Let’s discuss the Windows AutoPilot Step by Step Admin Guide to Provision Windows 10/11 Devices. In this post, I will describe how to provision Windows 10 devices with the AutoPilot service, enrol them into Intune, create a deployment profile, import device information into Intune, and set up Windows 10 devices.
- Part 1 ▶ Windows Autopilot FAQ Clarifying the General Misconceptions
- Part 2 ▶ Windows Autopilot from the perspective of IT Admin setup
- Part 3 ▶ Windows Autopilot In-Depth Processes from Device Side
- Part 4 ▶ Windows Autopilot WhiteGlove Provisioning Deep Dive (This Post)
The Windows AutoPilot service is a collection of technologies to simplify and automate the Windows Out of Box Experience (OOBE). There are three (3) scenarios in Windows AutoPilot. More information on the basics of Windows Autopilot is available in Windows AutoPilot Process End To End Guide.
Video – Windows Autopilot Training
Latest Windows Autopilot Training by Joy Microsoft MVP. This video covers end-to-end Windows Autopilot scenarios, including Background processes, Real World Issues, FIXES, Tips, and Tricks.
- Get to know Windows Autopilot
- Compare and contrast Windows Autopilot with Traditional Windows Provisioning
- Know the benefits of using Windows Autopilot
- Deep dive into how Windows Autopilot works
Introduction
The provision of Windows 10 with AutoPilot is part of modern technology. It seems to me everything is moving into the cloud and automation. Building and managing operating systems is time-consuming. Windows Autopilot is the provisioning service.
With the help of Intune and AutoPilot, you can pre-configure, reset, re-purpose, and recover your devices. You can customize and deploy the setting without re-imaging, which saves you a lot of time.
I would not go into details for describing Windows AutoPilot, as a lot of Microsoft Documentation is available. We also have posts from Anoop, Joy, and Vimal about Windows AutoPilot and MS Intune.
- Please go through with Windows AutoPilot.
Before enrolling Windows 10/11 devices into Intune, we must configure the following prerequisites. I will not detail the licensing and other requirements; you can get that information from Microsoft documentation.
- Configure Device Setting
- Mobility (MDM and MAM)
- Company Branding
- Deployment Profile
- Create Groups
- Creation of Users
Configure Device Setting – Provision Windows 10/11 with Windows AutoPilot Step by Step Admin Guide
To configure the device setting, you have to go to:
- Login to Azure Portal
- Navigate via Azure Active Directory->Devices->Device Settings
The first option is "Users may join devices to Azure AD", which I have set to All. You can also choose another option if you want only some selected users to join machines to Azure AD, but in my case, I have set All.
The next option is to create an additional local administrator for Windows 10 Azure AD joined devices.
- Here, you can select which users will have local admin rights on devices. By default, global administrators and device owners are granted local admin rights on devices.
- After that, configure the other settings and click save.
Mobility (MDM and MAM)
The next step is Mobility (MDM and MAM) configurations:
- Login to Azure Portal
- Navigate to Azure Active Directory
- Open the Mobility (MDM and MAM) blade and click on Microsoft Intune
- Save the settings
Create Azure AD Group for Windows Autopilot
Next, we will create an Azure AD group, which will be a dynamic group with rules. You can complete this step either from Intune blade->Groups or Azure AD -> Groups.
NOTE! – Another option is to use the Microsoft 365 Device Management portal.
Click on New Group and provide the required information.
Configure Dynamic Query
I have selected the membership type as dynamic devices (the same as SCCM, where we create a query-based collection) and then clicked on add the Azure Active Directory query. More Details – Windows AutoPilot Profile AAD Dynamic Device Groups (anoopcnair.com).
Use the following rule:
(device.devicePhysicalIDs -any _ -contains "[ZTDId]")
Azure AD dynamic group with device physical ID attribute.
- Now you can see that the query is added to the rule syntax. Save the setting and click on Create.
Now the Azure AD group is created. So what will happen with this rule and group?
NOTE! – Once you import a Windows 10 device into Intune, that device will be added to this group automatically, and whatever profiles are assigned to this group will be applied to the device.
Create Deployment Profile
The next step I followed was the creation of a deployment profile. This will be used for Windows AutoPilot deployment.
- Go to Intune->Device Enrollment->Windows Enrollment. On the right side, you will see the Windows Autopilot Deployment Program.
Click on deployment profiles, then click on Create a profile.
Click on the NEXT button.
Configure Out-Of-Box experience (OOBE) for AutoPilot
We will configure the OOBE settings for Windows AutoPilot devices in this window.
- Deployment mode: User-Driven
- Join to Azure AD as: Azure AD joined
- Microsoft Software License Terms: Hide
- Privacy settings: Hide
- Hide change account options: Hide
- User account type: Standard
- Allow White Glove OOBE: No
- Apply device name template: No
Click Next to continue.
NOTE! – You have a new option to pre-provision the apps and policies to the device so that users don’t have to wait for a long time during the Windows Autopilot enrollment process. More details on this process – Windows Autopilot WhiteGlove Provisioning Backend Process- Deep Dive.
Let’s have a look at the assignment of groups. You can use the Windows AutoPilot Profile AAD Dynamic Device Groups post to create dynamic groups for Autopilot devices.
- In Assignment, click on Select groups to include.
Assignments
Now it’s time to assign the Azure AD device group to the Autopilot profile.
Select the Azure AD group to deploy the Windows Autopilot Profiles.
On the right-hand side, all the available groups are visible, and you can select which group needs to be assigned to the deployment profile.
- I created Windows AutoPilot and selected that.
NOTE! If you want to exclude any group, you can select it; otherwise, click on Next, review the settings, and click on Create.
Enrollment setup Page
On the enrollment setup page, there is a default profile created. Here we are going to create a new profile for Windows Autopilot.
Create an Enrollment Status Page to track the status of the enrollment of Windows 10 or 11 devices. More details – Intune Enrollment Status Page (ESP) Troubleshooting (anoopcnair.com).
- Save the settings and create the Profile.
NOTE! – Remember, this Profile can be assigned to user groups only. The device group won’t be assigned.
Generate WindowsAutoPilotInfo file
Now we are all set. It’s time to add the existing Windows 10 device to Intune.
- Before adding existing devices, we need to run a few PowerShell commands on the new greenfield Windows 10 device
- And import the CSV file in Intune. Next, I am going to log in on the Windows 10 device.
- Open PowerShell as administrator, and run the following commands.
CD\
md AutoPilot
cd AutoPilot
Press Enter, then type the following command:
Save-Script -Name Get-WindowsAutoPilotInfo -Path C:\AutoPilot\
Now you can see in the directory that one PS file is created with the name Get-WindowsAutoPilotInfo.ps1.
We will get the output into a CSV file, which will be used to import the device into Intune. Run the command:
.\Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\AutoPilot\AutoPilot.csv
You now have a CSV file that has all the information about the device for Windows Autopilot: the Device Serial Number, Windows Product ID, and Hardware Hash.
Import Device into Intune
Now open the Microsoft Store for business and import the CSV file.
NOTE! You might have a question: why am I not importing into Intune? The problem I faced was that I couldn’t assign the deployment profile I had created. Why? Maybe I might need to have some patience 🙂 But it appeared quickly within Microsoft Store for Business, and I could assign the Profile without any problem.
- Go to Manage then devices from Microsoft Store for Business portal.
- Import the devices with OEM information generally used by vendors (like Dell, HP, Lenovo).
Also, you can import devices with the help of a CSV file we have just created. Click on add devices, then select the file which you have generated.
Once you select the file, you will see a window that asks you to choose the deployment group. I clicked on the NO thanks option.
Select the device from the uploaded list. Microsoft Store for Business is retiring soon, so using MSfB to import/register devices into Windows Autopilot is not recommended. More details – Microsoft Store for Business Education Retirement Postponed HTMD Blog (anoopcnair.com).
Once the device is added, click on Profile, then select the deployment profile created. Once the Profile is assigned, go back to the Intune portal and see the status.
- Navigate to Microsoft Intune-> Device enrollment->Windows enrollment->Windows Autopilot Devices
- Here you can see the profile status is assigned. In the initial stage, the status is still being set, which can take a few visits, and then the status changes to assigned.
- All set, the device is imported, and the deployment profile is assigned. The next step is to log in to the Windows 10/11 machine and reset it.
Download Windows Autopilot Deployment Flowchart
Happy Autopiloting 🙂 Bonus tip: Windows 10/11 Autopilot deployment process PDF can be downloaded from the link. You can download the Windows Autopilot Deployment Flowchart prepared by Michael Niehaus.
End-User Experience – Provision of Windows 10 Experience with Windows Autopilot
Once you reset the Windows 10/11 (or a new machine that is autopilot enabled) and restart the device, you will see the following screen indicating your device is ready to join Windows Autopilot.
You need to select the keyboard layout as shown below to continue.
The following screenshot shows that you now have some important setup to do.
Yes, you are going to join Windows Autopilot, excited……
- The next screen will tell about the complete form.
Enter the username and password.
Password used for your corp email access.
You might get this screen if the password has expired, or if the organization requires a new password for better security.
The following screen shows the Enrollment Status Page (ESP).
The Windows Hello for Business setup screen is shown now.
It lets you set up the PIN to log in.
This is the configuration of MFA if you have enabled this option as part of Windows Autopilot enrollment. The background and logo, which you can see, are configured during the company branding.
Enter the details for Multi-Factor Authentication (MFA).
Now it’s time to log in. ESP is completed, and all the apps and policies are installed on the device before the user can log in.
Now log in to the Windows 10 device with the Azure ID and PIN you just set, and go to Settings -> Accounts -> Access work or school. Here you can see your computer is connected to Azure AD.
You can confirm whether the device is managed by Intune by going to the Settings page.
When you go to the MS Intune-> Devices, then you can see enrolled devices.
You can see the device is enrolled and shows as compliant as per the compliance policy in Intune.
The newly imported Windows 10 device has joined Windows Autopilot. Now you can deploy any applications, settings, and configuration. In the next part, we will discuss the deployment of applications and software updates.
Anoop, will Autopilot work for virtual devices? And is Autopilot recommended for large complex environment 1.5lks devices? How about managing legacy devices with Intune: Win7, 8.0, 8.1, etc.? Any options available? Any thoughts on managing server OS with Intune?
I think all these 150000 devices won’t be migrated to Intune and Windows Autopilot in a couple of months. So, you shall think about starting the journey towards Autopilot and Intune management for a small set of devices like 100 for the 1st year and then continue with the deployments.
It's a really good explanation of the Autopilot implementation. Is there anything on MDATP for Windows 10 devices with servers?
Some devices will not have a hardware hash. In that case, how can I add the device to Intune?
Thank you very much Sir.
This step by step guide was very helpful for Autopiloting. It's a really good explanation.
I run into errors “something went wrong” during the ESP page after I get prompted for MFA on the third step of ESP. How can I avoid the errors or set up MFA so it will only prompt after the ESP page is completed or during company branding? Thank you