Saturday, December 24, 2022

Windows Autopilot Setup Guide

This post is a step-by-step Windows Autopilot setup guide. It should be especially helpful if you are new to Intune.

In this post I will cover the Windows Autopilot prerequisites, the step-by-step setup process, and the end user experience.

Windows Autopilot Licensing Requirements

There are multiple licensing options that can be used with Autopilot.

  • Microsoft 365 Enterprise E3 or E5 subscription, which includes all Windows 10, Microsoft 365, and EM+S features (Azure AD and Intune).
  • Enterprise Mobility + Security E3 or E5 subscription, which includes all needed Azure AD and Intune features.
  • Microsoft 365 Business Premium subscription
  • Microsoft 365 F1 or F3 subscription
  • Microsoft 365 Academic A1, A3, or A5 subscription
  • Intune for Education subscription, which includes all needed Azure AD and Intune features.
  • Azure Active Directory Premium P1 or P2 and Microsoft Intune subscription (or an alternative MDM service).

Windows Autopilot Pre-requisites
  • Windows 10 version 1703 or higher
  • Only the following Windows 10 editions are supported: Pro, Education, and Enterprise
  • The latest Windows 10 2019 LTSC is also supported

Windows Autopilot Setup Process Overview

Enable "Users may join devices to Azure AD" in the Azure Portal.
Go to Azure Portal > Azure AD > Devices > Device Settings to enable this setting.


Note: if you have set this to Selected and chosen a group, make sure the accounts you use for the enrollment process are members of that group. This is required if you go with user-driven deployment.

Configure Microsoft Intune auto-enrollment

If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step. Open Mobility (MDM and MAM) in Azure Active Directory and select Microsoft Intune. If you do not see Microsoft Intune, click Add application and choose Intune. For the purposes of this demo, select All under the MDM user scope and click Save.

In my case I have targeted All users.



Create a device group for Windows Autopilot

When you create an Autopilot deployment profile it requires a device group, so we will create it now.

Note: In my case I am going to create an assigned device group, but you may instead create a device group with a dynamic membership rule so that imported Autopilot devices are added to the group automatically. If you want to create a device group with a dynamic query, the rule syntax is below.

(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))

Please follow the steps below to create an assigned security group.
  • In the Microsoft Endpoint Manager admin center, choose Groups > New group.
  • For Group type, choose Security.
  • Type a Group name and Group description (ex: Windows Autopilot Lab).
  • Azure AD roles can be assigned to the group: No
  • For Membership type, choose Assigned.


Create the Windows Autopilot Deployment Profile

Let’s create a new Windows Autopilot deployment profile.
  • In the Microsoft Endpoint Manager admin center, click Devices.
  • Then under Enroll devices | Windows enrollment select Deployment Profiles.
  • Click on Create profile and then select Windows PC.

On the Create profile page, specify a name for the Autopilot profile. Leave Convert all targeted devices to Autopilot set to No. Click Next.


On the Out-of-box experience (OOBE) page there are a lot of settings that you can specify. To keep it simple I am not going to change any values here and will go with the following default values.
  • Deployment Mode – User Driven
  • Join to Azure AD as – Azure AD joined
  • Microsoft Software License Terms – Hide
  • Privacy Settings – Hide
  • Hide change account options – Hide
  • User Account type – Standard
  • Allow White Glove OOBE – No
  • Language (Region) – Operating System default
  • Automatically Configure keyboard – Yes
  • Apply device name template – Yes


On the Assignments page, under Select groups to include, click the Windows Autopilot Lab group and then click Select. Click Next to continue.

In my case, I will be targeting the same device group which I created in the previous step.


Click Create to create the Autopilot deployment profile.


Capture the Hardware ID

In order to import devices, we need to find out their serial numbers, Windows product IDs and hardware hashes. To do that, log in to your Windows 10 machine and run the following commands, which install the Get-WindowsAutoPilotInfo script and create a CSV with the relevant information.

# Create a working folder and move into it
New-Item -Type Directory -Path "C:\HWID"
Set-Location -Path "C:\HWID"
# Allow the downloaded script to run in this session only
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
# Install the script from the PowerShell Gallery and export the hardware hash to CSV
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo -OutputFile AutoPilotHWID.csv

When you are prompted to install the NuGet package, choose Yes.
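As an added example that is not part of the original post, the following PowerShell checks the generated AutoPilotHWID.csv before you upload it, so that an empty serial, a truncated hardware hash or a duplicated row is caught locally rather than after a 15-minute import. It assumes the file path used in the steps above.

```powershell
# Added example: sanity-check the CSV produced by Get-WindowsAutoPilotInfo before importing it.
# Assumes the path used in the steps above; adjust $Path if you saved the file elsewhere.
$Path = "C:\HWID\AutoPilotHWID.csv"

$required = @('Device Serial Number', 'Windows Product ID', 'Hardware Hash')
$rows = @(Import-Csv -Path $Path)
if ($rows.Count -eq 0) { throw "No device rows found in $Path" }

# Import-Csv exposes the header names as property names; verify the expected columns exist.
$headers = $rows[0].PSObject.Properties.Name
$missing = $required | Where-Object { $_ -notin $headers }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

$problems = @()
foreach ($row in $rows) {
    $serial = $row.'Device Serial Number'
    $hash   = $row.'Hardware Hash'
    if ([string]::IsNullOrWhiteSpace($serial)) { $problems += "A row has an empty serial number"; continue }
    if ([string]::IsNullOrWhiteSpace($hash))   { $problems += "Serial ${serial}: empty hardware hash"; continue }
    # The 4K hardware hash is base64 text; a decode failure usually means the file was edited or truncated.
    try   { [void][Convert]::FromBase64String($hash) }
    catch { $problems += "Serial ${serial}: hardware hash is not valid base64" }
}

# The same serial listed twice is worth catching here rather than in the Intune import report.
$dupes = $rows | Group-Object 'Device Serial Number' | Where-Object { $_.Count -gt 1 }
foreach ($d in $dupes) { $problems += "Serial $($d.Name) appears $($d.Count) times" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "OK: $($rows.Count) device(s) ready to import into Intune."
```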





Autopilot Registration using Intune

In this step we will register our Windows 10 VM with Intune for Windows Autopilot.
  • Login to the Microsoft Endpoint Manager admin center.
  • Choose Devices > Device enrollment | Enroll devices.
  • Select Windows enrollment > Windows Autopilot Deployment Program | Devices.
  • On the Windows Autopilot devices page, choose Import.


Under Add Windows Autopilot devices, click the folder icon and browse to the AutoPilotHWID.csv file you previously copied to your local computer. The file should contain the serial number and 4K hardware hash (4K HH) of your VM (or device). Click Import.



When you click Import, the process of importing a device may take up to 15 minutes. Click Refresh to verify that your VM or device has been added.

Wait a few more minutes until you see the profile status as Not assigned. You can also hit the Sync button and confirm whether the sync is successful.

Once the profile status shows Not assigned, go back to the device group we created in the previous step (in my case Dev-Autopilot) and add the Autopilot device to the group.


After adding the device to the device group, the profile status will change from Not assigned to Assigned.


Configure Company Branding in Azure Portal

Optional: if you want the process to be friendly and familiar for users, you can configure company branding by going to Azure AD > Company branding. These settings will then be shown to end users during Autopilot configuration.

To configure company branding in the Azure Portal, navigate to Company branding in Azure Active Directory, click Configure and set up whatever company branding you would like to see during the OOBE. This is optional, and I will cover the company branding process step by step in another article.


Once you finish the company branding, click Save.


Reset the Windows 10 back to Out-Of-Box-Experience (OOBE)

On the Windows 10 Machine, go to Settings > Update & Security > Recovery and click on Get started under Reset this PC.




If you are asked How would you like to reinstall Windows, select Local reinstall.

Note: if you have a fast Internet connection, you can select Cloud download.



End User Experience

Below is what the experience looks like after restarting the PC.




Troubleshooting
  • The Windows 10 VM must have an internet connection, so check the adapter settings and ensure it can reach the internet.
  • Secure Boot must be enabled in order to use Autopilot on the Windows 10 client machine.
  • The Windows 10 client PC firmware must be converted from BIOS to UEFI.
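As an added example that is not part of the original post, this PowerShell script checks the prerequisites listed earlier (version and edition) and the troubleshooting items above (UEFI, Secure Boot, internet) on the client before you reset it to OOBE. It assumes an elevated prompt on the Windows 10 machine and uses login.microsoftonline.com on TCP 443 as the connectivity probe.

```powershell
# Added example: check the Autopilot prerequisites and troubleshooting items on a Windows 10 client.
# Run from an elevated PowerShell prompt (Confirm-SecureBootUEFI requires administrator rights).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$results = [ordered]@{}

# Supported editions: Pro, Education, Enterprise (EditionID values such as Professional,
# Education, Enterprise, and EnterpriseS for LTSC). Other SKUs such as Home (Core) are not supported.
$results['Edition is Pro/Education/Enterprise'] = $cv.EditionID -match '^(Professional|Education|Enterprise)'

# Windows 10 version 1703 corresponds to build 15063; anything older cannot use Autopilot.
$results['Windows 10 1703 or later'] = [int]$cv.CurrentBuild -ge 15063

# Autopilot needs UEFI firmware; $env:firmware_type reports UEFI or Legacy on Windows 8 and later.
$results['Firmware is UEFI'] = ($env:firmware_type -eq 'UEFI')

# Confirm-SecureBootUEFI throws on legacy BIOS machines, so treat an exception as "not enabled".
try   { $results['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot enabled'] = $false }

# Connectivity probe (assumption: the Azure AD sign-in endpoint on TCP 443 stands in for "has internet").
$results['Internet reachable'] = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 `
    -InformationLevel Quiet -WarningAction SilentlyContinue

foreach ($r in $results.GetEnumerator()) {
    $status = if ($r.Value) { 'PASS' } else { 'FAIL' }
    '{0,-36} {1}' -f $r.Key, $status
}
if ($results.Values -contains $false) {
    Write-Warning 'Fix the FAIL items above before resetting the machine to OOBE.'
}
```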



Thank You!