Windows Autopilot supports user-driven mode, which allows end users to unbox a PC, power it on, choose a language, connect to their home or remote network, enter sign-in information, and then have the PC automatically perform the rest of the provisioning process. This automated portion of the configuration includes the following:
- Joining your organization
- Enrolling the device in Microsoft Intune
- Configuring the PC based on the settings and installations defined at the organizational level
It supports two join scenarios:
- Azure Active Directory
- Hybrid Azure Active Directory
To simulate an end user who receives and unboxes a new Windows 10 desktop, we will use a Windows 10 VM instead of a physical PC.
OEMs capture the hardware ID of each device in the factory. Using the PowerShell script below, we play the role of the OEM and capture the hardware ID of the virtual machine ourselves.
The steps of the script are as follows:
```powershell
# Create a working folder and move into it
md c:\HWID
Set-Location c:\HWID
# Allow unsigned scripts for this session only
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
# Install Microsoft's Get-WindowsAutopilotInfo script from the PowerShell Gallery
Install-Script -Name Get-WindowsAutopilotInfo -Force
# Make the Scripts folder resolvable in this session
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
# Collect the serial number, product ID, and hardware hash of this machine into a CSV
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
```
The steps above create a CSV file that can be imported into Autopilot to test its functionality. Browse to and select your CSV file for Autopilot.
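Before uploading the file, it is worth checking it locally, since an empty, mis-headed, or truncated CSV is rejected by the import without much explanation. The following is an added example, not part of the original article or of Microsoft's script; it assumes the column headers that Get-WindowsAutopilotInfo.ps1 writes and the Autopilot import expects ("Device Serial Number", "Windows Product ID", "Hardware Hash"), and the sample rows it builds are constructed, not real device data.

```powershell
# Added example (not from the original article): sanity-check an Autopilot
# hardware-ID CSV before uploading it, so a malformed file is caught locally
# instead of failing in the Intune import dialog.
# Assumption: the mandatory headers are "Device Serial Number",
# "Windows Product ID" and "Hardware Hash" ("Group Tag" and "Assigned User" are optional).
function Test-AutopilotHwidCsv {
    param([Parameter(Mandatory)][string]$Path)

    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { Write-Warning "$Path contains no device rows"; return $false }

    # Header check: all three mandatory columns must be present and spelled exactly.
    $headers = $rows[0].PSObject.Properties.Name
    $missing = $required | Where-Object { $_ -notin $headers }
    if ($missing) { Write-Warning "Missing column(s): $($missing -join ', ')"; return $false }

    $ok = $true
    $seen = @{}
    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        $hash   = $row.'Hardware Hash'
        if ([string]::IsNullOrWhiteSpace($serial)) { Write-Warning 'Row with empty serial'; $ok = $false; continue }
        if ($seen.ContainsKey($serial)) { Write-Warning "Duplicate serial $serial"; $ok = $false }
        $seen[$serial] = $true
        # The hash is a base64 blob; a truncated copy/paste will not decode.
        try { [void][Convert]::FromBase64String($hash) }
        catch { Write-Warning "Serial $serial has a hash that is not valid base64"; $ok = $false }
    }
    Write-Host "$($rows.Count) row(s) checked in $Path"
    return $ok
}

# Constructed sample file (not a real device): one well-formed row and one whose
# hash is cut short by a character, so the check flags the second row.
$sample   = Join-Path $env:TEMP 'AutopilotHWID-sample.csv'
$goodHash = [Convert]::ToBase64String([byte[]](1..64))
@"
Device Serial Number,Windows Product ID,Hardware Hash
VM-0001,00000-00000-00000-AAOEM,$goodHash
VM-0002,00000-00000-00000-AAOEM,$($goodHash.Substring(0, $goodHash.Length - 1))
"@ | Set-Content -Path $sample

Test-AutopilotHwidCsv -Path $sample   # returns $false because of the VM-0002 row
```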
The new Autopilot device is successfully added.
Add a new group for Autopilot scoping
Most likely, you will want to scope your Autopilot deployments to a specific group. You can easily do that by creating a new Azure Active Directory group. Below, the membership type is Assigned. In production environments, you can also benefit from dynamic groups, which define group membership automatically.
For group membership, add the device imported earlier. After finding the device, click the Select button.
The imported device is now a member of the Azure Active Directory group.
Configuring company branding
It is recommended to configure your company branding, which customizes the look and feel of the Autopilot process so it is familiar to the end user provisioning the PC. It also lets you quickly confirm that the Autopilot process is targeting the device correctly. To customize the company branding, navigate to your Azure Active Directory blade and choose Company branding. Below, a banner logo and "sign-in page text" are defined.
Next, we want to configure mobility (MDM and MAM) policies. In your Azure Active Directory blade, choose Mobility (MDM and MAM). Here, we set both to All.
Assigning applications to the Windows Autopilot profile
Next, using Microsoft Endpoint Manager, you can assign Windows apps to the Windows Autopilot profile. This is a quick way to provision the applications end users need. Office apps are among the primary applications required by users for business productivity. In Endpoint Manager, choose Apps > Windows > Add to add Microsoft 365 apps for Windows 10.
Under the Microsoft 365 Apps properties for Windows 10, after adding it to the available apps, choose Properties > Assignments > Edit.
Add the same group you used to scope your Autopilot deployment. Click Review + save.
Create a Windows Autopilot deployment profile
We now have some basic requirements for Autopilot in place. Now, we need to define the Autopilot deployment profile. In Microsoft Endpoint Manager, click Devices > Enroll devices > Deployment profiles.
Choose Create profile > Windows PC.
It launches the Create profile wizard. Select a name for the profile.
On the out-of-box experience screen, choose the deployment mode, Azure AD join type, and other settings to customize the experience. In the user-driven approach, devices are associated with the user deploying the device, and user credentials are required for deployment. Click Next when the settings are configured to align with your organization's needs.
On the Assignments screen, choose the group to which you want to assign the deployment profile. Here, we choose the group containing the imported device.
Review and create the new Autopilot deployment profile.
The new deployment profile is created successfully.
If you go back to the Windows Autopilot devices screen, you'll notice the Profile status displays "Not assigned." If this is the case, click the Sync button.
After syncing, the Profile status displays Assigned.
Running Windows Autopilot on a Windows 10 PC
Now that Autopilot and other components are configured, we can test the Autopilot functionality on the Windows 10 PC. During the out-of-the-box experience, I select the Set up for an organization option.
Next, enter the organization account to be used for configuring the Windows 10 PC.
Note that after entering the organization account, the custom branding message is displayed below. Seeing this is a good sign that Autopilot is working. After entering your password, you will see the normal screens to follow to configure Windows Hello and set up your PIN code for accessing the machine.
Once signed in, we see Microsoft 365 apps start to download. The full download and installation process for Microsoft 365 does not keep the sign-in process from completing, so the end user can get to the desktop. Instead, they see the downloading icons for the applications until they are fully provisioned.
The Microsoft 365 apps are fully downloaded and installed without any intervention from the end user or an IT administrator.
Setting up a Windows 10 PC using Autopilot allows organizations to fully leverage the cloud to deploy desktops to end users. Autopilot lets an organization ship a new Windows 10 PC directly to the end user and have the desktop fully provisioned once they log in with their organization account. As shown, with just a bit of configuration, large numbers of end user PCs can be onboarded into the environment and fully managed.