You know the scenario: setting up and configuring new devices in your company can be a tedious task. Fortunately, there is a solution: Windows Autopilot, available within Microsoft Intune. With Autopilot, you can streamline this process.
This post is the fourth part of the "Intune Starter Series".
What is Windows Autopilot?
Windows Autopilot is an integral part of Mobile Device Management (MDM) with Microsoft Intune. It enables the automated deployment of Windows 10 devices without the need for a fresh operating system installation. Instead, Autopilot leverages existing images, saving both time and eliminating the need for physical presence of devices in the IT department.
Registration made easy
Configuring Autopilot is remarkably straightforward. You can create configurations that can be uploaded directly by hardware suppliers. These configurations use unique device IDs to link licenses, user profiles, and endpoints together.
The result? Devices can be shipped directly to end-users without going through the IT department.
Autopilot registration via Intune
Are your devices already managed with Intune?
Then you have the option to assign them an Autopilot profile and register them right away.
My experience has shown that this covers 80-90% of your devices; a small portion may require manual intervention.
Here's how to activate the "Convert all targeted devices to Autopilot" function:
1. Create a new Autopilot profile or edit an existing one. You can find both options in Intune under:
Devices > Windows > Windows Enrollment > Deployment Profiles
2. When creating or editing, you will see the option "Convert all targeted devices to Autopilot" on the first tab (Basics).
3. After applying the profile, patience is required; sometimes it takes a long time for the devices to appear. That's why I often resort to the PowerShell option, as described in the next section.
For a deep dive into the function, check here: Convert All targeted Devices to Autopilot | Intune Flow (call4cloud.nl)
Autopilot registration via PowerShell
If you have existing or new devices that are neither in Intune nor registered by the supplier, you can also import them via PowerShell.
You just need to run a few commands with administrator rights on a device. In the first example below, a CSV file is placed on the "C" drive in the "HWID" folder, which can then be uploaded to Intune.
New-Item -Type Directory -Path "C:\HWID"
Set-Location -Path "C:\HWID"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile C:\HWID\APHash.csv
In Intune, you can find the upload under:
Devices > Enrollment > Windows > Devices
You can also perform the upload directly from the device, but in addition to local administrator rights, you will need the credentials of an Intune Administrator or Global Administrator in your tenant.
The PowerShell commands for this look like this:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -Online
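As an added example that is not part of the original post or of the Get-WindowsAutopilotInfo script: a small PowerShell check that validates one or more exported hash CSVs (expected columns, a serial number in every row, hashes that decode as base64, the import row limit) and merges them into one file for the manual upload in Intune. The file paths and the sample row are assumptions made up for the dry run.

```powershell
# Added example (not from the original post): validates per-device Autopilot hash CSVs
# before the manual upload in Intune and merges them into one file. File paths and the
# sample export below are constructed for illustration.
function Test-AutopilotHashCsv {
    param([Parameter(Mandatory)][string]$Path)
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "$Path contains no device rows" }
    $columns = $rows[0].PSObject.Properties.Name
    $missing = $required | Where-Object { $_ -notin $columns }
    if ($missing) { throw "$Path is missing column(s): $($missing -join ', ')" }
    # The Intune import accepts at most 500 rows per CSV file, so split larger batches.
    if ($rows.Count -gt 500) { throw "$Path has more than 500 rows" }
    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) { throw "$Path has a row without a serial number" }
        # The hardware hash is a base64 blob; a truncated or hand-edited export will not decode.
        try { [void][Convert]::FromBase64String($row.'Hardware Hash') }
        catch { throw "$Path has an invalid hardware hash for serial $serial" }
    }
    return $rows
}

function Merge-AutopilotHashCsv {
    param([Parameter(Mandatory)][string[]]$InputPath, [Parameter(Mandatory)][string]$OutputPath)
    $all = foreach ($p in $InputPath) { Test-AutopilotHashCsv -Path $p }
    # Keep one row per serial number; a device exported twice would otherwise be uploaded twice.
    $unique = @($all | Sort-Object 'Device Serial Number' -Unique)
    $unique | Export-Csv -Path $OutputPath -NoTypeInformation
    Write-Host "Wrote $($unique.Count) device(s) to $OutputPath"
    return $unique
}

# Constructed sample export with a placeholder hash (not a real device) so the script can be dry-run.
$sample = Join-Path $env:TEMP 'APHash-sample.csv'
$placeholderHash = [Convert]::ToBase64String([byte[]](1..32))
@"
"Device Serial Number","Windows Product ID","Hardware Hash"
"SN-EXAMPLE-001","00000-00000-00000-AAOEM","$placeholderHash"
"@ | Set-Content -Path $sample
Merge-AutopilotHashCsv -InputPath $sample -OutputPath (Join-Path $env:TEMP 'APHash-merged.csv')
```

Point the InputPath parameter at the APHash.csv files collected from real devices; the merged file is what you upload under Devices > Enrollment > Windows > Devices.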
Would you like to automate this process?
Then I have a solution for you: Windows Autopilot Registration with App registration | scloud
The Setup Process
Setting up Autopilot is done through the Intune Admin Center. Here, you can select the user group allowed to identify themselves with their devices in Intune.
Make sure that in Intune, under "Devices > Windows > Enrollment > Automatic Enrollment", enrollment is allowed for users, either for all users or for a defined user group.
The choice between Azure AD Joined and Hybrid Azure AD Joined
Depending on your company's requirements, you can choose whether devices exist only in the cloud as objects (Azure AD Joined) or are also available in your local Active Directory (Hybrid Azure AD Joined). This choice has implications for device management, administration, and, most importantly, the user experience.
Enrollment for hybrid devices is significantly more complex, error-prone, and time-consuming.
That's why my recommendation is to go with Cloud Only.
If you need to authenticate against local resources such as network drives or printers, you can do so using "Cloud only" and "Cloud Kerberos Trust".
Creating an Autopilot profile
Autopilot enables you to create profiles for automatically configuring devices. You can apply these profiles to a group of devices or all devices, including those already in use. However, for devices already in operation, Autopilot takes effect during the next OOBE (Out of Box Experience) phase run.
You can choose between User-Driven mode and Self-Deployment mode to meet your company's needs.
You create the profile under:
Devices > Windows > Windows Enrollment > Deployment Profiles
Select "Create profile" and choose the "Windows PC" type.
Then define a name and an optional description.
Next, you must decide the profile type, which you cannot change later. However, you can always create a new profile and assign it to your devices.
In most cases, the "User Driven" and "Azure AD joined" option is the right one. You can also define whether the user should be an administrator or not (preferably not). I typically enable pre-provisioning, even though it isn't always necessary.
For the language, you can predefine a region and optionally a keyboard layout. In Switzerland, I usually don't set the keyboard layout, as it often selects the wrong one. Finally, you can define a name template (the random numbers won't be in ascending order); if the resulting name exceeds 15 characters, the serial number is truncated.
We won't go into scope tags in this post, and they are not strictly necessary.
When assigning the profile, you have the option to assign it to either all devices or a specific group. If you assign it to all devices, you won't have the option to exclude certain devices from the profile.
In the next step, simply click "Save" and then wait a moment until the profile is assigned to your device.
You can determine which profile a device has assigned and check its status here:
Devices > Windows > Windows Enrollment > Devices
Show Progress: Enrollment Status Page (ESP)
Once a user logs in to a device for the first time, the Enrollment Status Page (ESP) displays the progress of device configuration. At the same time, the ESP ensures that the device is in the expected state before the user can access their desktop for the first time.
The ESP tracks the installation of applications, security policies, certificates, and network connections to ensure a smooth and secure user experience.
You can preconfigure behavior and certain functionalities here:
Devices > Windows > Windows Enrollment > Enrollment Status Page
Here, you can either edit the Default Policy or create a specific one for a user group.
In the first section, you define whether the page should appear at all, and I highly recommend doing so. You also need to set an installation timeout that will result in process failure if exceeded. My goal is always to keep the ESP phase as short as possible.
In the following sections, you can enable or disable various functions. Especially for testing, I recommend the settings below.
As the last option, you can define which assigned apps to install. Try to limit these apps to a minimum. The goal is to get the user to their desktop as quickly as possible and have them start simple tasks. All other assigned applications will install automatically after the first login.
End-User Experience
The goal of Windows Autopilot Deployment is that the user only has to go through the following steps when using a new device:
- Start the device
- User logs in
- Register the device
- Install applications
- Complete device configuration
- And you're good to go!
Demo User Experience
The end user experiences the whole process as shown here:
Conclusion
In summary, Windows Autopilot offers an efficient way to automate and simplify the deployment and management of Windows devices. I hope this information helps you introduce and configure Autopilot. Also, check out my other posts and tips to assist you in working with Microsoft Intune and other Microsoft 365 products!
Thanks for your excellent knowledge. I am setting my first steps with AD/Intune.
For the moment we are using a PXE server which sets up all of our laptops and joins them into our AD.
They are for example "Hybrid Azure AD joined". I want them all to become "Azure AD joined".
Is there a way to do this?
Unfortunately, there is no supported way to do this.
The way I do it most of the time is to instruct the user to reset their device.
If you want to do the PXE stuff, you can, but should not do the local AD join. Just register the devices with Autopilot so the join to the Entra ID (ex Azure AD) will happen automatically.
After the user logs in, it asks again for the user credentials in the account setup. This is just the normal Windows screen.
This also happens when we pre-provision the laptop. So when it's sealed, it asks again for the password after the enrollment screen.
Is there a reason for this? Could it be something with BitLocker?
Usually this happens if the provisioning process takes too much time.
Florian, what if you have an AAD Joined device but you still want it to talk to the domain resources like file shares etc. and be able to authenticate via Kerberos? What would be the starting point in your opinion here?
To do this, you can configure the "Cloud Kerberos Trust". With that and a line of sight to the DC, you can use your identities to access local resources such as printers and network shares.
https://scloud.work/windows-hello-for-business-cloud-trust-hybrid/
The only requirement for the identities is that they are synchronized via Entra Connect.