As per Microsoft, Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose, and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that’s easy and simple.
In this post, we will discuss Windows 10 / Windows 11 device provisioning using Windows Autopilot for Azure Active Directory (AAD) joined devices.
Table of Contents
- Configure Azure AD Automatic Enrollment
- Configure Azure AD custom branding
- Create a Device group for Windows Autopilot devices
- Create Windows Autopilot Deployment Profile
- Configure Enrollment Status Page
- Register device with Windows Autopilot
- Reset the VM to factory settings
- Out of Box Experience (OOBE)
Best Windows Autopilot deployment Guide
Before you use Windows Autopilot, a few configurations are required to support Autopilot scenarios.
Configure Azure Active Directory Automatic Enrollment
Automatic enrollment lets users enroll their Windows devices in Microsoft Intune. Follow the steps below to configure automatic MDM enrollment.
- Sign in to the Azure portal, and select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.
- Configure the MDM user scope. If you select Some, you need to select an Azure AD group.
Note: MDM user scope must be set to an Azure AD group that contains user objects.
Configure Azure Active Directory custom branding (Optional)
The Azure Active Directory custom branding page allows you to configure an organization-specific logon page. You can add company branding to your sign-in page in Azure AD. You can configure these settings from Azure portal > Azure AD > Company branding.
Create a device group for Windows Autopilot
A device group is required to assign a Windows Autopilot Deployment Profile. We will create a group with dynamic membership based on the Autopilot device attribute (ZTDId). This removes the manual effort of adding each device to the group: a device automatically becomes a member of this group once its hardware hash is imported into Windows Autopilot.
To create a group that includes all of your Autopilot devices, use the expression below as the dynamic membership rule:
(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
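The same dynamic group can be created from PowerShell with the Microsoft Graph SDK. This is an added example, not part of the original post; the group name, mail nickname and the quote-normalisation step are my own, and it assumes the Microsoft.Graph.Groups module is installed and the signed-in account can create groups.

```powershell
# Added example: create the Autopilot dynamic device group via Microsoft Graph
# and read the membership rule back to confirm it was stored as typed.
# Assumes Microsoft.Graph.Groups is installed (Install-Module Microsoft.Graph.Groups).

# The rule from the post. Rules copied from web pages often carry curly quotes,
# which Azure AD rejects, so normalise them to straight quotes before submitting.
$rule = '(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))'
$rule = $rule -replace '[\u201C\u201D]', '"'

function New-AutopilotDeviceGroup {
    param(
        [string]$DisplayName  = 'Autopilot Devices',   # assumed name
        [string]$MailNickname = 'autopilotdevices',    # assumed nickname
        [string]$MembershipRule
    )
    Connect-MgGraph -Scopes 'Group.ReadWrite.All' | Out-Null

    $group = New-MgGroup -DisplayName $DisplayName `
        -MailNickname $MailNickname `
        -MailEnabled:$false `
        -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState 'On'

    # Read the stored rule back; a mismatch usually means the quotes were mangled.
    $stored = (Get-MgGroup -GroupId $group.Id).MembershipRule
    if ($stored -ne $MembershipRule) {
        Write-Warning "Stored rule differs from the submitted rule: $stored"
    }
    return $group
}

$g = New-AutopilotDeviceGroup -MembershipRule $rule
"Created group $($g.DisplayName) ($($g.Id)); assign the deployment profile to this group."
```

Dynamic membership is evaluated asynchronously, so imported devices appear in the group a few minutes after the hardware hash import, not immediately.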
Create Windows Autopilot Deployment Profile
Autopilot deployment profiles are used to configure Autopilot devices. A Windows Autopilot Deployment Profile needs to be assigned to devices to enable Windows Autopilot for them. Follow the steps below to create an Autopilot deployment profile.
In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Deployment Profiles
Click on Create Profile > Windows PC
On the Basics page, type a Name and optional Description. Click on Next.
On the Out-of-Box Experience (OOBE) page, we will go ahead with all default settings.
- Deployment Mode : User Driven
Devices with this profile require the user to enroll the device using their Azure Active Directory credentials.
- Join to Azure AD : Azure AD joined
- Microsoft Software License Terms : Hide
- Privacy Settings : Hide
- Hide change account options : Hide
- User Account type : Standard
- Allow White Glove OOBE : No
- Language (Region) : Operating System default
- Automatically Configure keyboard : Yes
- Apply device name template : Yes
On the Assignment page, add the AAD group you created for Windows Autopilot Devices and click on Next.
On the Review + create page, review the details and click on Create.
The Autopilot deployment profile is now created, and you can see it under Devices > Windows Enrollment > Windows Autopilot Deployment Profile.
Configure Enrollment Status Page
The Enrollment Status Page (ESP) shows the progress of device provisioning when a new device is enrolled in Intune or a new user signs in to the device. You can show the ESP during the default out-of-box experience (OOBE) for Azure AD join and Windows Autopilot scenarios, or when a new user signs into the device for the first time.
Check out this post for a step-by-step guide to configuring the Enrollment Status Page.
Manually Register Device with Windows Autopilot
We have configured all required settings in Intune to support Windows Autopilot scenarios. Now we need to manually register a device with Windows Autopilot to go ahead with our testing. The manual registration process is primarily for testing purposes. An organization should opt for OEMs or CSP partners for Windows Autopilot registration. An OEM or other device provider uses the registration authorization process to perform device registration on your behalf.
Follow the steps below to register a device with Windows Autopilot.
- Install Windows 10 on a test device or VM. We will use the same device for the Autopilot deployment.
- Download the PowerShell script (Get-WindowsAutoPilotInfo.ps1) from the PowerShell Gallery to get a device’s hardware hash and serial number. The serial number is useful for quickly seeing which device the hardware hash belongs to.
- Run the PowerShell script on the test device which you prepared for Windows Autopilot deployment testing.
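The following added example (not the gallery script itself and not from the original post) reads the hardware hash from the same CIM class Get-WindowsAutoPilotInfo.ps1 queries, writes the CSV in the layout Intune imports, and checks the file before you upload it. Function names are my own; run it in an elevated PowerShell session on the test device.

```powershell
# Added example: capture the Autopilot hardware hash and validate the import CSV.
# Requires administrator rights; MDM_DevDetail_Ext01 is only readable when elevated.

function Get-AutopilotHashRecord {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    # DeviceHardwareData holds the base64-encoded 4K hardware hash.
    $devDetail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap `
        -ClassName MDM_DevDetail_Ext01 `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail.DeviceHardwareData) {
        throw 'No hardware hash returned; run as administrator on a supported device or VM.'
    }
    [pscustomobject]@{
        'Device Serial Number' = $bios.SerialNumber
        'Windows Product ID'   = ''   # left empty, as the gallery script does
        'Hardware Hash'        = $devDetail.DeviceHardwareData
    }
}

function Export-AutopilotCsv {
    param([string]$Path)
    Get-AutopilotHashRecord |
        ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |   # the Intune import expects unquoted fields
        Set-Content -Path $Path -Encoding ascii
}

function Test-AutopilotCsv {
    param([string]$Path)
    $lines = Get-Content -Path $Path
    $expectedHeader = 'Device Serial Number,Windows Product ID,Hardware Hash'
    if ($lines[0] -ne $expectedHeader) { return "Unexpected header: $($lines[0])" }
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        $fields = $line -split ','
        if ($fields.Count -ne 3) { return "Wrong field count in row: $line" }
        if (-not $fields[0])     { return 'Missing serial number in a row' }
        # The hash must be base64; anything else means the capture was truncated or edited.
        if ($fields[2] -notmatch '^[A-Za-z0-9+/]+=*$') { return "Hash is not base64 for serial $($fields[0])" }
    }
    return "OK: $($lines.Count - 1) device(s) ready to import"
}

$csv = Join-Path $env:TEMP 'AutopilotHWID.csv'
Export-AutopilotCsv -Path $csv
Test-AutopilotCsv -Path $csv
```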
Once the hardware hash has been captured in a CSV file, it needs to be uploaded to Windows Autopilot. We will use Microsoft Intune to import the device into Windows Autopilot.
In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment and select Devices in the Windows Autopilot Deployment Program section.
On the next screen, click on Import
On the Add Autopilot devices screen, click on the Browse button and select the hardware hash CSV file. Click on Import.
You can see the status of the import in the Notifications area.
If the import was successful, you will see the device details on the Windows Autopilot Devices page.
Reset the VM to factory settings
Now we need to reset the Windows 10 VM to factory settings. This will force the device to go to the Windows setup OOBE stage. The Windows Autopilot profile will be downloaded automatically at this stage.
Before the reset, ensure that the machine is connected to the network and that the Internet is accessible.
Perform the steps below to reset your Windows OS to factory settings.
- From the Start menu, select Settings
- In the Windows Settings window, select Update & Security
- In the Windows Update window, select Recovery from the left pane
You will now see the Recovery page. Click on Get started under Reset this PC to begin the reset process.
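Because the profile download in OOBE depends on outbound HTTPS to the Autopilot and Azure AD services, it is worth checking reachability before the reset rather than discovering the problem on the sign-in screen. This added example (not part of the original post) tests the endpoints Microsoft documents for Autopilot profile download, device registration and Azure AD sign-in; the function name is mine.

```powershell
# Added example: verify outbound TCP 443 reachability before resetting the device.
# Endpoints come from Microsoft's published Autopilot networking requirements.

function Test-AutopilotConnectivity {
    param(
        [string[]]$Endpoints = @(
            'ztd.dds.microsoft.com',      # Autopilot profile download
            'cs.dds.microsoft.com',       # Autopilot device registration
            'login.microsoftonline.com'   # Azure AD sign-in during OOBE
        )
    )
    foreach ($h in $Endpoints) {
        # Test-NetConnection resolves the name and attempts a TCP handshake on the port.
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Endpoint   = $h
            Resolved   = [bool]$r.RemoteAddress
            TcpSuccess = $r.TcpTestSucceeded
        }
    }
}

$results = Test-AutopilotConnectivity
$results | Format-Table -AutoSize

# If any endpoint fails, the device will reach OOBE without its Autopilot profile and
# the sign-in page will not show the company branding described later in this post.
$failed = $results | Where-Object { -not $_.TcpSuccess }
if ($failed) {
    Write-Warning ("Not reachable: " + ($failed.Endpoint -join ', ') + ". Fix connectivity before resetting.")
} else {
    'All Autopilot endpoints reachable; safe to reset.'
}
```

A proxy that requires authentication will also block the profile download during OOBE even when this test succeeds from a signed-in session, so test from the same network path the OOBE will use.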
Windows 10 – Reset
On the Choose an option page, select Remove everything.
You will see the Getting things ready page. The machine will reboot once the reset completes and take you to the Windows setup OOBE page.
Out of Box Experience (OOBE)
We have reset our test VM in the previous steps. Once the reset process is completed, it will go to the OOBE screen. The first few screens will have the following details. The end user will go through the same experience.
Network connection : When you reset a Windows 10 OS, the network details such as the Wi-Fi connection and password are saved and automatically restored. Hence, you may not see this screen.
Region settings : Select the region
Keyboard layout : Select the keyboard layout
Additional keyboard layout : This screen allows you to add an additional keyboard layout
License agreement : Acknowledge the license agreement
The next screen will be for user login. If you don’t see your company branding and tenant details here, then your device has not been identified as a Windows Autopilot device.
The user should log in with their corporate ID and password. Enter your company corporate ID and click on Next.
On the next screen, you will be prompted for the password. Enter the password and click on Next.
The Enrollment Status Page (ESP) will be displayed on the next screen.
The following stages are part of the Enrollment Status Page.
The following actions are included in the Device preparation stage.
- Securing your hardware
- Joining your organization’s network
- Registering your Device for Mobile Device Management
- Preparing your device for mobile management
The Device setup stage includes the following steps.
- Security Policies
- Network Connections
Account setup is the last stage of the Enrollment Status Page. The following actions are associated with this stage.
- Joining your organization’s network
- Security policies
- Network connections
The next screen is Privacy settings. Toggle the settings on or off as per your requirements and click on Accept.
Once the configuration has finished, the user will be prompted for additional authentication if Multi-Factor Authentication (MFA) is enabled.
Your device will be ready to use now.