Automagically convert Intune managed devices to AutoPilot

by

Tweet-AutoPilotThis week a short blog post about my tweet of a bit more than a week ago. In that tweet I mentioned a new easy method to automagically convert Intune managed devices to AutoPilot. That method makes some scenarios a whole lot easier. Like for example what I did in this post to get the AutoPilot device information of Intune managed devices. That type of custom scripting is not needed anymore!

As I got many reactions to that tweet, mainly related to the location of that configuration, I thought it would be good to make a short post describing the configuration option and the expected behavior. In this post I’ll provide the steps to make this configuration and I’ll describe the expected behavior. There is no real end-user or administrator experience to show for this configuration. So, no section related to that. I’ll do explain the the expected behavior in the introduction.

Introduction

Let’s start with a short introduction about the mentioned configuration option. That configuration option is the Convert all targeted devices to AutoPilot setting. By default an AutoPilot deployment profile is only applied to already existing AutoPilot devices and doesn’t apply to non-AutoPilot devices. Configuring the Convert all targeted devices to AutoPilot setting to Yes will automagically convert all devices in the assigned group to AutoPilot. This is a one-time conversion that also works for co-managed devices. That also means that removing the AutoPilot profile will not remove the converted devices from AutoPilot. After conversion the devices can only be removed by using the Windows AutoPilot devices view. Keep in mind that it can take up to 48 hours for the conversion to be completed.

Configuration

Now let’s continue by having a look at the actual configuration. And in this case only the specific Convert all targeted devices to AutoPilot setting. The following four steps walk through the steps to get to the specific setting and are not meant to create a complete the Windows AutoPilot deployment profiles.

1 Open the Azure portal and navigate to Microsoft Intune > Device enrollment > Windows enrollment to open the Device enrollment – Windows enrollment blade;
2 On the Device enrollment – Windows enrollment blade, select Deployment Profiles in the Windows AutoPilot Deployment Program section to open the Windows AutoPilot deployment profiles blade;
3 On Windows AutoPilot deployment profiles blade, either select Create profile or select [existing deployment profile] > Properties to open the Create profile blade or the [existing deployment profile] – Properties  blade;
4 On the Create profile blade or the [existing deployment profile] – Properties  blade, the setting Convert all targeted devices to AutoPilot must be switched to Yes (below is an example of the the [existing deployment profile] – Properties  blade, the Create profile blade looks similar) ;
MSIS-AutoPilot-Target

Note: There’s not a real easy method to see which devices are converted to AutoPilot. Those devices will show as any other imported device, without enrollment state. However, as the configuration is done via an AutoPilot deployment profile, the device is immediately assigned to a profile. Again, without creating any fancy configurations, like query based dynamic device groups.

More information

For more information about enrolling Windows devices by using Windows AutoPilot, please refer to the documentation named Enroll Windows devices by using the Windows Autopilot.

17 thoughts on “Automagically convert Intune managed devices to AutoPilot”

  1. Hi Peter,
    Technically this means that Intune has the Device Serial Number, Windows Product ID and Hardware Hash if a device is enrolled normally by a user ? So it will do a harvest for Autopilot of the devices targeted by the convert option ?

    Let’s say if we bulk enroll 200 devices with a DEM account and we assign the Autopilot profile with convert targeted devices, will it do an Autopilot Reset, Fresh Start or an Wipe and will the DEM account association be removed ?

  3. Hi Rkast,
    This configuration doesn’t do anything to existing devices directly. It only makes sure that the devices are added to AutoPilot and on the next reset of the device the AutoPilot deployment profile will be applied.
    Regards, Peter

  5. Hi Peter,
    Ok good to know. Thank you very much for your answer!
    What kind of reset does the device need if we initiate one from intune (Fresh Start, full wipe) or does it need factory reset ?

  8. Is it possible to Automatically convert legacy Intune managed devices(Intune Client Installed Device) to AutoPilot.

  10. Hi Peter,

    In the opening statement you write “In that tweet I mentioned a new easy method to automagically convert Intune managed devices to AutoPilot.

    Must the device be Intune manage? I’ve looked on docs, and can’t find any information that points to that the device needs to be Intune managed, neither doesn’t say what kind ‘koin type’ that is needed.
    I’ve asked MS about this, but still haven’t gotten any answers.

    Do you know if this should work with hybrid joined,azure ad joined and/or azure d registered devices?

    Regards,

  12. Hi,

    I’m working on W10 Intune MDM last month for my Company and followed lot of your post …among other interesting blog 😉

    First challenge was to achieve AADj with MFA with Intune Enrolement (conformity/config/…). It’s now called mode 4 OOBE –> https://msdnshared.blob.core.windows.net/media/2018/08/EnrolmentScenario5.png

    Second challenge was to remove user local admin rights manually (with power shell send by Intune). I did it but find Autopilot mode to have this automatically !

    But that means to have autopilot informations from hardware provider (CSV or AAD Tenant connection)…or to retrieve it manually on each computer…very painful for foreign BU without local IT :-/

    In the next week , I’m challenged to deploy the concept on Australian BU… and I still do not know if I will have autopilot informations (with new computer order or if have to re-use existing computer).

    So I think to find a trick which is a mix of my old OOBE mode (with admin removed) and this new magially option.
    I create a dynamic groupe that include all Intune Managed (identify by name prefix part of the generated hostname durecing enrolement&configuration process) but without [ZTDId].
    (device.displayName -startsWith “commonprefix”) -and -not (device.devicePhysicalIDs -any _ -contains “[ZTDId]”)
    After that I can apply a new autopilot profile with conversion option to this group

    If My distant user do a OOBE AADj/Intune (without autopilot), after 48h, device will be Converted and should have ZTDId flag. that will automatically transfer device to my standard Production Autopilot group and profile 😉

    And after next reset this should work as an Autopilot-native W10.

    Time for tests now…

  14. Hi Peter,

    I have follow microsoft documentation regarding autopilot – carrying out a standard AAD Join – the devices get the profile the user can log in, bitlocker and windows hello profile gets deployed to the device but:-

    1. I don’t see the device under the devices under All Devices in InTune? But if I find the user that logged on to the device, I can see the device listed under the user device with bitlocker info. So I can’t do a wipe/reset?

    2. None of the apps that I deployed to the device works? even office?

    Any ideas? please?

  16. Hello Peter,

    We experience that existing Intune devices, with the function “convert all targeted devices to autopilot”, are not visible in AutoPilot.

    The devices are registered manually in Intune, with the addition of a Work / School account and are also visible on Intune devices.

    Do you have any advice?

    Regards, Wouter

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.