I had an opportunity to present the end-to-end Windows AutoPilot process flow at the Bangalore IT Pro user group meeting. I covered the end-to-end process for provisioning Windows 10 devices via the Windows AutoPilot service with Intune. It was great to get feedback from fellow IT Pros on modern management and Windows AutoPilot topics.
Windows Autopilot Related Posts
- Beginners Guide Setup Windows AutoPilot Deployment
- Dynamically Deploy Security Policies and Apps to Windows AutoPilot Devices
- Where is AutoPilot Assign Profile Button in Intune Portal
- Windows AutoPilot End to End Process Guide (This Post)
- Windows Autopilot Deployment Scenarios – On-Prem Hybrid Domain Join
Topics – Windows AutoPilot Process
- Why a shift toward Modern Management?
- What is Existing Approach to deploy Windows machines?
- What is Windows Autopilot?
- What are the Prerequisites for AutoPilot?
- What are the Technical Components of AutoPilot?
- What are three Entities of AutoPilot?
- Which Hardware Vendors Support AutoPilot?
- How to Get Ready for AutoPilot Testing or PoC?
- How to get Devices into Windows 10 OOBE Screen?
- How to Get Device ID for Windows AutoPilot?
- How to Register Devices for AutoPilot testing?
- How to Create Azure AD Groups for AutoPilot?
- How to Create AutoPilot Profiles?
- What is the Enrollment Status Screen?
- End to End Process flow of AutoPilot
- AutoPilot Troubleshooting Tips
- Download PowerPoint Slide
Why a shift toward Modern Management?
Modern device management should be agile and able to handle multiple flavors of devices for users. Modern device management solutions should be able to manage and deploy SaaS applications, protect against modern security threats, and apply security policies via the MDM channel. Automation, proactiveness, and self-service are the other three (3) trigger points for modern device management.
What is Existing Approach to Deploy Windows Machines?
Let’s do a recap of the existing Windows imaging process. Windows imaging is a complicated process for most organizations. Following are the high-level steps that a global organization needs to follow for the Windows imaging process.
- Define an approved list or catalog of supported devices.
- Create a Golden Image for those devices with Drivers, Applications, Settings, and Policies – 1-2 months activity depending on model and vendor.
- Distribute Golden image using SCCM/MDT.
- Maintain the golden image with new updates – Windows 10 gets updates every six (6) months.
A more detailed explanation is in the video here.
What is Windows Autopilot?
The Windows AutoPilot service is a collection of technologies to simplify and automate the Windows Out-of-Box Experience (OOBE). There are three (3) scenarios in Windows AutoPilot. The AutoPilot service helps an organization pre-configure new devices, recover devices, re-purpose devices, and reset devices. I will cover Windows Autopilot user-driven installations in this post.
- User Driven
- KIOSK (Self Deployment)
- IT Driven (Bulk Enrollment)
What are the Prerequisites for AutoPilot?
You need to ensure that you are ready with all the prerequisites of Windows AutoPilot. Once all the prerequisites are in place, you can start your lab or PoC testing. I have listed the prerequisites below. Proxy and firewall requirements are critical if you are planning to run the PoC from your office network.
- Windows 10 1703 Pro / Enterprise or later, at the OOBE setup screen
- Internet access (proxy and firewall exceptions)
- Hardware hash and device ID of the Windows 10 device
- Users must be allowed to join devices to Azure AD
- Microsoft Intune or another MDM service to manage devices
- EMS / Microsoft 365 licence
What are the Technical Components of AutoPilot?
Following are the technical components of the Windows Autopilot process or service. This section is to give you an understanding of the elements involved in the service.
- Windows Store for Business* – Comes with Azure AD
- AutoPilot Deployment Service
- Azure Active Directory
- MDT / SCCM (might be required for re-provisioning of devices)?
*Checkout Micheal N’s comment in the comment section.
What are three Entities of AutoPilot?
Following are the three (3) entities of the Windows Autopilot process. The hardware vendor (Dell, Microsoft, Lenovo, HP, etc.) is one of the important entities of the Autopilot service; they help upload the device details to the Autopilot profile.
- Hardware vendor – Upload hardware details
- IT Admin – Customise the AutoPilot process
- User – Self-service part of device deployment
Which Hardware Vendors Support AutoPilot?
Microsoft is working with many vendors to onboard them into the Windows AutoPilot process. At the time of writing this post, new Microsoft and Lenovo devices are available for the Windows AutoPilot service. There is an extra cost involved in this process; I heard vendors might charge 4-5 dollars for enrolling a device into the AutoPilot service.
- HP (Coming Soon)
- Toshiba (Coming Soon)
More up-to-date details of supported vendors will be available in the Microsoft doc. I would recommend reading the updated doc from Microsoft.
How to Get Ready for AutoPilot Testing or PoC?
Following is the high-level Windows AutoPilot process flow. I have a blog post which covers the end-to-end lab setup for Windows Autopilot, and I will cover all of the following points in this post as well.
- Get devices into Windows 10 OOBE setup
- Register devices with the AutoPilot Deployment Service via Windows Store for Business or Intune*
- Create an Azure AD group (dynamic/static)
- Create an AutoPilot profile
- Assign the Autopilot profile
How to get Devices into Windows 10 OOBE Screen?
To start the Windows AutoPilot process, you need to ensure that your Windows 10 device is at the OOBE screen. How do you get all the Windows devices in your organization to the OOBE screen? This process is a bit challenging and time-consuming. Roger has a post about the AutoPilot automation workflow; I would recommend reading it for more details.
- Device vendors can help with new machines
- Existing machines? Can we use SCCM / MDT?
How to Get Device ID for Windows AutoPilot?
For testing scenarios, you can log in to a Windows 7 or Windows 10 device and run the PowerShell script provided by Microsoft to get the device ID, hardware hash and the other details required. You can also automate this process with Azure Runbook automation.
- Get hardware ID details from the vendor
- Use the PowerShell script to get the hardware details
- Use the ORDER ID field to automate Autopilot profile assignment
- Azure Runbook to provision Windows 7 machines
PowerShell command: .\Get-WindowsAutoPilotInfo.ps1 -OutputFile .\MyComputer.csv
The OrderID attribute and tags in the device details CSV file let you deploy AutoPilot profiles automatically: the OrderID attribute and tags can be used to create dynamic device groups for each department or for some other condition. Mike has a blog post explaining this process.
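A small harvest script, added here as an example (it is not the post's script and not Microsoft's Get-WindowsAutoPilotInfo.ps1), that reads the hash from the same WMI class the Microsoft script uses and stamps each row with the Order ID tag that the dynamic group rule matches. The CSV column names (Order ID, which newer tooling calls Group Tag) and an elevated Windows 10 1703+ session are assumptions.

```powershell
# Added example, not the post's script and not Microsoft's Get-WindowsAutoPilotInfo.ps1.
# Reads the serial number and hardware hash of the local Windows 10 device from WMI and
# appends an Autopilot import row tagged with an Order ID, so the device falls into the
# matching Azure AD dynamic group and gets its profile without manual assignment.
# Assumptions: elevated session on Windows 10 1703+ (the MDM bridge namespace does not
# exist on Windows 7) and the CSV column names Intune accepted at the time of the post.
[CmdletBinding()]
param(
    [string]$OrderId    = "HRDept",                 # tag matched by the dynamic group rule
    [string]$OutputFile = ".\AutopilotDevices.csv"
)

function Get-AutopilotImportRow {
    param([Parameter(Mandatory)][string]$Tag)

    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    # Same MDM bridge class the Microsoft script queries on Windows 10.
    $devDetail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail) { throw "MDM_DevDetail_Ext01 not found; run elevated on Windows 10 1703+." }
    $hash = $devDetail.DeviceHardwareData

    # Sanity check before upload: the hash must be non-empty, valid base64.
    if ([string]::IsNullOrWhiteSpace($hash)) { throw "Empty hardware hash for $serial." }
    try { [void][Convert]::FromBase64String($hash) }
    catch { throw "Hardware hash for $serial is not valid base64; do not import it." }

    # Product ID is left empty on the WMI path, as the Microsoft script does.
    [PSCustomObject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $hash
        'Order ID'             = $Tag
    }
}

$row = Get-AutopilotImportRow -Tag $OrderId

# Emit unquoted CSV (the format the Microsoft script produces) and write the
# header only when the file is first created, so repeated runs can be appended.
$lines = $row | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' }
if (Test-Path $OutputFile) { $lines = $lines | Select-Object -Skip 1 }
$lines | Out-File -FilePath $OutputFile -Encoding ascii -Append

Write-Host "Wrote $($row.'Device Serial Number') with Order ID '$OrderId' to $OutputFile"
# Once imported, the tag appears on the Azure AD device object as a physical ID of the
# form "[OrderID]:HRDept", which is what the devicePhysicalIds rule later in the post matches.
```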
How to Register Devices for AutoPilot testing?
This device registration is the third stage of the Windows AutoPilot process. Following is one of the ways to upload the device ID to Intune. This import is carried out by the IT admin of your organization. Each vendor has its own way of uploading the device information to the AutoPilot Deployment Service.
Update/Comment from Michael Niehaus – Technically, when you add a device to Autopilot via Intune, it’s being added to the Autopilot deployment service. This has nothing to do with the Microsoft Store for Business (which also adds machines to the Autopilot deployment service).
The biggest difference: Intune uses a sync process to push and pull devices from the Autopilot deployment service, while the Microsoft Store for Business talks directly to the Autopilot deployment service.
IT Admin – Navigate to Azure Portal -> Microsoft Intune -> Device Enrollment -> Windows Enrollment -> Windows AutoPilot Devices -> click the IMPORT button -> select the CSV file and upload.
Your device is ready for testing once the Autopilot profile status moves from Not Assigned, through Assigning, to Assigned.
More details and video explanation available in my previous post Beginners Guide Setup Windows AutoPilot Deployment.
How to Create Azure AD Groups for AutoPilot?
Once the device is uploaded to AutoPilot service (Intune), an Azure AD object for that device will get created. The device object created will appear with the serial number of the device until the Azure AD join process is completed for that device. A Dynamic Azure AD group can be created with that AAD device object.
I used the following queries to target departments by TAG (OrderID) in my test scenarios, one rule per department:
(device.devicePhysicalIds -any _ -contains "HRDept")
(device.devicePhysicalIds -any _ -contains "SalesDept")
How to Create AutoPilot Profiles?
You can create an AutoPilot deployment profile to customize the Windows OOBE experience for the end user. The Windows AutoPilot profile provides only three (3) options to customize; I hope there will be more options in the future. You can see this in the video tutorial.
- Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment -> Windows Enrollment
- Click on Deployment profiles under Windows Autopilot Deployment Program and select Create profile.
- In the Create profile blade, set the name to "IT AutoPilot Profile 1", click on Out-of-box experience (OOBE) and configure the following:
OOBE Customisation Settings
- Privacy Settings > Value > Hide
- End user license agreement (EULA) > Value > Hide
- User account type (Standard or Administrator) > Value > Standard User
Once the Autopilot profile is ready, you can deploy it to Azure AD dynamic device groups. I would recommend reading the AutoPilot profile assignment post to get more details about the AutoPilot profile assignment.
What is the Windows Enrollment Status Page?
The Intune Enrollment Status Page is new to some of us. The Enrollment Status Page policy is a global policy; once enabled, it applies to all users. I would recommend reading the Windows Enrollment Status Page post for more details.
End to End Process flow of AutoPilot
I have explained the end-to-end Windows AutoPilot process flow in this blog post. This flow is a quick recap of the steps we followed in the sections above.
- Get the Device ID from the vendor: let the vendor upload the Device ID, or use the PS script to collect the hardware ID from existing machines
- UPLOAD – Hardware ID or Harvest ID to Intune
- The Device gets Registered to AutoPilot Deployment Service via WSfB or Intune
- AAD Device Record will get created
- AAD Device Object will get assigned to AAD Dynamic Groups
- Autopilot Profile will get automatically assigned
- Windows 10 1703 or later OOBE setup
- Windows Enrollment Screen – Security Policies – App deployment
- Ready to Use
AutoPilot Troubleshooting Tips
The best way to troubleshoot a Windows Autopilot deployment is from the Windows Enrollment Status screen. As I mentioned above, I would recommend reading my previous post about Windows Enrollment Status Screen troubleshooting.
I would recommend the following process to troubleshoot Windows AutoPilot related issues.
- Azure Portal Notifications
- Enrollment Status Page
- Intune Troubleshooting Blade
- MDM Diagnostics report
- Event Viewer
When you want to do deep level troubleshooting of Windows AutoPilot, there are resources available from Michael Niehaus.
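A defender-side check for the Event Viewer and registry steps above, added here as an example and not taken from the post or from Microsoft's tooling. The registry key, value names and event log channel are assumptions taken from Microsoft's Autopilot troubleshooting documentation for Windows 10 1803 and later; verify them on your build.

```powershell
# Added example, not from the original post: a local read-out of the Autopilot state on a
# device that reached the Enrollment Status Page, to run before opening the Intune
# troubleshooting blade. Assumed (documented by Microsoft for Windows 10 1803+; verify on
# your build): the retrieved profile is recorded under the Provisioning\Diagnostics\AutoPilot
# registry key and Autopilot events go to the Provisioning-Diagnostics-Provider/AutoPilot log.
function Get-AutopilotLocalState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
    $state = [ordered]@{ ProfileDownloaded = $false; TenantDomain = $null; TenantId = $null }

    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        # Tenant values are populated only after a profile was assigned and fetched.
        $state.ProfileDownloaded = -not [string]::IsNullOrEmpty($props.CloudAssignedTenantId)
        $state.TenantDomain      = $props.CloudAssignedTenantDomain
        $state.TenantId          = $props.CloudAssignedTenantId
    }

    # Latest Autopilot events, errors (Level 2) first, so a failed profile fetch is visible.
    $log = 'Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot'
    try {
        $state.RecentEvents = @(Get-WinEvent -LogName $log -MaxEvents 20 -ErrorAction Stop |
            Sort-Object Level, TimeCreated |
            Select-Object TimeCreated, Id, Level, @{n='Message'; e={ ("$($_.Message)" -split "`n")[0] }})
    } catch {
        $state.RecentEvents = @()   # log channel absent on older builds or before OOBE ran
    }
    [PSCustomObject]$state
}

$s = Get-AutopilotLocalState
if ($s.ProfileDownloaded) {
    Write-Host "Autopilot profile received from tenant $($s.TenantDomain) ($($s.TenantId))"
} else {
    Write-Warning "No Autopilot profile recorded locally: confirm the device is imported and its profile status is Assigned."
}
$s.RecentEvents | Format-Table -AutoSize
```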
Download PowerPoint Slide
Windows AutoPilot – https://www.microsoft.com/en-us/windowsforbusiness/windows-autopilot
Windows AutoPilot Prerequisites – https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot#prerequisites
AutoPilot Network Connectivity Requirements – https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot#network-connectivity-requirements
Windows Autopilot Deployment – https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices
Windows AutoPilot Video Tutorial – https://www.youtube.com/watch?v=Hb4V7uaqEm4
Azure Run-book automation – https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo/1.3/DisplayScript
AutoPilot Automation – https://rzander.azurewebsites.net/automatically-register-existing-device-in-autopilot/
Overview of Windows Autopilot – https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot