Windows Autopilot – A step-by-step overview

Windows Autopilot is one of the most awaited additions to Microsoft next-gen device management strategy. As per the familiarity is concerned Microsoft had revolutionized the mode in which we deploy operating system images let it be MDT (Microsoft Deployment Toolkit) or SCCM OSD. With the introduction of Windows 10 a couple of years ago Microsoft has been streamlining the OS deployment and making it more and more consumer-centric like using Provisioning Packages

With Windows AutoPilot, IT professionals can customize the Out of Box Experience (OOBE) for Windows 10 PCs and enable end users to take a brand-new Windows 10 device and—with just a few clicks—having a fully-configured device ready for business use. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Most importantly, users can go through the process independently, without making any decisions and without needing to involve IT.

How Windows Autopilot works :

There are some important prerequisites and enterprise should fulfill before implementing Autopilot

  • Devices must be pre-installed with Windows 10, version 1703 or later
  • The enterprise should have Azure AD Premium P1 or P2 licenses
  • Microsoft Intune or other MDM services to manage your devices (No support yet available from SCCM or SCCM/Intune hybrid)
  • Devices must have access to the internet
  • Devices must be registered to the organization which can be done multiple methods
  • Making Windows Autopilot work if an internet proxy is used enterprise-wide

Going further granular on a step by step process from start to end

Exporting the Hardware ID

This is a step which still at works from a vendor (HP, Dell, Lenovo etc.) perspective. In general, the Hardware ID contains some unique hardware information like device serial number, Windows Product ID, hardware hash contained in CSV file. From early 2018 most of the hardware vendors will directly provide these device-specific CSV files and upload to the tenant on behalf of them. Not much information is yet available on it.

To prove the solution and test whether it works I have exported the hardware ids from VMs. Many MVPs have done quite a good amount of work of automating the export of the hardware ID by using PowerShell.  We have to make sure the VM is connected to the internet so that it can pull the required PowerShell script for generating the CSV file.

  1. Open the PowerShell console in administrator mode in the VM. Check for the required execution policy.
  2. Execute the script: Install-Script -Name Get-WindowsAutoPilotInfo
  3. Accept the warning about the path environment variable change. Allow the NuGet provider to be installed.
  4. Allow scripts to be run from “PSGallery” from the internet. As it is community supported repository you may notice it points it as an “Untrusted repository”. Accept the access by typing “Y”.
  5.  You now notice the script will be available at C:\Program Files\WindowsPowerShell\Scripts

  6.  Execute the script: .\Get-WindowsAutoPilotInfo.ps1 -ComputerName <ComputerName> -OutputFile .\ComputerName.csv

  7. You will notice a CSV file would have been got created  C:\Program Files\WindowsPowerShell\Scripts

  8. This is the CSV file which contains the required hardware information to be used in the below to import the computer information to the tenant directory. Copy it to local drive out of the VM
  9. Reset the VM or reload a vanilla Windows 10 OS into it so that it can simulate an out of box device directly from the vendor on which later we will implement Autopilot. You cannot use the VM in the current state as an Autopilot testing machine as it has already run the mini-setup and has user-related information. I preferred reloading the OS as it is faster for me.
Importing Hardware ID to the AAD Tenant

As I am writing this blog there are currently two modes by which you can import the computer information (CSV File) into your tenant directory i.e. by Microsoft Store for Business and Microsoft Partner Center. Till now there is no option to insert the computer data directly into Intune but there is a sync option by which we can sync the computer information from either from Microsoft Store for Business and Microsoft Partner Center.

I used Microsoft Store for Business for importing hardware id information, below are the steps involved:

  1. Login to Microsoft Store for Business using your tenant credentials
  2. Select “Manage”

  3. Select “Devices”

  4. Select ” Add Device” and provide the path from where the exported CSV file with the hardware ID can be loaded.

  5. Once the information is injected it will populate the details into the console as shown in the below screenshot.
Creating AutoPilot profile and assignment

You can create an AutoPilot profile with the help of all the three methodologies :

  • Option 1 – Using Microsoft Store for Business under “Manage”, go to “Devices”.
  • Click “AutoPilot Deployment”. You will notice in the drop-down, option to create a new profile.

  • Give a name to the profile and choose the required settings you want to incorporate into the policy and click “Create”

  • Select the devices on which you want to apply the policy and apply the created policy

  • All the machine will be then updated with the policy information

  • Option 2: Using Intune console in Azure Portal
  • In the Intune blade select “Device Enrolment”

  • Then select “Windows Enrolment” and in the subsequent blade select “Deployment Profiles”

  • You now get a “Create profile” option in the top-left corner of the page. Click on it.

  • Give a name to the profile. Select Join type as “Azure AD” and click on OOBE configurations

  • Select the options you need to incorporate into the profile and click “Save”

  • Then Click “Create”

  • Once the profile go back to device enrolment blade and select “Devices”

  • As informed above import of the hardware ID is still not available in intune portal. You will notice an option called “Sync” in the top left corner of the blade. Click on it.

  • This process will sync Intune to the MSTB portal database and intune will be able to fetch the all the hardware information which was added.

  • Now select the devices and “click on “Assign profile”

  • After a short while, you will notice assigned status on the select hardware

  • Now the devices are autopilot ready. Next step is the start the devices after connecting them to internet
Devices are switched on for the first time
  • It will show the below screens once the device starts from out of box for selecting the regional preferences

  • Now it will try to connect to the network (I used a wired connection, that why it is able to autodetect the connectivity. If it has to communicate to WIFI then you have to choose the appropriate wifi profile before you moving forward

     

  • Once the device is able to connect to internet the autopilot policy will kick in and in the next screen you will notice it will prompt to provide Azure AD credentials kicks you have to log in as an AAD domain user

  • Then you will pass through layers of authentications to get the access to the device

Windows AutoPilot with a Proxy

In real time in an enterprise environment, you will not find an automatic internet connection. Mostly you have to go through a company standard internet proxy. As you noticed from above steps, Microsoft Autopilot does not give you the option to do these changes yet (Microsoft must be working on it for sure) before the machine can be able to sync with the AutoPilot policy and join to the AAD.

But hold on guys with so many great minds around there it is impossible that someone already would not have thought it out.

Cheers to our very own “Windows Noobs” Mr. Niall Brady @windowsnoob has it ready for you all. Please check this post on his blog How can I use Windows AutoPilot with a Proxy?

To summarise, a lot of work is still to be done but Microsoft AutoPilot has definitely set up the foundation for more big changes coming in future modern deployment methodology.