This month I have published several blog posts about Microsoft Intune. If you have followed them, you now have a nice environment. Good job! This time I want to write about Windows Autopilot. This feature has been available since the Windows 10 Creators Update and helps the IT guys and girls deliver devices to end users faster than before.
What does Windows Autopilot do?
Windows Autopilot makes it easier to enroll devices into your environment. It lets end users become productive very quickly, without administrator intervention. The nice part is that the device can be delivered directly to the end user, without a stopover at the IT department for configuration. The user unboxes the device and turns it on for the first time. The out-of-box experience starts and the user has to follow a few steps. One of these steps is to connect to the Internet, for example over Wi-Fi. Then the user has to enter his or her AD credentials. Based on the hardware ID and the AD credentials, the device automatically joins Azure AD and is enrolled into Microsoft Intune. These processes run in the background; no user interaction is needed. If the user is a member of a group to which an app is assigned, the app is automatically pushed to the device. Once the device has completed the out-of-box experience, the user has a fully configured device that is joined to Azure AD and managed by Microsoft Intune.
How does Autopilot know which device must be configured by Autopilot?
Autopilot works with a hardware ID. Each device has a unique hardware ID. This hardware ID is based on three IDs: the Device Serial Number, the Windows Product ID and the Hardware Hash. Your supplier or hardware vendor has this information. You can also get this information by running a PowerShell script (later in this blog). The hardware supplier or vendor, like HP, Lenovo or Dell, has the option, and a specific kind of access, to add the hardware IDs of the devices you have ordered into Microsoft Intune. This is done when the new devices are ordered. Based on this information, Autopilot knows which devices it must configure.
Because of this feature, the device does not have to be delivered to the IT department for preparation. This step can be skipped. No support from a System Center Configuration Manager (SCCM) server is needed either. I see this most of the time at customers: the old or current way is mostly that the device is delivered to the IT department, which puts the corporate image on the device. Before you can use an image on a device, you have to build a new image and then test it on several devices. Only after that can you use the image in production. This is very time-consuming. Autopilot makes this more efficient by skipping the process, without the help of SCCM. This saves a lot of time.
For more information about Windows Autopilot, see this link: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot
Or watch this video: https://www.youtube.com/watch?time_continue=42&v=JrEU84KK2lQ
Before we begin configuring the Autopilot profile, you need the hardware info of your test machine. There is a PowerShell script you can use. You can find it here: https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo/1.3/DisplayScript
Note: this is only needed if you already have the device or if you are using a virtual machine. The advantage of Autopilot is that the hardware supplier can deliver the correct hardware information to you or directly into Autopilot. This happens without them approaching you for acceptance. The supplier gets restricted access to your tenant for adding the hardware IDs. They have a kind of database of these hardware IDs, so it is easier for them to find the IDs. So, this part can be skipped if you have ordered a new device and the supplier can add the IDs into Intune. For this example I use a virtual machine, and because of that I have to find the IDs myself.
To get the information, open a PowerShell prompt with admin privileges.
Enter this command: Install-Script -Name Get-WindowsAutoPilotInfo and press Y for Yes.
And Yes again, because we need that script.
OK, the script is downloaded. Enter Get-WindowsAutoPilotInfo.ps1 -outputfile C:\temp\autopilot.csv (or use Tab completion to autocomplete the name of the script) and press the Enter key.
Maybe you will get this warning. You have to change the execution policy within PowerShell.
Please run this command: Set-ExecutionPolicy -ExecutionPolicy Bypass (use Tab completion to make the command easier to type)
Answer this question with Y for Yes. You can change it back later by using the same command, but instead of Bypass you have to type Restricted.
OK, that is set. Now run the script again: Get-WindowsAutoPilotInfo.ps1 -Outputfile C:\temp\autopilot.csv
You need the CSV to import the computer into Microsoft Intune. Go to the MS Intune portal -> Device enrollment -> Windows enrollment.
Click on Devices.
Click on the button Import to import the CSV.
Browse to your CSV file and click on the Ok button.
The results look good. Click on the Import button to import the device.
You will get this message. The sync will take a few minutes.
The result: the device is imported. Now we have to make a profile or just edit the default Autopilot profile. Go to the MS Intune portal -> Device enrollment -> Windows enrollment.
Click on Deployment Profiles.
Click on Autopilot Profile to edit.
Click on Settings.
Here you can change the OOBE (Out of Box Experience) settings. These are the defaults, so I didn’t change these settings.
You see that no devices are assigned to this profile. So, we have to go back to Devices.
Select the specific device and click on the Assign profile button.
Choose the profile, like Autopilot Profile, and click on the Assign button.
The status is Assigning. Wait a few minutes and click on the Refresh button.
The status has changed to Assigned. The device is prepared for Autopilot.
There is a new option to follow the progress of Autopilot. It shows which part of Autopilot is currently running.
To enable this option, go to the MS Intune portal -> Device enrollment -> Windows enrollment.
Click on Enrollment Status Page (Preview).
Click on Default to edit.
Click on Settings and change some settings. After that click on the Save button.
You are done configuring Autopilot. Now you need a Windows 10 installation that has not been configured yet. So, in my case for example, I have to reinstall Windows 10 in my virtual machine, to be sure that I don't have an already configured device. Maybe you have already enrolled the device as well. In that case, delete the device from Intune and also from Azure AD, to be sure.
OK, after the installation of Windows 10 I got this: the default steps in OOBE.
Choose your region and click on the Yes button.
Choose the keyboard layout and click on the Yes button.
Click on the Skip button.
Enter the login name or email address here. Click on the Next button.
Enter your password here and click on the Next button.
Enter the code which you have received by SMS or phone call here. Click on the Next button.
You have to wait for this process to complete.
During “Setting up” the device has been added to Azure AD and enrolled into Intune.
In the background, Autopilot is applying the security policies and installing the apps which are set as required. Click on Show details for more information. This view is controlled by the Enrollment Status Page profile.
The Autopilot part is done and now you have to set up a PIN.
Enter the code which you have received by SMS or phone call. Click Next.
You have to enter a PIN code. Sorry about the screenshot, I missed this one…
You see that the apps are installed, and everything is configured by Intune.
This is how Autopilot works. Simple and easy for the end user, but also for the IT guy or girl. It saves them a lot of time for other things.
The next blog will be all about Windows Automatic Redeployment. Stay tuned! Thanks for reading the blog, and if you have any questions, don’t hesitate to send me a comment or email.
See you and greetings, Albert