FeaturedIntune

Microsoft Endpoint Manager: Windows Autopilot

Intune windows autopilot

Microsoft Endpoint Manager: Windows Autopilot

This solution helps Organizations to setup and Pre-configure new devices and ready to be shipped to Users.

It uses OEM-optimized version of windows, no need for custom image. It can also be used to reset, repurpose and recover devices without investing a lot time and building infrastructure it needs. Once devices received by user, he/she only needs internet and login with work email account and let configuration of device completes

  • Join Devices to Azure Active Directory (AAD) or hybrid Azure Ad Join (Active Directory)
  • Auto-enroll devices into MDM services (Intune)
  • Restrict the Administrator account creation.
  • Create and auto-assign devices to configuration groups based on a device’s profile.
  • Customize OOBE content specific to the organization.

Windows Autopilot Deployment Scenarios

  • User Driven mode
  • Deploy and configure devices so that an end user can set it up for themselves
  • Self Deploying mode
  • Deploy devices to be automatically configured for shared use, as a kiosk, or as a digital signage device.
  • Reset mode
  • Redeploy a device in a business-ready state
  • Pre-provisioning mode (White glove)
  • Pre-provision a device with up-to-date applications, policies, and settings
  • Press Windows button 5 times during OOBE process when machine boots
  • Existing Devices
  • Upgrade windows 7 & 8 to new version of windows by using Windows Autopilot with SCCM Task sequence

Windows Autopilot registration overview

  • The Devices needs to be registered with Windows Autopilot deployment services
  • The device’s unique hardware identity (known as a hardware hash) needs to be captured and uploaded.
  • The device is associated to an Azure tenant ID.

OEM registration

  • When you purchase devices from an OEM, that OEM can automatically register the devices with the Windows Autopilot.
  • Before an OEM can register devices for an organization, the organization must grant the OEM permission to do so. The OEM begins this process with approval granted by an Azure AD global administrator from your organization
  • Reseller, distributor, or partner registration
  • Customers may purchase devices from resellers, distributors, or other partners. As long as these resellers, distributors, and partners are part of the Cloud Solution Partners (CSP) program, they too can register devices for the customer.
  • Automatic registration
  • Running a supported version of Windows
  • Enrolled in an MDM service such as Intune
  • A corporate device that’s not already registered with Autopilot

Manual registration

  • To manually register a device, you must first capture its hardware hash. Once this process has completed, the resulting hardware hash can be uploaded to the Windows Autopilot service
  • SCCM CMPivot can be able to collect all devices hash ID and export to .csv and upload to Windows Autopilot
  • Use PowerShell script to collect hardware hash ID or upload it directly to Intune using PS script

Collect Individual Device Hash ID

    • New-Item -Type Directory -Path “C:\HWID”
    • Set-Location -Path “C:\HWID”
    • $env:Path += “;C:\Program Files\WindowsPowerShell\Scripts”
    • Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
    • Install-Script -Name Get-WindowsAutoPilotInfo
    • Get-WindowsAutoPilotInfo -OutputFile AutoPilotHWID.csv

Upload Individual device Directly Windows Autopilot

    • PowerShell.exe -ExecutionPolicy Bypass
    • Install-Script -name Get-WindowsAutopilotInfo -Force
    • Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
    • Get-WindowsAutoPilotInfo -Online

Autopilot device group using Intune

Create an Autopilot device group using Intune

    • Group type: Select Security.
    • Group name and Group description: Enter a name and description for your group.
    • Membership type:  Dynamic Device
    • Add dynamic query > Add expression.
    • To create a group that includes all of your Autopilot devices, enter: (device.devicePhysicalIDs -any (_ -contains “[ZTDId]”)).
    • Intune’s group tag field maps to the OrderID attribute on Azure AD devices. To create a group that includes all Autopilot devices with a specific group tag (the Azure AD device OrderID), enter: (device.devicePhysicalIds -any (_ -eq “[OrderID]:179887111881″)).
    • To create a group that includes all your Autopilot devices with a specific Purchase Order ID, enter: (device.devicePhysicalIds -any (_ -eq “[PurchaseOrderId]:76222342342″))

Windows Autopilot hybrid Azure AD-joined devices

  • Install Intune Connector for Active Directory
  • Increase the computer account limit in the Organizational Unit
    • The computer that hosts the Intune Connector must have the rights to create the computer objects within the domain.
    • Default is 10 computer join
    • Apply delegated permission to computers that host the Intune Connector on the organizational unit where hybrid Azure AD-joined devices are created.
  • Create a new configuration Profile to join to Active Directory (local domain)
    • Name: Enter a descriptive name for the new profile.
    • Description: Enter a description for the profile.
    • Platform: Select Windows 10 and later.
    • Profile type: Select Domain Join.
    • OU=Sub OU,OU=TopLevel OU,DC=contoso,DC=com
    • OU=Mine,DC=contoso,DC=com
  • Create a new Windows Autopilot deployment Profile
    • choose “Join to Azure AD ” as “ Hybrid Azure Ad Joined
  • Prepare Device for OOBE
    • Open CMD, and Run Sysprep:  sysprep.exe /generalize /oobe
    • Remove-appxPackage Microsoft.CompanyPortal_11.0.11832.0_x64__8wekyb3d8bbwe

Requirements

Operating System

A supported version of Windows 10 Semi-Annual Channel or Windows 10 General Availability Channel is required.

  • Windows 10 1903 or higher
  • Windows 10 Pro
  • Windows 10 Pro Education
  • Windows 10 Pro for Workstations
  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 11

Network

  • Ensure Domain Name Services (DNS) name resolution for internet DNS names.
  • Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP).

License

  • Microsoft 365 Business Premium subscription
  • Microsoft 365 F1 or F3 subscription
  • Microsoft 365 Academic A1, A3, or A5 subscription
  • Microsoft 365 Enterprise E3 or E5 subscription, which include all Windows client, Microsoft 365, and EMS features (Azure AD and Intune).
  • Enterprise Mobility + Security E3 or E5 subscription
  • Intune for Education subscription, which include all needed Azure AD and Intune features.
  • Azure Active Directory Premium P1 or P2 and Microsoft Intune subscription (or an alternative MDM service).

 

Sources:

Overview of Windows Autopilot

Windows Autopilot registration overview

Deploy hybrid Azure AD-joined devices by using Intune and Windows Autopilot

Windows Autopilot scenarios and capabilities

Microsoft Store for business and Dell Partner for AutoPilot

Show More

Related Articles

Back to top button