Let’s discuss the Windows AutoPilot Step-by-Step Admin Guide to Provision Windows 10 11 Devices. In this post, I will describe how to provision Windows 10 devices with AutoPilot service, enrol them into Intune, create a deployment profile, import device information into Intune, and set up Windows 10 devices.
HTMD Community recommends going through 12 hours for a self-learning track to learn Intune. More details on Intune Training Course 2023. Windows Autopilot PreProvisioning Backend Process- Deep Dive – Post 4, Windows Autopilot Processes from Device Side – Part 3. Windows Autopilot Behind The Scenes Secrets – Admin Side – Part 2.
Windows Autopilot streamlines setting up and configuring new devices for immediate use. It works for deploying Windows PCs and HoloLens 2 devices.
If most of you are Microsoft 365 subscribers, you may already have Windows Autopilot included at no additional cost.
- Part 1 Windows Autopilot FAQ Clarifying the General Misconceptions
- Part 2 Windows Autopilot from the perspective of IT Admin setup
- Part 3 Windows Autopilot In-Depth Processes from Device Side
- Part 4 Windows Autopilot WhiteGlove Provisioning Deep Dive (This Post)
Learn How to Decide Windows Autopilot Profile Types | Intune Architecture. Windows Autopilot Hybrid Azure AD Join Troubleshooting Tips.
The Windows AutoPilot service is a collection of technologies designed to simplify and automate the Windows Out-of-Box Experience (OOBE experience). It has three (3) scenarios. The Windows AutoPilot Process End-to-end Guide provides more information on the basics of Windows AutoPilot.
Video – Windows Autopilot Training
Joy, a Microsoft MVP, provides the latest Windows Autopilot training. This video covers end-to-end Windows Autopilot scenarios, including Background processes, Real-World Issues, fixes, Tips, and Tricks.
- Get to know Windows Autopilot.
- Compare and contrast Windows Autopilot with Traditional Windows Provisioning.
- Know the benefits of using Windows Autopilot
- Deep dive into how Windows Autopilot works
Windows AutoPilot Admin Guide to Provision Windows 10 11 Devices
The provision of Windows 10 with AutoPilot is part of modern technology. Everything seems to be moving into the cloud and automation. Building and managing operating systems is time-consuming. Windows Autopilot is the provisioning service.
With the help of Intune and AutoPilot, you can pre-configure, reset, re-purpose, and recover your devices. You can customize and deploy the setting without re-imaging, which saves you a lot of time.
I would not go into details for describing Windows AutoPilot, as much Microsoft Documentation is available. We also have posts from Anoop, Joy, and Vimal about Windows AutoPilot and MS Intune.
- Please go through with Windows AutoPilot.
Related Post-Beginners Guide Setup Windows Autopilot Deployment, Windows Autopilot FAQ Clarifying the General Misconceptions Part 1, Windows AutoPilot and Microsoft Documentation
While enrolling Windows 10/11 devices in Intune, we must configure certain prerequisites as outlined below. I would not detail the licensing and other requirements that information you can get from Microsoft documents.
- Configure Device Setting
- Mobility (MDM and MAM)
- Company Branding
- Deployment Profile
- Create Groups
- Creation of Users
Configure Device Setting – Provision Windows 10 11 with Windows AutoPilot Step-by-Step Admin Guide
To configure the device setting, you have to go to:
- Login to Azure Portal
- Navigate via Azure active directory->Devices->Device Settings
The first option is that users may join devices to Azure AD, which I have selected all, you can choose the desired option also if you want to have some selected users join the machines to Azure, but in my case, I have set all.
The next option is to create an additional local administrator for Windows 10 Azure AD joined devices.
- Here, you can select which users will have local device admin rights. By default, global administrators and device owners are granted local device admin rights.
- After that, configure the other settings and click save.
Mobility (MDM and MAM)
The next step is Mobility (MDM and MAM) configurations:
- Login to Azure Portal
- Navigate to Azure Active Directory
- Open the Mobility (MDM and MAM) blade and click on Microsoft Intune
- Save the settings
Create Azure AD Group for Windows Autopilot
Next, we will create an Azure AD group, which will be dynamic and have rules. You can complete this step either from Intune Blade ->Groups or Azure AD -> Groups.
NOTE! – Another option is to use the Microsoft 365 Device Management portal.
Click on New Group and provide all the information, whichever you want.
Configure Dynamic Query
I selected the membership type as dynamic devices (the same as SCCM, where we create query-based collections) and then clicked on add the Azure Active Directory query. More Details – Windows AutoPilot Profile AAD Dynamic Device Groups (anoopcnair.com).
use the rule as "(device.devicePhysicalIDs -any _ -contains "[ZTDId]")"
Azure AD dynamic group with device physical ID attribute.
- Now, you can see that the rule syntax query has been added. Save the setting, and click on Create.
Now the Azure AD group is created. So what will happen with this rule and group?
NOTE! – Once you import a Windows 10 device in Intune, that device will be added to this group automatically. And whatever profiles are assigned in this group will be applied to devices.
Create Deployment Profile
The next step I followed was to create a deployment profile, which will be used for Windows AutoPilot deployment.
- Go to Intune->Device Enrollment->Windows Enrollment. On the right side, you will see the Windows autopilot Deployment program.
Click on deployment profiles, then click on Create a profile.
Click on the NEXT button.
Configure Out-Of-Box experience (OOBE) for AutoPilot
We will configure the OOBE settings for Windows AutoPilot devices in this window.
- In Deployment Mode, select the user-driven
- Join Azure AD as Azure AD joined
- Microsoft Software Licence Terms hide
- Privacy Settings hide
- Hide Change account options Hide
- User Account Type standard
- Allow While Glove OOBE No
- Apply Device name Template No
Click Next to continue.
NOTE! – You have a new option to pre-provision the apps and policies to the device so that users don’t have to wait for a long time during the Windows Autopilot enrollment process. More details on this process – Windows Autopilot WhiteGlove Provisioning Backend Process- Deep Dive.
Let’s examine group assignments. To create dynamic groups for Autopilot devices, use the Windows AutoPilot Profile AAD Dynamic Device Groups post.
- In Assignment, click on Select Groups to include.
Assignments
Now, it’s time to assign the Azure AD device group to the Autopilot profile.
Select the Azure AD group to deploy the Windows Autopilot Profiles.
On the right hand, you can see all the available groups are visible, and you can select which group needs to be assigned for the deployment profile.
- I created Windows AutoPilot and selected that.
NOTE! If you want to exclude any group, you can select otherwise, click on next, review the settings, and click on create.
Enrollment setup Page
On the enrollment setup page, there is a default profile created. Here we are going to create a new profile for Windows Autopilot.
Create an Enrollment Status Page to track the status of the enrollment of Windows 10 or 11 devices. For more details, see Intune Enrollment Status Page (ESP) Troubleshooting (anoopcnair.com).
- Save the settings and create the Profile.
NOTE! – Remember, this Profile can be assigned to user groups only. The device group won’t be assigned.
Generate WindowsAutoPilotInfo file
Now we are all set. It’s time to add the existing Windows 10 device to Intune.
- Before adding existing devices, we must run a few power-shell commands on the new greenfield Windows 10 device
- And import the CSV file in Intune. Next, I will log in on my Windows 10 device.
- Open PowerShell with the administrator and run the following command.
CD\
md AutoPilot
cd AutoPilotThen enter then type the following command
save-script -name get-WindowsAutoPilotInfo -Path C:\AutoPilot\
Now you can see in the directory that one PS file is created with the name of windowsautopilotinfo.
We will get the output file into CSV, which will be used to import it into Intune. Run the command \Get-WindowsAutoPilotInfo.ps1 -outputfile C:\AutoPilot\AutoPilot.csv
You have a CSV file with you with all the information about the device for Windows autopilot. Which will have the knowledge of Device Serial Number, Windows Product ID, and Hardware Hash
Import Device into Intune
Now open the Microsoft Store for business and import the CSV file.
NOTE! Might you have a question? Why am I not importing into Intune? The problem I faced was that I couldn’t assign the deployment profile I had created. Why? Maybe I need to have some patience. 🙂 But it appeared quickly within Microsoft Store for Business, and I could assign the Profile without any problem.
- Go to Manage then devices from the Microsoft Store for Business portal.
- Import the devices with OEM information generally used by vendors (like Dell, HP, and Lenovo).
You can also import devices using a CSV file we just created. Click on Add Devices, then select the file you have generated.
Once You select, you will see a window asking you to choose the deployment group. I clicked on the NO thanks option.
Select the device from the uploaded list. Microsoft Store for Business is retiring soon. I don’t recommend using MSfB to import/register devices into Windows Autopilot. Microsoft Store for Business Education Retirement Postponed HTMD Blog (anoopcnair.com).
Once the device is added, click on Profile, then select the deployment profile created. Once the Profile is assigned, return to the Intune portal and see the status.
- Navigate to Microsoft Intune-> Device enrollment->Windows enrollment->Windows Autopilot Devices
- Here you can see the profile status is assigned. In the initial stage, the class will be set, which takes a few visits,c and the status gets changed to assigned.
- All set, the device is imported, and the deployment profile is assigned. The next step is to login into the Windows 10/11 machine and reset it.
Download Windows Autopilot Deployment Flowchart
Happy Autopiloting:) Bonus tip: The Windows 10/11 Autopilot deployment process PDF can be downloaded from the link. You can also download the Windows Autopilot Deployment Flowchart prepared by Michael Niehaus.
End-User Experience – Provision of Windows 10 Experience with Windows Autopilot
Once you reset the Windows 10/11 (or a new machine that is autopilot enabled) and restart the device, you will see the following screen indicating your device is ready to join Windows Autopilot.
You need to select the keyboard layout as shown below to continue.
The following screenshot shows that you now have some important setup to do.
The above picture says you now have some important setup to do. Yes, you will join Windows Autopilot, and you are excited.
- The next screen will tell about the complete form.
Enter the username and password.
Password used for your corp email access.
If the password is expired, you might get this screen, or if the new password is enabled by the organization to have better security.
The following screen shows the Enrollment Status Page (ESP).
Windows Hello for Business setup is the screen is shown now.
Let you set up the PIN to log in.
This is the MFA configuration if you have enabled this option as part of Windows Autopilot enrollment. The background and logo, which you can see, are configured during the company branding.
Enter the details for Multi-Factor Authentication (MFA).
Now it’s time to log in. ESP is completed, and all the apps and policies must be installed on the device before the user can log in.
Now log in to the Windows 10 device with the Azure ID and pin you just set. Go to the settings-> accounts-> Access work or school here. You can see your computer is connected to Azure AD.
You can confirm whether the device is managed by Intune by going to the Settings page.
When you go to the MS Intune-> Devices, then you can see enrolled devices.
You can see the device is enrolled and shows as compliant as per the compliance policy in Intune.
Newly imported Windows 10 has joined Windows autopilot. Now, you can deploy applications, settings, and configurations. In the next part, we will discuss the deployment of applications and software updates.
Resources
We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.
Author
Sharad Singh has been working in the industry since 2007. Since then, he’s worked with Active Directory, Group Policy, SCCM SCOM, MS Intune, and PowerShell. Sharad currently works as a Senior consultant in Japan. Most recently, his focus has been on SQL reporting for SCCM, MS Intune, and SCCM migration.
Anoop, will autopilot works for virtual devices? And is autopilot recommended for large complex environment 1.5lks devices.. how about managing legacy devices with intune win7, 8.0, 8.1 etc any options available.. any thoughts on managing server os with intune
I think all these 150000 devices won’t be migrated to Intune and Windows Autopilot in couple of months. So, you shall think about starting the journey towards Autopilot and Intune management for small set of devices like 100 for 1st year and then continue with the deployments.
Its really good explanation about Auto Pilot implementation .Is any thing on MDATP for windows 10 devices with Servers
Some devices will not be having hardware hash. In that case how can I add the device to intune ?
Thank you very much Sir.
This step by step guide was very helpful for Autopiolting.Its really good explanation.
I run into errors “something went wrong” during ESP page after i get prompted for MFA on the third step of ESP. How can avoid the errors or setup MFA so it will only prompt after the ESP page is completed or during company branding. Thank you
kindly share the steps how to export hardware hash file from VM to local host looking steps