How to Provision Windows 10 / 11 Device using Intune and Windows Autopilot

As per Microsoft, Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose, and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that’s easy and simple. In this post, we will discuss about device provision using Windows 10 Autopilot for Azure Active Directory (AAD) joined devices.

Configure Azure Active Directory Automatic Enrollment

Automatic enrollment lets user automatically enroll their Windows devices in Microsoft Intune. Follow the below steps to configure Automatic MDM enrollment from Azure portal.

• Sign in to the Azure portal, and select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.
• Configure MDM user scope. If you select Some then you need to select an Azure AD Group.

Note: MDM user scope must be set to an Azure AD group that contains user objects.

Configure Azure Active Directory custom branding (Optional)

The Azure Active Directory custom branding page allow you to configure an organization specific logon page. You can add company branding to your sign-in page in Azure AD. You can configure these settings from Azure portal > Azure AD > Company branding.

Create a device group for Windows Autopilot

A device group is required to assign Windows Autopilot Deployment Profile. We will create a group with dynamic membership using Autopilot device attributes (ZTDId). This will reduce manual efforts of adding each device in group as device automatically become member of this group when hardware hash imported into Windows Autopilot.

To create a group that includes all of your Autopilot devices, use below expression in dynamic membership rule:

(device.devicePhysicalIDs -any (_ -contains “[ZTDId]”))

Create Windows Autopilot Deployment Profile

Autopilot deployment profiles are used to configure the Autopilot devices. A Windows Autopilot Deployment Profile need to be assigned to devices to enable Windows autopilot for them. Follow the below steps to create Autopilot deployment profile.

In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Deployment Profiles

Click on Create Profile > Windows PC

On the Basics page, type a Name and optional Description. Click on Next.

On the Out-of-Box Experience (OOBE) page, we will go ahead with all default settings.

Settings:

• Deployment Mode : User Driven

Devices with this profile requires user enrolling the device using their Azure Active Directory credential.

• Join to Azure AD : Azure AD joined
• Microsoft Software License Terms : Hide
• Privacy Settings : Hide
• Hide change account options : Hide
• User Account type : Standard
• Allow White Glove OOBE : No
• Language (Region) : Operating System default
• Automatically Configure keyboard : Yes
• Apply device name template : Yes

On the Assignment page, add the AAD group you created for Windows Autopilot Devices and click on Next.

On the Review + create page, review the details and click on Create.

The Autopilot deployment profile is now created and you see the same from Devices > Windows Enrollment > Windows Autopilot Deployment Profile.

Configure Enrollment Status Page

The Enrollment Status Page (ESP) shows the progress of device provisioning when a new device enrolled to Intune or a new user sign in to the device. You can show ESP during the default out-of-box experience (OOBE) for Azure AD join, Windows Autopilot scenarios or when new user sign into the device for the first time.

Check out this post for step by step guide to configure Enrollment Status Page.

Manually Register Device with Windows Autopilot

We have configured all required settings in Intune to support Windows autopilot scenarios. Now, we need to manually register device to Windows Autopilot to go ahead with our testing. The manual hardware hash registration process is primarily for testing purpose. An organization should opt for OEMs or CSP partners for Windows Autopilot registration. An OEM or other device provider uses the registration authorization process to perform device registration on your behalf.

Follow the below steps to register device to Windows Autopilot.

• Install Windows 10 on a test device or VM. We will use same device for Autopilot deployment.
• Download PowerShell script (Get-WindowsAutoPilotInfo.ps1) from PowerShell gallery to get a device’s hardware hash and serial number. The serial number is useful for quickly seeing which device the hardware hash belongs to.
• Run the Powershell script on test device which you prepared for Windows Autopilot deployment testing.

Once we done with capturing hardware hash in CSV file the same need to be uploaded to Windows Autopilot. We will use Microsoft Intune to import the device to Windows Autopilot.

In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment and select Devices in Windows Autopilot Deployment Program section

On the next screen, click on Import

On the Add Autopilot devices screen, click on Browse button and select the hardware hash CSV file. Click on Import.

You can see status of import in Notification area.

If Import was successful then you will see the device details in Windows Autopilot Devices page.

Reset the VM to factory settings

Now we need to reset the Windows 10 VM to factory settings. This will force the device to go to Windows setup OOBE stage. The Windows Autopilot profile downloaded at this stage automatically.

Before reset , you need to ensure that machine is connected with network and Internet is accessible.

Perform below steps to reset your Windows OS to factory settings.

• From Start Menu , select Settings
• In Windows Settings window select Update & Security
• In Windows Update window select Recovery from left pane

You will now see Recovery page. Click on Get started under Reset this PC to begin reset process.

Windows 10 – Reset

On the Choose an option page, select Remove everything.

You will see Getting things ready page. The machine reboots once reset process completes and it’s take you to Windows setup OOBE page after reboot.

Out of Box Experience (OOBE)

We have reset our test VM in previous steps. Once reset process is completed, it will go to OOBE screen. The first few screens will have following details. The end user will go thorugh same experience.

Network connection : When you reset a Windows 10 OS, the network details such as WIFI connection and password are saved and automatically restore. Hence, you may not see this screen.

Region settings : Select the region

Keyboard layout : Select the Keyboard layout

Additional keyboard layout: This screen will allow you to add additional keyboard layout

license agreement : Acknowledge license agreement

The next screen will be for user login. If you don’t see your company branding and tenant details here then your device has not been identified as Windows Autopilot device.

The user should log in with their corporate ID and password. Enter your company corporate ID and click on Next.

You will be prompted for the password at next screen. Enter the password and click on Next.

The Enrollment Status Page (ESP) will be displayed on next screen.

The followings stages will be part of Enrollment Status page.

Device Preparation:

The following actions are included in Device preparation stage.

• Securing your hardware
• Joining your organization’s network
• Registering your Device for Mobile Device Management
• Preparing your device for mobile management

Device Setup:

The Device setup stage includes following steps.

• Security Policies
• Certificate
• Network Connections
• Apps

Account Setup:

The Account setup is the last stage of Enrollment Status Page. The following actions are associated with this stage.

• Joining your organization’s network
• Security policies
• Certificates
• Network connections
• Apps

The next screen will be Privacy settings Toggle the settings on or off as per you requirements and click on Accept.

Once configuration finished, user will get a prompt for additional authentication if Multi Factor Authentication (MFA) is enabled.

Your device will be ready to use now.

Related Posts:

• Windows 10 Autopilot Deployment Guide | Intune
• Intune – Configure Enrollment Status Page (ESP)
• Intune – Windows 10 MDM- Basic troubleshooting
• Bulk enrollment of Windows 10/ 11 Device to Intune using Provisioning Package
• Enroll Windows 11 Device to Intune through Azure AD Join method
• Windows 11 enrollment with Provisioning package failed with error code 0x800700b7
• How to Obtain Hardware Hash for Manually Registring Devices with Windows Autopilot