Windows Autopilot is a cloud-based service from Microsoft that allows enterprises to accelerate the deployment of end user devices from the cloud. It is straightforward to configure and helps to reduce the workload on the IT helpdesk in terms of imaging PCs and tediously installing software before sending the desktops to end users.

Windows Autopilot supports user-driven mode, which allows end users to unbox a PC, power it on, choose a language, connect to their home or remote network, enter sign-in information, and then have the PC automatically perform the rest of the provisioning process. This automated portion of the configuration includes the following:

  • Joining your organization
  • Enrolling the device in Microsoft Intune
  • Configuring the PC based on the settings and installations defined at the organizational level

User-driven mode supports two join scenarios:

  • Azure Active Directory
  • Hybrid Azure Active Directory

To simulate an end user that receives a Windows 10 desktop and unboxes it, we will use a Windows 10 VM instead of an unboxed PC.

OEMs automatically capture the device ID of each device in the factory. Using the PowerShell script below, we simulate the OEM vendor and capture the hardware ID of the virtual machine.

The steps of the script are as follows:

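# Create a working folder for the hardware-ID export
md c:\HWID
Set-Location c:\HWID
# Relax the execution policy for this PowerShell process only
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
# Download the script from the PowerShell Gallery
Install-Script -Name Get-WindowsAutopilotInfo -Force
# Make the installed script resolvable by name
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
# Write the hardware ID of this machine to a CSV file
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv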
Get WindowsAutoPilotInfo using PowerShell

The steps above create a CSV file that can be imported into Autopilot to test its functionality. Browse to and select your CSV file for Autopilot.

Import devices into Windows Autopilot

The new Autopilot device is successfully added.

Device successfully imported into Windows Autopilot

Add a new group for Autopilot scoping

Most likely, you will want to scope your Autopilot deployments to a specific group. You can easily do that by creating a new Azure Active Directory group. Below, the membership type is assigned. In production environments, you can also benefit from dynamic groups that can automatically define group memberships.

Create an Azure Active Directory group for Windows Autopilot

For group membership, add the device type imported earlier. After finding the device type, click the Select button.

Add the new imported device to your Azure Active Directory Autopilot group

The new device type is now a member of the Azure Active Directory group.

Configuring company branding

It is recommended to configure your company branding, which helps customize the look and feel of the Autopilot process so it's familiar to the end user provisioning the PC. Additionally, it helps to quickly know if the Autopilot process is targeting the device correctly. To customize the company branding, navigate to your Azure Active Directory blade, and choose Company branding. Below, a banner logo and "sign-in page text" are defined.

Add company branding for Autopilot

Configure mobility

Next, we want to configure mobility (MDM and MAM) policies. In your Azure Active Directory blade, choose Mobility (MDM and MAM). Here, we set both to All.

Configure MDM user scope and MAM user scope

Assigning applications to the Windows Autopilot profile

Next, using Microsoft Endpoint Manager, you can assign Windows apps to the Windows Autopilot profile. This feature is a great way to quickly get the applications provisioned that are needed by the end-users. Office apps are one of the primary applications required by users for business productivity. In the Endpoint Manager, choose Apps > Windows > Add to add Microsoft 365 apps for Windows 10.

Adding a new app assignment to the Windows Autopilot deployment

Under the Microsoft 365 Apps properties for Windows 10, after adding it to the available apps, choose Properties > Assignments > Edit.

View the properties of the assigned application and edit assignments

Add the same group you used to scope your Autopilot deployment. Click Review + save.

Assign the group added earlier to the Windows Autopilot deployment profile

Create a Windows Autopilot deployment profile

We now have some basic requirements for Autopilot in place. Now, we need to define the Autopilot deployment profile. In Microsoft Endpoint Manager, click Devices > Enroll devices > Deployment profiles.

Begin creating an Autopilot deployment profile

Choose Create profile > Windows PC.

Creating a new profile

It launches the Create profile wizard. Select a name for the profile.

Name the new Autopilot profile

On the out-of-box experience screen, choose the deployment mode, Azure AD join type, and other settings to customize the experience. In the user-driven approach, devices are associated with the user deploying the device, and user credentials are required for deployment. Click Next when the settings are configured to align with your organization's needs.

Configure the out of box experience using Autopilot

On the Assignments screen, choose the group to which you want to assign the deployment profile. Here, we choose the group containing the imported device type.

Assign the new Autopilot deployment profile

Review and create the new Autopilot deployment profile.

Review and create the new deployment profile

The new deployment profile is created successfully.

New deployment profile for Autopilot is created successfully

If you go back to the Windows Autopilot devices screen, you'll notice the Profile status displays "Not assigned." If this is the case, click the Sync button.

The device shows Not assigned at first

After syncing, the Profile status displays Assigned.

After syncing the Windows enrollment it shows as assigned

Running Windows Autopilot on a Windows 10 PC

Now that Autopilot and other components are configured, we can test the Autopilot functionality on the Windows 10 PC. During the out-of-box experience, I select the Set up for an organization option.

Setup for an organization

Next, enter the organization account to be used for configuring the Windows 10 PC.

Sign in with the organization account for Windows Autopilot

Note that after entering the organization account, the custom branding message is displayed below. Seeing this is a good sign that Autopilot is working. After entering your password, you will see the normal screens to follow to configure Windows Hello and set up your PIN code for accessing the machine.

Enter the password and the custom branding message is displayed

Once signed in, we see Microsoft 365 apps start to download. The full download and installation process for Microsoft 365 does not keep the sign-in process from completing, so the end user can get to the desktop. Instead, they see the downloading icons for the applications until they are fully provisioned.

Microsoft 365 apps are being downloaded as part of the Autopilot provisioning process

The Microsoft 365 apps are fully downloaded and installed without any intervention from the end user or an IT administrator.

Microsoft 365 apps are eventually downloaded and installed using Autopilot

Setting up a Windows 10 PC using Autopilot allows organizations to fully leverage the power of the cloud to deploy desktops to end users. Autopilot enables organizations to have a new Windows 10 PC shipped to the end user and have the desktop fully provisioned once they log in with their organization account. As shown, with just a bit of configuration, large numbers of end user PCs can be successfully onboarded into the environment and fully managed.


© 4sysops 2006 - 2023
