In this post we are going to take a look at Windows Autopilot Deployment.
What is Windows Autopilot?
If you are an IT technician or infrastructure engineer you will probably be familiar with deploying Windows at scale to large numbers of machines on the fly. Most will be familiar with SCCM (System Center Configuration Manager), now known as MECM (Microsoft Endpoint Configuration Manager), for deploying customized Windows images and applications to corporate machines.
The cloud brings new possibilities: Windows Autopilot can be used to deploy and customize corporate machines without the need for on-premises infrastructure. We can also use Intune, Microsoft's mobile device management (MDM) service, to configure these devices: how updates work, which apps are pushed to which devices or users, remotely wiping or resetting machines, and pushing corporate compliance policies down to make sure our corporate data is protected in a zero trust, bring your own device (BYOD) world.
Below are a number of scenarios that suit Windows Autopilot features, followed by what you need to get started:
Windows 10/11 (Pro/Enterprise/Education)
Correct Microsoft 365 Licensing (see below)
To enroll machines in Autopilot we have to get the hardware ID of the device and then upload it into Microsoft Endpoint Manager, the dedicated cloud portal for Autopilot and Intune configuration.
We have to run a PowerShell script to pull the information out as a CSV, which we can then upload into Endpoint Manager. You can do individual machines or import in bulk.
I have created a VM in Hyper-V and made sure it can talk to the Internet; we will get the hardware ID from this machine and import it into Intune.
The following PowerShell script will be required; run it with elevated privileges:
# Working folder for the CSV
md c:\HWID
Set-Location c:\HWID
# Allow the downloaded script to run in this process only (the machine-wide execution policy is left unchanged)
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
# Pull Microsoft's Get-WindowsAutopilotInfo script from the PowerShell Gallery
Install-Script -Name Get-WindowsAutopilotInfo -Force
# Make sure the installed script is on the path for this session
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
# Collect the serial number and hardware hash into a CSV ready for import
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
The result of this script is a new directory called C:\HWID containing a CSV file with our hardware ID.
Log in to endpoint.microsoft.com
Navigate to Devices > Enroll Devices > Devices
On the Devices screen, select Import and choose the CSV file to upload:
This may take a while to sync, but when finished you should see the device added to your list. Because we don't yet have a deployment profile created and assigned, the status will show as updating/unassigned.
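The script above hides what is actually being collected. As an added example (not code from the original post or from Microsoft's script), the PowerShell below reads the same two values Get-WindowsAutopilotInfo uses, the BIOS serial number and the DeviceHardwareData string from the MDM bridge WMI provider, writes them in the column layout the Endpoint Manager importer expects, and sanity-checks a bulk CSV (missing columns, empty or mangled hashes, duplicate serials) before you upload it. The group tag "Lab" and the output path are assumptions for this lab; the column names follow Microsoft's documented import format.

```powershell
# Added example: gather the local Autopilot record and validate a bulk CSV.
# Run elevated, like the collection script itself.

function Get-LocalAutopilotRecord {
    param([string]$GroupTag = "")   # optional; "Lab" below is an assumed value

    # Serial number comes from the BIOS; the hardware hash comes from the MDM
    # bridge WMI provider, which is what Get-WindowsAutopilotInfo reads too.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $devDetail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap `
        -ClassName MDM_DevDetail_Ext01 `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"

    if (-not $devDetail -or [string]::IsNullOrEmpty($devDetail.DeviceHardwareData)) {
        throw "Could not read DeviceHardwareData; run this in an elevated session"
    }

    # 'Windows Product ID' is optional in the import format and may be left blank.
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $devDetail.DeviceHardwareData
        'Group Tag'            = $GroupTag
    }
}

function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)

    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -Path $Path)
    $problems = @()

    # The importer rejects a file whose header does not match; check that first.
    $headers = ($rows | Select-Object -First 1).PSObject.Properties.Name
    foreach ($col in $required) {
        if ($headers -notcontains $col) { $problems += "Missing column '$col'" }
    }

    if (-not $problems) {
        $seen = @{}
        foreach ($r in $rows) {
            $sn = $r.'Device Serial Number'
            if ([string]::IsNullOrWhiteSpace($r.'Hardware Hash')) {
                $problems += "Empty hash for serial '$sn'"
            }
            else {
                # The hash is a base64 string; anything else was mangled in transit
                # (a common result of editing the CSV in a spreadsheet).
                try { [void][Convert]::FromBase64String($r.'Hardware Hash') }
                catch { $problems += "Hash for serial '$sn' is not valid base64" }
            }
            # Duplicate serials usually mean the same machine was captured twice.
            if ($seen.ContainsKey($sn)) { $problems += "Duplicate serial '$sn'" }
            $seen[$sn] = $true
        }
    }

    [pscustomobject]@{ Path = $Path; Rows = $rows.Count; Problems = $problems }
}

# Usage: append this machine to a bulk CSV, then check the file before importing it.
$csv = 'C:\HWID\AutopilotBulk.csv'   # assumed path
$record = Get-LocalAutopilotRecord -GroupTag 'Lab'
if (Test-Path $csv) { $record | Export-Csv -Path $csv -NoTypeInformation -Append }
else                { $record | Export-Csv -Path $csv -NoTypeInformation }
Test-AutopilotCsv -Path $csv | Format-List
```

An empty Problems list means the file is in the shape the portal accepts; a non-empty one tells you which row to fix before you spend time waiting on a failed import to sync.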
Creating a Windows Autopilot Deployment Profile
Next we will create a deployment profile. This is where we define the Autopilot settings for the out-of-box experience (OOBE). You can pre-configure the settings so users don't have to click through and set up the machine themselves.
Navigate to: Devices > Enroll Devices > Deployment Profiles
From here we will select "Create New" and then select Windows.
Below is the basic settings page; name your profile, then click Next:
You will be asked to configure the OOBE settings on the next page. The following settings are enough to get started. If you're not sure what a setting does, hover over the (i) icon for an explanation:
On the next page we can control how the profile is assigned. I have created a dynamic group in Azure AD called "Auto_AutoPilot" that automatically adds Autopilot devices to itself based on a dynamic membership query. If you plan to assign most of your devices to the same group automatically, this is a good idea, as it saves you having to add all your devices manually.
See below for the Dynamic Group and the Query:
I want to apply this Deployment Profile to devices in the "Auto_AutoPilot" Dynamic Group:
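For anyone who would rather script the group than click through the portal, here is an added example (not from the original post) that creates the "Auto_AutoPilot" dynamic device group with the Microsoft Graph PowerShell SDK and then polls until a registered device shows up in it. The membership rule is the one Microsoft documents for "all Autopilot devices" (every Autopilot-registered device carries a `[ZTDId]` entry in its devicePhysicalIDs); the author's own query is only visible in the screenshot and may differ. The group-tag variant, the "Lab" tag and the polling interval are assumptions.

```powershell
# Added example: create the Autopilot dynamic group via Microsoft Graph and
# confirm membership. Requires the Microsoft.Graph.Groups module.
Import-Module Microsoft.Graph.Groups

# Group.ReadWrite.All is enough to create and read the group. Whoever controls
# this group controls which deployment profile every registered device gets,
# so keep the identity you run this as tightly scoped.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

function New-AutopilotDynamicGroup {
    param(
        [string]$DisplayName = "Auto_AutoPilot",
        # Microsoft-documented rule for all Autopilot-registered devices.
        [string]$Rule = '(device.devicePhysicalIDs -any (_ -startsWith "[ZTDId]"))'
    )
    New-MgGroup -DisplayName $DisplayName `
        -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -MailEnabled:$false -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $Rule `
        -MembershipRuleProcessingState "On"
}

# Variant (assumed naming): scope a group to devices imported with a given
# group tag, so different hardware pools can get different deployment profiles.
# The group tag is stored as an "[OrderID]:<tag>" physical ID on the device.
function New-AutopilotGroupTagGroup {
    param([Parameter(Mandatory)][string]$GroupTag)
    New-AutopilotDynamicGroup -DisplayName "Autopilot_$GroupTag" `
        -Rule "(device.devicePhysicalIDs -any (_ -eq `"[OrderID]:$GroupTag`"))"
}

# Dynamic membership is evaluated asynchronously, so the device will not be a
# member immediately. Autopilot registration creates the Azure AD device object
# with the serial number as its display name, which is what we match on here.
function Wait-DeviceInGroup {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$SerialNumber,
        [int]$TimeoutMinutes = 10
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $members = Get-MgGroupMember -GroupId $GroupId -All
        $hit = $members | Where-Object {
            $_.AdditionalProperties['displayName'] -eq $SerialNumber
        }
        if ($hit) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Usage: create the "all Autopilot devices" group and wait for the lab VM.
$group = New-AutopilotDynamicGroup
$labSerial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber   # run on the VM, or paste its serial
if (Wait-DeviceInGroup -GroupId $group.Id -SerialNumber $labSerial) {
    "Device $labSerial is now a member of $($group.DisplayName)"
} else {
    "Device $labSerial not in group after timeout; check the rule and that the import finished"
}
```

If the wait times out, the usual causes are that the hardware hash import has not finished syncing yet, or that the membership rule was pasted with a typo; the portal shows the rule's processing status on the group's Dynamic membership rules blade.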
On the final screen you can review all your settings and create the profile.
If we head back to the Devices screen under "Enroll Devices", you should now see that the status has changed to assigned (this can take some time to sync).
For this example I'm not going to deploy any further configuration settings, compliance policies or apps. I will cover these separately in future posts.
We are ready to reset our virtual machine and test Autopilot deployment.
In our test VM, navigate to:
Settings app > Updates and security > Recovery > Reset > Remove Everything > Local Install > Reset
On reinstall of Windows you should be greeted by the Autopilot page, and if you have set up company branding you will be greeted by your company's logo, terms of service, etc.
Log into the machine using your company account, or whatever user account you have set up in your Azure AD lab. The machine will then start to provision and run through its pre-build tasks, which include applying any configuration/compliance policies and any apps set as part of the Autopilot process. Remember that here we haven't pre-provisioned any settings, so the process should be quick.
Once completed, you will be asked to log into the machine and it will be ready to use.
This is a basic overview of setting up Windows Autopilot, but it goes a lot deeper: you can define machine settings to be applied to your builds, deploy applications during builds, control how machines are updated, and monitor your machines for corporate compliance; if a machine doesn't meet the requirements of your network, it won't be able to access certain apps or data.
I will cover all of the above in future posts. Watch this space!