you can customise the behaviour of the enrollment status page. I would recommend turning on the option for the end user to see the progress of app and policy installation. You can also choose to block the user from using the device until it is fully set up (all apps and policies are on the device). Once you have configured the settings, click Save.

Enrollment Status Page

Now you are ready to power on the device. In User Driven mode you will be required to select the language and keyboard layout and then connect to Wi-Fi (if not using Ethernet). If the profile has been correctly applied, the rest of the OOBE wizard is taken care of by Autopilot and the only further action from the end user is to enter their corporate credentials to complete the Azure AD join and enroll the device into Intune for management.

If you are using a Self-Deploying profile, have assigned a language and keyboard configuration in the profile, and the device is plugged directly into the network with an Ethernet cable, then after powering on the device there should be no user interaction needed at all.

Jake Stoker

Enterprise Mobility + Security SME