Beginners Guide Setup Windows Autopilot Deployment

Windows Autopilot is the current buzzword, and most device management folks are talking about Windows Autopilot or Microsoft Autopilot. I don’t know whether Autopilot is going to replace OSD or not. But learning a new technology is always good for IT Pros like me.

Updated on 08th May 2019

Related Posts

We have several posts about Windows Autopilot (Microsoft Autopilot) on this blog. You can find all the Autopilot-related posts in the Windows Autopilot section.

Following are some of the basic posts related to Autopilot. Hopefully, these will help you start your Windows Autopilot journey.

1. Beginners Guide Setup Windows Autopilot Deployment (this post)
2. Dynamically Deploy Security Policies and Apps to Windows Autopilot Devices
3. Where is Autopilot Assign Profile Button in Intune Portal
4. Windows Autopilot End to End Process Guide
5. Repurpose/Reprovision Existing Devices to Windows Autopilot
6. Windows AutoPilot Profile AAD Dynamic Device Groups.
7. Windows Autopilot License Requirements

What is Windows Autopilot?

In layman’s words “Windows Autopilot is a mechanism to simplify the OOBE. Windows Autopilot is a group of technologies to configure the operating system & deploy applications”.

This technology helps IT Pros deploy a standard image across the organization in a modern way. An Autopilot deployment does not deploy the operating system. The operating system (OS) must already be present on your device!

Official Statement – Windows Autopilot is a collection of technologies used to set up and pre-configure new devices. You can use Windows Autopilot to reset, re-purpose and recover devices.

I would recommend reading Microsoft documentation to understand this more. What are the Prerequisites to setup Windows Autopilot? We have those listed down in the above documentation.

Does Windows Autopilot Work with VMware AirWatch and MobileIron?

Yes, Windows AutoPilot works with other MDM providers apart from Microsoft’s MDM solution, Intune. I never tested the Windows AutoPilot deployment solution with non-Microsoft MDM providers.

Airwatch and Intune Integration along with Microsoft Autopilot scenarios are explained in the following link here.

Windows Autopilot = OSD via SCCM or MDT ? 

Windows Autopilot is not equal to OSD via SCCM and MDT. The OSD solution in SCCM can cater for end-to-end OS deployment scenarios. As I mentioned above, Autopilot can’t deploy the operating system to a machine.

The operating system must already be on the device; only then can AutoPilot take care of customization. SCCM/MDT OSD, by contrast, can deploy boot images and OS images, install drivers, configure the OS, deploy applications, etc.

Video Tutorial Windows Autopilot Deployment

Watch this video on YouTube.

How to Setup Windows Autopilot Deployment?

I will give you a walkthrough to set up Windows AutoPilot in this post. This is mainly for lab setup and test purposes, but the idea can be used with physical machines as well. When you use physical machines, you don’t need to go through all of the following steps.

Create Hyper-V Machine for Windows Autopilot Deployment

Enable the Hyper-V feature and create a virtual machine on your Windows 10 device. Run the following PowerShell commands as shown in the video tutorial. These PS commands create a VM for Windows AutoPilot deployment. This step is not required if you are performing an AutoPilot deployment of a physical machine.

I used Windows 10 1803 version in the video and the post to explain the scenario.

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
New-VMSwitch -Name AutopilotExternal -NetAdapterName <Name of Network Adapter with internet access> -AllowManagementOS $true 
New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal 
Add-VMDvdDrive -Path <Path to Windows 10 ISO> -VMName WindowsAutopilot 
Start-VM -VMName WindowsAutopilot

Install Windows 10 1803. Once the installation is complete, create a checkpoint!

Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"

Get Hardware ID of the VM for Windows Autopilot Deployment

Log in to the Windows 10 virtual machine which you just created. Run the PS commands below to generate a CSV file with the hardware ID of the VM. The PowerShell commands should be run as administrator. Make sure your virtual machine is connected to the internet.

Also, don’t forget to press Y & A whenever PowerShell prompts you to do so 😉 PowerShell will automatically download & run the required scripts from the internet. You can see this in the video tutorial.

The output of the following PS commands is C:\HWID\AutopilotHWID.csv

md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
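
A more conservative way to run the same collection step, added here as an example and not taken from the original post: `Set-ExecutionPolicy Unrestricted` with no scope changes the machine-wide policy and leaves it changed, so this version relaxes the policy for the current process only and checks the downloaded script before running it. It assumes the published script carries an Authenticode signature; the `C:\HWID` folder and file names are the ones used above.

```powershell
# Run in an elevated PowerShell session on the device being registered.
$work = 'C:\HWID'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Location $work

# Relax the policy for this process only; the machine-wide setting is untouched
# and the change disappears when the session is closed.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# Download the script without installing it, so it can be inspected first.
Save-Script -Name Get-WindowsAutopilotInfo -Path $work -Force
$script = Join-Path $work 'Get-WindowsAutopilotInfo.ps1'

# Record who signed the script and its hash for the build notes.
$sig = Get-AuthenticodeSignature -FilePath $script
'{0}  signer: {1}' -f $sig.Status, $sig.SignerCertificate.Subject
Get-FileHash -Path $script -Algorithm SHA256

# Assumption: the gallery copy is signed. Stop if the signature does not verify.
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status); review the script before running it."
}

& $script -OutputFile (Join-Path $work 'AutopilotHWID.csv')
```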

Import Devices in to Intune Portal for Windows Autopilot

Copy the C:\HWID\AutopilotHWID.csv file from the virtual machine to a file share. This will help you upload the CSV file to Intune. Open the Intune blade from the Azure portal and import the CSV file, which contains the machine hardware ID and other details.

Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment -> Windows AutoPilot Devices -> Click on IMPORT button -> select the CSV file and upload !

Import Windows AutoPilot devices from a .CSV file.
Formatting requirements
  • <Serial Number>, <Windows Product ID>, <Hardware Hash>, (optional <Order ID>)
  • 175 rows maximum allowed
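
A pre-upload check for the formatting requirements above, added here as an example and not part of the original post or of Microsoft's tooling. The function name `Test-AutopilotCsv` is hypothetical; the header names and the Base64 encoding of the hardware hash are assumptions about what `Get-WindowsAutopilotInfo` writes, and the sample rows are constructed.

```powershell
function Test-AutopilotCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxRows = 175    # row limit quoted on the import blade
    )
    # Assumed header names, as written by Get-WindowsAutopilotInfo.
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $problems = [System.Collections.Generic.List[string]]::new()

    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { $problems.Add('no device rows'); return $problems }
    if ($rows.Count -gt $MaxRows) { $problems.Add("$($rows.Count) rows, limit is $MaxRows") }

    $header = $rows[0].PSObject.Properties.Name
    foreach ($col in $required) {
        if ($header -notcontains $col) { $problems.Add("missing column '$col'") }
    }
    if ($problems.Count) { return $problems }

    $seen = @{}
    $n = 1                       # the header is line 1 of the file
    foreach ($row in $rows) {
        $n++
        $serial = $row.'Device Serial Number'
        $hash   = $row.'Hardware Hash'
        if ([string]::IsNullOrWhiteSpace($serial)) {
            $problems.Add("line ${n}: empty serial number")
        } elseif ($seen.ContainsKey($serial)) {
            $problems.Add("line ${n}: serial $serial already on line $($seen[$serial])")
        } else { $seen[$serial] = $n }
        try {
            if ([string]::IsNullOrWhiteSpace($hash)) { throw 'empty' }
            [void][Convert]::FromBase64String($hash)
        } catch { $problems.Add("line ${n}: hardware hash is empty or not valid Base64") }
    }
    return $problems
}

# Constructed sample: line 3 repeats a serial, line 4 has a damaged hash.
$sample = Join-Path $env:TEMP 'AutopilotHWID-sample.csv'
@'
Device Serial Number,Windows Product ID,Hardware Hash
LAB-0001,,VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHZhbHVl
LAB-0001,,VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHZhbHVl
LAB-0002,,not*base64
'@ | Set-Content -Path $sample -Encoding ASCII
Test-AutopilotCsv -Path $sample
```

An empty result means the file passed every check; each string returned names the line to fix before uploading.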

Intune Enrollment Settings, Azure Portal Company Branding and License

Following are the three (3) steps you need to complete before the start of Windows AutoPilot deployment process.

Configure company branding
Configure Microsoft Intune auto-enrollment
Assign EMS or Microsoft 365 License to the user

You can configure the company branding from the Azure portal.
You can configure Microsoft Intune auto-enrollment so that a machine enrolls whenever it joins Azure AD.

Create Windows Autopilot Deployment Profiles

To explain the scenario, I will create an AutoPilot Deployment profile to customize the OOBE experience for the end user. Windows AutoPilot profile provides only three (3) options to customize. I hope in the future there will be more options. You can see this as shown in the video tutorial.

  1. Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment
  2. Click on Deployment profiles under Windows Autopilot Deployment Program and select Create profile.
  3. In the Create profile blade, set the name to “IT AutoPilot Profile 1”, click on Out-of-box experience (OOBE) and configure the following:

OOBE Customisation Settings
Privacy Settings > Value > Hide
End user license agreement (EULA) > Value > Hide
User account type (Standard or Administrator) > Value > Standard User

Assign Devices to Autopilot Profiles

Once the AutoPilot Deployment profiles are created and configured, assign devices to those profiles. You can see this in the video tutorial.

Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment -> Windows AutoPilot Devices -> select (checkbox) one of the uploaded devices and click on “Assign Profile” button.

On Assign Profile blade select AutoPilot Profile from the drop-down list and pick the one which you want to assign.

We can’t assign devices to Autopilot profiles. Instead, you need to assign Autopilot profiles to Azure AD groups. I have explained this process in the following blog post.

How to assign Autopilot profiles to Azure AD groups

Configure AutoPilot Enrollment Screen for Windows AutoPilot Deployment

The AutoPilot Enrollment screen configuration is pretty new to Autopilot deployment. It gives the user an indication of the progress of the enrollment process. You can see this in the video tutorial. This is available for Windows 10 1803 and later versions.

What is Windows Intune Enrollment Screen?

The enrollment status page appears during initial device setup. If enabled, users can see the installation progress of assigned apps and profiles. I would recommend reading Microsoft documentation.

  1. Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment -> Enrollment Status Page
  2. Choose Default > Settings.
  3. For Show app and profile installation progress, choose Yes.
  4. Choose the other settings that you want to turn on and then choose Save.

The enrollment status page is deployed to all users by default. Intune admins don’t have an option to deploy the Intune enrollment status page to a custom set of users.

At this moment, the Intune enrollment status page is a global setting for your tenant. Following are the customization options available in the Enrollment Status page, and I’m sure this will evolve and Microsoft will add loads of new features.

Show app & profile installation progress
  Block device use until all apps and profiles are installed
    Allow users to use device if installation error occurs
  Show error when installation takes longer than specified number of minutes
  Show custom message when an error occurs
  Allow users to collect logs about installation errors

End User Experience of Windows Autopilot Deployment

In this section, we will see the end user experience of Windows AutoPilot with the Intune enrollment status page or screen. You can also see this in the video tutorial.

To test the Intune Enrollment Status page, I have deployed some applications to all users, dynamic AAD user groups, and AAD device groups.

How to Reset Windows 10 1803 virtual machine

This is required ONLY when you are testing in your Hyper-V lab. When you have a physical machine, you should find a method to re-provision it so that it reaches the Windows 10 OOBE screen. Once it’s at the OOBE screen, Windows AutoPilot will take care of the predefined tasks.

Reset of Windows 10 devices can be done from Windows 10 – Settings page.

On the Virtual Machine, go to Settings > Update & Security > Recovery and click on Get started under Reset this PC. Select Remove everything and Just remove my files. Finally, click on Reset.

How to Start Windows Autopilot Deployment

Make sure the Windows 10 machine has an internet connection. Wi-Fi is the preferred option. Internet access behind a corporate proxy can create some issues. You may have to open the required ports and raise proxy exception requests. This is already explained in one of my previous posts here.

You can get the end-to-end experience of AutoPilot from the video tutorial. Autopilot is a cloud service from Microsoft, and it takes control of the Windows OOBE screen.

User Login and AAD Branding Page

The user login and AAD branding page shows the branding you configured in the earlier steps. The user should log in with their corp ID and password. This takes care of the user identification and authentication part. You can have MFA (Multi-Factor Authentication) enabled for more security.

End User Experience – Intune Enrollment Status Page

Intune enrollment status page has 3 (three) parts.

  1. Device Preparation
  2. Device Setup
  3. User Account Setup

Device Preparation stage – Windows Intune Enrollment Status Page

Device Preparation and Device Setup. At this stage, the device hardware verification, AAD Join and MDM/Intune enrollment will happen.

Securing your hardware
Joining your organization’s network (Azure AD Join or Domain Join)
Registering your Device for Mobile Device Management (Intune, Airwatch etc..)

Device Setup – Intune enrollment status page

The Device Setup stage of the Intune enrollment status page is where device-targeted applications and security configurations get deployed.

Security Policies (Configuration/Compliance policies)
Certificate Profile Deployments
Network Connections (VPN Profile deployments?)
Application Deployments

Account Setup (User Side) Windows Intune Enrollment Status Page

Account setup (User Side) is the last stage of the Autopilot enrollment status screen. It is the stage where user profile creation and user-targeted deployments kick off and install in the background.

This stage will start only after the user logs in to the device or Windows 10 1803 machine.

Security Policies (Configuration/Compliance policies)
Certificate Profile Deployments
Network Connections (VPN Profile deployments?)
Application Deployments

Verification of Windows AutoPilot Deployment

This is the final stage, where you will see the result of the Windows Autopilot deployment. You can log in to the Windows 10 1803 machine and confirm whether all the policies and apps are already on the device or not.

As I mentioned before, I tested the following deployment scenarios, and all worked well for me. But I’m not sure whether the dynamic device group based app installation happened during or after the AutoPilot enrollment status screen. That requires more testing!

App Deployment to Azure AD Dynamic Device Groups
App Deployment to All Devices 
Configuration/Security Policy (Disable Cortana) to All Users


Evaluating/Testing/Demoing modern deployment with Windows Autopilot

15 thoughts on “Beginners Guide Setup Windows Autopilot Deployment”

      • It seems some changes were made in the Intune console and we cannot Assign Profile. However this is possible from the Microsoft Store for Business (Strange).

      • Yes, I know. I have a post to explain these changes in the AutoPilot framework. An Azure AD object is created when you import a machine, and then you can add that AAD object to an AAD group. Once the device is added to an AAD group, that group can be used in AutoPilot Profile assignments.

  1. Hello,
    Thanks for this very useful post.
    I discover Windows AutoPilot and would like to know which methods to re-provision physical machines are available to reach Windows 10 OOBE

    • Hello Jean – Good Question. We can use SCCM or MDT to re-provision the existing devices and help them to reach Windows 10 OOBE screen. Once the devices are in Windows 10 OOBE screen, we can use AutoPilot to deploy machines using that workflow.

  2. Hello, Mr. Nair!
    If a user receives a new device from his/her organization. It is set up to enroll using Windows Autopilot. When the user turns on the device, in order for Windows Autopilot to work, does the user then need to have a wired connection to the internet, or will Windows Autopilot prompt the user to connect to WiFi?

    -Bendik G

    • Hi Bendik,

      The user will be prompted to connect to a WiFi network if no wired network is detected. The user however does have the option to bypass the WiFi network selection page and proceed with OOBE setup during which no Autopilot profile information will be received due to lack of network connectivity. I confirmed with Microsoft that there is no way around this.

  3. How to separate Client Apps installation during AutoPilot and post-enrollment. I don’t want them to get installed during AutoPilot but once the computer is enrolled and user logs into their desktop, then it should start installing the applications.

  4. Are there special considerations for VMs created in VMWare ESXi? Solution works fine for physical hardware as well as Hyper-V VMs but VMWare ESXi VMs don’t want to take the reimage…

