Let’s check out and learn about Windows Autopilot from the Step-by-Step Guide on the Windows AutoPilot Process with Intune. You can also look at the latest guide about Provisioning Windows 10 (and Windows 11 as well) with the Windows AutoPilot Step-by-Step Admin Guide.
Windows AutoPilot service is a collection of technologies that simplify and automate the Windows Out of Box Experience (OOBE experience). There are three (3) scenarios in Windows AutoPilot. You can also learn about 3 or more Windows Autopilot entities from the section below.
Having feedback from fellow IT Pros on modern management and Windows AutoPilot topics was great. There are many other posts in the HTMD community to learn deep dive into Windows Autopilot scenarios. Some of them are listed below so you can complete your Windows Autopilot learning journey.
Windows Autopilot PreProvisioning Backend Process- Deep Dive – Post 4, Windows Autopilot Processes from Device Side – Part 3. Windows Autopilot Behind The Scenes Secrets – Admin Side – Part 2.
Table of Contents
Video – Windows Autopilot Training
Latest Windows Autopilot Training by Joy, Microsoft MVP. This video covers end-to-end Windows Autopilot scenarios, including Background processes, Real-World Issues, fixes, Tips, and Tricks.
- Get to know Windows Autopilot
- Compare and contrast Windows Autopilot with Traditional Windows Provisioning
- Know the benefits of using Windows Autopilot
- Deep dive into how Windows Autopilot works
Windows Autopilot FAQ Clarifying the General Misconceptions Part 1. Learn How to Decide Windows Autopilot Profile Types | Intune Architecture. Windows Autopilot Hybrid Azure AD Join Troubleshooting Tips
- Windows Autopilot Hybrid Domain Join Step-by-Step Implementation Guide
- How To Decide Windows Autopilot Profile Types | Intune Architecture
Windows Autopilot Related Posts
I had an opportunity to present the end-to-end Windows AutoPilot process flow at the Bangalore IT Pro user group meeting. I covered the end-to-end process of provisioning Windows 10 devices via the Windows AutoPilot service with Intune.
Windows Autopilot Video Starter Kit Beginners Guide Setup Windows AutoPilot Deployment Dynamically Deploy Security Policies and Apps to Windows AutoPilot Devices Where is AutoPilot Assign Profile Button in Intune Portal Windows AutoPilot End to End Process Guide(This Post) Windows Autopilot Deployment Scenarios – On-Prem Hybrid Domain Join
Topics – Windows AutoPilot Process
- Why a shift toward Modern Management?
- What is the Existing Approach to deploying Windows machines?
- What is Windows Autopilot?
- What are the Prerequisites for AutoPilot?
- What are the Technical Components of AutoPilot?
- What are the three Entities of AutoPilot?
- Which Hardware vendors support AutoPilot?
- How do you get ready for AutoPilot Testing or PoC?
- How to get Devices into Windows 10 OOBE Screen?
- How do I get the Device ID for Windows AutoPilot?
- How to Register Devices for AutoPilot Testing?
- How do you create Azure AD Groups for AutoPilot?
- How to Create AutoPilot Profiles?
- What is the Enrollment Status Screen?
- End to the End Process flow of AutoPilot
- AutoPilot Troubleshooting Tips
- Download PowerPoint Slide
Why a shift toward Modern Management?
Modern device management should be agile and handle multiple flavors of devices for users. Solutions should be able to manage and deploy SaaS applications, protect against current security threats, and apply security policies via the MDM channel.
Automation, Pro-Activeness, and Self Service are the other three (3) trigger points for modern device management.
What is the Existing Approach to Deploying Windows Machines?
Let’s recap the existing Windows imaging process. Windows imaging is complicated for most organizations. The following are the high-level steps that need to be followed for the Windows imaging process for a global organization.
- Define an approved list or catalog of supported devices.
- Create a golden image for devices with Drivers, Applications, Settings, and Policies—1-2 months of activity, depending on model and vendor.
- Distribute Golden image using SCCM/MDT.
- Maintain the golden image with new updates – Windows 10 gets updates every six (6) months.
- A more detailed explanation is in the video
What is Windows Autopilot?
Windows AutoPilot service is a collection of technologies that simplify and automate the Windows Out of Box Experience (OOBE experience). There are three (3) scenarios in Windows AutoPilot.
The AutoPilot service helps the organization pre-configure New, Recovered, Repurposed, and Reset Devices. In this post, I will cover Windows Autopilot User-Driven installations.
- KIOSK (Self Deployment)
- User-Driven
- IT Driven (Bulk Enrollment)
Windows Autopilot Cost Benefits – Presales Tips
Windows Autopilot Cost Benefits | Reduce Operational Cost? User Experience Enhancements by Kannan CS. Recording of HTMD Community user group event March 2023. Support Management to Service Delivery and Digital Experience Measurement.
What are the Prerequisites for AutoPilot?
You need to ensure that you are ready with all the prerequisites of Windows AutoPilot. Once you have prepared all the requirements, you can start your LAB or PoC testing.
I have explained the prerequisites in the following section. Proxy and Firewall are critical requirements if you plan to do PoC from your office network.
- Windows 10 1703 Prof / ENT or later OOBE Setup
- Internet Access (proxy Firewall exceptions)
- Get the Hardware Hash, the Device ID of the Windows 10 device
- Users must be allowed to join devices into Azure AD
- Microsoft Intune or other MDM services to manage devices
- EMS / Microsoft 365 Licence
I would recommend reading Microsoft doc about Windows AutoPilot prerequisites. I would recommend reading network connectivity requirement documentation on Microsoft Docs.
Windows Autopilot Profile Types
Please review the table and each column to better understand the Windows Autopilot profile types. In the comments section, let me know if you have any questions.
| Type 1 | Type 2 | Type 3 | Type 4 |
|---|---|---|---|
| User-driven mode (classic autopilots) | Self-deploying mode | Hybrid Azure AD join | Existing Devices |
| •Join device to AAD •Enroll in Intune | •Join device to AAD Enroll in Intune | •Join device to on Prem AD + registered in azure •Enroll in Intune | •Join device to AAD •Enroll in Intune |
| •Require user credential for Azure AD join and Intune enrollment | •No need to provide user credentials to authenticate for Intune and Azure AD join. Instead, a TPM chip is used for authentication. | • Require user credential for AAD and Intune enrollment | •Require user credential for AAD and Intune enrollment • Can Copy Offline Autopilot profile |
| Challenges: •More user wait time. This wait time can be reduced using the white glove process. | NA | Challenges: •Require Intune connector to be installed for AD Join. • More End-user wait time. | Challenges: • Require Task sequence • More End-user wait time. This wait time can be reduced using the white glove process. |
| Persona criteria: •Don’t have on-premise Dependency for application and AD policy •Recommended for Remote users or sales users who don’t often connect to the corporate network | Persona criteria: •Don’t have on-premise Dependency for application and AD policy •Recommended for Windows 10 kiosk scenarios or a shared device users | Persona criteria: • Recommended for users who have an on-premise dependency for apps and policy | Persona criteria: •Recommended for users who don’t have an on-premise dependency This approach can be used if businesses want to achieve mass Win 10 rollout. without |
What are the Technical Components of Autopilot?
Following are the technical components of the Windows Autopilot process or service. This section gives you an understanding of the elements involved in the service.
Windows store for business* – Comes with Azure AD
AutoPilot Deployment Service
Microsoft Intune
Azure Active Directory
Windows 10
MDT / SCCM (Might be required for re-provisioning of devices)?
*Check out Michael N’s comment in the comment section.
What are the three Entities of AutoPilot?
The following are the three(3) entities of the Windows Autopilot process. Hardware vendors (Dell, Microsoft, Lenovo, HP, etc.) are one of the important entities of the Autopilot service. They will help upload the device details to the Autopilot profile.
Hardware vendor – Upload Hardware Details
IT Admin – Customise the AutoPilot Process
User – Self Service part of device deployment
Which Hardware vendors support AutoPilot?
Microsoft is working with many vendors to onboard them into the Windows AutoPilot process. At the time of this post, Microsoft and Lenovo’s new devices were available for the Windows AutoPilot service.
This process involves an extra cost; I heard vendors might charge 4-5 dollars to enrol the device in the AutoPilot service.
- Microsoft
- Lenovo
- Dell
- HP
- Toshiba
- Etc…
The Microsoft document will provide more updated details of supported vendors. I recommend reading it.
How to Get Ready for AutoPilot Testing or PoC?
The following is the high-level Windows AutoPilot process flow. I have a blog post covering the end-to-end process of lab setup for Windows Autopilot. I will include all the following points in this post.
Get Devices into Windows 10 OOBE Setup
Device registration into AutoPilot Deployment Service via Windows Store for Business or Intune*
Create Azure AD Group (Dynamic/Static)
Create an AutoPilot Profile
Assign Autopilot Profile
How to get Devices into Windows 10 OOBE Screen?
To start the Windows AutoPilot process, you must ensure your Windows 10 device is on the OOBE screen. How do you make all Windows devices in your organization on the OOBE screen? This process is a bit challenging and time-consuming. Roger has a post about the AutoPilot automation workflow. I recommend reading that to get more details.
Device Vendors can help with new machines
Existing machines? Can we use SCCM/ MDT?
How to Get Device ID for Windows AutoPilot?
For testing scenarios, you can log in to a Windows 7 or Windows 10 device and run the PowerShell script provided by Microsoft to get the device ID, hardware hash, and other details required. Also, you can automate this process to Azure Runbook Automation.
Get hardware ID details from the vendor
Use PowerShell script to get the hardware details
Use the ORDER ID field to automate Autopilot profile assignment
Azure Run-book to provision Windows 7 machines
PowerShell Command =>.\Get-WindowsAutoPilotInfo.ps1 -OutputFile .\MyComputer.csv
OrderID attribute and tags in the Device details CSV file can help you have automatic deployments for AutoPilot profiles. This Oder ID attribute and tags will help create dynamic device groups for each department or other condition. Mike has a blog post to explain this process.
How to Register Devices for AutoPilot Testing?
This device registration is the third stage of the Windows AutoPilot Process. The following is one way to upload the device ID to Intune.
Your organization’s IT Admin should accompany this import process. Each vendor uploads the device information to the AutoPilot Deployment service in its own way.
Update/Comment from Michael Niehaus – Technically, when you add a device to Autopilot via Intune, it’s added to the Autopilot deployment service.
This has nothing to do with the Microsoft Store for Business (which also adds machines to the Autopilot deployment service).
The biggest difference is that Intune uses a sync process to push and pull devices from the Autopilot deployment service, while the Microsoft Store for Business talks directly to it.
IT Admin – Navigate to Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment-> Windows AutoPilot Devices -> Click on IMPORT button -> select the CSV file and upload.
Your device is ready for testing once the Autopilot profile status is moved from Not Assigned – Assigning – Assigned.
My previous post, Beginners Guide Setup Windows AutoPilot Deployment, has more details and video explanations.
How to Create Azure AD Groups for AutoPilot?
Once the device is uploaded to the AutoPilot service (Intune), an Azure AD object will be created for it.
The device object created will appear with the device’s serial number until the Azure AD join process is completed for that device. A Dynamic Azure AD group can be created with that AAD device object.
I used the following query to TAG (OrderID) specific departments in my test scenarios.
- (device.devicePhysicalIds -any _ -contains “HRDept”)
- (device.devicePhysicalIds -any _ -contains “SalesDept”)
How to Create AutoPilot Profiles?
You can create an AutoPilot Deployment profile to customize the Windows OOBE experience for the end-user. The Windows AutoPilot profile provides only three (3) customization options. I hope there will be more options in the future. You can see this in the video tutorial.
- Navigate via Microsoft Intune Admin Center -> Device Enrollment – Windows Enrollment
- Click on Deployment profiles under Windows Autopilot Deployment Program and select Create a profile.
- In the Create profile blade, set the name to “IT AutoPilot Profile 1“, click on Out-of-box experience (OOBE), and configure the following:
OOBE Customisation Settings
Privacy Settings >Value > Hide
End-user license agreement (EULA) >Value> Hide
User account type Standard or Administrator >Value> Standard User
Once the Autopilot profile is ready, you can deploy it to Azure AD dynamic device groups. For more details about the AutoPilot profile assignment, I recommend reading the post.
What is the Windows Enrollment Status Page?
Some of us are new to the Intune Enrollment status page. The enrollment status page policy is global, and once enabled, it applies to all users. I recommend reading the Windows Enrollment Status page post for more details.
End to the End Process flow of AutoPilot
I have explained the end-to-end Windows AutoPilot process flow in this blog post. This flow is a quick recap of the steps we followed in the above section of this post.
- Get the Device ID from the Vendor. Let the vendor upload the Device ID PS script to collect the Hardware ID from existing machines.
- UPLOAD – Hardware ID or Harvest ID to Intune
- The Device gets Registered to AutoPilot Deployment Service via WSfB or Intune.
- AAD Device Record will be created
- AAD Device Object will get assigned to AAD Dynamic Groups
- Autopilot Profile will get automatically assigned
- Windows 10 1703 or later OOBE setup
- Windows Enrollment Screen – Security Policies – App deployment
- Ready to Use
AutoPilot Troubleshooting Tips
The best way to troubleshoot Windows autopilot deployment is from the Windows Enrollment status screen. As I mentioned in the above section of this post, I recommend reading my previous post about Windows Enrollment Status Screen Troubleshooting.
I would recommend the following process to troubleshoot Windows AutoPilot-related issues.
- Azure Portal Notifications
- Enrollment Status Page
- Intune Troubleshooting Blade
- MDM Diagnostics report
- Event Viewer
- Registry
When you want to do deep-level troubleshooting of Windows AutoPilot, there are resources available from Michael Niehaus.
- Troubleshooting Windows AutoPilot (level 100/200)
- Troubleshooting Windows AutoPilot (station 300/400)
- Troubleshooting Improvements in Windows AutoPilot
Resources
- Windows AutoPilot – https://www.microsoft.com/en-us/windowsforbusiness/windows-autopilot
- Windows AutoPilot Prerequisites – https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot#prerequisites
- Windows AutoPilot Video Tutorial – https://www.youtube.com/watch?v=Hb4V7uaqEm4
- Azure Runbook automation – https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo/1.3/DisplayScript
- Download the PS Script – https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo/1.3/Content/Get-WindowsAutoPilotInfo.ps1
We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Technically, when you add a device to Autopilot via Intune, it’s being added to the Autopilot deployment service. This has nothing to do with the Microsoft Store for Business (which also adds machines to the Autopilot deployment service).
The biggest difference: Intune uses a sync process to push and pull devices from the Autopilot deployment service, while the Microsoft Store for Business talks directly to the Autopilot deployment service.
Thank you much Mike. I have updated the content and added you comments also to the post.
Greate guide! I’m doing extensive testing with AutoPilot but keep running into errors when using self-deploying mode. Do you know if this will this be stable at the 1809 release?
It would be great if you can explain the details about the error. We didn’t any critical errors which will stop from going into production.
Trying to figure out how to use AutoPilot for my particular case… still learning quite a bit! I have a couple questions I was hoping someone could help me clarify.
Is AutoPilot the only way to have a device automatically enroll as corporate owned?
In a post above, Michael mentioned it is possible to enroll a device through the Microsoft Store for Business, how can I go about doing this?
I’ve been using a PowerShell and batch file to pull the autopilot information into a spreadsheet on a USB drive to add existing devices manually. I figured we should have our current laptops enrolled in AutoPilot anyway in case we need to autopilot wipe a device remotely and have it enrolled as corporate-owned instead vs. personal and assigned to a particular user for the OOBE sign in.
And lastly, what would be recommended if the user who enrolled through AAD join and is intune licensed is off-boarded and the 365 user account is disabled. Would the device simply stop syncing, and we would need to refresh or wipe to have another user sign in? Or possibly perform the autopilot wipe? What would be the best option to change the user attached to a device, can that be done in the Intune portal instead?
Thanks!
1. Windows devices – Autopilot or SCCM OSD are two methods to enroll corp owned devices
2. Best Practice is to use Intune console to upload Autopilot hash details
3. There should be an internal organizational process to remote wipe before disable the account etc..but I never tested this scenario. My experience is shared https://www.anoopcnair.com/intune-help-desk-support-tools/
Thank you!
Hello,
We search information about urls for proxy & firewall for the autopilot deployment.
Have you those information please ?
Hello, There is no specific proxy and Firewall for Autopilot itself. Check out Windows 10 requirements of proxy and firewall. This list keeps on changing with latest version of Windows 10 https://docs.microsoft.com/en-us/windows/privacy/manage-windows-endpoints
Below some information we discussed with MS for outdated web site (Autopilot corporate LAN requirements):
– Network requirements: https://docs.microsoft.com/intune/network-bandwidth-use
– Intune Endpoints: https://docs.microsoft.com/intune/intune-endpoints
For long term approach MS will use the O365 web service and associated docs targeting normally end of the year.
Antonio – What you think about the following details Windows 10 Proxy and network Requirements Modern Windows Deployment https://www.anoopcnair.com/windows-10-proxy-requirements-for-intune/
Hi Anoop,
Is there a way to automate collecting the HWIDs for multiple devices?
Thanks
There are many processes shared by my Mvp colleagues using Azure runbooks etc
Here is one example https://oliverkieselbach.com/2017/11/16/gather-windows-10-autopilot-info-in-azure-blob-storage-during-wipe-and-reload/
If the device is already running Windows 10 and enrolled in Intune, you just need to check a box and Intune will take care of it for you. Otherwise, we suggest Windows Autopilot for existing devices, https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/existing-devices.
Below some information we discussed with MS for outdated web site (Autopilot corporate LAN requirements):
– Network requirements: https://docs.microsoft.com/intune/network-bandwidth-use
– Intune Endpoints: https://docs.microsoft.com/intune/intune-endpoints
For long term approach MS will use the O365 web service and associated docs targeting normally end of the year.
For testing purposes I would like to understand the best way forward to re-enroll windows Autopilot members
I use a dynamic device group for hybrid Azure AD joined over VPN, but it looks like the machines en-rolled are not able to reuse again to re-enroll, I have to remove them from the autopilot devices , delete all related Associated Azure Devices before it could work again, howeverI struggle really hard to reuse a device for autopilot after this one was enrolled. whats the way to do testing ernollment in a decent way with the same machine?
Hello, we are doing testing with autopilot right now. I’ve found your article very useful, I appreciate all you do. We are getting an issue when trying to enroll the device via autopilot. The device comes to the OOBE and asks to select keyboard, then it tries to connect to the network on a corporate LAN (Palo Alto firewall) and it never connects to the network or goes to the enrollment page. When I connect directly to the internet, it goes to the enrollment page and asks me to sign in with Entra ID. We’ve been diagnosing this for months and cannot figure out what is going on. We have set a rule to “allow all” traffic through a specific IP we’ve reserved for this machine. However, not even this allows the enrollment page to come up. Have you seen or heard of anything happening on corporate networks?