Beginners Guide Setup Windows Autopilot Deployment

Windows Autopilot is the buzzword, and most device management folks are talking about Windows Autopilot or Microsoft Autopilot.

I don’t know whether Autopilot is going to replace OSD or not. But, learning a new technology is always good for IT Pros like me.

Updated on 08th May 2019

Related Posts

This blog has several posts about Windows Autopilot (Microsoft Autopilot). You can refer to all the Autopilot-related blogs from Windows Autopilot section.


Following are some of the basic posts related to Autopilot. Hopefully, this will help you to start the Windows Autopilot journey.

1. Beginners Guide Setup Windows Autopilot Deployment (this post)

2. Dynamically Deploy Security Policies and Apps to Windows Autopilot Devices

3. Where is Autopilot Assign Profile Button in Intune Portal


4. Windows Autopilot End to End Process Guide

5. Repurpose/Reprovision Existing Devices to Windows Autopilot

6. Windows AutoPilot Profile AAD Dynamic Device Groups.

7. Windows Autopilot License Requirements

What is Windows Autopilot?

In layman’s words, “Windows Autopilot is a mechanism to simplify the OOBE (out-of-box experience). Windows Autopilot is a group of technologies to configure the operating system and deploy applications.”

This technology helps IT Pros deploy standard images across the organization in a modern way. Autopilot deployment won’t deploy the Operating system. The Operating System (OS) should be present there on your device!

Official Statement – Windows Autopilot is a collection of technologies used to set up and pre-configure new devices. You can use Windows Autopilot to reset, repurpose and recover devices.

I would recommend reading Microsoft documentation to understand this more. What are the Prerequisites to set up Windows Autopilot? We have those listed down in the above documentation.

Windows Autopilot Works with VMWare Airwatch and MobileIron?

Yes, Windows AutoPilot works with other MDM providers apart from Microsoft’s MDM solutions like Intune. I never tested the Windows AutoPilot deployment solution with non-Microsoft MDM providers.

Airwatch and Intune Integration along with Microsoft Autopilot scenarios

Windows Autopilot = OSD via SCCM or MDT ? 

Windows Autopilot is not equal to OSD via SCCM and MDT. OSD solutions in SCCM can cater end to end OS deployment scenarios. As I mentioned above, Autopilot can’t deploy the Operating system to a machine.

The operating system should already be there on a device. Only then can AutoPilot take care of the customization. But SCCM/MDT OSD can deploy boot images and OS images, install drivers, configure the OS, deploy applications, etc.

Video Tutorial Windows Autopilot Deployment


How to Setup Windows Autopilot Deployment?

In this post, I will give you a walkthrough to set up Windows AutoPilot. This is mainly for lab setup and test purposes. But this idea can be used with physical machines as well. When you use physical machines, you don’t need to go through all the following steps.

Create Hyper-V Machine for Windows Autopilot Deployment

Enable the Hyper-V feature and create a virtual machine on your Windows 10 device. Please run the following PowerShell commands as I showed in the video tutorial.

These PS commands create a VM for Windows AutoPilot deployment. This step is not required if you perform an AutoPilot deployment of a physical machine.

I used Windows 10 1803 version in the video and the post to explain the scenario.

  • Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
  • New-VMSwitch -Name AutopilotExternal -NetAdapterName <Name of Network Adapter with internet access> -AllowManagementOS $true
  • New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
  • Add-VMDvdDrive -Path <Path to Windows 10 ISO> -VMName WindowsAutopilot
  • Start-VM -VMName WindowsAutopilot

Install Windows 10 1803. Once the installation is complete, create a checkpoint!

  • Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"

Get the Hardware ID of the VM for Windows Autopilot Deployment

Log in to the Windows 10 virtual machine you just created. Run the PS commands below to generate a CSV file with the hardware ID of the VM. Run the PowerShell commands as administrator, and make sure your virtual machine is connected to the internet.

Also, don’t forget to press Y & A whenever PowerShell prompts you to do that 😉 PowerShell will automatically download & run the required scripts from the internet. You can see this in the video tutorial.

The output of the following PS commands is C:\HWID\AutopilotHWID.csv

  • md c:\HWID
  • Set-Location c:\HWID
  • Set-ExecutionPolicy Unrestricted
  • Install-Script -Name Get-WindowsAutopilotInfo
  • Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv

Import Devices into Intune Portal for Windows Autopilot

Copy the C:\HWID\AutopilotHWID.csv file from the virtual machine to a file share. This will help you upload the CSV file to Intune. Open the Intune blade from the Azure portal and import the CSV file, which contains the machine hardware ID and other details.

Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment -> Windows AutoPilot Devices -> Click on IMPORT button -> select the CSV file and upload !

  • Import Windows AutoPilot devices from a .CSV file. 
  • Formatting requirements
  • <Serial Number>, <Windows Product ID>, <Hardware Hash>, (optional <Order ID>)
  • 175 rows maximum allowed
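
The formatting requirements above can be checked before the file leaves the VM. This added PowerShell example (not part of the original post; Test-AutopilotCsv is a hypothetical helper) validates the CSV against the 175-row limit, flags empty or duplicate serial numbers and malformed hashes, and returns a SHA-256 of the file so the copy on the file share can be compared with what the VM produced. It assumes the header names written by Get-WindowsAutopilotInfo and that the hardware hash is Base64 text.

```powershell
# Added example, not from the original post. Test-AutopilotCsv is a hypothetical name.
# Assumption: column headers are the ones Get-WindowsAutopilotInfo writes.
function Test-AutopilotCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxRows = 175          # import limit quoted in the post
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $rows = @(Import-Csv -LiteralPath $Path)
    if ($rows.Count -eq 0)        { $problems.Add('No device rows found') }
    if ($rows.Count -gt $MaxRows) { $problems.Add("$($rows.Count) rows, limit is $MaxRows") }
    $seen = @{}
    $line = 1                         # line 1 is the header
    foreach ($row in $rows) {
        $line++
        $serial = $row.'Device Serial Number'
        $hash   = $row.'Hardware Hash'
        if ([string]::IsNullOrWhiteSpace($serial)) {
            $problems.Add("Line ${line}: serial number is empty")
        } elseif ($seen.ContainsKey($serial)) {
            $problems.Add("Line ${line}: duplicate serial '$serial'")
        } else {
            $seen[$serial] = $true
        }
        if ([string]::IsNullOrWhiteSpace($hash)) {
            $problems.Add("Line ${line}: hardware hash is empty")
        } else {
            # Assumption: the hardware hash is a Base64-encoded blob.
            try   { [void][Convert]::FromBase64String($hash) }
            catch { $problems.Add("Line ${line}: hardware hash is not valid Base64") }
        }
    }
    [pscustomobject]@{
        Rows     = $rows.Count
        # Record this on the VM and compare after copying to the file share.
        Sha256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample rows (not real device data): one good row, one bad duplicate.
$sample = Join-Path $env:TEMP 'AutopilotHWID-sample.csv'
@'
Device Serial Number,Windows Product ID,Hardware Hash
SAMPLE-0001,,VGhpcyBpcyBub3QgYSByZWFsIGhhc2g=
SAMPLE-0001,,not*base64
'@ | Set-Content -LiteralPath $sample
Test-AutopilotCsv -Path $sample | Format-List
```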

Intune Enrollment Settings, Azure Portal Company Branding, and License

Following are the three (3) steps you need to complete before starting the Windows AutoPilot deployment process.

  • Configure company branding
  • Configure Microsoft Intune auto-enrollment
  • Assign EMS or Microsoft 365 License to the user

You can configure the company branding from the Azure portal.
You can configure Microsoft Intune auto-enrollment to take effect whenever a machine joins Azure AD.

Create Windows Autopilot Deployment Profiles

To explain the scenario, I will create an AutoPilot Deployment profile to customize the OOBE experience for the end-user.

Windows AutoPilot profile provides only three (3) options to customize. I hope in the future there will be more options. You can see this as shown in the video tutorial.

  1. Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment
  2. Click on Deployment profiles under Windows Autopilot Deployment Program and select Create a profile.
  3. In the Create profile blade, set the name to “IT AutoPilot Profile 1”, click on Out-of-box experience (OOBE) and configure the following:

OOBE Customisation Settings

  • Privacy Settings: Hide
  • End-user license agreement (EULA): Hide
  • User account type (Standard or Administrator): Standard User

Assign Devices to Autopilot Profiles

Once the AutoPilot Deployment profiles are created and configured, assign devices to those profiles. You can see this as shown in the video tutorial.

Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment -> Windows AutoPilot Devices -> select (checkbox) one of the uploaded devices and click on “Assign Profile” button.

On Assign Profile blade, select AutoPilot Profile from the drop-down list and pick the one you want to assign.

We can’t assign devices directly to Autopilot profiles. Instead, assign the Autopilot profiles to Azure AD groups. I have explained this process in the following blog post.

How to assign Autopilot profiles to Azure AD groups

Configure AutoPilot Enrollment Screen for Windows AutoPilot Deployment

Configuring the AutoPilot Enrollment screen is pretty new to Autopilot deployment. This will give the user an indication of the timing of the enrollment process. 

You can see this as shown in the video tutorial. This is available for Windows 10 1803 and later versions.

What is Windows Intune Enrollment Screen?

The enrollment status page appears during the initial device setup. If enabled, users can see the installation progress of assigned apps and profiles. I would recommend reading Microsoft documentation.

  1. Navigate via Azure Portal -> Microsoft Intune -> Device Enrollment – Windows Enrollment -> Enrollment Status Page
  2. Choose Default > Settings.
  3. For Show app and profile installation progress, choose Yes.
  4. Choose the other settings you want to turn on and then choose Save.

The enrollment status page is deployed to all users by default. Intune admins don’t have an option to deploy Intune enrollment status page to the custom set of users.

At this moment, Intune enrollment status page is a global setting for your tenant. Following are the setting customization options available on the Enrollment Status page. I’m sure this will evolve, and Microsoft will add new features.

Show app & profile installation progress
  Block device use until all apps and profiles are installed
      Allow users to use the device if an installation error occurs
  Show error when installation takes longer than the specified number of minutes
  Show custom message when an error occurs
  Allow Users to collect logs about installation errors


End User Experience of Windows Autopilot Deployment

This section will discuss the end-user experience of Windows AutoPilot with Intune enrollment status page or screen. You can also see this in the video tutorial.

To test the Intune Enrollment Status page, I have deployed some applications to all users, dynamic AAD user groups, and AAD device groups.

How to Reset Windows 10 1803 virtual machine

This is required ONLY when you are testing in your Hyper-V lab. When you have a physical machine, you should find a method to re-provision it to reach Windows 10 OOBE.
Once it’s on the OOBE screen, Windows AutoPilot will take care of the predefined tasks.

Windows 10 devices can be reset from Windows 10 – Settings page.

Go to Settings > Update & Security > Recovery on the Virtual Machine and click on Get started under Reset this PC. Select Remove everything and remove my files. Finally, click on Reset.

How to Start Windows Autopilot Deployment

Make sure Windows 10 machine has an internet connection. Wi-Fi is the preferred option. The internet behind the corporate proxy can create some issues. You may have to open required ports and raise proxy exception requests.

You can get the end-to-end experience of AutoPilot from the video tutorial. The Autopilot is a cloud service from Microsoft, and it takes control of the Windows OOBE screen.


User Login and AAD Branding Page

User Login and AAD branding page will show the details of the branding stuff you have completed in the above stages. The user should log in with their corp ID and password.

This will take care of the user identification and authentication part. You can have MFA (Multi-Factor Authentication) enabled to have more security.

End-User Experience – Intune Enrollment Status Page

Intune enrollment status page has 3 (three) parts.

  1. Device Preparation
  2. Device Setup
  3. User Account Setup

Device Preparation stage – Windows Intune Enrollment Status Page

Device Preparation and Device Setup. The device hardware verification, AAD Join, and MDM/Intune enrollment will happen at this stage.

Securing your hardware
Joining your organization’s network (Azure AD Join or Domain Join)
Registering your Device for Mobile Device Management (Intune, Airwatch, etc..)


Device Setup – Intune enrollment status page

The device setup stage in the Intune enrollment status page is where device-targeted applications and security configurations will get deployed.

Security Policies (Configuration/Compliance policies)
Certificate Profile Deployments
Network Connections (VPN Profile deployments?)
Application Deployments

Account Setup (User Side) Windows Intune Enrollment Status Page

Account setup (User Side) is the last stage of the Autopilot enrollment status screen. This is the stage where the user profile is created and user-targeted deployments kick in and install in the background.

This stage will start only after the user logs in to the device or Windows 10 1803 machine.

Security Policies (Configuration/Compliance policies)
Certificate Profile Deployments
Network Connections (VPN Profile deployments?)
Application Deployments


Verification of Windows AutoPilot Deployment

This is the final stage where you will see the deployment of Windows Autopilot. You can log in to Windows 10 1803 machine and confirm whether all the policies and apps are already there on the device or not.

As I mentioned before, I tested the following deployment scenarios, and all worked well for me. But I’m not sure whether the app installation based on dynamic device groups happened during or after the AutoPilot enrollment status screen. That requires more testing!

  • App Deployment to Azure AD Dynamic Device Groups
  • App Deployment to All Devices
  • Configuration/Security Policy (Disable Cortana) to All Users

Resources

Evaluating/Testing/Demoing modern deployment with Windows Autopilot

15 thoughts on “Beginners Guide Setup Windows Autopilot Deployment”

      • It seems some changes were made in the Intune console and we cannot Assign Profile. However this is possible from the Microsoft Store for Business (Strange).

      • Yes, I know. I have a post to explain these changes in the AutoPilot framework. An Azure AD object is created when you import a machine, and then you can add that AAD object to an AAD group. Once the device is added to the AAD group, that group can be used in AutoPilot Profile assignments.

  1. Hello,
    Thanks for this very useful post.
    I discover Windows AutoPilot and would like to know which methods to re-provision physical machines are available to reach Windows 10 OOBE

    • Hello Jean – Good Question. We can use SCCM or MDT to re-provision the existing devices and help them to reach Windows 10 OOBE screen. Once the devices are in Windows 10 OOBE screen, we can use AutoPilot to deploy machines using that workflow.

  2. Hello, Mr. Nair!
    If a user receives a new device from his/her organization. It is set up to enroll using Windows Autopilot. When the user turns on the device, in order for the Windows Autopilot to work, does the user then need to have a wired connection to internet, or will the Windows Autopilot prompt the user to connect to wifi?

    -Bendik G

    • Hi Bendik,

      The user will be prompted to connect to a WiFi network if no wired network is detected. The user however does have the option to bypass the WiFi network selection page and proceed with OOBE setup during which no Autopilot profile information will be received due to lack of network connectivity. I confirmed with Microsoft that there is no way around this.

  3. How to separate Client Apps installation during AutoPilot and post-enrollment. I don’t want them to get installed during AutoPilot but once the computer is enrolled and user logs into their desktop, then it should start installing the applications.

  4. Are there special considerations for VMs created in VMWare ESXi? Solution works fine for physical hardware as well as Hyper-V VMs but VMWare ESXi VMs don’t want to take the reimage…
