
5 Moderndesktop Windowsautopilot 190621153524

Uploaded by

Chetan Sharma
Copyright © All Rights Reserved
Windows Autopilot

Andrew Bettany MCT, MVP


IT Masterclasses Ltd
Traditional Windows deployment // The old way

Image contents: Office & apps, drivers, policies, settings

• Build a custom image, gathering everything else that’s necessary to deploy
• Deploy image to a new computer, overwriting what was originally on it
• Time means money, making this an expensive proposition

Modern Windows deployment // The new way

• Un-box and turn on off-the-shelf Windows PC
• Transform with minimal user interaction
• Device is ready for productive use

Device lifecycle management with Windows Autopilot and Intune

Key Benefits:
• No more maintenance of images and drivers
• No need for IT to touch the devices
• Simple process for users and IT
• Integration in the device supply chain
• Reset device back to a business ready state

[Lifecycle diagram labels: Procurement, Deployment, Business ready, Management, Retirement, Break fix]


The transformation

OEM-optimized Windows 10
+ Software
+ Settings
+ Updates
+ Features
+ User data
Ready for productive use
Windows Autopilot deployment
Cloud driven

Three simple steps:
1. Register devices
2. Assign an Autopilot profile to the devices
3. Ship the device to the user


Administering Windows Autopilot

• Microsoft Store for Business
• Partner Center
• Microsoft Intune / Microsoft 365
• Microsoft 365 Business Device Management

Step 1. Registering devices
Major OEM status

Device registration / Clean images, one line per OEM in slide order:
• Free / $30/PC offering
• (Targeting later CY19) / $3 option
• $5/device / Free; additional offerings at $5/PC and $8-35/PC
• Free / Free

Notes:
• Initially customers will register existing devices for testing/validation
• They will want to know about OEM offerings, to make sure they can eventually have the OEM register devices for them
• Dell: $30/PC offering includes device registration, clean image or custom image loading, and choice of N, N-1, or N-2 Windows 10 releases
• Lenovo: $5/PC offering removes most apps from the OS; $8-35/PC offering allows choice of N, N-1, N-2 Windows 10 releases and offers preloading of up to five Win32 apps
• HP: Pilot program available today, they will e-mail a spreadsheet to the customer so the customer can upload the devices via MSfB

Registering new devices
Supply chain integration

OEMs, distributors, and resellers make the process easy:
• Automatically add new devices to Azure tenant at time of shipment
• Associate devices to customer’s purchase order for easy device grouping
• Tag devices with a customer specified label
• Provide a preinstalled image that is ready for configuration*

For a list of those supporting Windows Autopilot supply chain integration please visit:
https://aka.ms/WindowsAutopilot

Registering existing devices
Automatically for all Intune-managed Windows 10 devices

If you have existing Windows 10 devices:
• Enable new Autopilot profile setting for all targeted devices
• Ensure the Autopilot profile is assigned to a group containing the existing Windows 10 devices

If your existing Windows 10 devices are not yet Intune-managed:
• Enable co-management with ConfigMgr via the “Automatic enrollment into Intune” setting. (See https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview#enable-co-management)
• Ensure all new Intune-enrolled Windows 10 devices are part of a group with an assigned Autopilot profile

Registering existing devices
Manually for existing devices

To register existing devices:
• Use the PowerShell script available at https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo
• Run for each device (requires Windows 10 1703 or higher)
• Upload resulting CSV file via Intune portal
• See https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/add-devices#collecting-the-hardware-id-from-existing-devices-using-powershell for more information

Great for testing and validation with existing devices and virtual machines
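
One way to combine and sanity-check the per-device CSV files before the Intune upload, as an added PowerShell example that is not part of the original slides or of Get-WindowsAutopilotInfo. The column names are the ones that script's CSV uses; the function name Merge-AutopilotCsv, the unquoted ASCII output and the sample rows are assumptions made for this example.

```powershell
# Added example. Merge-AutopilotCsv is a hypothetical helper; sample rows are constructed.
function Merge-AutopilotCsv {
    param(
        [Parameter(Mandatory)][string]$Path,        # folder holding one CSV per device
        [Parameter(Mandatory)][string]$OutputFile   # combined file to upload
    )
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $seen = @{}                                     # serial -> file it was first seen in
    $good = [System.Collections.Generic.List[object]]::new()

    foreach ($file in Get-ChildItem -Path $Path -Filter *.csv) {
        foreach ($row in Import-Csv -Path $file.FullName) {
            $missing = @($required | Where-Object { $_ -notin $row.PSObject.Properties.Name })
            if ($missing.Count -gt 0) {
                Write-Warning "$($file.Name): missing column(s): $($missing -join ', ')"
                break                               # not an Autopilot CSV, skip the file
            }
            $serial = "$($row.'Device Serial Number')".Trim()
            $hash   = "$($row.'Hardware Hash')".Trim()
            $reason = $null
            if (-not $serial)                   { $reason = 'empty serial number' }
            elseif ($seen.ContainsKey($serial)) { $reason = "duplicate of $($seen[$serial])" }
            elseif (-not $hash)                 { $reason = 'empty hardware hash' }
            else {
                # The hash is a Base64 blob; a damaged value usually fails to decode.
                try   { [void][Convert]::FromBase64String($hash) }
                catch { $reason = 'hardware hash is not valid Base64' }
            }
            if ($reason) { Write-Warning "$($file.Name): '$serial' skipped, $reason"; continue }
            $seen[$serial] = $file.Name
            $good.Add(($row | Select-Object -Property $required))
        }
    }
    # Assumption: the upload takes unquoted ASCII CSV (values contain no commas).
    $good | ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Set-Content -Path $OutputFile -Encoding Ascii
    return $good.Count
}

# Constructed demo data: two devices plus a repeat of the first (real hashes are far longer).
$dir = Join-Path ([IO.Path]::GetTempPath()) 'autopilot-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$hdr = 'Device Serial Number,Windows Product ID,Hardware Hash'
Set-Content -Path (Join-Path $dir 'pc1.csv') -Value $hdr, 'SN-0001,,QUJDRA=='
Set-Content -Path (Join-Path $dir 'pc2.csv') -Value $hdr, 'SN-0002,,RUZHSA=='
Set-Content -Path (Join-Path $dir 'pc3.csv') -Value $hdr, 'SN-0001,,QUJDRA=='
Merge-AutopilotCsv -Path $dir -OutputFile (Join-Path ([IO.Path]::GetTempPath()) 'autopilot-combined.csv')
```

The warnings name each skipped row and the file it came from, so a repeated or damaged entry is caught before the import rather than after it.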
Registering devices // Summary

OEM API Partner Center Microsoft Intune


Step 2. Assign profile
Creating an Autopilot profile

Configure important details:
• Deployment mode
• Specific settings required for the deployment mode
• New! BitLocker encryption even for non-admin users (requires Windows 10 1809)
• Out-of-box experience (OOBE) settings
• New! Hide change account options (requires Windows 10 1809)
• New! Device naming pattern, supporting variable substitution (requires Windows 10 1809):
• %SERIAL%
• %RAND:x% (where x is the number of digits)
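
A preview of what a naming pattern expands to for a given set of serial numbers, as an added PowerShell example that is not part of the original slides. %SERIAL% and %RAND:x% are the variables listed above; the 15-character limit and the letters/digits/hyphen rule are the Windows computer-name constraints assumed here, and the function name and serial numbers are constructed.

```powershell
# Added example. Test-AutopilotNameTemplate is a hypothetical helper, not an Intune cmdlet.
function Test-AutopilotNameTemplate {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string[]]$SerialNumber
    )
    foreach ($serial in $SerialNumber) {
        # Expand %RAND:x% to x random digits, then %SERIAL% to the device serial.
        $name = [regex]::Replace($Template, '%RAND:([1-9]\d*)%', {
            param($m)
            $n = [int]$m.Groups[1].Value
            -join (1..$n | ForEach-Object { Get-Random -Maximum 10 })
        })
        $name = $name.Replace('%SERIAL%', $serial)

        # Assumed constraints: at most 15 characters, letters/digits/hyphen, not all digits.
        # An unknown or misspelled variable leaves a literal '%' and fails the character rule.
        $problems = @()
        if ($name.Length -gt 15)               { $problems += "length $($name.Length) exceeds 15" }
        if ($name -notmatch '^[A-Za-z0-9-]+$') { $problems += 'characters other than letters, digits, hyphen' }
        if ($name -match '^\d+$')              { $problems += 'name is all digits' }

        [pscustomobject]@{
            Serial   = $serial
            Name     = $name
            Valid    = ($problems.Count -eq 0)
            Problems = $problems -join '; '
        }
    }
}

# Constructed serials: a short one and a long one of the kind some vendors and VMs report.
Test-AutopilotNameTemplate -Template 'CORP-%SERIAL%' -SerialNumber 'PF1ABC23', '5CG9123XYZ-0042'
Test-AutopilotNameTemplate -Template 'KIOSK-%RAND:4%' -SerialNumber 'PF1ABC23'
```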


Assigning an Autopilot profile
Automated using groups

If you have existing Windows 10 devices:
• An Azure AD device object is automatically created for each imported Autopilot device
• Create one or more Azure AD groups
• Assign an Autopilot profile to the Azure AD group
• Intune will automatically assign the profile to all members of the assigned group

Options for grouping:
• Dynamic group with all Autopilot devices
• Dynamic group based on purchase order ID
• Dynamic group based on device tag (orderID)
• Manual

Creating a group with all Autopilot devices
Creating a group for a device tag (Order ID)
Assigning a profile
Registering devices // Flow
Step 3. Deploy!
Windows Autopilot overview

[Diagram labels: Hardware Vendor; Device IDs; Windows Autopilot; Autopilot profile sync; Device sync; Intune; IT Admin; Configure Windows Autopilot profile; Self-service deploy; Ship; Deliver direct to Employee; Employee unboxes device, self-deploys]

Windows Autopilot // Licensing requirements

One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality:
• Microsoft 365 Business subscriptions
• Microsoft 365 F1 subscriptions
• Microsoft 365 Academic subscriptions
• Microsoft 365 Enterprise E3 or E5 subscriptions
• Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features
• Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service)

Azure Active Directory:
https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding

Intune:
Windows Autopilot
Enrollment status page

Ensure policies, apps and settings are complete prior to the end user gaining access to the desktop
Confirm minimum baseline requirements
Protect data during device set up
Deliver a compliant secure device
Personalize the out of box experience
New! Unlock Windows 10 in S mode (requires Windows 10 1809)

Requirements
Windows 10, version 1803 (with May cumulative update or later)
Azure Active Directory Premium
Microsoft Intune

Scenarios
Windows Autopilot // Deployment Scenarios

• User-driven mode with Azure AD Join (AVAILABLE; Windows 10 1703 and above): Join device to Azure AD, enroll in Intune/MDM
• Self-deploying mode (AVAILABLE in 1809; Windows 10 1809 and above): No need to provide credentials, automatically joins Azure AD
• User-driven mode with Hybrid Azure AD join (AVAILABLE in 1809; Windows 10 1809 and above): Join device to AD, enroll in Intune/MDM
• Windows Autopilot for existing devices (AVAILABLE in 1809; Windows 10 1809 and above): Windows 7 to Windows 10 ConfigMgr task sequence, followed by Windows Autopilot user-driven mode

User-driven deployment
with Azure AD
Windows Autopilot // User-driven deployment with Azure AD

Prerequisites:
• Windows 10 version 1703
• Azure Active Directory Premium
• Microsoft Intune

Steps:
1. Device connected to internet network
2. Register device with Windows Autopilot
3. Assign Intune Autopilot Profile configured for Azure AD join
4. Boot device

Design notes

Should be done by the end user

User authenticates with Azure AD from the start

Choose between admin and non-admin

Typically for single-user (not shared) devices


User-driven deployment with Azure AD
Self-deploying mode
Windows Autopilot // Self-deploying mode with Azure AD

Prerequisites:
• Windows 10 version 1809
• Azure Active Directory Premium
• Microsoft Intune
• Device with TPM 2.0

Steps:
1. Device connected to internet
2. Register device with Windows Autopilot
3. Assign Intune Autopilot Profile configured for self-deploying mode
4. Boot device

How would you use Autopilot to deploy…

• Multi app kiosk
• Shared PC
• Digital signage
• Single app kiosk
• VDI clients

Design notes

Technicians usually set up these types of devices

No defined user to auth or set up the device

May not have peripherals (keyboards, mice, etc.)

Typically involve “walk up and use” scenarios


Self-deploying mode (kiosks)
for existing devices
Windows Autopilot // Windows Autopilot for existing devices

Prerequisites:
• Windows 10 version 1809
• Azure Active Directory Premium
• Microsoft Intune
• System Center Configuration Manager
• OneDrive for Business

Steps:
1. Create task sequence to deploy generic Windows 10 image with needed drivers (wipe-and-load)
2. Migrate data to OneDrive for Business (in advance)
3. Deploy task sequence to existing Windows 7 devices, installing Windows 10 and proceeding through Windows Autopilot user-driven process to join device to Azure AD

January 14, 2020
Windows
Autopilot
Design notes

Upgrading the OS is just part of the problem

Need to migrate user data from Win7 to Win10

Unable to harvest hardware hashes in Win7


Autopilot for existing devices
Roadmap
Windows Autopilot // New in Windows 10 1903!

• Windows Autopilot “White Glove” (AVAILABLE in 1903; Windows 10 1903 and above): White glove partners or IT staff can pre-provision Windows 10 PC to be fully configured and business-ready for an org or user
• ESP enhancements (AVAILABLE in 1903; Windows 10 1903 and above): ESP tracks Intune Management Extensions, SCCM and Office installs. IT admin can choose what apps block during ESP through Intune
• Cortana voiceover disabled in OOBE (AVAILABLE in 1903; Windows 10 1903 and above): Cortana voiceover disabled by default for Pro and above SKUs
• Self-updating Autopilot (AVAILABLE in 1903; Windows 10 1903 and above): Enable new Windows Autopilot functionality without updating Windows.

White Glove

Screen: “Continue in English?” (“Would you like to continue in English?”)
Let’s take an alternate path though by pressing a key combination

Screen: “Now we can go look for any updates…” (“Alright, you’re connected. Now we can go look for any updates…”)

Screen: “Setting up your device for work. This could take a while and your device may need to reboot.”
• Device preparation: Joined to Hybrid/Azure AD and enrolled into Intune
• Device setup: Device-targeted apps and settings are processed
• Account setup: {optionally} user-targeted apps can be processed

Now the device (with all apps, updates, and policies applied) can be shipped to the user…
