How to Setup Windows Autopilot : Configure laptops when drinking your coffee

aymeneljaziri
3 juil.
10 min de lecture

I - What is Windows Autopilot ?

Windows Autopilot is a Microsoft cloud-based service that streamlines the deployment of new Windows 10 and 11 devices within your organization. It essentially automates the setup process, saving IT time and resources.

There are no Infrastructure requirements for using Autopilot as it’s a Cloud-based service offering that is a part of Microsoft Intune.

II - Windows Autopilot benefits

Here's a breakdown of its key benefits :

Zero-touch deployment: With Autopilot pre-configuration, new devices can be shipped directly to end-users and automatically configured upon connecting to the internet, eliminating the need for manual setup by IT staff.
Reduced IT workload: Autopilot automates repetitive tasks like applying device settings, installing apps, and enrolling them in mobile device management (MDM). This frees up IT to focus on other priorities.
Improved security: Autopilot ensures devices are configured with your organization's security policies from the get-go, reducing the risk of security breaches.
Simplified device management: Once configured by Autopilot, devices are automatically enrolled in MDM, allowing for ongoing management and updates.

In essence, Windows Autopilot offers a smoother, faster, and more secure way to get new devices into the hands of your employees and ready for work.

III - Windows Autopilot Setup Process Overview

In the days before Autopilot, IT admins had to maintain various versions of custom Windows images for deploying on organization workstations. However, creating custom Windows images and maintaining drivers for every device model is not required with Windows Autopilot.

Windows Autopilot utilizes an OEM-optimized version of Windows 10/11, usually pre-installed. Instead of reimaging the device, you can leverage the existing Windows installation to make it ‘business-ready.

Below is a high-level Autopilot Process diagram illustrating the Windows Deployment Lifecycle using Autopilot.

Purchase : Customer / Organization Purchases the Laptop.
Device Vendor, OEM, or Reseller then ships the laptop.
Fulfill and Deliver : Laptop shipment to the end user
Deploy : The end User turns on the laptop and logs in using organization credentials.
Ready for Business : Using Self-Service, Out-of-Box Experience (OOBE) laptops, join Entra ID and enroll in Intune. Additionally, apps, device configuration policies, and targeted applications are installed on the device via Intune.
Steady State Usage : The laptop is operational and getting updates from Intune.
End of Life : Laptop is retired and End of Life.

You can Reset the Laptop at any time from the Business ready state, similar to resetting the laptop to its factory default settings. [Break-fix scenario]

IV - Windows Autopilot Requirements

1 - OS Requirements

To leverage Windows Autopilot and unlock its features, ensure you run a supported version of the Windows client. Refer to the list below for the compatible versions :

2 - Licensing Requirements

In addition to the supported Windows Client operating system requirement discussed in the previous section, ensuring compliance with the necessary licensing requirements to utilize this service is essential. Autopilot capability also necessitates an MDM service, such as Microsoft Intune.

Windows Autopilot requires one of the following subscriptions :

Microsoft 365 Business Premium subscription
Microsoft 365 F1 or F3 subscription
Microsoft 365 Academic A1, A3, or A5 subscription
Microsoft 365 Enterprise E3 or E5 subscription includes all Windows clients, Microsoft 365, and EMS features (Microsoft Entra ID and Intune).
Enterprise Mobility + Security E3 or E5 subscription includes all needed Microsoft Entra ID and Intune features.
Intune for Education subscription includes all needed Microsoft Entra ID and Intune features.
Microsoft Entra ID P1 or P2 and Microsoft Intune subscription (or an alternative MDM service).

V - Steps to Setup Windows Autopilot

I will demonstrate the setup of Autopilot from scratch. If you have already configured any of the settings mentioned in the steps, you can skip it and proceed to the next one. I will use a virtual machine called "Windows 11x64" to showcase the Autopilot process.

Let’s check the steps:

1 – Assign License to Users

The first step is to ensure users have been assigned an Intune license. You can assign any of the licenses listed in the previous section, Windows Autopilot Licensing Requirements.

This is my licence :

2 – Allow Users to Join Devices to Entra ID

If you want the devices enrolled in Intune, they must join Entra ID. Select All to ensure all users can join devices to Entra ID.

Alternatively, you can choose the Selected option and use existing Entra security groups containing users who can join devices to Entra ID.

Sign in to the Entra admin center.
Go to Devices > All devices > Device settings.
Set Users may join devices to Microsoft Entra to All.

3 – Enable Automatic Enrollment

After a device joins Entra ID and has Automatic Enrollment enabled, the device will also enroll in Intune. To configure Automatic Enrollment, set the MDM user scope to All and the Windows Information Protection (WIP) user scope to None.

Please note that you can also select MDM user scope as Some and use Entra security groups to target a specific list of users who can join devices to Entra ID and enroll their device in Intune.

follow these steps to begin configuration :

Connect to Microsoft Intune :https://intune.microsoft.com/#home
Select "Devices" then "Windows"
Select "Windows Enrollement" then "Automatic Enrollement"
Set "MDM user scope" to All, and "Windows Information Protection (WIP) user scope" to None.

4 – Configure Company Branding

Company branding settings enable you to customize the out-of-box experience (OOBE) for users. You can showcase your company logo and adjust colors to match your organization’s theme. This also ensures that the end user enrolling in the device is connected to the correct organization.

Sign in to the Entra admin center : https://entra.microsoft.com/#home
Navigate to User experiences > Company branding : https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/CompanyBrandingOverview.ReactView
Edit the Default sign-in configuration and review all the tabs to configure the user experience according to your requirements.

Complete the "Sign-in Form" and select "Review + save"

5 – Setup Enrollment Status Page (ESP)

The enrollment status page appears during the initial device setup and the first user sign-in. If enabled, users can view the configuration progress of assigned apps and profiles targeted to their devices.

Most configuration options are self-explanatory; you can use the default configuration options or modify them as per your requirements. Below are the steps to Enable and configure the Enrollment status page (ESP).

Sign in to the Intune admin center.
Go to Devices > Windows > Windows enrollment > Enrollment Status Page.
Click the “All users and all devices” link and go to Properties.

We are going ahead with the default ESP configuration below:

Show app and profile configuration progress – Yes
Show an error when installation takes longer than specified number of minutes – 60
Show custom message when time limit or error occurs – Yes
Turn on log collection and diagnostics page for end users – Yes
Only show page to devices provisioned by out-of-box experience (OOBE) – Yes
Block device use until all apps and profiles are installed – Yes
Allow users to reset device if installation error occurs – No
Allow users to use device if installation error occurs – No
Block device use until required apps are installed if they are assigned to the user/device – All

6 – Create an Autopilot Devices Group

Create an Entra Dynamic Security group for Autopilot devices. This group is necessary to automatically assign an Autopilot Deployment Profile to devices joined to Entra ID using the Autopilot process.

Follow the steps below to create a new Entra Dynamic Security group for Autopilot. You can also use the Intune admin center to create an Entra dynamic security group.

Sign in to the Entra admin center.
Click on Groups > All groups > New group.
Group type: Security
Group name: Provide a group Name, for Example "Windows Autopilot Devices"
Group Description: Provide a group description.
Microsoft Entra roles can be assigned to the group: No
Membership type: Dynamic Device

Under Dynamic device members, click on Add dynamic query. Under the Configure Rules tab, you will find a Rule syntax box. Use the Edit button on the right-hand side and add the your custom query.

In my case, every Device name that starts with : "GIT0" + 3 Numbers (GIT0123 , GIT0254 , GIT0789...etc)

(device.displayName -match "GIT0[0-9][0-9][0-9]")

we will see in the next section how to Auto Rename device directly from Intune.

Add the Rule and click on the OK button, then Click on Save to save the rule.

Finally, click Create to create this Entra dynamic security group for devices.

7 – Create an Autopilot Deployment Profile

The next step is to create an Autopilot deployment profile, which will customize the Out-of-Box Experience (OOBE) and deployment mode for end users. You can create up to 350 deployment profiles in a single Intune tenant.

To create an Autopilot deployment profile, follow the below steps:

Sign in to the Intune admin center.
Navigate to Devices > Windows > Windows enrollment > Deployment Profiles > Create Profile > Windows PC.

Basics Tab

Provide a Name and Description of the Autopilot deployment profile. For Example:

Name: GlobalIT Autopilot deployment profile
Description: Provide a useful description of this profile.
Convert all targeted devices to Autopilot: No

Out-of-box experience (OOBE) Tab

Configure Out-of-box Experience (OOBE) for Autopilot devices.

Deployment Mode : User-Driven

User-Driven : Devices are associated with the user enrolling the device and user credentials are required to provision the device

Self-Deploying : Devices are not associated with the user enrolling the device and user credentials are not required to provision the device.

Join to Microsoft Entra ID as : Microsoft Entra joined

You also have an option for Microsoft Entra Hybrid Joined. Select it if you have On-prem Active Directory-joined Windows devices.

Microsoft Software License Terms : Hide
Privacy settings : Hide
Hide change account options : Hide

This is useful and prevents users from changing account options from corporate to personal accounts, e.g., a Microsoft account. You must configure company branding in Microsoft Entra ID to hide these options.

User account type : Standard

if you want the new deployed account to be of the standard type by default.

Allow pre-provisioned deployment : No.
Language (Region) : English United State

You can configure the specific language settings here or leave them as the Operating system default.

Automatically configure keyboard : Yes

If you have configured the Language (Region) setting, you can skip this option by selecting Yes.

Apply device name template : This setting requires the device’s Microsoft Entra join type status. You can rename the device during autopilot based on the template you provide. The device name must be 15 characters or less. For example : GIT0%RAND:3% , This will create devices with names like GIT0123, or GIT0587... etc.

I'm gonna go with self-deployment mode, all settings will bes selected automatically and this will be like 0 tuch configuration.

Assignments Tab

Assign this Autopilot deployment group to the Entra Dynamic Security Group we created in Step 6.
Click on Add groups and select the group to add, then clic on "Next"

Review the Autopilot deployment profile summary and click on Create to create the profile.

Now, it's time to pass to action, we will start Windows Autopilot setup.

VI - Start Windows Autopilot Setup

1 - Upload Device Hash to Intune

Before Formating or Reseting Device, we need to upload device HASH to Microsoft Intune Portal, this step makes device Known by Microsoft Intune (Device HASH is based on Motherboard Serial Number).

We can get Device Hash through two methods :

A - Export Device HASH using Local CSV File

To get Hash you can simply execute this powershell script (This script will export Device HASH to CSV file in C:\Temp)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-ExecutionPolicy RemoteSigned -Force
Install-Script -Name Get-WindowsAutopilotInfo  -Confirm:$false -Force
if(!(test-path("C:\Temp"))) { mkdir "C:\Temp" }
Get-WindowsAutopilotInfo -OutputFile "C:\Temp\Autopilot-$(Get-Random -Minimum 1 -Maximum 1000).csv"

Here is CSV file :

Then Go to :

Microsoft Intune Admin Center
Select Devices then Enrollment
In Windows Section Select "Devices"

Click "Import"
Select CSV file
Click "Import"

Here is new device HASH suucessfully added.

B - Export Device HASH Online

Start PowerShell command line as administrator and execute this code to install Get-WindowsAutopilotInfo Script :

Set-ExecutionPolicy Bypass
install-script Get-WindowsAutopilotInfo

Next step is to register the new device directly on intune (No need to export CSV file through USB device or Shred folder).

Get-WindowsAutopilotInfo  -Online

after authentication process you will see this window , Select Accept (this consent is to allow script adding device HASH directy in Intune).

As you can see here : 1 device successfully added

2 - Reset Windows Device

there are two ways to do the rest :

First way : from Windows control panel select "Update & Security"

select "Recovery" then clic on "Get started" buton to start PC reset.

Select the option Remove everything.

Select the Local reinstall option, which is faster than the Cloud download option.

Click on Next.

Click on the Reset button to initiate the reset process for this device. Please note that this process will remove all applications and is equivalent to factory resetting the device to a clean state.

2 - Autopilot in Action after Device Reset

This screen typically appears during the initial setup of a Windows device being prepared for integration into a work or school network, ensuring proper configuration and security measures are in place.

In our Autopilot Deployment profile, we configured it not to show the Privacy terms and Microsoft Software License agreement , therefore, those screens will be hidden. You may notice the company branding, such as the logo and color theme, during the setup process if you have configured it from the Entra admin center.

If you want to check your Microsoft Intune join, go to :

Intune -> Devices -> Windows :

https://intune.microsoft.com/?ref=AdminCenter#view/Microsoft_Intune_DeviceSettings/DevicesWindowsMenu/~/windowsDevices

As you can see, a new machine named GIT0100 has been added as joined to Intune.

Conclusion

In conclusion, this guide has covered in detail the steps required to set up Autopilot. However, setting up Autopilot is only the beginning of optimizing your IT environment. There are many other aspects of Microsoft Intune worth exploring.

For example, the "configuration profiles" in Intune offer a wealth of possibilities for managing and securing your devices. They enable you to configure specific settings on your devices, such as Wi-Fi, VPN, messaging settings and so on. What's more, they can be used to enforce security and compliance policies.

We encourage you to continue your exploration with other Intune technical guides. Each guide will help you deepen your knowledge and further improve your IT environment.

Stay tuned for more technical guides to come! 😉

Thanks