
I had an opportunity to present the end to end Windows AutoPilot process flow at the Bangalore IT Pro user group meeting. I covered the end to end process to provision Windows 10 devices via the Windows AutoPilot service with Intune. It was great to get feedback from fellow IT Pros on modern management and Windows AutoPilot topics.
Windows Autopilot Related Posts
- Windows Autopilot Video Starter Kit
- Beginners Guide Setup Windows AutoPilot Deployment
- Dynamically Deploy Security Policies and Apps to Windows AutoPilot Devices
- Where is AutoPilot Assign Profile Button in Intune Portal
- Windows AutoPilot End to End Process Guide (This Post)
- Windows Autopilot Deployment Scenarios – On-Prem Hybrid Domain Join
TL;DR
Topics – Windows AutoPilot Process
- Why a shift toward Modern Management?
- What is Existing Approach to deploy Windows machines?
- What is Windows Autopilot?
- What are the Prerequisites for AutoPilot?
- What are the Technical Components of AutoPilot?
- What are three Entities of AutoPilot?
- Which Hardware vendors support AutoPilot?
- How to Get Ready for AutoPilot Testing or PoC?
- How to get Devices into Windows 10 OOBE Screen?
- How to Get Device ID for Windows AutoPilot?
- How to Register Devices for AutoPilot testing?
- How to Create Azure AD Groups for AutoPilot?
- How to Create AutoPilot Profiles?
- What is the Enrollment Status Screen?
- End to End Process flow of AutoPilot
- AutoPilot Troubleshooting Tips
- Download PowerPoint Slide
Why a shift toward Modern Management?
Modern device management should be agile and able to handle multiple flavors of devices for users. Modern device management solutions should be able to manage and deploy SaaS applications, protect against modern security threats, and apply security policies via the MDM channel. Automation, pro-activeness, and self service are the other three (3) trigger points for modern device management.
What is Existing Approach to Deploy Windows Machines?
Let’s do a recap of the existing Windows imaging process. Windows imaging is a complicated process for most organizations. Following are the high-level steps a global organization needs to follow for the Windows imaging process.
- Define an approved list or catalog of supported devices.
- Create a Golden Image for those devices with Drivers, Applications, Settings, and Policies – 1-2 months activity depending on model and vendor.
- Distribute Golden image using SCCM/MDT.
- Maintain the golden image with new updates – Windows 10 gets updates every six (6) months.
More detailed explanation in the video here.
What is Windows Autopilot?
The Windows AutoPilot service is a collection of technologies to simplify and automate the Windows Out of Box Experience (OOBE). There are three (3) scenarios in Windows AutoPilot, listed below. The AutoPilot service helps an organization pre-configure new devices, recover devices, re-purpose devices, and reset devices. I will cover Windows Autopilot user-driven installations in this post.
KIOSK (Self Deployment)
User Driven
IT Driven (Bulk Enrollment)
What are the Prerequisites for AutoPilot?
You need to ensure that you are ready with all prerequisites of Windows AutoPilot. Once all the prerequisites are prepared, you can start your LAB or PoC testing. I have listed the prerequisites in the following section. Proxy and firewall requirements are critical if you are planning to do the PoC from your office network.
Windows 10 1703 Prof / ENT or later OOBE Setup
Internet Access (proxy Firewall exceptions)
Get the Hardware Hash, Device ID of Windows 10 device
Users must be allowed to join devices into Azure AD
Microsoft Intune or other MDM services to manage devices
EMS / Microsoft 365 Licence
I would recommend reading the Microsoft doc about Windows AutoPilot prerequisites, and the network connectivity requirements documentation on Microsoft docs.
What are the Technical Components of AutoPilot?
Following are the technical components of Windows Autopilot process or service. This section is to give you an understanding of the elements involved in the service.
Windows store for business* – Comes with Azure AD
AutoPilot Deployment Service
Microsoft Intune
Azure Active Directory
Windows 10
MDT / SCCM (Might be required for re-provisioning of devices)?
*Check out Michael N’s comment in the comment section.
What are three Entities of AutoPilot?
Following are the three (3) entities of the Windows Autopilot process. The hardware vendor (Dell, Microsoft, Lenovo, HP, etc.) is one of the important entities of the Autopilot service. They will help upload the device details to the Autopilot service.
Hardware vendor – Upload Hardware Details
IT Admin – Customise the AutoPilot Process
User – Self Service part of device deployment
Which Hardware vendors support AutoPilot?
Microsoft is working with many vendors to onboard them into Windows AutoPilot process. At the time of writing this post, Microsoft and Lenovo new devices are available for Windows AutoPilot service. There is an extra cost involved in this process; I heard vendors might charge 4-5 dollars for enrolling the device into AutoPilot service.
Microsoft
Lenovo
Dell?
HP (Coming Soon)
Toshiba (Coming Soon)
More updated details of supported vendors will be available in the Microsoft doc. I would recommend reading the updated doc from Microsoft.
How to Get Ready for AutoPilot Testing or PoC?
Following is the high-level Windows AutoPilot process flow. I have a blog post which covers the end to end process of lab setup for Windows Autopilot. I will include all of the following points in this blog post.
Get Devices into Windows 10 OOBE Setup
Device registration into AutoPilot Deployment Service via Windows Store for Business or Intune*
Create Azure AD Group (Dynamic/Static)
Create an AutoPilot Profile
Assign Autopilot Profile
How to get Devices into Windows 10 OOBE Screen?
To start the Windows AutoPilot process, you need to ensure that your Windows 10 device is in the OOBE screen. How do you get all Windows devices in your organization to the OOBE screen? This process is a bit challenging and time-consuming. Roger has a post about the AutoPilot automation workflow. I would recommend reading that to get more details.
Device Vendors can help with new machines
Existing machines? Can we use SCCM/ MDT?
How to Get Device ID for Windows AutoPilot?
For testing scenarios, you can log in to a Windows 7 or Windows 10 device and run the PowerShell script provided by Microsoft to get the device ID, hardware hash and other details required. Also, you can automate this process to Azure Run-book Automation.
Get hardware ID details from the vendor
Use PowerShell script to get the hardware details
Use ORDER ID field to automate Autopilot profile assignment
Azure Run-book to provision Windows 7 machines
PowerShell Command =>.\Get-WindowsAutoPilotInfo.ps1 -OutputFile .\MyComputer.csv
The OrderID attribute and tags in the device details CSV file can help you have automatic assignment of AutoPilot profiles. This Order ID attribute and tags will also help create dynamic device groups for each department or some other condition. Mike has a blog post to explain this process.
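Before the harvested CSV is imported into Intune it is worth validating it and stamping each row with the OrderID tag the dynamic groups later key on. The following is an added example, not part of the original post or of Microsoft’s Get-WindowsAutoPilotInfo.ps1 script; it assumes the script’s output header (Device Serial Number, Windows Product ID, Hardware Hash), assumes the tag column is named "Order ID", and uses a constructed minimum hash length of 1000 characters as a sanity threshold.

```powershell
# Added example (not from the post or from Microsoft's script): validate the CSV produced by
# Get-WindowsAutoPilotInfo.ps1 before it is imported into Intune, then stamp every row with an
# OrderID tag so the dynamic device groups from the post can pick the device up automatically.
# Assumptions: input header "Device Serial Number,Windows Product ID,Hardware Hash" (the script's
# format), tag column named "Order ID", and 1000 chars as a constructed minimum hash length.
param(
    [string]$InputFile  = '.\MyComputer.csv',
    [string]$OutputFile = '.\MyComputer-tagged.csv',
    [string]$OrderId    = 'HRDept'
)

$rows = Import-Csv -Path $InputFile
if (-not $rows) { throw "No rows found in $InputFile" }

$seen   = @{}
$errors = @()
foreach ($row in $rows) {
    $serial = $row.'Device Serial Number'
    $hash   = $row.'Hardware Hash'
    if ([string]::IsNullOrWhiteSpace($serial)) { $errors += 'Row with an empty serial number'; continue }
    # A duplicate serial would overwrite or reject the earlier row during import.
    if ($seen.ContainsKey($serial)) { $errors += "Duplicate serial number: $serial"; continue }
    $seen[$serial] = $true
    # The hardware hash is base64; a hash that does not decode was mis-copied or truncated.
    try   { [void][Convert]::FromBase64String($hash) }
    catch { $errors += "Serial $serial has a hash that is not valid base64" }
    if ($hash.Length -lt 1000) { $errors += "Serial $serial has a suspiciously short hash ($($hash.Length) chars)" }
}
if ($errors) {
    $errors | ForEach-Object { Write-Warning $_ }
    throw "Fix the $($errors.Count) problem(s) above before importing into Intune"
}

# Write the tagged file without quotes, the same way the Microsoft script does, because the
# Intune import expects plain comma-separated values.
$rows | Select-Object 'Device Serial Number', 'Windows Product ID', 'Hardware Hash',
    @{ Name = 'Order ID'; Expression = { $OrderId } } |
    ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $OutputFile -Encoding ascii
Write-Host "Wrote $($rows.Count) validated row(s) tagged '$OrderId' to $OutputFile"
```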
How to Register Devices for AutoPilot testing?
This device registration is the third stage of the Windows AutoPilot process. Following is one of the ways to upload the device ID to Intune. This import process should be done by the IT admin of your organization. Each vendor has its own way of uploading the device information to the AutoPilot deployment service.
Update/Comment from Michael Niehaus – Technically, when you add a device to Autopilot via Intune, it’s being added to the Autopilot deployment service. This has nothing to do with the Microsoft Store for Business (which also adds machines to the Autopilot deployment service).
The biggest difference: Intune uses a sync process to push and pull devices from the Autopilot deployment service, while the Microsoft Store for Business talks directly to the Autopilot deployment service.
IT Admin – Navigate to Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment-> Windows AutoPilot Devices -> Click on IMPORT button -> select the CSV file and upload.
Your device is ready for testing once the Autopilot profile status moves from Not Assigned to Assigning to Assigned.
More details and video explanation available in my previous post Beginners Guide Setup Windows AutoPilot Deployment.
How to Create Azure AD Groups for AutoPilot?
Once the device is uploaded to AutoPilot service (Intune), an Azure AD object for that device will get created. The device object created will appear with the serial number of the device until the Azure AD join process is completed for that device. A Dynamic Azure AD group can be created with that AAD device object.
I used the following queries to target TAG (OrderID) specific departments in my test scenarios, one rule per dynamic group.
HR department group rule: (device.devicePhysicalIds -any _ -contains "HRDept")
Sales department group rule: (device.devicePhysicalIds -any _ -contains "SalesDept")
How to Create AutoPilot Profiles?
You can create an AutoPilot Deployment profile to customize the Windows OOBE experience for the end user. Windows AutoPilot profile provides only three (3) options to customize. I hope in the future there will be more options. You can see this as shown in the video tutorial.
- Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment
- Click on Deployment profiles under Windows Autopilot Deployment Program and select Create profile.
- In the Create profile blade, set the name to “IT AutoPilot Profile 1“, click on Out-of-box experience (OOBE) and configure the following:
OOBE Customisation Settings (Setting – Value)
Privacy Settings – Hide
End user license agreement (EULA) – Hide
User account type (Standard or Administrator) – Standard User
Once the Autopilot profile is ready, you can deploy it to Azure AD dynamic device groups. I would recommend reading the AutoPilot profile assignment post to get more details about the AutoPilot profile assignment.
What is Windows Enrollment Status Page?
Intune Enrollment status page is new to some of us. Enrollment status page policy is a global policy and once enabled it’s applicable for all the users. I would recommend reading Windows Enrollment Status page post to get more details.
End to End Process flow of AutoPilot
I have explained end to end Windows AutoPilot process flow in this blog post. This flow is a quick recap of the steps which we followed in the above section of this post.
- Get the Device ID: either let the vendor upload the Device ID, or use the PS script to collect the Hardware ID from existing machines
- UPLOAD – Hardware ID or Harvest ID to Intune
- The Device gets Registered to AutoPilot Deployment Service via WSfB or Intune
- AAD Device Record will get created
- AAD Device Object will get assigned to AAD Dynamic Groups
- Autopilot Profile will get automatically assigned
- Windows 10 1703 or later OOBE setup
- Windows Enrollment Screen – Security Policies – App deployment
- Ready to Use
AutoPilot Troubleshooting Tips
The best way to troubleshoot a Windows Autopilot deployment is from the Windows Enrollment status screen. As I mentioned in the above section of this post, I would recommend reading my previous post about Windows Enrollment Status Screen Troubleshooting.
I would recommend the following process to troubleshoot Windows AutoPilot related issues.
- Azure Portal Notifications
- Enrollment Status Page
- Intune Troubleshooting Blade
- MDM Diagnostics report
- Event Viewer
- Registry
When you want to do deep level troubleshooting of Windows AutoPilot, there are resources available from Michael Niehaus.
Troubleshooting Windows AutoPilot (level 100/200)
Troubleshooting Windows AutoPilot (level 300/400)
Troubleshooting Improvements in Windows AutoPilot
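To work through the registry, Event Viewer and MDM diagnostics report sources in the list above on a device that failed OOBE, the following added example (not from the post or from Michael Niehaus’s material) collects all three into one folder. It assumes the Microsoft-documented Autopilot registry key, event log channel and MdmDiagnosticsTool.exe -area Autopilot option are present on the Windows 10 build in use; verify these for your build.

```powershell
# Added example (not from the post): gather the local Autopilot troubleshooting sources the
# post lists (registry, event log, MDM diagnostics report) into one folder for offline analysis.
# Run from an elevated prompt (Shift+F10 during OOBE opens one).
# Assumed locations (Microsoft-documented on recent Windows 10 builds; verify for your build):
#   registry  HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot
#   event log Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot
#   tool      MdmDiagnosticsTool.exe -area Autopilot -cab <file>
param([string]$OutDir = "$env:SystemDrive\AutopilotDiag")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Registry: the profile the device received from the Autopilot deployment service.
#    A missing key means the device never got a profile (not registered, or nothing assigned).
$apKey = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
if (Test-Path $apKey) {
    $apProfile = Get-ItemProperty -Path $apKey
    $apProfile | Out-File -FilePath (Join-Path $OutDir 'autopilot-profile.txt')
    "Tenant domain : $($apProfile.CloudAssignedTenantDomain)"
    "OOBE config   : $($apProfile.CloudAssignedOobeConfig)"
} else {
    Write-Warning "No Autopilot profile found under $apKey"
}

# 2. Event log: the Autopilot provider channel; everything goes to CSV, errors and warnings
#    (Level 1 = Critical, 2 = Error, 3 = Warning) are shown on screen.
$events = Get-WinEvent -LogName 'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot' `
    -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Export-Csv -Path (Join-Path $OutDir 'autopilot-events.csv') -NoTypeInformation
    $events | Where-Object { $_.Level -in 1, 2, 3 } |
        Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
} else {
    Write-Warning 'No Autopilot events found in the provider channel'
}

# 3. MDM diagnostics report as a .cab, the same data the Intune troubleshooting blade asks for.
$cab = Join-Path $OutDir 'autopilot-diag.cab'
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -area Autopilot -cab $cab
if (Test-Path $cab) { "Diagnostics cab written to $cab" } else { Write-Warning 'Diagnostics cab was not created' }
```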
Download PowerPoint Slide
Resources:-
Windows AutoPilot – https://www.microsoft.com/en-us/windowsforbusiness/windows-autopilot
Windows AutoPilot Prerequisites – https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot#prerequisites
AutoPilot Network Connectivity Requirements – https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot#network-connectivity-requirements
Windows 10 Activation – https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation
Windows Autopilot Deployment – https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices
Windows AutoPilot Video Tutorial – https://www.youtube.com/watch?v=Hb4V7uaqEm4
Azure Run-book automation – https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo/1.3/DisplayScript
Download the PS Script – https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo/1.3/Content/Get-WindowsAutoPilotInfo.ps1
AutoPilot Automation – https://rzander.azurewebsites.net/automatically-register-existing-device-in-autopilot/
Overview of Windows Autopilot – https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot
Technically, when you add a device to Autopilot via Intune, it’s being added to the Autopilot deployment service. This has nothing to do with the Microsoft Store for Business (which also adds machines to the Autopilot deployment service).
The biggest difference: Intune uses a sync process to push and pull devices from the Autopilot deployment service, while the Microsoft Store for Business talks directly to the Autopilot deployment service.
Thank you very much Mike. I have updated the content and added your comments to the post as well.
Great guide! I’m doing extensive testing with AutoPilot but keep running into errors when using self-deploying mode. Do you know if this will be stable at the 1809 release?
It would be great if you can explain the details about the error. We didn’t see any critical errors which would stop us from going into production.
Trying to figure out how to use AutoPilot for my particular case… still learning quite a bit! I have a couple questions I was hoping someone could help me clarify.
Is AutoPilot the only way to have a device automatically enroll as corporate owned?
In a post above, Michael mentioned it is possible to enroll a device through the Microsoft Store for Business, how can I go about doing this?
I’ve been using a PowerShell and batch file to pull the autopilot information into a spreadsheet on a USB drive to add existing devices manually. I figured we should have our current laptops enrolled in AutoPilot anyway in case we need to autopilot wipe a device remotely and have it enrolled as corporate-owned instead vs. personal and assigned to a particular user for the OOBE sign in.
And lastly, what would be recommended if the user who enrolled through AAD join and is intune licensed is off-boarded and the 365 user account is disabled. Would the device simply stop syncing, and we would need to refresh or wipe to have another user sign in? Or possibly perform the autopilot wipe? What would be the best option to change the user attached to a device, can that be done in the Intune portal instead?
Thanks!
1. Windows devices – Autopilot or SCCM OSD are two methods to enroll corp owned devices
2. Best Practice is to use Intune console to upload Autopilot hash details
3. There should be an internal organizational process to remote wipe before disabling the account etc., but I never tested this scenario. My experience is shared at https://www.anoopcnair.com/intune-help-desk-support-tools/
Thank you!
Hello,
We are looking for information about the URLs for proxy & firewall for the Autopilot deployment.
Do you have that information please?
Hello, there is no specific proxy and firewall list for Autopilot itself. Check out the Windows 10 proxy and firewall requirements. This list keeps on changing with the latest versions of Windows 10: https://docs.microsoft.com/en-us/windows/privacy/manage-windows-endpoints
Below is some information we discussed with MS about the outdated web site (Autopilot corporate LAN requirements):
– Network requirements: https://docs.microsoft.com/intune/network-bandwidth-use
– Intune Endpoints: https://docs.microsoft.com/intune/intune-endpoints
For the long-term approach, MS will use the O365 web service and associated docs, normally targeting the end of the year.
Antonio – What do you think about the following details? Windows 10 Proxy and Network Requirements for Modern Windows Deployment: https://www.anoopcnair.com/windows-10-proxy-requirements-for-intune/
Hi Anoop,
Is there a way to automate collecting the HWIDs for multiple devices?
Thanks
There are many processes shared by my MVP colleagues using Azure runbooks etc.
Here is one example https://oliverkieselbach.com/2017/11/16/gather-windows-10-autopilot-info-in-azure-blob-storage-during-wipe-and-reload/
If the device is already running Windows 10 and enrolled in Intune, you just need to check a box and Intune will take care of it for you. Otherwise, we suggest Windows Autopilot for existing devices, https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/existing-devices.
For testing purposes I would like to understand the best way forward to re-enroll Windows Autopilot members.
I use a dynamic device group for hybrid Azure AD joined over VPN, but it looks like the machines enrolled are not able to be reused again to re-enroll. I have to remove them from the Autopilot devices and delete all related associated Azure devices before it could work again; however, I struggle really hard to reuse a device for Autopilot after it was enrolled once. What’s the way to do test enrollment in a decent way with the same machine?