Windows Autopilot is Microsoft's modern solution for customizing the Out-Of-Box Experience (OOBE) to your needs. With Autopilot you can ensure that users no longer click through 10 different screens before they are actually logged into the device. The only thing the user has to do is connect to the Wi-Fi; after connecting, a custom company login page appears, where the user has to log in with their business credentials. Depending on the Intune configuration, the user is then provided with various security policies and applications.
Application | Microsoft Endpoint Manager (Intune)
Weblink | Microsoft Endpoint Manager admin center
Topic | Windows Autopilot
Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following subscriptions is required:
In this blog, I will describe step by step what you need to do to be able to use Windows Autopilot. Without the proper configuration, you cannot use Autopilot. After completing the steps below, your environment is ready for Windows Autopilot.
In this blog I will cover the following:
Pre-configurations - Company Branding | Microsoft Azure - Company Branding
Pre-configurations - Device Settings | Microsoft Azure - Device Settings
Pre-configurations - CNAME Validation | Microsoft Endpoint Manager - CNAME Validation
Pre-configurations - Automatic MDM Enrollment | Microsoft Endpoint Manager - Automatic MDM Enrollment
Windows Autopilot - Dynamic Security Group | Microsoft Azure - Dynamic Security Group
Windows Autopilot - Enrollment Status Page | Microsoft Endpoint Manager - Enrollment Status Page
Windows Autopilot - Deployment profiles | Microsoft Endpoint Manager - Deployment profiles
Windows Autopilot - Add an existing Windows 10 device
Company Branding
Microsoft Azure - Company Branding
Before Windows Autopilot can be used, Company Branding must be configured. The link above redirects directly to the correct location; make sure to log in as a global administrator.
Azure Device Settings
Microsoft Azure - Device Settings
To allow users to join devices to Azure, it is necessary to adjust the device settings. Use the link above to go directly to the correct location.
CNAME Validation
Microsoft endpoint Manager - CNAME Validation
To simplify enrollment, it is necessary to create two DNS aliases (CNAME records). These ensure that enrollment requests are redirected to the Intune servers.
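As an added check that is not part of the original post, the following PowerShell verifies that both enrollment CNAME records exist for a domain and point at the Microsoft targets Intune expects; `contoso.com` is a placeholder for one of your own verified Azure AD domains.

```powershell
# Added example: verify the two Intune enrollment CNAME records for a domain.
# Replace the placeholder domain with one of your verified Azure AD domains.
$Domain = 'contoso.com'

# Expected CNAME targets as documented by Microsoft for Intune auto-enrollment.
$Expected = @{
    "EnterpriseEnrollment.$Domain"   = 'EnterpriseEnrollment-s.manage.microsoft.com'
    "EnterpriseRegistration.$Domain" = 'EnterpriseRegistration.windows.net'
}

$Results = foreach ($Name in $Expected.Keys) {
    try {
        # -Type CNAME returns DnsRecord objects; NameHost holds the alias target.
        $Record = Resolve-DnsName -Name $Name -Type CNAME -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $Target = $Record.NameHost
    } catch {
        $Target = $null   # NXDOMAIN, or no CNAME record at this name
    }
    [pscustomobject]@{
        Record   = $Name
        Expected = $Expected[$Name]
        Actual   = $Target
        # Compare case-insensitively and ignore a trailing dot on the target.
        Valid    = ($null -ne $Target) -and
                   ($Target.TrimEnd('.') -ieq $Expected[$Name])
    }
}

$Results | Format-Table -AutoSize
if ($Results.Valid -contains $false) {
    Write-Warning 'One or more enrollment CNAME records are missing or point at the wrong target.'
}
```

Run it from any machine with the DnsClient module (Windows 8/Server 2012 or later); a missing or wrong record shows up as Valid = False in the table.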
Automatic MDM Enrollment
Microsoft endpoint Manager - Automatic MDM enrollment
Use MDM auto-enrollment to manage enterprise data on your employees' Windows devices. MDM auto-enrollment will be configured for Azure AD joined devices and for bring-your-own-device scenarios.
Dynamic Security Group
Microsoft Azure - Dynamic Security Group
Before we start creating an Autopilot profile, we are going to create a Dynamic Security Group. All devices added through Autopilot will automatically become members of this security group, using the following dynamic membership rule:
(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
Enrollment Status Page
Microsoft endpoint Manager - Enrollment Status Page
After the user logs in to the device, they will see the Enrollment Status Page. Depending on the selected option, the user may be allowed to use the device before everything has finished. It is also possible to block the device until certain applications are installed, for example antivirus or the Office suite.
Deployment profiles
Microsoft endpoint Manager - Deployment profiles
Now that all the configuration is done, you can start creating an Autopilot profile. Here you can indicate which choices a user is allowed to modify before the device can be used. Also important is that you can specify which rights a user has on the device: user or administrator.
PowerShell Add device to Autopilot (CSV)
Follow these steps to add an existing Windows 10 device to Autopilot.
Once your new device is installed and you are at the screen where you can select the language, press Shift + F10. If you have never used Autopilot with the -Online option, you will be asked to give permission to use Intune PowerShell; this must be done by a user with domain admin rights.
PowerShell
New-Item -Type Directory -Path "C:\HWID"    # Only needed if you want to do a CSV import
Set-Location -Path "C:\HWID"                # Only needed if you want to do a CSV import
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
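Before uploading the CSV produced by the steps above, this added PowerShell (not from the original post) checks that the file has the three columns the Intune device import expects, that every row has a serial number and a base64-decodable hardware hash, and that no serial appears twice; the path assumes the C:\HWID folder created above.

```powershell
# Added example: sanity-check an Autopilot hardware-hash CSV before importing it.
# The path is the C:\HWID location used in the steps above.
$CsvPath = 'C:\HWID\AutoPilotHWID.csv'

# Column headers that the Intune "Import Autopilot devices" CSV must contain.
$RequiredColumns = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'

$Rows = @(Import-Csv -Path $CsvPath)
if ($Rows.Count -eq 0) { throw "No rows found in $CsvPath" }

# Header check: Import-Csv exposes the columns as NoteProperties on each row.
$Present = $Rows[0].PSObject.Properties.Name
$Missing = $RequiredColumns | Where-Object { $_ -notin $Present }
if ($Missing) { throw "CSV is missing required column(s): $($Missing -join ', ')" }

$Problems = @(foreach ($Row in $Rows) {
    $Serial = $Row.'Device Serial Number'
    $Hash   = $Row.'Hardware Hash'

    if ([string]::IsNullOrWhiteSpace($Serial)) {
        'Row with an empty serial number'
    }
    if ([string]::IsNullOrWhiteSpace($Hash)) {
        "Serial '$Serial': hardware hash is empty"
    } else {
        # The hash is a base64 blob; a truncated or hand-edited value will not decode.
        try   { [void][Convert]::FromBase64String($Hash) }
        catch { "Serial '$Serial': hardware hash is not valid base64" }
    }
})

# Each serial should appear only once in the file.
$Duplicates = $Rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1
foreach ($d in $Duplicates) { $Problems += "Serial '$($d.Name)' appears $($d.Count) times" }

if ($Problems.Count -gt 0) {
    $Problems | ForEach-Object { Write-Warning $_ }
    throw 'CSV failed validation; fix the issues above before importing.'
}
Write-Host "$($Rows.Count) device(s) validated; $CsvPath is ready to import."
```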
PowerShell Add Device to Autopilot (Online)
Follow these steps to add an existing Windows 10 device to Autopilot.
Once your new device is installed and you are at the screen where you can select the language, press Shift + F10. If you have never used Autopilot with the -Online option, you will be asked to give permission to use Intune PowerShell; this must be done by a user with domain admin rights.
PowerShell
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -AssignedUser "User UPN Name" -AssignedComputerName "Fixed device name" -Online
PowerShell Add Device to Autopilot (Intune PowerShell)
Follow these steps to add an existing Windows 10 device to Autopilot.
Once your new device is installed and you are at the screen where you can select the language, press Shift + F10. If you have never used Autopilot with the -Online option, you will be asked to give permission to use Intune PowerShell; this must be done by a user with domain admin rights.