Let’s check and learn about Windows Autopilot from the Step-by-Step Guide on Windows AutoPilot Process with Intune. You can look at the latest guide about Provisioning Windows 10 (Windows 11 as well) with Windows AutoPilot Step-by-Step Admin Guide.
Windows AutoPilot service is a collection of technologies to simplify and automate the Windows Out of Box Experience (OOBE). There are three (3) scenarios in Windows AutoPilot. You can also learn about the three entities of Windows Autopilot in the section below.
Having feedback from fellow IT Pros on modern management and Windows AutoPilot topics was great. There are many other posts in the HTMD community that deep dive into Windows Autopilot scenarios. Some of them are listed below to complete your Windows Autopilot learning journey.
- Windows Autopilot PreProvisioning Backend Process - Deep Dive - Post 4
- Windows Autopilot Processes from Device Side - Part 3
- Windows Autopilot Behind The Scenes Secrets - Admin Side - Part 2
Video – Windows Autopilot Training
Latest Windows Autopilot Training by Joy Microsoft MVP. This video covers end-to-end Windows Autopilot scenarios, including Background processes, Real World Issues, FIXES, Tips, and Tricks.
- Get to know Windows Autopilot
- Compare and contrast Windows Autopilot with Traditional Windows Provisioning
- Know the benefits of using Windows Autopilot
- Deep dive into how Windows Autopilot works
- Windows Autopilot FAQ Clarifying the General Misconceptions Part 1
- Learn How to Decide Windows Autopilot Profile Types | Intune Architecture
- Windows Autopilot Hybrid Azure AD Join Troubleshooting Tips
- Windows Autopilot Hybrid Domain Join Step-by-Step Implementation Guide
Windows Autopilot Related Posts
I had an opportunity to present the end-to-end Windows AutoPilot process flow at the Bangalore IT Pro user group meeting. I covered the end-to-end process of provisioning Windows 10 devices via the Windows AutoPilot service with Intune.
- Windows Autopilot Video Starter Kit
- Beginners Guide Setup Windows AutoPilot Deployment
- Dynamically Deploy Security Policies and Apps to Windows AutoPilot Devices
- Where is AutoPilot Assign Profile Button in Intune Portal
- Windows AutoPilot End to End Process Guide (This Post)
- Windows Autopilot Deployment Scenarios - On-Prem Hybrid Domain Join
Topics – Windows AutoPilot Process
- Why a shift toward Modern Management?
- What is the Existing Approach to deploying Windows machines?
- What is Windows Autopilot?
- What are the Prerequisites for AutoPilot?
- What are the Technical Components of AutoPilot?
- What are the three Entities of AutoPilot?
- Which Hardware vendors support AutoPilot?
- How to Get Ready for AutoPilot Testing or PoC?
- How to get Devices into Windows 10 OOBE Screen?
- How to Get Device ID for Windows AutoPilot?
- How to Register Devices for AutoPilot testing?
- How to Create Azure AD Groups for AutoPilot?
- How to Create AutoPilot Profiles?
- What is the Enrollment Status Screen?
- End to the End Process flow of AutoPilot
- AutoPilot Troubleshooting Tips
- Download PowerPoint Slide
Why a shift toward Modern Management?
Modern device management should be agile and handle multiple flavors of devices for users. Modern device management solutions should be able to manage and deploy SaaS applications, protect against current security threats, and apply security policies via the MDM channel.
Automation, Pro-Activeness, and Self Service are the other three (3) trigger points for modern device management.
What is the Existing Approach to Deploying Windows Machines?
Let’s do a recap of the existing Windows imaging process. Windows imaging is a complicated process for most organizations. The following are the high-level steps that need to be followed for the Windows imaging process in a global organization.
- Define an approved list or catalog of supported devices.
- Create a Golden Image for those devices with Drivers, Applications, Settings, and Policies – 1-2 months of activity, depending on model and vendor.
- Distribute Golden image using SCCM/MDT.
- Maintain the golden image with new updates – Windows 10 gets updates every six (6) months.
- A more detailed explanation is in the video
What is Windows Autopilot?
Windows AutoPilot service is a collection of technologies to simplify and automate the Windows Out of Box Experience (OOBE). There are three (3) scenarios in Windows AutoPilot.
AutoPilot service helps the organization pre-configure new devices, recover devices, re-purpose devices, and reset devices. I will cover Windows Autopilot User-Driven installations in this post.
- KIOSK (Self Deployment)
- User-Driven
- IT Driven (Bulk Enrollment)
Windows Autopilot Cost Benefits – Presales Tips
Windows Autopilot Cost Benefits | Reduce Operational Cost? User Experience Enhancements by Kannan CS. Recording of HTMD Community user group event March 2023. Support Management to Service Delivery and Digital Experience Measurement.
What are the Prerequisites for AutoPilot?
You need to ensure that you are ready with all the prerequisites of Windows AutoPilot. Once all the requirements are in place, you can start your LAB or PoC testing.
I have explained the prerequisites in the following section. Proxy and firewall exceptions are critical requirements if you are planning to do the PoC from your office network.
- Windows 10 1703 Pro / Enterprise or later, at the OOBE setup screen
- Internet access (proxy and firewall exceptions)
- The hardware hash / device ID of the Windows 10 device
- Users must be allowed to join devices to Azure AD
- Microsoft Intune or another MDM service to manage devices
- EMS / Microsoft 365 licence
I would recommend reading Microsoft doc about Windows AutoPilot prerequisites. I would recommend reading network connectivity requirement documentation on Microsoft doc.
Windows Autopilot Profile Types
Let’s understand the table and go through each column to understand the Windows Autopilot profile types better. Let me know if you have any questions in the comments section.
| | Type 1 | Type 2 | Type 3 | Type 4 |
|---|---|---|---|---|
| Profile type | User-driven mode (classic Autopilot) | Self-deploying mode | Hybrid Azure AD join | Existing Devices |
| Join and enrollment | Join device to AAD; enroll in Intune | Join device to AAD; enroll in Intune | Join device to on-prem AD and register in Azure AD; enroll in Intune | Join device to AAD; enroll in Intune |
| Credentials | Requires user credentials for Azure AD join and Intune enrollment | No need to provide user credentials to authenticate for Intune and Azure AD join; the TPM chip is used for authentication instead | Requires user credentials for AAD join and Intune enrollment | Requires user credentials for AAD join and Intune enrollment; can copy an offline Autopilot profile |
| Challenges | More end-user wait time; this wait time can be reduced using the white glove process | NA | Requires the Intune connector to be installed for AD join; more end-user wait time | Requires a task sequence; more end-user wait time, which can be reduced using the white glove process |
| Persona criteria | No on-premises dependency for applications and AD policy; recommended for remote users or sales users who don’t often connect to the corporate network | No on-premises dependency for applications and AD policy; recommended for Windows 10 kiosk scenarios or shared-device users | Recommended for users who have an on-premises dependency for apps and policy | Recommended for users who don’t have an on-premises dependency; this approach can be used if businesses want to achieve a mass Win 10 rollout without |
What are the Technical Components of Autopilot?
Following are the technical components of the Windows Autopilot process or service. This section gives you an understanding of the elements involved in the service.
- Windows Store for Business* - Comes with Azure AD
- AutoPilot Deployment Service
- Microsoft Intune
- Azure Active Directory
- Windows 10
- MDT / SCCM (might be required for re-provisioning of devices)
*Check out Micheal N’s comment in the comment section.
What are the three Entities of AutoPilot?
Following are the three (3) entities of the Windows Autopilot process. Hardware vendors (Dell, Microsoft, Lenovo, HP, etc.) are one of the important entities of the Autopilot service. They help by uploading the device details to the Autopilot service.
- Hardware vendor - Upload hardware details
- IT Admin - Customise the AutoPilot process
- User - Self-service part of device deployment
Which Hardware vendors support AutoPilot?
Microsoft is working with many vendors to onboard them into the Windows AutoPilot process. When writing this post, Microsoft and Lenovo’s new devices are available for the Windows AutoPilot service.
There is an extra cost involved in this process; I heard vendors might charge 4-5 dollars for enrolling the device into AutoPilot service.
- Microsoft
- Lenovo
- Dell
- HP
- Toshiba
- Etc…
More updated details of supported vendors will be available in the Microsoft doc. I would recommend reading the updated doc from Microsoft.
How to Get Ready for AutoPilot Testing or PoC?
Following is the high-level Windows AutoPilot process flow. I have a blog post covering the end-to-end process of lab setup for Windows Autopilot. I will include all the following points in this blog post.
- Get devices into Windows 10 OOBE setup
- Device registration into the AutoPilot Deployment Service via Windows Store for Business or Intune*
- Create Azure AD group (dynamic/static)
- Create an AutoPilot profile
- Assign the Autopilot profile
How to get Devices into Windows 10 OOBE Screen?
To start the Windows AutoPilot process, you need to ensure that your Windows 10 device is on the OOBE screen. How do you get all Windows devices in your organization to the OOBE screen? This process is a bit challenging and time-consuming. Roger has a post about the AutoPilot automation workflow. I would recommend reading that to get more details.
- Device vendors can help with new machines
- Existing machines? Can we use SCCM / MDT?
How to Get Device ID for Windows AutoPilot?
For testing scenarios, you can log in to a Windows 7 or Windows 10 device and run the PowerShell script provided by Microsoft to get the device ID, hardware hash, and other required details. You can also automate this process with Azure Runbook Automation.
- Get hardware ID details from the vendor
- Use the PowerShell script to get the hardware details
- Use the ORDER ID field to automate Autopilot profile assignment
- Azure Runbook to provision Windows 7 machines
PowerShell command: `.\Get-WindowsAutoPilotInfo.ps1 -OutputFile .\MyComputer.csv`
The OrderID attribute and tags in the device details CSV file can help you have automatic deployments of AutoPilot profiles. This OrderID attribute and tags will help create dynamic device groups for each department or other condition. Mike has a blog post explaining this process.
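As an added example (not the Microsoft script and not code from this post), the following PowerShell reads the same hardware hash that Get-WindowsAutoPilotInfo.ps1 collects, adds a Group Tag (Intune's name for the OrderID used above and in the dynamic group rule later in this post), validates the row, and writes the CSV in the Intune import layout. The tag value `HRDept` and the output path are assumptions.

```powershell
# Added example: collect the Autopilot hardware hash with a Group Tag and
# write an Intune-importable CSV. Run elevated on the Windows 10 device.
[CmdletBinding()]
param(
    [string]$OutputFile = ".\MyComputer.csv",
    # Assumed tag; after import it appears on the Azure AD device object as [OrderID]:HRDept
    [string]$GroupTag   = "HRDept",
    [switch]$Append
)

function Get-AutopilotHardwareInfo {
    param([string]$Tag)

    # Serial number from the BIOS: the first column Intune expects.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    # The hardware hash is exposed by the MDM bridge WMI provider (DevDetail CSP);
    # this is the same class the Microsoft script reads.
    $devDetail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap `
        -ClassName MDM_DevDetail_Ext01 `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail) {
        throw "Unable to read MDM_DevDetail_Ext01; run as administrator on Windows 10 1703 or later."
    }

    [PSCustomObject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''    # optional column, left blank as the Microsoft script does
        'Hardware Hash'        = $devDetail.DeviceHardwareData
        'Group Tag'            = $Tag
    }
}

function Test-AutopilotCsvRow {
    # Reject rows the Intune import would refuse anyway, so problems surface before upload.
    param([PSCustomObject]$Row)
    if ([string]::IsNullOrWhiteSpace($Row.'Device Serial Number')) { return $false }
    if ([string]::IsNullOrWhiteSpace($Row.'Hardware Hash'))        { return $false }
    # The hash is a base64 string; a truncated or garbled read fails this decode.
    try { [void][Convert]::FromBase64String($Row.'Hardware Hash') } catch { return $false }
    return $true
}

$row = Get-AutopilotHardwareInfo -Tag $GroupTag
if (-not (Test-AutopilotCsvRow -Row $row)) {
    throw "Collected data is incomplete; not writing $OutputFile."
}

# -Append lets several devices share one file for a single Intune import.
if ($Append) {
    $row | Export-Csv -Path $OutputFile -NoTypeInformation -Append
} else {
    $row | Export-Csv -Path $OutputFile -NoTypeInformation
}
Write-Host "Wrote hash for serial $($row.'Device Serial Number') with Group Tag '$GroupTag' to $OutputFile"
```

The resulting CSV header is `Device Serial Number,Windows Product ID,Hardware Hash,Group Tag`, which is the layout the Intune Windows Autopilot devices import accepts.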
How to Register Devices for AutoPilot testing?
This device registration is the third stage of the Windows AutoPilot process. Following is one of the ways to upload the device ID to Intune.
This import process is the one that the IT Admin of your organization should carry out. Each vendor has its own way of uploading the device information to the AutoPilot Deployment service.
Update/Comment from Michael Niehaus – Technically, when you add a device to Autopilot via Intune, it’s added to the Autopilot deployment service.
This has nothing to do with the Microsoft Store for Business (which also adds machines to the Autopilot deployment service).
The biggest difference: Intune uses a sync process to push and pull devices from the Autopilot deployment service, while the Microsoft Store for Business talks directly to the Autopilot deployment service.
IT Admin - Navigate to Azure Portal -> Microsoft Intune -> Device Enrollment -> Windows Enrollment -> Windows AutoPilot Devices -> click on the IMPORT button -> select the CSV file and upload.
Your device is ready for testing once the Autopilot profile status has moved from Not Assigned through Assigning to Assigned.
My previous post, Beginners Guide Setup Windows AutoPilot Deployment, has more details and video explanations.
How to Create Azure AD Groups for AutoPilot?
Once the device is uploaded to the AutoPilot service (Intune), an Azure AD object for that device will get created.
The device object created will appear with the device’s serial number until the Azure AD join process is completed for that device. A Dynamic Azure AD group can be created with that AAD device object.
I used the following queries to TAG (OrderID) specific departments in my test scenarios.
- `(device.devicePhysicalIds -any _ -contains "HRDept")`
- `(device.devicePhysicalIds -any _ -contains "SalesDept")`
How to Create AutoPilot Profiles?
You can create an AutoPilot deployment profile to customize the Windows OOBE experience for the end user. At the time of writing, a Windows AutoPilot profile provides only three (3) options to customize. I hope in the future there will be more options. You can see this in the video tutorial.
- Navigate via Microsoft Intune Admin Center -> Device Enrollment -> Windows Enrollment
- Click on Deployment profiles under Windows Autopilot Deployment Program and select Create a profile.
- In the Create profile blade, set the name to "IT AutoPilot Profile 1", click on Out-of-box experience (OOBE), and configure the following:
OOBE customisation settings:
- Privacy Settings > Value > Hide
- End-user license agreement (EULA) > Value > Hide
- User account type (Standard or Administrator) > Value > Standard User
Once the Autopilot profile is ready, you can deploy it to Azure AD dynamic device groups. I recommend reading the AutoPilot profile assignment post to get more details about the AutoPilot profile assignment.
What is Windows Enrollment Status Page?
Intune Enrollment status page is new to some of us. The enrollment status page policy is global, and once enabled, it applies to all the users. I recommend reading the Windows Enrollment Status page post to get more details.
End to the End Process flow of AutoPilot
I have explained the end-to-end Windows AutoPilot process flow in this blog post. This flow is a quick recap of the steps we followed in the above section of this post.
- Get the Device ID: let the vendor upload the Device ID, or use the PS script to collect the Hardware ID from existing machines
- UPLOAD – Hardware ID or Harvest ID to Intune
- The Device gets Registered to AutoPilot Deployment Service via WSfB or Intune.
- AAD Device Record will get created
- AAD Device Object will get assigned to AAD Dynamic Groups
- Autopilot Profile will get automatically assigned
- Windows 10 1703 or later OOBE setup
- Windows Enrollment Screen – Security Policies – App deployment
- Ready to Use
AutoPilot Troubleshooting Tips
The best way to troubleshoot Windows Autopilot deployment is from the Windows Enrollment Status screen. As I mentioned in the above section of this post, I recommend reading my previous post about Windows Enrollment Status Screen Troubleshooting.
I would recommend checking the following sources, in this order, to troubleshoot Windows AutoPilot-related issues.
- Azure Portal Notifications
- Enrollment Status Page
- Intune Troubleshooting Blade
- MDM Diagnostics report
- Event Viewer
- Registry
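As an added example (not code from this post), the following PowerShell pulls the on-device evidence the last three items above point at: the Autopilot profile cached in the registry, the Autopilot event log, and the MDM diagnostics cab. It assumes Windows 10 1809 or later (the event log name and the `-area Autopilot` option of MdmDiagnosticsTool appeared in that release); the cab output path is an assumption.

```powershell
# Added example: gather Autopilot troubleshooting data from the registry,
# Event Viewer and the MDM diagnostics tool on the affected device.
[CmdletBinding()]
param(
    [string]$CabPath = "$env:TEMP\autopilot-diag.cab"   # assumed output location
)

function Get-AutopilotProfileFromRegistry {
    # The profile the device downloaded during OOBE is cached here; every
    # CloudAssigned* value should match the Intune profile you assigned.
    $key = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
    if (-not (Test-Path $key)) { return $null }
    Get-ItemProperty -Path $key |
        Select-Object -Property * -ExcludeProperty PS*
}

function Get-AutopilotEvents {
    param([int]$Newest = 50)
    # Critical, error and warning events only; profile download and ESP failures land here.
    $log = 'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3 } `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function New-AutopilotDiagnosticsCab {
    param([string]$Path)
    # Built-in tool; the cab bundles the MDM diagnostics report with the Autopilot logs.
    & "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -area Autopilot -cab $Path | Out-Null
    return (Test-Path $Path)
}

$cached = Get-AutopilotProfileFromRegistry
if ($null -eq $cached) {
    Write-Warning 'No Autopilot profile cached in the registry: the device never reached the profile download step or is not registered.'
} else {
    Write-Host '--- Cached Autopilot profile ---'
    $cached | Format-List
}

Write-Host '--- Recent Autopilot critical/error/warning events ---'
Get-AutopilotEvents | Format-Table -AutoSize

if (New-AutopilotDiagnosticsCab -Path $CabPath) {
    Write-Host "Diagnostics collected to $CabPath"
}
```

A cached profile whose tenant values differ from your tenant, or no cached profile at all, points at device registration or profile assignment rather than at the Enrollment Status Page.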
When you want to do deep-level troubleshooting of Windows AutoPilot, there are resources available from Michael Niehaus.
- Troubleshooting Windows AutoPilot (level 100/200)
- Troubleshooting Windows AutoPilot (level 300/400)
- Troubleshooting Improvements in Windows AutoPilot
Resources
- Windows AutoPilot – https://www.microsoft.com/en-us/windowsforbusiness/windows-autopilot
- Windows AutoPilot Prerequisites – https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot#prerequisites
- Windows AutoPilot Video Tutorial – https://www.youtube.com/watch?v=Hb4V7uaqEm4
- Azure Runbook automation – https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo/1.3/DisplayScript
- Download the PS Script – https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo/1.3/Content/Get-WindowsAutoPilotInfo.ps1
Author
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 17 years of experience (calculated in the year 2018) in IT. He is a blogger, speaker, and local user group community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about technologies like SCCM, SCOM, Windows 10, Azure AD, Microsoft Intune, RMS, Hyper-V etc…
Technically, when you add a device to Autopilot via Intune, it’s being added to the Autopilot deployment service. This has nothing to do with the Microsoft Store for Business (which also adds machines to the Autopilot deployment service).
The biggest difference: Intune uses a sync process to push and pull devices from the Autopilot deployment service, while the Microsoft Store for Business talks directly to the Autopilot deployment service.
Thank you very much, Mike. I have updated the content and added your comments to the post as well.
Great guide! I’m doing extensive testing with AutoPilot but keep running into errors when using self-deploying mode. Do you know if this will be stable at the 1809 release?
It would be great if you could explain the details about the error. We didn’t see any critical errors that would stop us from going into production.
Trying to figure out how to use AutoPilot for my particular case… still learning quite a bit! I have a couple questions I was hoping someone could help me clarify.
Is AutoPilot the only way to have a device automatically enroll as corporate owned?
In a post above, Michael mentioned it is possible to enroll a device through the Microsoft Store for Business, how can I go about doing this?
I’ve been using a PowerShell and batch file to pull the autopilot information into a spreadsheet on a USB drive to add existing devices manually. I figured we should have our current laptops enrolled in AutoPilot anyway in case we need to autopilot wipe a device remotely and have it enrolled as corporate-owned instead vs. personal and assigned to a particular user for the OOBE sign in.
And lastly, what would be recommended if the user who enrolled through AAD join and is intune licensed is off-boarded and the 365 user account is disabled. Would the device simply stop syncing, and we would need to refresh or wipe to have another user sign in? Or possibly perform the autopilot wipe? What would be the best option to change the user attached to a device, can that be done in the Intune portal instead?
Thanks!
1. Windows devices - Autopilot or SCCM OSD are the two methods to enroll corp-owned devices
2. Best practice is to use the Intune console to upload Autopilot hash details
3. There should be an internal organizational process to remote wipe before disabling the account etc., but I never tested this scenario. My experience is shared at https://www.anoopcnair.com/intune-help-desk-support-tools/
Thank you!
Hello,
We are searching for information about the URLs for the proxy and firewall for the Autopilot deployment.
Do you have that information, please?
Hello, there is no specific proxy and firewall list for Autopilot itself. Check out the Windows 10 proxy and firewall requirements. This list keeps changing with the latest version of Windows 10: https://docs.microsoft.com/en-us/windows/privacy/manage-windows-endpoints
Below is some information we discussed with MS for the outdated web site (Autopilot corporate LAN requirements):
– Network requirements: https://docs.microsoft.com/intune/network-bandwidth-use
– Intune Endpoints: https://docs.microsoft.com/intune/intune-endpoints
For the long-term approach, MS will use the O365 web service and associated docs, normally targeting the end of the year.
Antonio - What do you think about the following details? Windows 10 Proxy and Network Requirements for Modern Windows Deployment: https://www.anoopcnair.com/windows-10-proxy-requirements-for-intune/
Hi Anoop,
Is there a way to automate collecting the HWIDs for multiple devices?
Thanks
There are many processes shared by my MVP colleagues using Azure runbooks etc.
Here is one example https://oliverkieselbach.com/2017/11/16/gather-windows-10-autopilot-info-in-azure-blob-storage-during-wipe-and-reload/
If the device is already running Windows 10 and enrolled in Intune, you just need to check a box and Intune will take care of it for you. Otherwise, we suggest Windows Autopilot for existing devices, https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/existing-devices.
For testing purposes I would like to understand the best way forward to re-enroll Windows Autopilot members.
I use a dynamic device group for hybrid Azure AD joined over VPN, but it looks like the machines enrolled are not able to be reused to re-enroll. I have to remove them from the Autopilot devices and delete all related associated Azure devices before it works again; however, I struggle really hard to reuse a device for Autopilot after it was enrolled. What’s the way to do test enrollment in a decent way with the same machine?