Autopilot Windows 10 Deployment

I’ve been playing around a lot with Intune and Autopilot recently, so I decided to write down my experience and share it with the world.

This post walks through a basic User-driven Autopilot configuration for a new Windows 10 machine (in my case a Hyper-V virtual machine).

For those that don’t already know, Autopilot is a Microsoft service that customises the Windows out-of-box experience (OOBE) on new devices so that they are enrolled as corporate devices straight away. It leverages Azure AD Join and Intune to bring a new Windows 10 machine into corporate compliance from wherever the device happens to be. This means no more shipping laptops to HQ to image before sending them out!

Autopilot Requirements

Before we start with the instructions it is important to note that Autopilot does have some Device and Licensing requirements that must be satisfied if you want to use it.

The Windows 10 devices must be running a supported version of the Semi-Annual Channel release and be one of the following editions:

  • Windows 10 Pro
  • Windows 10 Pro Education
  • Windows 10 Pro for Workstations
  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 10 Enterprise 2019 LTSC

Most importantly, Autopilot requires Intune for the relevant Configuration and Compliance policies. Intune needs to be obtained via one of the following subscriptions:

  • Microsoft 365 Business Premium
  • Microsoft 365 F1
  • Microsoft 365 Academic A1, A3, or A5
  • Microsoft 365 Enterprise E3, or E5
  • Enterprise Mobility + Security E3 or E5
  • Intune for Education
  • Azure Active Directory Premium P1 or P2 and Microsoft Intune

Full requirements for Autopilot can be found in the following link

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements

Autopilot Configuration

Firstly we need to create the relevant Autopilot configuration in the Azure Portal.

Autopilot Device Group

The very first thing we need to do is create an Autopilot Dynamic Group in Azure AD. This group will automatically pick up Autopilot devices so that policies and the deployment profile can be assigned to it.

Navigate to Azure AD > Groups and create a new group.

Enter the required Name and Description, then set the Group type to Security and the Membership type to Dynamic Device.
Now click Edit dynamic query.

Click Edit, which sits above the Rule Syntax box on the right.

Then enter the following in the Rule Syntax section:

(device.devicePhysicalIDs -any _ -contains "[ZTDId]")

This rule picks up ALL Autopilot devices, because every device registered with the Autopilot service carries a [ZTDId] entry in its physical IDs. If you need to split devices into separate groups (for example to assign different deployment profiles), Microsoft documents a variant of the rule that matches on the Group Tag ([OrderID]) instead.

Save this rule and then save the new Group.
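If you would rather script the group than click through the portal, here is an added example (mine, not from the original post) using the AzureAD PowerShell module's New-AzureADMSGroup cmdlet. It creates the same catch-all group with the rule above and, as a second illustration, a narrower group keyed on an Autopilot Group Tag. The group names, the derived mail nickname and the tag value "UK-Standard" are assumptions for illustration.

```powershell
# Added example: create Autopilot dynamic device groups with the AzureAD module.
# Assumes the AzureAD module is installed (Install-Module AzureAD) and that the
# signed-in account may create groups. Group names and the tag are illustrative.
Connect-AzureAD | Out-Null

function New-AutopilotDynamicGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MembershipRule,
        [string] $Description = "Autopilot devices (dynamic membership)"
    )
    # Refuse to create a duplicate: two groups with the same rule would silently
    # receive the same profile assignments and make troubleshooting painful.
    $existing = Get-AzureADMSGroup -Filter "DisplayName eq '$DisplayName'"
    if ($existing) {
        Write-Warning "Group '$DisplayName' already exists (Id $($existing.Id)); not recreating."
        return $existing
    }
    # MailNickname must be unique and contain no spaces, so derive it from the name.
    $nickname = ($DisplayName -replace '[^A-Za-z0-9]', '').ToLower()
    New-AzureADMSGroup -DisplayName $DisplayName `
        -Description $Description `
        -MailEnabled $false -MailNickname $nickname `
        -SecurityEnabled $true `
        -GroupTypes "DynamicMembership" `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState "On"
}

# Catch-all group: every device registered with the Autopilot service carries [ZTDId].
$all = New-AutopilotDynamicGroup -DisplayName "AutoPilot Devices" `
    -MembershipRule '(device.devicePhysicalIds -any _ -contains "[ZTDId]")'

# Narrower group keyed on an Autopilot Group Tag (stored as [OrderID]:<tag>).
# Use this when different device populations need different deployment profiles.
$tagged = New-AutopilotDynamicGroup -DisplayName "AutoPilot Devices - UK-Standard" `
    -MembershipRule '(device.devicePhysicalIds -any _ -eq "[OrderID]:UK-Standard")'

$all, $tagged | Select-Object DisplayName, Id, MembershipRule, MembershipRuleProcessingState
```

The duplicate check is there because the portal happily lets you create two groups with identical rules; the tagged group is only worth creating if you actually set a Group Tag when importing devices.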

Autopilot Deployment Profile

Now we need to create the Autopilot Deployment Profile. This is the profile that will be targeted at the machines to specify their configuration.

Navigate to Intune > Device Enrollment.

Under the Windows Autopilot Deployment Program click Deployment Profiles then Create a new Profile.

Enter the required Name and Description for the Profile and then Next

We then need to configure the settings for this Profile. In this case we will use User-Driven, which requires the end user to enter their credentials during the deployment.

We could select Self-Deploying (preview), but that mode is realistically better suited to kiosk-style devices (terminals etc.), so we will not use it here. Note that Self-Deploying mode authenticates the device itself using TPM 2.0 attestation rather than a user signing in, so it needs physical hardware with an attestation-capable TPM 2.0 and will not work on a Hyper-V virtual machine like the one used in this post.

Configure the various options as your business requires. I have set the Language to English (United Kingdom) and set the user account type to Standard user, so the person enrolling the device does not end up as a local administrator on it.


Scope tags are next. Leave these as default unless you already use Scope Tags to partition administration in your organization. I won’t be using Scope Tags, so this is left as Default.

Finally, we need to assign the Profile to a relevant device group. In this case we will select the AutoPilot Devices group we created earlier.

Enrollment Status Page (Optional)

We can also configure the Enrollment Status Page to be displayed during deployment. This is an optional setting, but I like to configure it to confirm that Autopilot is doing its thing.

Navigate to Intune > Device Enrollment > Windows Enrollment and select Enrollment Status Page.

Now click on the Default setting’s name.

We are just going to enable the Enrollment Status Page. To do this, set Show app and profile configuration progress to Yes.

Ensure that Block device use until all apps and profiles are installed is also set to Yes. This is the setting that matters from a security standpoint: it keeps the user off the desktop until the Intune configuration and compliance policies have actually been applied, rather than letting them start work on a device that is not yet in its managed state.

Importing Machine into Autopilot

Now all the profiles and settings have been configured, we need to import the required machine into Intune as an Autopilot device.

Importing the device registers it with the Autopilot service, which pre-stages a device object in Azure AD; that object is then picked up by the AutoPilot Devices dynamic group. When the device contacts the service during OOBE, the assigned Autopilot profile is downloaded and the machine configured.

In order to import the machine we need to obtain hardware information about the machine.

In an enterprise environment, suppliers such as Dell and HP can pre-import this hardware information into your Autopilot tenant when you purchase the machines. This allows you to ship devices straight to the user with no intervention.

In my case as this is an already provisioned machine, I shall be obtaining the hardware information manually.

First, login to the machine and open an Administrative PowerShell session.

Then run the following (the comments explain each step):

# Create a working folder and move into it
Mkdir C:\Scripts\
CD C:\Scripts\
# Allow the downloaded script to run in this PowerShell process only; the machine-wide policy is not changed
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process
# Download the script from the PowerShell Gallery into C:\Scripts (accept the NuGet provider prompt if asked)
Save-Script -Name Get-WindowsAutoPilotInfo -Path C:\Scripts\
# Save-Script only saves the file; it is not added to the path, so invoke it by file name
.\Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotID.csv

Open the folder and copy the AutoPilotID.csv file to your machine
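The gallery script is convenient, but it is worth knowing what it actually collects and checking the CSV before you upload it, because a malformed file is the most common reason an import fails. The following is an added example of mine, not from the original post: it reads the hardware hash from the same CIM class the script uses, writes it in the CSV layout the Intune import expects, and validates a CSV (required columns, blank or duplicate serials, hash decodable as base64). The output path and the "UK-Standard" group tag are illustrative assumptions; the MDM_DevDetail_Ext01 class and the column names are the ones the Get-WindowsAutoPilotInfo script itself uses.

```powershell
# Added example (not from the original post): gather the Autopilot hardware hash
# directly from the MDM CIM bridge, write it in the CSV layout the Intune import
# expects, and sanity-check a CSV before uploading it. Run from an elevated session.
# The output path and the 'UK-Standard' group tag are illustrative assumptions.

function Get-AutopilotHardwareInfo {
    param([string] $GroupTag)
    # Serial number from the BIOS; the opaque hardware hash from MDM_DevDetail_Ext01,
    # which is the same source the Get-WindowsAutoPilotInfo script reads.
    $bios   = Get-CimInstance -ClassName Win32_BIOS
    $detail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 `
                  -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $detail -or -not $detail.DeviceHardwareData) {
        throw "No hardware hash returned; this must run in an elevated PowerShell session."
    }
    $row = [ordered]@{
        'Device Serial Number' = $bios.SerialNumber
        'Windows Product ID'   = ''                        # optional column, left blank
        'Hardware Hash'        = $detail.DeviceHardwareData
    }
    if ($GroupTag) { $row['Group Tag'] = $GroupTag }       # optional; feeds [OrderID] dynamic rules
    [pscustomobject] $row
}

function Export-AutopilotCsv {
    param([Parameter(Mandatory)] [object[]] $Rows, [Parameter(Mandatory)] [string] $Path)
    # Match the gallery script's output: ConvertTo-Csv quotes every field, so strip the
    # quotes (the hash is base64 and serials contain no commas, so this is safe) and
    # write plain ASCII, which is all the data contains anyway.
    $Rows | ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Set-Content -Path $Path -Encoding Ascii
}

function Test-AutopilotCsv {
    param([Parameter(Mandatory)] [string] $Path)
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "$Path contains no data rows." }
    $headers = $rows[0].PSObject.Properties.Name
    foreach ($h in 'Device Serial Number', 'Windows Product ID', 'Hardware Hash') {
        if ($headers -notcontains $h) { throw "Missing column '$h' in $Path." }
    }
    $seen = @{}
    foreach ($r in $rows) {
        $serial = $r.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) { throw "Blank serial number in $Path." }
        if ($seen.ContainsKey($serial))             { throw "Duplicate serial $serial in $Path." }
        $seen[$serial] = $true
        # The hash is base64; a truncated copy/paste fails here rather than at upload time.
        try { [void][Convert]::FromBase64String($r.'Hardware Hash') }
        catch { throw "Hardware hash for $serial is not valid base64." }
    }
    "$Path OK: $($rows.Count) device(s)"
}

$out = 'C:\Scripts\AutoPilotID.csv'
Export-AutopilotCsv -Rows (Get-AutopilotHardwareInfo -GroupTag 'UK-Standard') -Path $out
Test-AutopilotCsv -Path $out
```

Test-AutopilotCsv is also handy when you have collected one CSV per machine and merged them by hand: duplicate serials and a stray blank line are exactly the mistakes that creep in at that point.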

In the Azure Portal navigate to Intune > Device Enrollment > Windows Enrollment then select Devices under Windows Autopilot Deployment Program

Select Import

Click the Blue Folder icon and select the recently created AutoPilotID.csv file. Then click Import.

The import of the device can take quite a while so be patient.

Once completed you will be able to see the Device in the list.

We now need to check that the device (in this case 0554-7912-1491-9755-4398-0762-82, the VM’s serial number) is showing in the dynamic group and has been added to Azure AD Devices.

Navigate to Azure Active Directory > Devices. If you filter the list by Enabled: Disabled you should see the device.

The pre-staged device object shows as Disabled; it is enabled once the device completes its Azure AD join during OOBE.

Also, checking under the previously created AutoPilot Devices group, we should see the device as a member. Dynamic membership is evaluated in the background, so allow a few minutes before concluding that the rule is wrong.
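Both of those portal checks can be scripted, which is useful when importing more than one device. This is an added example of mine, not from the original post, using the AzureAD module. It assumes Connect-AzureAD has already been run, that the group is called "AutoPilot Devices" as created earlier, and that the pre-staged Azure AD object is listed under the device serial number (as it is in the portal above); the 30-minute polling window is an arbitrary choice.

```powershell
# Added example (not from the original post): confirm that an imported device has its
# pre-staged Azure AD object and has been picked up by the dynamic group, using the
# AzureAD module. Assumes Connect-AzureAD has already been run and that the pre-staged
# object is listed under the device serial number, as shown in the portal.

function Test-AutopilotDeviceStaged {
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $device = Get-AzureADDevice -SearchString $SerialNumber |
                  Where-Object { $_.DisplayName -eq $SerialNumber } | Select-Object -First 1
    $group = Get-AzureADMSGroup -Filter "DisplayName eq '$GroupName'"
    if (-not $group) { throw "Group '$GroupName' not found." }
    $memberIds = (Get-AzureADGroupMember -ObjectId $group.Id -All $true).ObjectId

    # The [ZTDId] entry is what the dynamic rule matches on; if it is missing, the
    # import did not register the device with the Autopilot service.
    $ztd = $null; $enabled = $null
    if ($device) {
        $ztd     = ($device.DevicePhysicalIds | Where-Object { $_ -like '`[ZTDId`]:*' }) -replace '^\[ZTDId\]:', ''
        $enabled = $device.AccountEnabled   # expected $false until the device completes Azure AD join
    }
    [pscustomobject]@{
        SerialNumber   = $SerialNumber
        InAzureAD      = [bool] $device
        AccountEnabled = $enabled
        ZTDId          = $ztd
        InGroup        = [bool] ($device -and ($memberIds -contains $device.ObjectId))
    }
}

# Dynamic membership is evaluated asynchronously, so poll for a while before
# concluding that the rule or the import is wrong.
$deadline = (Get-Date).AddMinutes(30)
do {
    $status = Test-AutopilotDeviceStaged -SerialNumber '0554-7912-1491-9755-4398-0762-82' `
                                         -GroupName 'AutoPilot Devices'
    if ($status.InAzureAD -and $status.InGroup) { break }
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)
$status | Format-List
```

If InAzureAD is true but ZTDId is empty, the object you found is a different device with the same display name rather than the Autopilot registration; if ZTDId is present but InGroup stays false past the timeout, check the rule syntax in the group before re-importing.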

Testing

We should now be able to actually run a test of the Autopilot provisioning.

I have already provisioned a brand new Windows 10 Virtual Machine in Hyper-V. In order to test we need to reset the Windows Installation so the OOBE is triggered.

In my case I will use the Reset Windows option in Settings (although you could choose to reinstall over the top from boot media).

Open Settings and go to Update & Security then Recovery

Under Reset this PC click Get started

Choose the Remove everything option.

Click next at the Additional settings page.

Finally, click Reset

Bye bye Windows!

The reset will take a few minutes so again be patient.

Once the machine has reset we can test if the Autopilot Profile is picked up.

First select the required language and click Yes

Then the Keyboard Layout

On the Additional Keyboard screen click Skip

The machine will then do some background setup and reboot. Once done, you should be presented with the Account screen.

Most importantly, if the device has been registered correctly you should see your organization’s branded sign-in page rather than the generic Microsoft account screen! If you get the generic screen, the Autopilot profile was not picked up: go back and check that the device is listed under Autopilot devices and is a member of the dynamic group before trying again.

Sign in as a user who holds one of the licences listed in the Autopilot requirements (see below):

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements

Enter the relevant password and click Next

The device will then start configuring. As we have enabled the Enrollment Status page we should see something like below

This will update as the progress of the enrollment completes. Once all tasks are complete the machine will reboot and we will be greeted by the standard This might take several minutes screen.

Once rebooted you should see the standard login screen. Sign in with your Azure AD (work) account.

The machine is picking up my Intune policies and enforcing Windows Hello! Victory!

Checking in Azure AD, I can now see the device listed under its expected name.

And there we have it: Autopilot configured to turn a Windows 10 machine into a fully fledged corporate device!
