Manage Windows AutoPilot via Microsoft Intune

This week I’m going through the required steps for configuring Windows AutoPilot. I know that a lot has been written already about this subject, but I have the feeling that this subject needs a place on my blog. Also, the attentive reader might have noticed that I’m specifically using Microsoft Intune in the title of my blog, for the first time in over a year. That’s for a reason. This post is focused on configuring Windows AutoPilot via Microsoft Intune and will show that, at this moment, the Microsoft Store for Business is also required to complete the Microsoft Intune configuration.

In this post I’ll provide a short introduction about Windows AutoPilot, followed by walking through the required configurations. I’ll end this post by quickly looking at the result, from the end-user perspective and from the administrator perspective.

Introduction

Before looking at the configuration, let’s start with a short introduction about Windows AutoPilot. The Windows AutoPilot deployment program simplifies device provisioning. With Microsoft Intune and Windows AutoPilot, it’s possible to give new devices to end-users without the need to build, maintain, and apply custom operating system images to the devices. Windows AutoPilot covers the provisioning of the devices and Microsoft Intune makes it possible to manage policies, profiles, apps, etc. on the devices after they are enrolled. Once devices are registered for Windows AutoPilot, the following OOBE customization options are available for Windows 10, starting with version 1703:

  • Skip the Work or Home usage selection page (default behavior);
  • Skip Cortana, OneDrive and OEM registration setup pages (default behavior);
  • Skip privacy settings page (optional configuration);
  • Skip EULA page (optional configuration, starting with Windows 10, version 1709);
  • Add sign-in experience with company or school brand (optional configuration);
  • Prevent the account used to set up the device from getting local administrator permissions (optional configuration).

Configuration

Now let’s have a look at the required configurations to create the full Windows AutoPilot experience. That includes looking at the prerequisites, adding devices and adding a company branding. To get this full experience, simply walk through the six steps below.

Prerequisites

Before walking through the required configuration steps, make sure that the following prerequisites are in place. Everything else will be covered in this post.

  • Devices have to be pre-installed with Windows 10, version 1703 or later;
  • Devices must have access to the Internet;
  • Azure AD Premium subscription;
  • Automatic enrollment is enabled.

Step 1: Get device information

The first step is to get the device information, as the devices must be registered to the organization. At this moment, it’s still required to acquire the device serial number, the Windows product ID and the hardware ID of the devices and to register the devices. Microsoft is actively working with various hardware vendors to enable them to provide the required information to organizations, or upload it on their behalf. To capture the required information, use the Get-WindowsAutoPilotInfo PowerShell script, by performing steps similar to the following four steps.

1 Open Windows PowerShell as an Administrator;
2 Run Save-Script -Name Get-WindowsAutoPilotInfo -Path C:\Windows\Temp to inspect the PowerShell script;
3 Run Install-Script -Name Get-WindowsAutoPilotInfo to install the PowerShell script;
4 Run Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\Windows\Temp\MyComputer.csv to get the required device information.
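The following Windows PowerShell script is an added example, not part of the original post and not the Get-WindowsAutoPilotInfo script itself. It automates the four steps above and adds the check a practitioner wants before uploading the CSV to the Microsoft Store for Business: it verifies that the expected columns are present, that every row carries a serial number and a base64-encoded hardware hash, and that no serial number is listed twice. It also merges the CSV files collected from several devices into one upload file. The output path, the merge behaviour and the unquoted ASCII layout of the merged file are assumptions of this example; the column names are the ones Get-WindowsAutoPilotInfo writes.

```powershell
#Requires -RunAsAdministrator
# Added example: collect, validate and merge Windows AutoPilot device information.
# Assumes an elevated Windows PowerShell session with Internet access, so that the
# published Get-WindowsAutoPilotInfo script can be fetched from the PowerShell Gallery.

$RequiredColumns = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'

function Get-AutoPilotDeviceInfo {
    # Steps 1 to 4 of the post: save the script for inspection, install it, run it.
    param([string]$OutputFile = 'C:\Windows\Temp\MyComputer.csv')   # assumed default path

    $inspectDir = 'C:\Windows\Temp'
    Save-Script -Name Get-WindowsAutoPilotInfo -Path $inspectDir -Force
    Write-Host "Saved a copy for review in $inspectDir; review it before trusting it."

    Install-Script -Name Get-WindowsAutoPilotInfo -Force
    $installed = Get-InstalledScript -Name Get-WindowsAutoPilotInfo
    $scriptPath = Join-Path $installed.InstalledLocation 'Get-WindowsAutoPilotInfo.ps1'

    & $scriptPath -OutputFile $OutputFile
    return $OutputFile
}

function Test-AutoPilotCsv {
    # Validates a CSV before it is uploaded; throws on the first problem found.
    param([Parameter(Mandatory)][string]$Path)

    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No device rows found in $Path" }

    $headers = ($rows[0] | Get-Member -MemberType NoteProperty).Name
    $missing = $RequiredColumns | Where-Object { $_ -notin $headers }
    if ($missing) { throw "Missing column(s) in ${Path}: $($missing -join ', ')" }

    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) { throw "Row without a serial number in $Path" }
        if ([string]::IsNullOrWhiteSpace($row.'Hardware Hash')) { throw "Empty hardware hash for serial $serial" }
        try {
            # The hardware hash is base64; a decode failure means the row was truncated or edited.
            [void][Convert]::FromBase64String($row.'Hardware Hash')
        } catch {
            throw "Hardware hash for serial $serial is not valid base64"
        }
    }

    # A duplicate serial number makes the Store for Business import ambiguous.
    $dups = $rows | Group-Object 'Device Serial Number' | Where-Object { $_.Count -gt 1 }
    if ($dups) { throw "Duplicate serial number(s): $($dups.Name -join ', ')" }

    return $rows.Count
}

function Merge-AutoPilotCsv {
    # Combines per-device CSV files into one upload file, de-duplicating on serial number.
    param(
        [Parameter(Mandatory)][string[]]$InputFile,
        [Parameter(Mandatory)][string]$OutputFile
    )

    foreach ($file in $InputFile) { [void](Test-AutoPilotCsv -Path $file) }

    $all = foreach ($file in $InputFile) { Import-Csv -Path $file }
    $all | Sort-Object 'Device Serial Number' -Unique |
        Select-Object $RequiredColumns |
        ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |     # assumption: unquoted values, like the script's own output
        Out-File -FilePath $OutputFile -Encoding ascii  # base64 and serials are plain ASCII

    return (Test-AutoPilotCsv -Path $OutputFile)
}

# Usage on a single device, as in the post:
$csv = Get-AutoPilotDeviceInfo -OutputFile 'C:\Windows\Temp\MyComputer.csv'
Write-Host "Validated $(Test-AutoPilotCsv -Path $csv) device row(s) in $csv"

# Usage when several per-device files were collected to a share (paths are constructed):
# $count = Merge-AutoPilotCsv -InputFile (Get-ChildItem '\\fileserver\autopilot\*.csv').FullName `
#                             -OutputFile 'C:\Windows\Temp\AllDevices.csv'
```

Running the validation before the upload in step 2 catches the two failures that otherwise only surface as a rejected import in the Store for Business: a CSV edited in a spreadsheet (which tends to mangle the hardware hash) and the same device captured twice.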

Step 2: Add devices

The second step is to add the gathered device information. This cannot be achieved by using Microsoft Intune, at this moment, but can be achieved by using the Microsoft Store for Business or by using the Partner Center. To use the Microsoft Store for Business, perform the following three steps.

1 Open the Microsoft Store for Business and navigate to Manage > Devices;
2 Click Add devices and browse to the just created CSV file;
3 On the Add devices to an AutoPilot deployment group prompt, select No, thanks, as I want to use Microsoft Intune for assigning a deployment profile.

Step 3: Synchronize devices

The third step is to synchronize the added device information into Microsoft Intune. That will enable me to use Microsoft Intune for assigning a deployment profile to those devices. To synchronize the devices into Microsoft Intune, perform the following three steps.

1 Open the Azure portal and navigate to Intune > Device enrollment > Windows Enrollment;
2 On the Devices enrollment – Windows enrollment blade, click Devices below Windows AutoPilot devices (Preview) to open the Windows AutoPilot devices (Preview) blade;
3 On the Windows AutoPilot devices (Preview) blade, click Sync to synchronize the devices to Microsoft Intune.

Step 4: Create deployment profile

The fourth step is to create a deployment profile in Microsoft Intune. Deployment profiles are used to configure the AutoPilot devices. To create a deployment profile in Microsoft Intune, perform the following four steps.

1 Open the Azure portal and navigate to Intune > Device enrollment > Windows Enrollment;
2 On the Devices enrollment – Windows enrollment blade, click Deployment Profiles below Windows AutoPilot devices (Preview) to open the Windows AutoPilot deployment profiles (Preview) blade;
3 On the Windows AutoPilot deployment profiles (Preview) blade, click Create profile to open the Create profile blade;
4a On the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a valid description;
  • Join to Azure AD as: Select Azure AD joined;
  • Out-of-box experience (OOBE): (See step 4b).
4b On the Out-of-box experience (OOBE) blade, provide the following information and click Save;

  • Privacy Settings: Select Hide to hide the Privacy Settings page during the OOBE;
  • End user license agreement (EULA): Select Hide to hide the EULA page during the OOBE;
  • User account type: Select Standard to make the user a standard user on the device.

Note: The last setting does not apply to global administrators or company administrators. These users cannot be standard users as they have access to all administrative features in Azure AD.


Step 5: Assign deployment profile

The fifth step is to assign the just created deployment profile to the just synchronized devices in Microsoft Intune. This can be achieved by performing the following four steps.

1 Open the Azure portal and navigate to Intune > Device enrollment > Windows Enrollment;
2 On the Devices enrollment – Windows enrollment blade, click Devices below Windows AutoPilot devices (Preview) to open the Windows AutoPilot devices (Preview) blade;
3 On the Windows AutoPilot devices (Preview) blade, select the just imported device and click Assign profile to open the Assign profile blade;
4 On the Assign profile blade, select the just created deployment profile and click Assign.

Step 6: Add company branding

The sixth step is the finishing touch: making the company branding appear during the OOBE. This cannot be achieved by using Microsoft Intune, at this moment, but can be achieved by using Azure AD. To configure the company branding, perform the following steps.

1 Open the Azure portal and navigate to Azure Active Directory > Company branding;
2 On the Company branding blade, click Configure to open the Configure company branding blade;
3 On the Configure company branding blade, provide the following information and click Create.

  • Sign-in page background image: Specify a background image that meets the specified format;
  • Banner logo: Specify a banner logo that meets the specified format;
  • User name hint: Provide a user name hint;
  • Sign-in page text: Provide a sign-in page text;
  • Sign-in page background color: Provide a background color that will be used for slow connections;
  • Square logo image: Specify a square logo image that meets the specified format;
  • Square logo image, dark theme: Specify a square logo image that meets the specified format;
  • Show option to maintain signed in: Select Yes.

Note: I’ve only configured a couple of items that will clearly show that the Windows AutoPilot deployment is part of my company.

Result

Now let’s end this post by looking at the result of the configurations. Let’s start by looking at the end-user experience. Yes, I can show the remaining screens during the OOBE, but I thought that was not that exciting. Instead, I’ve got the main enrollment screen that includes the company branding.

From an administrator perspective, the most interesting place to look for the end result is the Azure portal. When navigating to Intune > Device enrollment > Windows Enrollment > Devices, the overview of devices won’t show any difference. However, the administrator can filter on Enrolled devices to get a list of devices that are successfully enrolled via the Windows AutoPilot deployment. Also, when selecting a device, it provides a list of interesting information. The most important item is the Enrollment State. As shown in the screenshot, this will be set to Enrolled after the device is successfully enrolled via the Windows AutoPilot deployment.

More information

For more information about Windows AutoPilot, in combination with Microsoft Intune and the different configuration options, please refer to:

26 thoughts on “Manage Windows AutoPilot via Microsoft Intune”

  1. Hi Peter,
    Nice to know (maybe update for this blog), you can also change the ‘Name’ branding like yours PRCLOUD_PVDW!
    This doesn’t come from the company branding. Instead, you can set that value in the “Name” field of the Azure AD tenant properties @ Azure Active Directory > Properties > Name
  2. Thanks for this. What would be the best way to enforce the Intune Bitlocker Policy in this scenario since the user will have no ‘Admin’ privileges?
  3. Hi, I was wondering if you could shed some light on this. Our MS Intune setup is a cloud environment managing Windows 10 devices and applications via MS Intune without on-premises AD or SCCM. OKTA is the SSO method used, which requires an agent install as a web browser plug-in on any browser.
    The issue we have is applications deployed from Intune to user devices do not seem to install automatically when a user without admin rights logs on to enrol a device.
    The only way around is to install the application by an elevated admin account to do basic installs such as web plug-ins on a browser which do not require local admin rights to install.

    Microsoft confirmed BitLocker requires elevated permissions to install. However, it is not the only application requiring elevation in our current environment.
    What we would like to know is if there is a way to deploy applications from Intune without elevated credentials on a device when users connect to enrol, as we are using the OOBE method of enrolment. Is Intune incapable of doing this from a cloud-only solution? If not, how do we implement this?

    Thanks,

    • Hi Johathan,
      Everything that runs in user-context requires the user to have the required privileges. However, if you look at the PowerShell functionality, that requires the installation of the Intune Management Extension (automatically), that allows you to choose between running in SYSTEM-context and user-context. I do have to say that I haven’t tested this yet in combination with a less privileged user. Worth some testing.
      Regards, Peter
  4. It looks like Microsoft has changed the way it does assignment of the devices to the AutoPilot deployment profile.

    The Deployment profile now can be assigned to a (dynamic) group which contains the devices. The assign button doesn’t show anymore. But it appears that as soon as the CSV is uploaded the device will be shown in the device list (https://portal.azure.com/#blade/Microsoft_Intune_Devices/DeviceEntryBlade/aADDevices) and can be added to a group which is assigned to the AutoPilot profile.

    https://docs.microsoft.com/en-us/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group
  5. So is there yet something like the Apple DEP programme where you can buy them already assigned to your org?
    It seems like the only way is to go to each machine, complete the Windows install, run the script, collate all of the outputs and rebuild the machines with the machine IDs. That would be a pretty daft way of going about it.

    It’s frustrating that MS always brings out a new feature to much fanfare, only to find that it’s just half-arsed.
  6. Hi Peter,

    Are there any possibilities for the “standard” user account type to be granted “local admin rights” after the deployment?

    Thanks

    Hoschie

    • If you don’t specify if the user is an administrator or not, then it is a Standard user. In recent updates as of 3/2021, you can specifically choose administrator OR it is left at standard user.
  7. Hi All,

    What exactly is a standard user?
    What rights and privileges will a standard user get compared to an administrator?
  8. Hi,

    Can I set any policy in Intune so that a user can log in to only one computer in the company, and if they try to log on to another computer, they will be blocked?

    regards,
  9. Hello. I would like to know what I can use when a user leaves the company and I want to reassign the same PC to another user. Can I use Autopilot User Driven mode, or is this mode only for new devices that are coming directly from the OEM? Should I use Autopilot Reset? I need the new user to be able to choose the language and agree to the EULA.

    Does Autopilot Reset offer any customization options for the new user, or does it just roll back the computer to its previous state?