Beginners Guide Setup Windows AutoPilot Deployment

I’m not expert in SCCM OSD and tried to spend time on OSD. So I never invested time to test Windows Autopilot deployment. Windows Autopilot is the buzzword, and most of the device management folks are talking about Windows AutoPilot. I don’t know whether AutoPilot is going to replace OSD or not. But, I can assure you not very soon it’s going to happen.

[Windows Autopilot Related Posts]

Beginners Guide Setup Windows AutoPilot Deployment(this post)
Dynamically Deploy Security Policies and Apps to Windows AutoPilot Devices
Where is AutoPilot Assign Profile Button in Intune Portal
Windows AutoPilot End to End Process Guide

Are you looking to use Azure AD user dynamic device groups to automate App and security policies as part of Windows AutoPilot deployment? I have a blog about Windows AutoPilot Profile AAD Dynamic Device Groups.

Content:-

1. What is Window AutoPilot?
2. Windows AutoPilot Works with VMWare Airwatch and MobileIron?
3. Windows AutoPilot = OSD via SCCM or MDT ? 
4. Video Tutorial Windows AutoPilot Deployment
5. How to Setup Windows AutoPilot Deployment?
      5.1 Create Hyper-V Machine for Windows AutoPilot Deployment
      5.2 Install Windows 10 1803 Once the installation is complete, create a checkpoint
      5.3 Get Hardware ID of the VM for Windows AutoPilot Deployment
      5.4 Import Devices into Intune Portal for Windows AutoPilot
      5.5 Intune Enrollment Settings, Azure Portal Company Branding and License
      5.6 Create Windows AutoPilot Deployment Profiles
      5.7 Assign Devices to AutoPilot Profiles
6. Configure Intune Enrollment Screen for Windows AutoPilot Deployment
      6.1 What is Windows Intune Enrollment Screen?
7. End User Experience of Windows AutoPilot Deployment
      7.1 How to Reset Windows 10 1803 virtual machine
      7.2 How to Start Windows AutoPilot Deployment
      7.3 User Login and AAD Branding Page
      7.4 End User Experience – Intune Enrollment Status Page
           7.4.1 Device Preparation stage –  Intune Enrollment Status Page
           7.4.2 Device Setup – Intune enrollment status page
           7.4.3 Account Setup (User Side) Windows Intune Enrollment Status Page
      7.5 Verification of Windows AutoPilot Deployment

What is Window AutoPilot?

In layman’s words “Windows AutoPilot is a mechanism to simplify the OOBE. Windows AutoPilot is a group of technologies to CONFIG operating system & deploy applications”. This helps IT Pros to deploy standard image across the organization in a modern way. Autopilot deployment won’t deploy Operating system. The Operating System (OS) should be present there on your device!

Official Statement – Windows Autopilot is a collection of technologies used to set up and pre-configure new devices. You can use Windows Autopilot to reset, re-purpose and recover devices. I would recommend reading Microsoft documentation to understand this more. What are the Prerequisites to setup Windows AutoPilot? We have those listed down in the above documentation.

Windows AutoPilot Works with VMWare Airwatch and MobileIron?

Yes, Windows AutoPilot works with other MDM providers apart from Microsoft’s MDM solution like Intune. I never tested Windows AutoPilot deployment solution with non Microsoft MDM providers.

Windows AutoPilot = OSD via SCCM or MDT ? 

Windows AutoPilot is not equal to OSD via SCCM and MDT. OSD solution in SCCM can cater end to end OS deployment scenarios. As I mentioned above, AutoPilot can’t deploy the Operating system to a machine. The Operating system should already be there on a device then only AutoPilot can take care of customization. But, SCCM/MDT OSD can deploy Boot images, OS images, Install Drivers, Configure OS, Deploy applications, etc…

Video Tutorial Windows AutoPilot Deployment

How to Setup Windows AutoPilot Deployment?

I will give you a walkthrough to setup Windows AutoPilot in this post. This is mainly for lab setup and test purpose. But this idea can be used with physical machines as well. When you use physical machines, you don’t need to go through all the following steps.

Create Hyper-V Machine for Windows AutoPilot Deployment

Enable the Hyper-V feature and create a virtual machine on your Windows 10 device. Run following PowerShell commands as I shown in the video tutorial. These PS commands create a VM for Windows AutoPilot deployment. This step is not required if you are performing an AutoPilot deployment of a physical machine.

I used Windows 10 1803 version in the video and the post to explain the scenario.

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

New-VMSwitch -Name AutopilotExternal -NetAdapterName <Name of Network Adapter with internet access> -AllowManagementOS $true 
New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal 
Add-VMDvdDrive -Path <Path to Windows 10 ISO> -VMName WindowsAutopilot 
Start-VM -VMName WindowsAutopilot

Install Windows 10 1803 Once the installation is complete, create a checkpoint !

Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"

Get Hardware ID of the VM for Windows AutoPilot Deployment

Login to Windows 10 virtual machine which you just created. Run PS commands mentioned below to generate a CSV file with hardware ID of the VM. The PowerShell commands should be run as administrator. Make sure your virtual machine is connected to the internet.

Also, don’t forget press Y & A whenever PowerShell prompt to do that 😉  The power shell will automatically download & run the required scripts from the internet.  You can see this as shown in the video tutorial.

The output of the following PS commands is C:\HWID\AutopilotHWID.csv

md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv

Import Devices in to Intune Portal for Windows AutoPilot

Copy the C:\HWID\AutopilotHWID.csv file from the virtual machine and copy it to the file share. This will help you upload CSV file to Intune. Open Intune blade from Azure portal and Import CSV file which contains the machine hardware ID and other details.

Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment -> Windows AutoPilot Devices -> Click on IMPORT button -> select the CSV file and upload !

Import Windows AutoPilot devices from a .CSV file. 
Formatting requirements

• <Serial Number>, <Windows Product ID>, <Hardware Hash>, (optional <Order ID>)

• 175 rows maximum allowed

Intune Enrollment Settings, Azure Portal Company Branding and License

Following are the three (3) steps you need to complete before the start of Windows AutoPilot deployment process.

Configure company branding
Configure Microsoft Intune auto-enrollment
Assign EMS or Microsoft 365 License to the user

You can configure the company branding from azure portal
You can configure Microsoft Intune Auto Enrollment whenever machine joins to Azure AD

Create Windows AutoPilot Deployment Profiles

To explain the scenario, I will create an AutoPilot Deployment profile to customize the OOBE experience for the end user. Windows AutoPilot profile provides only three (3) options to customize. I hope in the future there will be more options. You can see this as shown in the video tutorial.

1. Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment
2. Click on Deployment profiles under Windows Autopilot Deployment Program and select Create profile.
3. In the Create profile blade, set the name to “IT AutoPilot Profile 1“, click on Out-of-box experience (OOBE) and configure the following:

OOBE Customisation Settings
Privacy Settings >Value > Hide
End user license agreement (EULA) >Value> Hide
User account type Standard or Administrator >Value> Standard User

Assign Devices to AutoPilot Profiles

Once the AutoPilot Deployment profiles are created and Configured then, assign devices to those profiles. You can see this as shown in the video tutorial.

Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment -> Windows AutoPilot Devices -> select (checkbox) one of the uploaded devices and click on “Assign Profile” button.

On Assign Profile blade select AutoPilot Profile from the drop-down list and pick the one which you want to assign.

We can’t assign device to Autopilot profiles. Instead you need to assign Autopilot profiles to Azure AD groups. I have explained this process in the following blog post.

How to assign Autopilot profiles to Azure AD groups

Configure AutoPilot Enrollment Screen for Windows AutoPilot Deployment

Configure the AutoPilot Enrollment screen is pretty new to Autopilot deployment. This will give the user an indication of the timing of enrollment process. You can see this as shown in the video tutorial. This is available for Windows 10 1803 and later versions.

What is Windows Intune Enrollment Screen?

The enrollment status page appears during initial device setup. If enabled, users can see the installation progress of assigned apps and profiles. I would recommend reading Microsoft documentation.

1. Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment -> Enrollment Status Page
2. Choose Default > Settings.
3. For Show app and profile installation progress, choose Yes.
4. Choose the other settings that you want to turn on and then choose Save.

The enrollment status page is deployed to all users by default. Intune admins don’t have an option to deploy Intune enrollment status page to the custom set of users.

At this moment, Intune enrollment status page is a global setting for your tenant. Following are the setting customization options available in Enrollment Status page and I’m sure this will evolve and Microsoft will add loads of new features.

Show app & profile installation progress
  Block device use until all apps and profiles are installed
      Allow users to use device if installation error occurs
  Show error when installation takes longer than specified number of minutes
  Show custom message when an error occurs
  Allow Users to collect logs about installation errors

End User Experience of Windows AutoPilot Deployment

In this section, we will the end user experience of Windows AutoPilot with Intune enrollment status page or screen. You can also see this in the video tutorial. To test the Intune

Enrollment Status page, I have deployed some applications to all users, dynamic AAD user groups, and AAD device groups.

How to Reset Windows 10 1803 virtual machine

This is required ONLY when you are testing in your Hyper-V lab. When you have a physical machine, you should find a method to re-provision it to reach Windows 10 OOBE
screen once it’s in OOBE screen Windows AutoPilot will take care of the predefined tasks.

Reset of Windows 10 devices can be done from Windows 10 – Settings page.

On the Virtual Machine, go to Settings > Update & Security > Recovery and click on Get started under Reset this PC. Select Remove everything and Just remove my files. Finally, click on Reset.

How to Start Windows AutoPilot Deployment

Make sure Windows 10 machine has an internet connection. Wi-Fi is the preferred option. The internet behind the corporate proxy can create some issues. You may have to open required ports and raise proxy exception requests. This is already explained in one of my previous post here.

You can get the end to end experience of AutoPilot from the video tutorial. The Autopilot is cloud service from Microsoft and it takes control of the Windows OOBE screen.

User Login and AAD Branding Page

User Login and AAD branding page will show the details of the branding stuff you have completed in the above stages. The user should log in with their corp ID and password. This will take care of user identification and authentication part. You can have MFA (Multi Factor Authentication) enabled to have more security.

End User Experience – Intune Enrollment Status Page

Intune enrollment status page has 3 (three) parts.

Device Preparation stage –  Windows Intune Enrollment Status Page

Device Preparation and Device Setup. At this stage, the device hardware verification, AAD Join and MDM/Intune enrollment will happen.

Securing your hardware
Joining your organization’s network (Azure AD Join or Domain Join)
Registering your Device for Mobile Device Management (Intune, Airwatch etc..)

Device Setup – Intune enrollment status page

Device setup stage in Intune enrollment status page is the stage where device targeted applications, security configurations will get deployed.

Security Policies (Configuration/Compliance policies)
Certificate Profile Deployments
Network Connections (VPN Profile deployments?)
Application Deployments

Account Setup (User Side) Windows Intune Enrollment Status Page

Account setup (User Side) is the last stage of the Autopilot enrollment status screen.  Windows AutoPilot Enrollment is the stage where the user profile creation and user targeted deployments will kick and install in the background.

This stage will start only after the user’s login to the device or Windows 10 1803 machine.

Security Policies (Configuration/Compliance policies)
Certificate Profile Deployments
Network Connections (VPN Profile deployments?)
Application Deployments

Verification of Windows AutoPilot Deployment

This is the final stage where you will see the deployment of Windows Autopilot. You can login to Windows 10 1803 machine and confirm whether all the policies and apps are already there in the device or not.

As I mentioned before, I tested following deployment scenarios all worked well for me. But, I’m not sure whether dynamic device groups based app installation happened during or after AutoPilot enrollment status screen. That requires more testing !

App Deployment to Azure AD Dynamic Device Groups
App Deployment to All Devices 
Configuration/Security Policy (Disable Cortana) to All Users

Resources :- 

Demo the Windows Autopilot Deployment Program on a Virtual Machine