Offline Windows Autopilot deployment profile

This week is all about Windows Autopilot. More specifically, about offline Windows Autopilot deployment profiles. The use case for an offline Windows Autopilot deployment profile is simple: a migration from Windows 7 to Windows 10 for existing devices. It enables organizations to reimage devices one last time and provide those devices with an offline Windows Autopilot deployment profile. That makes sure that those devices will contact the Windows Autopilot deployment service, without first being registered. In this post I’ll look at getting the offline Windows Autopilot deployment profile, followed by an explanation of the attributes in the offline Windows Autopilot deployment profile. I’ll end this post by looking at the usage of the offline Windows Autopilot deployment profile and a method to group the devices that are deployed via an offline Windows Autopilot deployment profile.

How to get the offline deployment profile

Let’s start by having a look at how to get the offline Windows Autopilot deployment profile. The following five steps walk through the process of downloading the required PowerShell cmdlets, connecting to the correct services and saving the Windows Autopilot deployment profile as a JSON-file.

1 Open a Windows PowerShell command box, as an administrator, on an Internet connected device
2 Install the Azure AD module by using Install-Module AzureAD -Force
3 Install the Windows Autopilot module by using Install-Module WindowsAutopilotIntune -Force
4a Connect to the Intune service by using Connect-AutopilotIntune
4b Provide the user principal name of a user with enough administrative rights and provide the password in the Sign in to your account window
5 Export the Windows Autopilot deployment profile (Get-AutoPilotProfile), convert the deployment profile to JSON format (ConvertTo-AutoPilotConfigurationJSON) and save the output as AutoPilotConfigurationFile.json (Out-File) by using Get-AutoPilotProfile | ConvertTo-AutoPilotConfigurationJSON | Out-File -FilePath $env:userprofile\desktop\AutoPilotConfigurationFile.json -Encoding ASCII

Note: When there are multiple deployment profiles configured in the tenant, an additional filter should be used to export only a specific deployment profile.


Explanation of the attributes in the offline deployment profile

The JSON-file contains a few different attributes and it’s good to understand the usage of those attributes. The following table contains the different attributes and a short explanation.

Attribute Explanation
CloudAssignedTenantId This GUID is a required attribute and specifies the GUID of the Azure AD tenant that should be used.
CloudAssignedDeviceName This string is an optional attribute and specifies the naming pattern for devices that should be used.
CloudAssignedForcedEnrollment This number is a required attribute and specifies if the device should require AAD Join and MDM enrollment. This can be one of the following values:
  • 0 = not required,
  • 1 = required.
Version This number is an optional attribute and specifies the version that identifies the format of the JSON file. For Windows 10, version 1809, the version must be 2049.
Comment_File This string is an optional attribute and specifies a comment that by default contains the name of the profile.
CloudAssignedAadServerData This encoded JSON string is a required attribute and specifies the branding configuration (this requires Azure AD branding to be enabled) that should be used.
CloudAssignedOobeConfig This number is a required attribute and specifies a bitmap that shows which Autopilot settings should be configured. This can include the following values:
  • SkipCortanaOptIn = 1,
  • OobeUserNotLocalAdmin = 2,
  • SkipExpressSettings = 4,
  • SkipOemRegistration = 8,
  • SkipEula = 16
CloudAssignedDomainJoinMethod This number is a required attribute and specifies the domain join method that should be used. Both hybrid AAD join and AAD join should be set to 0.
ZtdCorrelationId This GUID is a required attribute and specifies a unique GUID that will be provided to Intune as part of the registration process. This GUID can be used to group the devices in a dynamic Azure AD security group.
CloudAssignedTenantDomain This string is a required attribute and specifies the name of the Azure AD tenant that should be used.

How to use the offline deployment profile

The offline Windows Autopilot deployment profile can be used on Windows 10, version 1809, or later. The only other requirements are that the file is named AutoPilotConfigurationFile.json and that the file is available in C:\Windows\Provisioning\Autopilot\. Below are a few example processes that can be used to prepare a device with an offline Windows Autopilot deployment profile.

1 Manually copy the file to the required location and SYSPREP the device.
2 Use a USB-stick to install Windows and in the same process copy the file to the required location and SYSPREP the device.
3 Use MDT to install Windows and in the same process copy the file to the required location and SYSPREP the device.
4 Use Configuration Manager to install Windows and in the same process copy the file to the required location and SYSPREP the device.
5 Use a third-party product to install Windows and in the same process copy the file to the required location and SYSPREP the device.

How to group devices based on the offline deployment profile

The last thing worth mentioning is that it’s also possible to group devices based on the fact that they were deployed via an offline Windows Autopilot deployment profile. Devices that are enrolled by using an offline Windows Autopilot deployment profile will have the Azure AD device attribute enrollmentProfileName set to "OfflineAutopilotprofile-<ZtdCorrelationId>". The ZtdCorrelationId is available in the offline Windows Autopilot deployment profile as shown and mentioned above. That would make a dynamic query for an Azure AD device group like this: (device.enrollmentProfileName -eq "OfflineAutopilotprofile-7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC").
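
A check to run on the profile before it is copied to the device, as an added example that is not part of the original post: it verifies the attributes the table above marks as required, decodes the CloudAssignedOobeConfig bitmap, and derives the dynamic group rule from ZtdCorrelationId. The function name Test-OfflineAutopilotProfile and the sample JSON values are assumptions constructed for illustration.

```powershell
# Added example, not from the original post. Flag values are those listed in the attribute table.
[Flags()] enum OobeConfig {
    SkipCortanaOptIn      = 1
    OobeUserNotLocalAdmin = 2
    SkipExpressSettings   = 4
    SkipOemRegistration   = 8
    SkipEula              = 16
}

# Hypothetical helper: checks a profile before it is copied to C:\Windows\Provisioning\Autopilot\.
function Test-OfflineAutopilotProfile {
    param([Parameter(Mandatory)][string]$Json)
    $p     = $Json | ConvertFrom-Json
    $names = @($p.PSObject.Properties.Name)
    # Attributes the table marks as required (a value of 0 is valid, so test for presence only).
    $required = 'CloudAssignedTenantId', 'CloudAssignedForcedEnrollment', 'CloudAssignedAadServerData',
                'CloudAssignedOobeConfig', 'CloudAssignedDomainJoinMethod', 'ZtdCorrelationId',
                'CloudAssignedTenantDomain'
    $missing  = @($required | Where-Object { $names -notcontains $_ })
    # Both GUID attributes must parse; -as returns $null for a missing or malformed value.
    $badGuids = @('CloudAssignedTenantId', 'ZtdCorrelationId' |
        Where-Object { $null -eq ($p.$_ -as [guid]) })
    $known = 31                                   # 1 + 2 + 4 + 8 + 16
    $oobe  = [int]$p.CloudAssignedOobeConfig
    [pscustomobject]@{
        MissingRequired  = $missing
        InvalidGuids     = $badGuids
        ForcedEnrollment = ([int]$p.CloudAssignedForcedEnrollment -eq 1)
        OobeSettings     = [OobeConfig]($oobe -band $known)
        UnknownOobeBits  = $oobe -band (-bnot $known)
        GroupRule        = '(device.enrollmentProfileName -eq "OfflineAutopilotprofile-{0}")' -f $p.ZtdCorrelationId
    }
}

# Constructed sample: tenant values are placeholders; ZtdCorrelationId is the GUID from the query above.
$sample = @'
{
  "CloudAssignedTenantId": "00000000-0000-0000-0000-000000000001",
  "CloudAssignedForcedEnrollment": 1,
  "Version": 2049,
  "CloudAssignedAadServerData": "{}",
  "CloudAssignedOobeConfig": 28,
  "CloudAssignedDomainJoinMethod": 0,
  "ZtdCorrelationId": "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC",
  "CloudAssignedTenantDomain": "contoso.example"
}
'@
Test-OfflineAutopilotProfile -Json $sample | Format-List
```

To check a real export, pass the output of Get-Content -Raw for the saved AutoPilotConfigurationFile.json as -Json.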

More information

For more information regarding offline Windows Autopilot profiles, please refer to this article about Windows Autopilot for existing devices.

16 thoughts on “Offline Windows Autopilot deployment profile”

  1. Hi Peter,

    Were you successful in creating the dynamic device group with enrollmentProfileName set to “OfflineAutopilotprofile-” ? Is there a PS or Graph command to see what the device enrollmentProfileName is?

  2. Hi Peter, I have the same issue with the dynamic group. No devices are added during the autopilot process. This is my query:
    (device.enrollmentProfileName -eq “OfflineAutopilotprofile-7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC”)

    Any idea how long this takes? Any default values, etc?

    Cheers,
    Al

  3. I’ve not been able to get this to work.
    Triple checked the ID.
    Device shows in Deployment Profile -> Assigned Devices
    Dynamic group rule = (device.enrollmentProfileName -eq “OfflineAutopilotProfile-e87061c5-e445-4fd1-b231-e6300bb01614”)
    Even after a week devices don’t show yet.

    • Hi John. Did you ever get this working? Came across your comment after a recent need for me to do this. Group is populated with the device from “OfflineAutopilotProfile-xxxx”, and assigned to the deployment profile. But device won’t appear in Autopilot. Have checked all requirements, and it ‘should’ work.

  4. This no longer works. This was super helpful but we can’t get it to work because the PowerShell modules have changed. Can you help us by updating it?

  5. I’m getting the below error when trying to export the Autopilot profile. The account I’m using to connect to MSGraph is a global administrator.

    Get-MgOrganization : The term ‘Get-MgOrganization’ is not recognized as the name of a cmdlet, function, script file,
    or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
    try again.
    At C:\Program Files\WindowsPowerShell\Modules\WindowsAutoPilotIntune\5.6\WindowsAutoPilotIntune.psm1:586 char:25
    + $script:TenantOrg = Get-MgOrganization
    + ~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Get-MgOrganization:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Get-MgDomain : The term ‘Get-MgDomain’ is not recognized as the name of a cmdlet, function, script file, or operable
    program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:\Program Files\WindowsPowerShell\Modules\WindowsAutoPilotIntune\5.6\WindowsAutoPilotIntune.psm1:587 char:26
    + $script:allDomains = Get-MgDomain -All
    + ~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Get-MgDomain:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Get-AutoPilotProfile : Microsoft.Graph.PowerShell.AuthenticationException: Authentication needed. Please call
    Connect-MgGraph.
    at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
    At line:1 char:1
    + Get-AutoPilotProfile | ConvertTo-AutoPilotConfigurationJSON | Out-Fil …
    + ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-AutopilotProfile

  6. Hi Peter,
    Thanks a lot for all of your articles and sorry for my bad English 🙁

    I have a question about the JSON file which is available in C:\Windows\Provisioning\Autopilot\

    Just after Autopilot the file is present in the folder.
    But after a few minutes the file is automatically deleted.

    Do you know which mechanism deletes the file?
    I would like to keep the file to monitor computers prepared with a USB key and prepared with the classic Autopilot process.

    Thanks a lot from France 😉
