Provisioning Windows 10 devices with Autopilot (User-Driven Azure AD Joined Scenario Step by Step Guide)

Windows Autopilot is a Microsoft cloud-based deployment service: a collection of technologies used to set up and pre-configure new Windows 10 devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover existing Windows 10 devices that are enrolled in Intune.

It simplifies the lifecycle of a device, as it moves administrators away from the effort of creating, deploying and managing custom images for scenarios such as wipe-and-reload and refresh. Once a device enters the Windows Autopilot lifecycle, it can be repurposed or assigned to another user with very little effort from administrators.

Autopilot-configured devices can be shipped to users directly by OEMs; the user just has to power on the device -> connect to WiFi -> enter Azure AD credentials to initiate the Autopilot deployment. All remaining configuration tasks are automated. Autopilot devices are deployed and managed with the speed and ease of a cloud MDM solution like Intune.

In this article I will describe the step-by-step process to implement Windows Autopilot and provision Windows 10 devices using the user-driven Azure AD joined scenario.

Windows Autopilot Requirements

  • A supported version of Windows 10
  • Licensing requirements such as a Microsoft Intune subscription and an Azure Active Directory Premium subscription
  • The device must have internet access
  • Intune configuration requirements: configure device settings, configure Azure Active Directory automatic enrollment, configure Azure Active Directory custom branding (to add a company logo), create a dynamic group, register the device and configure a deployment profile.

Autopilot Configuration Steps

Configure Device settings

  • Sign in to the Azure Portal and navigate to Azure Active Directory > Devices > Device Settings
  • Under Users may join devices to Azure AD select All and then Save. If you do not wish to enable this for all users, click Selected -> add users or groups.

Configure Azure Active Directory automatic enrollment (MDM User Scope)

  • Sign in to the Azure Portal -> Azure Active Directory -> Mobility (MDM and MAM) -> select Microsoft Intune
  • Now set the MDM user scope to All -> click Save. If you do not need to enable this for all users, click Some -> select groups. This setting specifies which users' devices are to be managed by Intune.

Configure Custom branding (Optional)

Branding is configured from Azure Active Directory -> Company Branding -> configure the required fields and save.

Create Dynamic Group for Windows Autopilot Devices

One of the prerequisites for the Autopilot experience is a dynamic group that collects the Windows Autopilot devices.

To create it, go to Intune Portal -> Groups or Azure AD -> Groups, click New Group and provide the required information.

Add the dynamic membership rule (device.devicePhysicalIDs -any _ -contains "[ZTDId]") and save. The ZTDId value is stamped on a device object when the device is registered with the Autopilot service, so only registered Autopilot devices become members of this group.

Import Windows 10 device for Autopilot in Intune portal

Device registration is normally performed by the OEM, reseller, or distributor. We can also register a device with the Autopilot service ourselves by collecting its hardware ID (hardware hash) and uploading it manually, either via Microsoft Store for Business or the Endpoint Manager admin center. Following are the steps to manually extract hardware IDs from devices and register them with Windows Autopilot:

Launch PowerShell as administrator and run the following commands one by one (the folder c:\HardwareID must already exist):
Set-Location c:\HardwareID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
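The collection step above written as a small script that also sanity-checks the CSV before it is uploaded. This is an added example, not code from the original post or from the Get-WindowsAutoPilotInfo script itself; it assumes that script is installed as shown above, and the folder name, file name and the 'Finance' group tag are this example's own choices.

```powershell
# Added example: collect the hardware hash and verify the CSV before upload to Intune.
# Assumes Get-WindowsAutoPilotInfo is installed from the PowerShell Gallery (see above)
# and that the script runs in an elevated PowerShell session.
$OutDir  = 'C:\HardwareID'          # example folder, created if missing
$CsvPath = Join-Path $OutDir 'AutoPilotHWID.csv'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# -Append lets several machines write into one CSV; -GroupTag is optional and can be
# used later to target a deployment profile. 'Finance' is a placeholder tag.
Get-WindowsAutoPilotInfo.ps1 -OutputFile $CsvPath -Append -GroupTag 'Finance'

# The CSV contains the hardware hash that registers the device with your tenant,
# so treat the file as sensitive and delete it after a successful import.
$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0) { throw "No rows were written to $CsvPath" }

# Columns the Autopilot import expects; a file without them is rejected.
$required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$present  = $rows[0].PSObject.Properties.Name
$missing  = $required | Where-Object { $_ -notin $present }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

# An empty hash means collection failed on that machine (usually a non-elevated run).
$noHash = $rows | Where-Object { [string]::IsNullOrWhiteSpace($_.'Hardware Hash') }
if ($noHash) {
    throw "Rows without a hardware hash: $($noHash.'Device Serial Number' -join ', ')"
}

# The same machine captured twice shows up as a duplicate serial number.
$dupes = $rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1
if ($dupes) { Write-Warning "Duplicate serial numbers: $($dupes.Name -join ', ')" }

Write-Host "$($rows.Count) device(s) ready for upload in $CsvPath"
```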

Below are the steps to upload the hardware IDs to the Windows Autopilot deployment service.
Sign in to the Intune Portal -> navigate to Devices -> Windows -> Windows enrollment -> click Devices

Click Import -> browse for the CSV file containing the hardware IDs -> click Import

The import is successful and the device has been added

Select the device and click Assign user to assign a user to the Autopilot device

Type the device name (the host name you want to assign)

The Autopilot device has been updated successfully.

Enrollment Status Page Configuration (Optional)

The Enrollment Status Page (ESP) displays provisioning progress after a new device is enrolled, as well as when new users sign into the device. This enables IT administrators to optionally prevent (block) access to the device until it has been fully provisioned, while at the same time giving users information about the tasks remaining in the provisioning process.

This step is optional because a default ESP already exists, but it is configured not to show configuration progress during enrollment. It is recommended to configure the existing one to show progress, or to create a new one, to provide a better user experience. Here I am using the default profile.

Create Windows Autopilot deployment profile

Deployment profiles are used to customize deployment behavior during the out-of-box experience (OOBE) phase of Autopilot devices. We can have multiple deployment profiles with different settings targeted at different device groups.

A deployment profile can be created via Intune as well as the Microsoft Store for Business portal. Deployment profiles created using the Endpoint Manager admin center get synced with Microsoft Store for Business.

To create a deployment profile:

Sign in to the Microsoft Endpoint Manager admin center. Navigate to Devices -> Windows -> Windows enrollment -> select Deployment Profiles

Click Create Profile

Type the deployment profile name and description

The option to convert all targeted devices to Autopilot automatically registers devices that are already managed by Intune with the Autopilot service

Configure the out-of-box experience (OOBE) settings for Autopilot

Under Assignments, click Select groups to include the Autopilot devices group

The Autopilot devices group has been included

Review the settings and click Create

The Windows Autopilot deployment profile has been created successfully. We can also see that the profile status is Assigned.

Windows Autopilot deployment Experience

All the required configuration is in place, the device is imported and the deployment profile is assigned; the next step is to see what the end-user experience looks like when the user powers on the device.

I am using a Windows 10 virtual machine, which needs to be reset before provisioning (Settings -> Recovery -> Reset this PC). Once Windows 10 is reset, restart the device.

We get a personalised welcome message as below; the user enters the password -> clicks Next

I have enabled two-factor authentication, so type the authentication code

Once all assigned policies, configuration and apps are installed, we can access the desktop.

The device is joined to Azure AD

The device is reflected successfully in the Azure portal

The device is reflected as Azure AD joined in the Intune portal successfully.

Thank You for reading this post!

Refer to this link for more details: https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot#:~:text=Windows%20Autopilot%20is%20a%20collection,them%20ready%20for%20productive%20use.&text=Using%20cloud%2Dbased%20services%2C%20Windows,%2C%20managing%2C%20and%20retiring%20devices.

I hope this post has given you an understanding of provisioning Windows 10 devices with Autopilot.

Published by Tamilkovan

My name is Tamil Kovan and I work as a Technical Manager at PCCW Solutions. This is my blog where I will share tips and stuff of my own on System Center related topics.