Windows Autopilot
Microsoft
Version 2306
Services
Module Overview
Lesson 1: Introducing Windows Autopilot
Lesson 2: Autopilot Deployment
Lesson 3: Autopilot Scenarios
Lesson 1: Introducing Autopilot
• Traditional deployments
• Transition to the modern deployment way
Traditional Windows deployment // The old way
Office & apps, drivers, policies, settings
• Build a custom image, gathering everything else that’s necessary to deploy
• Deploy image to a new computer, overwriting what was originally on it
• Time means money, making this an expensive proposition
Modern Windows deployment // The new way
• Un-box and turn on off-the-shelf Windows PC
• Transform with minimal user interaction
• Device is ready for productive use
Windows Autopilot overview
Diagram: IT Admin, Hardware Vendor, Windows Autopilot, Intune, Employee
• IT Admin configures the Windows Autopilot profile in Intune
• Hardware Vendor registers device IDs with the Windows Autopilot service
• Autopilot profile sync and device sync run between Windows Autopilot and Intune
• Hardware Vendor ships the device direct to the Employee
• Employee unboxes the device and self-service deploys it
Device lifecycle management with Windows Autopilot and Intune
Lifecycle stages: Procurement, Deployment, Business ready, Management (break fix), Retirement
Key Benefits:
• No more maintenance of images and drivers
• No need for IT to touch the devices
• Simple process for users and IT
• Integration in the device supply chain
• Reset device back to a business ready state
Transform device deployment with Windows Autopilot
Trusted by IT, loved by end-users
• Deliver a secure, productive experience without ever touching the device
• Be productive from the start with a personalized out of box experience
Lesson 2: Autopilot Implementation
• One-time preparation
• Deployment steps
• Autopilot Process
Windows Autopilot // One-time preparation tasks
Azure Active Directory:
• Configure automatic MDM enrollment.
• Configure company branding.
• Enable Windows Subscription Activation if desired.
• Ensure users can join devices to Azure AD (for user-driven mode)
Intune:
• Enable the enrollment status page
• Ensure users can enroll devices in Intune
• Assign licenses to users
• (Optional) Set up enrollment restrictions so only Autopilot-registered devices can enroll
See
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requi
Windows Autopilot // Licensing requirements
One of the following, to provide the needed Azure Active Directory features (automatic MDM enrollment and company branding) and MDM functionality:
• Microsoft 365 Business subscriptions
• Microsoft 365 F1 subscriptions
• Microsoft 365 Academic subscriptions
• Microsoft 365 Enterprise E3 or E5 subscriptions
• Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features
• Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service)
See https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing for more information
Three simple steps
• Register devices
• Assign a profile
• Deploy
Three simple steps (I) // Register devices
• Register through OEM, distributor or reseller
  • Have devices registered automatically
  • Request clean images, choice of Windows 10/11 version at the same time (if available)
  • Specify group tag to help segment devices by purpose
  • Devices are automatically tagged with the purchase order ID
• Register devices yourself via Intune for testing and evaluation using the Get-WindowsAutopilotInfo PowerShell script
• Register (harvest) existing Intune-managed devices automatically
Three simple steps (II) // Assign a profile
• Use Intune:
  • Select profile scenario (user-driven, self-deploying)
  • Define AAD join type (AAD Join, Hybrid Join)
  • Configure needed settings
  • Assign to an Azure AD group so Intune will automatically assign to all devices in the group
    • Use a dynamic Azure AD group to automate this step
    • Consider a static Azure AD group for exceptions
Three simple steps (III) // Deploy
• Boot up each device
• Connect to network (Wi-Fi, Ethernet)
• Enter credentials (if required)
Manufacturer and reseller support
https://www.microsoft.com/en-us/microsoft-365/windows/windows-autopilot
Windows Autopilot // Commonly-available OEM services
• Device registration
• Clean images
• Choice of versions
• Options for customization (e.g. adding apps)
• Pre-provisioned deployment offerings
Ask your OEM, distributor or reseller what capabilities they offer and what costs are involved.
Registering existing devices manually
To register existing devices:
• Use the PowerShell script available at https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo
• Run for each device (requires Windows 10 1703 or higher)
  -> new option to upload directly to Intune
• Upload the resulting (modified) CSV file via the Intune portal
• Alternatively, use the CSV from the MDM Diagnostics tool
• See https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/add-devices#collecting-the-hardware-id-from-existing-devices-using-powershell for more information
Get Device Hardware ID via PowerShell
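As an added example (not part of the course material and not the published Get-WindowsAutoPilotInfo script itself), the following PowerShell collects the hardware hash from the local device through the same MDM bridge WMI class that script queries, and writes the CSV layout the Intune portal imports. The output path, group tag and assigned user are parameters of this example; the trailing comment shows the published script's -Online upload option.

```powershell
# Added example: collect the Autopilot hardware hash locally and write an
# Intune-importable CSV. Run in an elevated PowerShell on Windows 10 1703+.
param(
    [string]$OutputFile   = ".\AutopilotDevices.csv",
    [string]$GroupTag     = "",   # optional label, later usable for dynamic-group assignment
    [string]$AssignedUser = ""    # optional UPN; leave empty unless pre-assigning a user
)

# The hardware hash (DeviceHardwareData) is exposed by the MDM bridge provider.
$devDetail = Get-CimInstance -Namespace "root/cimv2/mdm/dmmap" `
    -ClassName "MDM_DevDetail_Ext01" `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail) {
    throw "MDM bridge class not available: run elevated on Windows 10 1703 or later."
}

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$hash   = $devDetail.DeviceHardwareData

# Column headers must match what the Intune import expects. The Windows
# Product ID column is left empty because the hardware hash is sufficient.
$row = [PSCustomObject]@{
    "Device Serial Number" = $serial
    "Windows Product ID"   = ""
    "Hardware Hash"        = $hash
    "Group Tag"            = $GroupTag
    "Assigned User"        = $AssignedUser
}

# Write without quotes (the portal import expects bare values) and append so
# one file can be built up from several devices; the header is written once.
$lines = $row | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' }
if (Test-Path $OutputFile) {
    Add-Content -Path $OutputFile -Value $lines[1]
} else {
    Set-Content -Path $OutputFile -Value $lines
}
Write-Host "Recorded serial '$serial' (hash length $($hash.Length)) in $OutputFile"

# To skip the CSV and register straight into Intune, the published script's
# -Online switch performs the upload (needs the Microsoft Graph PowerShell
# module and a caller with Intune device-enrollment rights):
#   Install-Script -Name Get-WindowsAutoPilotInfo
#   Get-WindowsAutoPilotInfo.ps1 -Online -GroupTag $GroupTag
```

Run it once per device and import the accumulated CSV under Devices > Windows > Windows enrollment > Devices in the Intune portal; the hash is a long base64 string and must not be edited by hand.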
Registering existing devices automatically
If you have existing Windows 10/11 devices:
• Enable the new Autopilot profile setting for all targeted devices
• Ensure the Autopilot profile is assigned to a group containing the existing Windows 10/11 devices
If your existing Windows 10/11 devices are not yet Intune-managed:
• Enable co-management with ConfigMgr via the “Automatic enrollment into Intune” setting. (See https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview#enable-co-management)
• Ensure all new Intune-enrolled Windows 10 /11
Registering devices // Flow
Diagram: Autopilot, Intune, Azure AD
• Add device to Autopilot deployment service
• Device syncs from Autopilot deployment service to Intune (manually or every 12 hours)
• Intune assigns Autopilot profile based on group assignment (automatically, asynchronously)
• Azure AD object created for device; attributes automatically set (automatically, asynchronously):
  • ZTDId
  • OrderID (device tag)
  • PurchaseOrderID
• Azure AD dynamic group membership updated
Registering devices // Summary
OEM API
• Devices registered with:
  • Manufacturer, model, serial number
  • Serial number, Windows product ID
• Customer authentication required
• API (only)
Partner Center
• Devices registered with:
  • Manufacturer, model, serial number
  • Serial number, Windows product ID
  • Serial number, hardware hash
• Customer authentication required: Partner Center delegation (no AAD rights required)
• Portal or Partner Center API
Microsoft Intune
• Automatic registration of existing devices
• Devices registered with:
  • Serial number, hardware hash
• Portal or Intune Graph API
• Microsoft Store for Business device registration is planned to be discontinued
Lesson 3: Autopilot Scenarios
• Deployment Scenarios
• Decision Tree
• Deployment profile
• Enrollment Status Page
Windows Autopilot // Deployment Scenarios
• User-driven mode with Azure AD Join: join device to Azure AD, enroll in Intune/MDM
• User-driven mode with Hybrid Azure AD join: join device to AD, enroll in Intune/MDM
• Windows Autopilot Pre-provisioned deployment: pre-provisioned deployment partners or IT staff can pre-provision a Windows 10/11 PC to be fully configured and business-ready for an org or user
• Self-deploying mode (preview): no need to provide credentials, automatically joins Azure AD
• Windows Autopilot for existing devices: scenarios: Windows 7/8.1 to Windows 10/11 ConfigMgr task sequence, followed by Windows Autopilot user-driven mode
• Autopilot Reset: redeploy a device in a business-ready state
Creating an Autopilot profile
• Configuration options:
  • Deployment mode
  • Azure AD mode
  • Out-of-box experience (OOBE) settings
  • Account type
  • Language and keyboard
  • Device naming pattern
    • %SERIAL%
    • %RAND:x% (where x is the number of digits)
Enable the Enrollment Status Page
Options
• ESP configuration
• Set time limitation
• Error handling and user information
• Show OOBE to first / every new user
• Block device until all or selected apps and configuration profiles are installed
User Assignment / Friendly Name
• Only available in OS with Quality Update 09 2022
• Use portal or CSV file to assign a user
Assigning an Autopilot profile
• Automated using groups
  • An Azure AD device object is automatically created for each imported Autopilot device
  • Create Azure AD groups and assign an Autopilot profile to the group
  • Intune will automatically assign the profile to all members of the assigned group
• Options for grouping
  • Dynamic group with all Autopilot devices
  • Dynamic group based on purchase order ID
  • Dynamic group based on device tag (orderID)
  • Manual
AAD sample queries:
  (device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
  (device.devicePhysicalIds -any (_ -eq "[OrderID]:123456"))
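As an added example (not from the course material or any Microsoft script), the following PowerShell creates the dynamic Azure AD device groups behind the sample queries above with the Microsoft Graph PowerShell SDK and then reads back their processing state. It goes one step beyond the slide by adding a purchase-order rule of the same form. The group names, the order ID 123456 and the purchase order value are constructed samples; the caller needs the Microsoft.Graph.Groups module and Group.ReadWrite.All consent.

```powershell
# Added example: create Autopilot dynamic device groups via Microsoft Graph
# PowerShell and verify the membership rules were accepted.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Membership rules match on attributes written into the device object at
# Autopilot registration: ZTDId (any Autopilot device), OrderID (group tag)
# and PurchaseOrderId. Names and values below are constructed samples.
$rules = [ordered]@{
    "Autopilot-AllDevices" = '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'
    "Autopilot-Tag-123456" = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:123456"))'
    "Autopilot-PO-Sample"  = '(device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:76222342342"))'
}

function New-AutopilotDynamicGroup {
    param([string]$Name, [string]$Rule)

    # Reuse an existing group with the same name rather than creating a duplicate.
    $existing = Get-MgGroup -Filter "displayName eq '$Name'"
    if ($existing) {
        Write-Host "Group '$Name' already exists ($($existing.Id)); skipping"
        return $existing
    }

    # Security-enabled, mail-disabled dynamic group with rule processing on.
    New-MgGroup -DisplayName $Name `
        -MailEnabled:$false `
        -MailNickname ($Name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled:$true `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $Rule `
        -MembershipRuleProcessingState "On"
}

foreach ($entry in $rules.GetEnumerator()) {
    $group = New-AutopilotDynamicGroup -Name $entry.Key -Rule $entry.Value
    Write-Host "$($group.DisplayName): $($group.MembershipRule)"
}

# Azure AD evaluates dynamic membership asynchronously, so check the
# processing state before assigning the Autopilot profile to the group.
Get-MgGroup -Filter "startsWith(displayName,'Autopilot-')" |
    Select-Object DisplayName, MembershipRuleProcessingState, MembershipRule
```

Once the groups show a processing state of On and the expected members, assign the Autopilot deployment profile to them in Intune; the slide's flow diagram means newly registered devices land in the right group without manual work.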
Demo |
Creating an Autopilot profile
Assigning the Autopilot profile
Enabling the Enrollment Status Page
Windows Autopilot
User-driven deployment with Azure AD
Windows Autopilot
User-Driven Hybrid Azure AD join
Windows Autopilot // User-Driven deployment with Hybrid AAD
Diagram: Windows Autopilot Deployment Service, Intune, Offline Domain Join Connector, DC; IT Admin configures, Employee unboxes device and self-deploys
• Device presents its hardware ID to the Windows Autopilot Deployment Service and receives the Autopilot profile
• Device performs MDM enrollment with Intune
• Intune obtains an offline domain join (ODJ) blob through the Offline Domain Join Connector; the device receives the ODJ
• Device completes the join over the corporate network and receives GPOs over the corporate network
Windows Autopilot // User-Driven deployment with Hybrid AAD
Skip AD connectivity check: allows the deployment to proceed so that Intune policies (certificates, VPN profile) can be applied, which then allow connection to the domain controller.
Windows Autopilot
Self-deploying mode (preview)
Windows Autopilot // Task sequence integration
• Target a configuration task sequence to your provisioning computers collection
• ConfigMgr client installs and immediately runs the specified task sequence
• Download on demand from CMG supported for task sequences starting 1910
• Call PROVISIONTS:<ID> from the ccmsetup command line
• Use with a nested task sequence to have a consistent new device state
Autopilot to Co-management
• Configuration Manager
  • Directs the workload authority in an orchestrated manner between Configuration Manager and Intune
  • Device will wait for Configuration Manager if ESP is active
Windows Autopilot
Pre-provisioned deployment
Windows Autopilot // Pre-provisioned deployment
• OEM (minutes): Windows image and drivers
• OEM, Partner, or IT (minutes to hours): device apps, settings, policies
• End User (minutes): user settings, policies; user apps
Optimized for:
• Network speed (caching)
• Multitasking
At the Woodgrove warehouse, devices are processed…
Windows Autopilot | Remote Actions: Wipe, Retire, Reset, Fresh Start
Windows Autopilot Reset Scenarios
• Local Autopilot Reset
  • Configure CSP
  • Trigger reset with CTRL-WIN-R
  • Sign-in with admin credentials
• Remote Autopilot Reset
  • Trigger in Intune portal
Windows Autopilot Reset
• Requires WinRE configured and enabled
• Removes personal files, apps, and settings
• Removes primary user
  • Next logged on user will become the primary user
• Preserves Azure Active Directory join and MDM enrollment, so the device is still managed
• Reapplies device original settings
  • Maintains its identity in AAD, keyboard, language, Wi-Fi connection details, provisioning packages
• Takes 20-30 minutes to complete on typical hardware
Fresh Start
• Unenrolls device from Intune, retains Azure AD device state
• Retains Intune and Azure AD join state when checkbox is selected
• Removes user accounts
• Removes user data
• Removes MDM policies
• Removes settings
• Removes Win32 apps (also OEM apps)
• Retains Windows Store apps
• Updates to the latest version of Windows.
Wipe
• Removes Intune enrollment
• Retains Intune and AAD join state if checkbox is selected
• Removes user accounts
• Removes user data
• Removes MDM policies
• Removes non-default settings
• Removes user-installed apps
• Retains OEM-installed apps
• Resets the operating system to its default state and settings
“Protected wipe” tries to wipe until it is successful. A power off will not circumvent the wipe -> this may be a risk, leaving the device unable to boot.
Retire
• Only for BYOD devices (Azure AD registered)
• Removes Intune enrollment
• Removes company data only within apps installed through Intune
• Removes MDM policies
• Wi-Fi and VPN profiles are removed
• Removes Intune provisioned E-Mail and EFS enabled emails and attachments
• Retains user personal data
Rename existing device
Works for:
• AAD joined corporate-owned devices
• AAD joined corporate-owned co-managed devices
• User will be notified about the rename
Define Computername / Group Tag
• Device names and group tags can be changed
• Group tag change may change the assignment to deployment profiles if the group tag is used for dynamic groups.
• Device name overrides naming policy
Change Primary User
• Primary user
  • Is defined during device enrollment
  • Used in Company Portal to display all devices for a given user
  • Also used by the administrator to look up the user
  • Since the 2006 release supported for hybrid AAD joined devices
  • AAD object is also changed
Autopilot Diagnostics
• Display additional detailed troubleshooting information
• Enable/Disable by ESP
• Ctrl + Shift + D
Autopilot Deployment Report
• Analyze deployment details
• Devices > Device Onboarding > Enrollment > Autopilot deployments
Autopilot Troubleshooting
• Several policy conflicts can cause issues during deployment
  • The AppLocker CSP is not supported in the Enrollment Status Page
  • The out-of-box experience (OOBE) or user desktop autologon
  • Device Lock for Kiosk scenarios
  • Policies which require a reboot:
    • Windows Security Baseline / Administrator elevation prompt behavior
    • Windows Security Baseline / Require admin approval mode for administrators
    • Windows Security Baseline / Enable virtualization-based security
  • Microsoft Sign-in Assistant service (wlidsvc) is required by Windows Autopilot to obtain the Windows Autopilot profile
  • AutoAdminLogon set to disabled breaks Windows Autopilot pre-provisioning
  • Local policies around interactive logon
MDM Diagnostic Tool
Built-in tool to output MDM diagnostic information. Use the “-area” switch to focus on Autopilot.
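As an added example (not part of the course material), the following PowerShell checks the device-side conditions from the troubleshooting slide (wlidsvc, AutoAdminLogon, WinRE for Autopilot Reset, and whether an Autopilot profile has been cached) and then collects an Autopilot-focused diagnostics cab with the built-in MDM Diagnostics Tool from the slide above. The output folder is an assumption of this example; run it elevated on the affected device.

```powershell
# Added example: Autopilot pre-flight checks plus MDM diagnostics collection.
$report = [ordered]@{}

# 1. wlidsvc (Microsoft Account Sign-in Assistant) must be able to start, or
#    the device cannot retrieve its Autopilot profile.
$svc = Get-Service -Name wlidsvc -ErrorAction SilentlyContinue
$report["wlidsvc present"]      = [bool]$svc
$report["wlidsvc start type"]   = if ($svc) { $svc.StartType } else { "missing" }
$report["wlidsvc not disabled"] = [bool]($svc -and $svc.StartType -ne "Disabled")

# 2. AutoAdminLogon forced to 0 (for example by a logon hardening policy)
#    breaks pre-provisioning, which relies on the automatic technician logon.
$winlogon  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$autoLogon = (Get-ItemProperty -Path $winlogon -Name AutoAdminLogon -ErrorAction SilentlyContinue).AutoAdminLogon
$report["AutoAdminLogon value"] = if ($null -eq $autoLogon) { "not set" } else { $autoLogon }

# 3. Autopilot Reset requires WinRE to be configured and enabled.
$reagent = & reagentc.exe /info 2>&1
$report["WinRE enabled"] = [bool]($reagent | Select-String -Pattern "Windows RE status:\s+Enabled")

# 4. Has a profile been downloaded? The deployment service caches it here
#    once the device has been matched to an Autopilot registration.
$profilePath = Join-Path $env:windir "ServiceState\wmansvc\AutopilotDDSZTDFile.json"
$report["Autopilot profile cached"] = Test-Path $profilePath

$report.GetEnumerator() | ForEach-Object { "{0,-26} : {1}" -f $_.Key, $_.Value }

# 5. Collect Autopilot (and TPM attestation) diagnostics with the built-in tool.
$outDir = "C:\Temp\AutopilotDiag"   # assumed output location for this example
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$cab = Join-Path $outDir ("Autopilot_{0}.cab" -f (Get-Date -Format "yyyyMMdd_HHmmss"))
& (Join-Path $env:windir "System32\MdmDiagnosticsTool.exe") -area "Autopilot;TPM" -cab $cab
if (Test-Path $cab) { "Diagnostics written to $cab" } else { "MdmDiagnosticsTool did not produce a cab" }
```

A missing or disabled wlidsvc, an AutoAdminLogon value of 0, or an absent profile cache each point to one of the conflicts listed on the troubleshooting slide; the cab contains the Autopilot event log and registry export for the remaining cases.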
Autopilot devices in Azure AD
Windows Autopilot devices have limited management options in Azure AD. They need to be managed from the Intune admin interface.
Lab: Windows Autopilot
© 2023 Microsoft Corporation. All rights reserved.