I’m not an expert in SCCM OSD and tried to spend time on OSD. So I never invested time to test Windows Autopilot deployment. Windows Autopilot is the buzzword, and most of the device management folks are talking about Windows AutoPilot. I don’t know whether AutoPilot is going to replace OSD or not. But I can assure you it’s not going to happen very soon.
Are you looking to use Azure AD dynamic device groups to automate app and security policies as part of Windows AutoPilot deployment? I have a blog post about Windows AutoPilot Profile AAD Dynamic Device Groups.
1. What is Windows AutoPilot?
2. Windows AutoPilot Works with VMWare Airwatch and MobileIron?
3. Windows AutoPilot = OSD via SCCM or MDT?
4. Video Tutorial Windows AutoPilot Deployment
5. How to Setup Windows AutoPilot Deployment?
   5.1 Create Hyper-V Machine for Windows AutoPilot Deployment
   5.2 Install Windows 10 1803 and create a checkpoint once the installation is complete
   5.3 Get Hardware ID of the VM for Windows AutoPilot Deployment
   5.4 Import Devices into Intune Portal for Windows AutoPilot
   5.5 Intune Enrollment Settings, Azure Portal Company Branding and License
   5.6 Create Windows AutoPilot Deployment Profiles
   5.7 Assign Devices to AutoPilot Profiles
6. Configure AutoPilot Enrollment Screen for Windows AutoPilot Deployment
   6.1 What is Windows AutoPilot Enrollment Screen?
7. End User Experience of Windows AutoPilot Deployment
   7.1 How to Reset Windows 10 1803 virtual machine
   7.2 How to Start Windows AutoPilot Deployment
   7.3 User Login and AAD Branding Page
   7.4 End User Experience – AutoPilot Enrollment Status Page
   7.4.1 Device Preparation stage – Windows AutoPilot Enrollment Status Page
   7.4.2 Device Setup – AutoPilot enrollment status page
   7.4.3 Account Setup (User Side) Windows AutoPilot Enrollment Status Page
   7.5 Verification of Windows AutoPilot Deployment
What is Windows AutoPilot?
In layman’s words: “Windows AutoPilot is a mechanism to simplify the OOBE. Windows AutoPilot is a group of technologies to configure the operating system and deploy applications.” This helps IT Pros deploy a standard image across the organization in a modern way. An Autopilot deployment won’t deploy the operating system. The operating system (OS) must already be present on your device!
Official statement – Windows Autopilot is a collection of technologies used to set up and pre-configure new devices. You can use Windows Autopilot to reset, re-purpose and recover devices. I would recommend reading the Microsoft documentation to understand this better. What are the prerequisites to set up Windows AutoPilot? They are listed in the documentation referenced above.
Windows AutoPilot Works with VMWare Airwatch and MobileIron?
Yes, Windows AutoPilot works with other MDM providers apart from Microsoft’s own MDM solution, Intune. I never tested the Windows AutoPilot deployment solution with non-Microsoft MDM providers.
Windows AutoPilot = OSD via SCCM or MDT?
Windows AutoPilot is not equal to OSD via SCCM or MDT. The OSD solution in SCCM can cater for end-to-end OS deployment scenarios. As I mentioned above, AutoPilot can’t deploy the operating system to a machine. The operating system must already be on the device; only then can AutoPilot take care of the customization. SCCM/MDT OSD, on the other hand, can deploy boot images and OS images, install drivers, configure the OS, deploy applications, etc.
Video Tutorial Windows AutoPilot Deployment
How to Setup Windows AutoPilot Deployment?
I will give you a walkthrough of how to set up Windows AutoPilot in this post. This is mainly for lab setup and test purposes, but the same idea can be used with physical machines as well. When you use physical machines, you don’t need to go through all of the following steps.
Create Hyper-V Machine for Windows AutoPilot Deployment
Enable the Hyper-V feature and create a virtual machine on your Windows 10 device. Run the following PowerShell commands as shown in the video tutorial. These PS commands create a VM for the Windows AutoPilot deployment. This step is not required if you are performing an AutoPilot deployment on a physical machine.
I used Windows 10 version 1803 in the video and in this post to explain the scenario.
```powershell
# Enable the Hyper-V feature (a reboot is required afterwards)
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
# External switch so the VM can reach the internet, which Autopilot needs
New-VMSwitch -Name AutopilotExternal -NetAdapterName <Name of Network Adapter with internet access> -AllowManagementOS $true
# Generation 2 VM with an 80 GB disk, attached to the new switch
New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
# Attach the Windows 10 ISO and start the VM to begin the installation
Add-VMDvdDrive -Path <Path to Windows 10 ISO> -VMName WindowsAutopilot
Start-VM -VMName WindowsAutopilot
```
Install Windows 10 1803 and create a checkpoint
Once the installation is complete, create a checkpoint so the VM can be rolled back to a clean install later:
```powershell
Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
```
Get Hardware ID of the VM for Windows AutoPilot Deployment
Log in to the Windows 10 virtual machine you just created. Run the PS commands below to generate a CSV file containing the hardware ID of the VM. The PowerShell commands must be run as administrator, and the virtual machine must be connected to the internet.
Also, don’t forget to press Y and A whenever PowerShell prompts you to 😉 PowerShell will automatically download and run the required script from the internet. You can see this in the video tutorial.
The output of the following PS commands is C:\HWID\AutopilotHWID.csv.
```powershell
md c:\HWID
Set-Location c:\HWID
# Allow the downloaded script to run (RemoteSigned is a safer setting to return to afterwards)
Set-ExecutionPolicy Unrestricted
# Downloads the script from the PowerShell Gallery; answer Y / A to the prompts
Install-Script -Name Get-WindowsAutopilotInfo
# Writes the serial number, product ID and hardware hash of this machine to the CSV
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
```
Import Devices into Intune Portal for Windows AutoPilot
Copy the C:\HWID\AutopilotHWID.csv file from the virtual machine to a file share so that you can upload it to Intune. Open the Intune blade in the Azure portal and import the CSV file, which contains the machine’s hardware ID and other details.
Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment -> Windows AutoPilot Devices -> click on the IMPORT button -> select the CSV file and upload it!
The import blade states the formatting requirements for importing Windows AutoPilot devices from a .CSV file:
<Serial Number>, <Windows Product ID>, <Hardware Hash>, (optional <Order ID>)
175 rows maximum allowed
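A pre-upload check for the CSV, as an added example that is not code from the original post or from Microsoft: it applies the two import rules quoted above (the column layout and the 175-row limit) and flags empty or duplicate serial numbers and hashes that are no longer base64, which is what happens when the file has been edited in a spreadsheet. It assumes the header names that Get-WindowsAutopilotInfo.ps1 writes.

```powershell
# Added example (not from the original post). Validates an Autopilot hardware-ID CSV
# against the Intune import rules before uploading it.
# Assumption: headers are the ones written by Get-WindowsAutopilotInfo.ps1.
function Test-AutopilotCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxRows = 175     # limit stated in the Intune import blade
    )
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $problems = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; IsValid = $false; Rows = 0; Problems = @('File not found') }
    }
    $rows = @(Import-Csv -LiteralPath $Path)
    if ($rows.Count -eq 0)        { $problems.Add('CSV has no data rows') }
    if ($rows.Count -gt $MaxRows) { $problems.Add("CSV has $($rows.Count) rows; Intune accepts at most $MaxRows per import") }

    # Header check: Import-Csv exposes the header names as properties of each row
    $headers = if ($rows.Count -gt 0) { $rows[0].PSObject.Properties.Name } else { @() }
    foreach ($col in $required) {
        if ($headers -notcontains $col) { $problems.Add("Missing column '$col'") }
    }

    if ($problems.Count -eq 0) {
        $seen = @{}
        for ($i = 0; $i -lt $rows.Count; $i++) {
            $r = $rows[$i]; $line = $i + 2      # +2: header line plus 1-based numbering
            $serial = "$($r.'Device Serial Number')".Trim()
            $hash   = "$($r.'Hardware Hash')".Trim()
            if (-not $serial)                   { $problems.Add("Line ${line}: empty serial number") }
            elseif ($seen.ContainsKey($serial)) { $problems.Add("Line ${line}: duplicate serial '$serial' (first seen on line $($seen[$serial]))") }
            else                                { $seen[$serial] = $line }
            # The hardware hash is a base64 blob; anything else means the file was mangled
            if ($hash -notmatch '^[A-Za-z0-9+/]+={0,2}$') { $problems.Add("Line ${line}: hardware hash is empty or not base64") }
        }
    }
    [pscustomobject]@{ Path = $Path; IsValid = ($problems.Count -eq 0); Rows = $rows.Count; Problems = $problems.ToArray() }
}

# Usage on the file produced in the previous step
Test-AutopilotCsv -Path C:\HWID\AutopilotHWID.csv | Format-List
```

A CSV that reports IsValid = $false will either be rejected by the import blade or, in the duplicate-serial case, silently overwrite an earlier registration, so fix the listed lines before uploading.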
Intune Enrollment Settings, Azure Portal Company Branding and License
The following three (3) steps need to be completed before the Windows AutoPilot deployment process starts:
- Configure company branding
- Configure Microsoft Intune auto-enrollment
- Assign an EMS or Microsoft 365 license to the user
Create Windows AutoPilot Deployment Profiles
To explain the scenario, I will create an AutoPilot deployment profile that customizes the OOBE experience for the end user. A Windows AutoPilot profile currently provides only three (3) options to customize; I hope more options will be added in the future. You can see this in the video tutorial.
- Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment
- Click on Deployment profiles under Windows Autopilot Deployment Program and select Create profile.
- In the Create profile blade, set the name to “IT AutoPilot Profile 1”, click on Out-of-box experience (OOBE) and configure the following OOBE customisation settings:
  - Privacy Settings > Value > Hide
  - End user license agreement (EULA) > Value > Hide
  - User account type (Standard or Administrator) > Value > Standard User
Assign Devices to AutoPilot Profiles
Once the AutoPilot deployment profiles are created and configured, assign devices to those profiles. You can see this in the video tutorial.
Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment -> Windows AutoPilot Devices -> select (checkbox) one of the uploaded devices and click on the “Assign Profile” button.
On the Assign Profile blade, pick the AutoPilot profile you want to assign from the drop-down list.
Configure AutoPilot Enrollment Screen for Windows AutoPilot Deployment
Configuring the AutoPilot enrollment screen is a pretty new addition to Autopilot deployment. It gives the user an indication of how far along the enrollment process is. You can see this in the video tutorial. This is available for Windows 10 1803 and later versions.
What is Windows AutoPilot Enrollment Screen?
The enrollment status page appears during initial device setup. If enabled, users can see the installation progress of assigned apps and profiles. I would recommend reading the Microsoft documentation.
- Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment -> Enrollment Status Page
- Choose Default > Settings.
- For Show app and profile installation progress, choose Yes.
- Choose the other settings that you want to turn on and then choose Save.
The enrollment status page is deployed to all users by default. Intune admins don’t have an option to deploy the Autopilot enrollment status page to a custom set of users.
At this moment, the AutoPilot enrollment status page is a global setting for your tenant. The following customization options are available on the Enrollment Status Page; I’m sure this will evolve and Microsoft will add loads of new features.
Show app & profile installation progress
Block device use until all apps and profiles are installed
Allow users to use device if installation error occurs
Show error when installation takes longer than specified number of minutes
Show custom message when an error occurs
Allow Users to collect logs about installation errors
End User Experience of Windows AutoPilot Deployment
In this section, we will look at the end user experience of Windows AutoPilot with the AutoPilot enrollment status page (or screen). You can also see this in the video tutorial. To test the AutoPilot Enrollment Status page, I have deployed some applications to all users, to dynamic AAD user groups, and to AAD device groups.
How to Reset Windows 10 1803 virtual machine
This is required ONLY when you are testing in your Hyper-V lab. When you have a physical machine, you should find a method to re-provision it so that it reaches the Windows 10 OOBE screen. Once it is at the OOBE screen, Windows AutoPilot will take care of the predefined tasks.
A reset of a Windows 10 device can be done from the Windows 10 Settings page.
On the virtual machine, go to Settings > Update & Security > Recovery and click on Get started under Reset this PC. Select Remove everything and Just remove my files. Finally, click on Reset.
How to Start Windows AutoPilot Deployment
Make sure the Windows 10 machine has an internet connection; Wi-Fi is the preferred option. Internet access behind a corporate proxy can cause issues: you may have to open the required ports and raise proxy exception requests. This is already explained in one of my previous posts here.
You can get the end-to-end AutoPilot experience from the video tutorial. Autopilot is a cloud service from Microsoft, and it takes control of the Windows OOBE screen.
User Login and AAD Branding Page
The user login and AAD branding page will show the branding details you configured in the earlier stages. The user should log in with their corporate ID and password; this takes care of the user identification and authentication part. You can have MFA (multi-factor authentication) enabled for more security.
End User Experience – AutoPilot Enrollment Status Page
The Autopilot enrollment status page has three (3) parts:
- Device Preparation
- Device Setup
- User Account Setup
Device Preparation stage – Windows AutoPilot Enrollment Status Page
At the Device Preparation stage, device hardware verification, the AAD join and the MDM/Intune enrollment happen:
Securing your hardware
Joining your organization’s network (Azure AD Join or Domain Join)
Registering your Device for Mobile Device Management (Intune, Airwatch etc..)
Device Setup – AutoPilot enrollment status page
The Device Setup stage of the AutoPilot enrollment status page is where device-targeted applications and security configurations get deployed:
Security Policies (Configuration/Compliance policies)
Certificate Profile Deployments
Network Connections (VPN Profile deployments?)
Account Setup (User Side) Windows AutoPilot Enrollment Status Page
Account Setup (User Side) is the last stage of the Autopilot enrollment status screen. This is the stage where the user profile is created and user-targeted deployments kick in and install in the background.
This stage starts only after the user logs in to the device (the Windows 10 1803 machine):
Security Policies (Configuration/Compliance policies)
Certificate Profile Deployments
Network Connections (VPN Profile deployments?)
Verification of Windows AutoPilot Deployment
This is the final stage, where you can see the result of the Windows Autopilot deployment. Log in to the Windows 10 1803 machine and confirm whether all the policies and apps are already present on the device.
As I mentioned before, I tested the following deployment scenarios and all worked well for me. But I’m not sure whether the dynamic device group based app installation happened during or after the AutoPilot enrollment status screen. That requires more testing!
- App deployment to Azure AD dynamic device groups
- App deployment to all devices
- Configuration/security policy (Disable Cortana) to all users
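A way to confirm the device-side result of the deployment from PowerShell, as an added example that is not from the original post: it parses the output of dsregcmd /status on the enrolled machine and reports whether the Azure AD join and the MDM (Intune) enrollment that the Device Preparation stage performs actually completed. It assumes the key names AzureAdJoined, DomainJoined, TenantName and MdmUrl as dsregcmd prints them; the sample output at the end is constructed so the parser can be shown offline.

```powershell
# Added example (not from the original post). Summarises the Azure AD join and
# MDM enrollment state of the machine from "dsregcmd /status".
# Assumption: dsregcmd prints "   Key : Value" lines with the key names used below.
function Get-AutopilotJoinState {
    param(
        # Optional pre-captured output; by default dsregcmd is run on the local machine
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )
    $fields = @{}
    foreach ($line in $StatusText) {
        # Section banners ("+----", "| Device State |") and blank lines do not match
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $aadJoined = $fields['AzureAdJoined'] -eq 'YES'
    $mdmUrl    = $fields['MdmUrl']
    [pscustomobject]@{
        AzureAdJoined = $aadJoined
        DomainJoined  = ($fields['DomainJoined'] -eq 'YES')
        TenantName    = $fields['TenantName']
        MdmEnrolled   = [bool]$mdmUrl          # an MDM URL is only present once enrollment succeeded
        MdmUrl        = $mdmUrl
        Ready         = ($aadJoined -and [bool]$mdmUrl)
    }
}

# Constructed sample of the relevant dsregcmd lines (not real tenant data)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                TenantName : Contoso (constructed)
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

Get-AutopilotJoinState -StatusText $sample | Format-List
# On the real machine, simply: Get-AutopilotJoinState | Format-List
```

If Ready comes back $false after the enrollment status page finished, the device never reached the MDM enrollment step, which explains missing apps and policies better than waiting for another sync.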
Demo the Windows Autopilot Deployment Program on a Virtual Machine