Configuring Microsoft Autopilot

Hi All,

Today I am going to walk you through the setup of an Autopilot demonstration scenario that I recently set up for a customer.

What is Autopilot?

OK, so firstly let’s cover off the basic question of ‘What is Autopilot and why would I want to use it?’

Autopilot was first introduced in Windows 10 1703 and is a deployment methodology from Microsoft that allows organisations to use Azure Active Directory and Microsoft Intune to take ownership of, and fully configure, the Windows 10 installation that comes pre-loaded on new hardware by the OEM. The benefit is that organisations no longer have to purchase hardware, have it shipped to the IT department, wipe the existing OS and load a custom Windows image.

The wipe-and-reload methodology has been around for decades and has served organisations well. Nonetheless, it does come with downsides such as:

  • Creating the custom image
  • Deploying technology (such as MDT or SCCM) to deliver the image
  • Additional workload for IT to perform the wipe-and-reload process
  • Maintaining a driver catalogue each time new hardware types are procured
  • Maintaining Operating System updates within the custom image
  • Maintaining the custom applications installed within the custom image
  • Delay between purchase of hardware and delivery to end-user

Therefore, the ability to simply make use of the OEM image without having to perform the functions listed above has the potential to allow for new hardware to be delivered directly to end users, saving time and money. Additionally, the initial setup of the device could also be performed by the end user, totally removing the overheads for the IT department.

So, now that the purpose and advantages of Autopilot are clearer, let’s create a demo lab so we can test the functionality…

Pre-requisites

In order to proceed with this lab you will need the following:

  • A single Windows 10 workstation (can be physical or virtual),
    • Build 1703 or above (I will be using 1903 for this demo), LTSC 2019 also supported
    • Professional, Education or Enterprise edition
  • Existing Azure tenant with demo users
  • One of the following licenses assigned to demo users
    • Microsoft 365 E3
    • EMS E3
    • Azure Active Directory P1 & Intune

Obtaining the Hardware ID

The first thing to understand when testing Autopilot is that when a Windows 10 workstation boots for the first time, the OOBE (Out Of Box Experience) contacts Microsoft’s Autopilot deployment service (whose registrations you manage through Intune) to check whether the device’s hardware ID has been registered for Autopilot. This check happens on every first boot, including after the device has been reset. If the hardware ID is not registered (or the workstation cannot reach the service because it has no internet connectivity), the OOBE simply continues as the normal interactive setup. If the hardware ID has been registered for Autopilot, the OOBE branches into the Autopilot flow instead.

In a production environment this registration is performed by the OEM, who provides Microsoft with the list of hardware IDs for the workstations being purchased together with the Azure tenant ID the devices should be assigned to. You will therefore need to have provided your tenant ID to the OEM at the time of purchase.

However, in our lab we are not purchasing new hardware but using a VM created specifically for testing Autopilot, so we need to complete the hardware ID registration manually by performing the following process:

  • Install Windows 10 on workstation from Microsoft installation media
    • Complete the standard Windows Setup experience using the default options as below
    • Complete the OOBE experience by simply creating ‘user1’ with a temporary password
  • Run the following PowerShell commands from an elevated PowerShell prompt. They download Microsoft’s Get-WindowsAutopilotInfo script, generate the hardware ID (hardware hash) for the test workstation and export it to a .CSV file
# Run from an elevated (Administrator) PowerShell prompt
md c:\HWID
Set-Location c:\HWID
# Allow the downloaded script to run in this session only
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
# Fetch Microsoft's Get-WindowsAutopilotInfo script from the PowerShell Gallery
Install-Script -Name Get-WindowsAutopilotInfo -Force
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
# Collect the hardware hash and write it to a CSV ready for import into Intune
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv

Note – I did find on my vanilla workstation that I had to modify the execution policy to allow scripts to be run and also accept the installation of the NuGet provider

Copy the .csv created in c:\HWID to a location that can be accessed from a separate workstation where the Azure portal will be used to make the configuration changes.
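Before uploading the file it is worth checking that it is actually importable. The following is an added example, not part of the original post: it validates the CSV produced by Get-WindowsAutopilotInfo.ps1 (exact column names, non-empty and unique serial numbers, a hardware hash that decodes as Base64 and is not truncated) and can optionally stamp a Group Tag on every row so the devices can be targeted later. The file path and the ‘AutopilotLab’ tag are assumptions for this lab.

```powershell
# Added example (not from the original post): sanity-check the CSV produced by
# Get-WindowsAutopilotInfo.ps1 before uploading it, and optionally stamp a Group Tag on every row.
# The path and the 'AutopilotLab' tag are assumptions for this lab.
function Test-AutopilotCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $GroupTag
    )

    # Column names the Intune importer expects, spelled exactly like this
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No device rows found in $Path" }

    $columns = $rows[0].PSObject.Properties.Name
    foreach ($col in $required) {
        if ($columns -notcontains $col) { throw "Missing column '$col' in $Path" }
    }

    $seen = @{}
    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        $hash   = $row.'Hardware Hash'

        if ([string]::IsNullOrWhiteSpace($serial)) { throw 'A row has an empty serial number' }
        if ($seen.ContainsKey($serial)) { throw "Duplicate serial number: $serial" }
        $seen[$serial] = $true

        # The hardware hash is a Base64 blob of roughly 4 KB. A value that does not decode, or is
        # far too short, usually means the column was truncated or mangled by a spreadsheet
        # editor, and the import would fail for that row.
        try { $bytes = [Convert]::FromBase64String($hash) }
        catch { throw "Hardware hash for $serial is not valid Base64" }
        if ($bytes.Length -lt 1000) {
            throw "Hardware hash for $serial is only $($bytes.Length) bytes; expected several thousand"
        }

        if ($GroupTag) {
            $row | Add-Member -NotePropertyName 'Group Tag' -NotePropertyValue $GroupTag -Force
        }
    }

    if ($GroupTag) {
        # Write a tagged copy next to the original. Like Get-WindowsAutopilotInfo.ps1 we strip the
        # quotes ConvertTo-Csv adds; none of these fields can legitimately contain a comma.
        $tagged = [IO.Path]::ChangeExtension($Path, '.tagged.csv')
        $rows |
            Select-Object 'Device Serial Number', 'Windows Product ID', 'Hardware Hash', 'Group Tag' |
            ConvertTo-Csv -NoTypeInformation |
            ForEach-Object { $_ -replace '"', '' } |
            Set-Content -Path $tagged -Encoding ASCII
        Write-Host "Wrote tagged CSV to $tagged"
    }

    Write-Host "$($rows.Count) device(s) passed the checks in $Path"
}

Test-AutopilotCsv -Path 'C:\HWID\AutopilotHWID.csv' -GroupTag 'AutopilotLab'
```

Run it on the workstation you will upload from; if it throws, fix the file before touching the portal, because a rejected import only tells you that a row failed, not why.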

Reset the VM

Now that we have the Hardware ID extracted from our test machine we can reset the workstation so that it will perform the OOBE and we can simulate the end user experience.

To do this open Settings > Update & Security > Recovery and click on Get started under Reset this PC. Select Remove everything and Just remove my files. Finally, click on Reset.

This process will take some time and the workstation will restart several times during this process, so we can move on to the next steps while this is processing.

Importing the Hardware ID file

Now we have the .csv file containing the hardware ID we need to upload this into the Intune portal so Autopilot knows the ID. To do this simply open the Azure portal and navigate to the blade Microsoft Intune – Device Enrollment – Windows Enrollment – Devices

You can see the option to Import at the top of the page. Click this and navigate to the .csv file that was previously created.

This process will eventually complete and you will see the device listed.

You will also note that if you browse to Azure Active Directory – Devices you will see the device we have just imported. Note though that the device is only listed by its serial number as it does not yet have a name (at least not one that is known to AzureAD).

Preparing AzureAD

We now need to configure our environment appropriately to allow Autopilot to function.

Firstly navigate to Azure Active Directory – Devices – Device Settings and allow users to join devices to Azure Active Directory (an Autopilot device performs an Azure AD join during the OOBE, which is a different setting from device registration). In this demo I am allowing all users to do this, but you may want to limit it to a test group.

Then we need to enable automatic MDM enrollment into Intune, so that devices joining Azure AD are automatically enrolled and managed by Intune. We set this in Azure Active Directory – ‘Mobility (MDM and MAM)’ – Microsoft Intune, by setting the MDM user scope to include our demo users (Intune must already be the MDM authority for the tenant).

Now we need to create an Azure AD group that we can assign our Autopilot profile to, and make our test workstation a member of it. To do this we navigate to Azure Active Directory – Groups and click on New Group.

We can then name the group as shown below, including making our test machine a member of the group (remember at this stage we are still having to manage the workstation by serial number).

Note – It’s important to highlight that for the purpose of this demo we are only adding a single device to the group, but we could make this a dynamic group that automatically contains all Autopilot devices. Bear in mind that the profile assigned to such a group then applies to every hardware ID registered in the tenant, not just the ones you intended.
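As an added example (not from the original post), here is how that dynamic group can be created with the AzureAD PowerShell module instead of the portal, in two variants: one that catches every Autopilot-registered device, and one scoped to a Group Tag. The rules rely on the device attributes Autopilot registration writes into Azure AD: every registered device carries a ‘[ZTDId]’ physical ID, and a Group Tag appears as ‘[OrderID]:<tag>’. The module must be installed (Install-Module AzureAD) and the signed-in account must be allowed to create groups; the group names and the ‘AutopilotLab’ tag are assumptions for this lab.

```powershell
# Added example (not from the original post): create the Autopilot device group as a dynamic
# Azure AD group instead of adding the test VM to a static group by serial number.
# Assumes the AzureAD PowerShell module is installed (Install-Module AzureAD) and that the
# signed-in account may create groups. Group names and the 'AutopilotLab' tag are assumptions.

Connect-AzureAD | Out-Null

# Rule 1: every device registered with the Autopilot service carries a '[ZTDId]' entry in
# devicePhysicalIds. This matches ALL Autopilot devices in the tenant, so any hash you (or the
# OEM) import will receive whatever profile is assigned to this group.
$allAutopilot = New-AzureADMSGroup -DisplayName 'Autopilot - All devices' `
    -Description 'All devices registered with Windows Autopilot' `
    -MailEnabled $false -MailNickname 'autopilot-all' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))' `
    -MembershipRuleProcessingState 'On'

# Rule 2: scope by Group Tag instead. A tag set in the CSV's 'Group Tag' column (or on the device
# in Intune) appears as '[OrderID]:<tag>', so different batches of devices can be steered to
# different profiles. Prefer this over Rule 1 once the tenant receives real hardware.
$labOnly = New-AzureADMSGroup -DisplayName 'Autopilot - Lab devices' `
    -Description 'Autopilot devices tagged AutopilotLab' `
    -MailEnabled $false -MailNickname 'autopilot-lab' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(device.devicePhysicalIds -any (_ -eq "[OrderID]:AutopilotLab"))' `
    -MembershipRuleProcessingState 'On'

# Dynamic membership is evaluated asynchronously and can take several minutes; poll for the
# imported device rather than assuming it is already there.
$attempt = 0
do {
    Start-Sleep -Seconds 30
    $members = @(Get-AzureADGroupMember -ObjectId $labOnly.Id)
    $attempt++
} until ($members.Count -gt 0 -or $attempt -ge 20)

if ($members.Count -eq 0) {
    Write-Warning "No members yet in '$($labOnly.DisplayName)'; check the tag on the imported device."
} else {
    $members | Select-Object ObjectId, ObjectType, DisplayName
}
```

Dynamic groups need the Azure AD Premium P1 licence listed in the prerequisites. The tagged variant is the one to keep once real devices arrive, since it stops an OEM-registered device from silently picking up a lab profile.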

We now have everything we need configured in Azure AD and are ready to configure Intune.

Configuring Intune

Now we need to create a new Autopilot profile within Intune. To do this navigate to Intune – Device Enrollment – Windows Enrollment – Deployment Profiles and Select Create Profile

We then give the profile a name

Configure the options we want our devices to display to the end-user during the OOBE, such as the privacy settings and EULA pages. This is also where the profile sets whether the user becomes a local Administrator or a Standard user on the device; choose Standard unless you have a specific reason not to

Define your desired tags

Finally, we need to deploy the profile. Choose which groups we want to include (or exclude). In the example below, we will select the group we have created specifically for this purpose

This then completes the Intune configuration and we are ready to test our new Autopilot experience.

Autopilot Experience

Now change back to the test workstation. It should now be displaying at the region selection screen. This is the start of the user experience as they would see it if Autopilot was enabled for them.

First the standard Windows 10 setup prompts. Select the Region

Select the keyboard layout

Add any additional keyboards layouts

Now for the different experience with Autopilot. The user is prompted to enter their username (in the user principal name format, username@companyname.com). Note that at this point the device already knows it is managed by our organisation.

And then their password

After the user profile creation process has completed and we arrive at the user’s desktop we can then see in Settings > Accounts that the device is registered to the correct AzureAD tenant.

Also, we can see in Intune that the device is registered and compliant with policies
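Settings and the Intune console are fine for a demo, but on a real device it is worth confirming the join state from the workstation itself rather than trusting what the portal shows. The following is an added example (not from the original post) that parses the output of dsregcmd /status, which ships with Windows 10, and checks that the device is Azure AD joined to the tenant you expected, is not also domain joined, and has completed MDM enrollment into Intune. The tenant ID is a placeholder; replace it with your own (Azure Active Directory – Properties – Directory ID).

```powershell
# Added example (not from the original post): confirm from the freshly provisioned workstation
# that it joined the tenant we expected and is enrolled in Intune. The tenant ID passed at the
# bottom is a placeholder; replace it with your own.
function Get-DsregStatus {
    # dsregcmd prints '   Key : Value' lines; turn them into a hashtable
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*)$') {
            $status[$matches[1]] = $matches[2].Trim()
        }
    }
    return $status
}

function Test-AutopilotJoin {
    param([Parameter(Mandatory)] [string] $ExpectedTenantId)
    $s = Get-DsregStatus
    $problems = @()

    if ($s['AzureAdJoined'] -ne 'YES') { $problems += 'Device is not Azure AD joined' }
    if ($s['DomainJoined'] -eq 'YES')  { $problems += 'Device is also domain joined (expected a pure Azure AD join)' }
    if ($s['TenantId'] -ne $ExpectedTenantId) {
        $problems += "Joined tenant $($s['TenantId']) but expected $ExpectedTenantId"
    }
    # MdmUrl is only populated once automatic MDM enrollment into Intune has succeeded
    if (-not $s['MdmUrl']) { $problems += 'No MDM URL: Intune enrollment has not completed' }

    if ($problems) {
        $problems | ForEach-Object { Write-Warning $_ }
        return $false
    }
    Write-Host "Azure AD joined to $($s['TenantName']) ($($s['TenantId'])), MDM: $($s['MdmUrl'])"
    return $true
}

Test-AutopilotJoin -ExpectedTenantId '00000000-0000-0000-0000-000000000000'
```

A wrong tenant ID here is the check that matters: a device that was registered against someone else’s tenant will happily complete Autopilot and look “managed” in Settings, just not by you.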

So that concludes our demonstration of Autopilot. The user was only prompted for the standard Windows 10 setup questions along with their Username and Password and they now have a fully AzureAD and Intune registered workstation ready for management.