This is a step-by-step guide to configuring Windows Autopilot. I will go through each step needed to set up Autopilot from scratch and get it running so that it can deploy the operating system using MEM and Intune.

What is Windows Autopilot

First, we need to understand what Windows Autopilot is.

Windows Autopilot is not a single technology but a combination of several technologies that together pre-configure a device. It can be used to deploy a Windows PC along with all required applications, fully controlled through an MDM authority such as Intune.

With Autopilot we can fully control the device lifecycle, including resetting, repurposing and recovering the device.

The benefit of Windows Autopilot is that it is a cloud-based technology which doesn't require any on-premises infrastructure (though it can be integrated with one in a Hybrid scenario).

With Autopilot configured, the OEM can deliver the device directly to the user. Once it is switched on, the user only needs to provide credentials; the OOBE phase applies the configuration, installs the applications and makes the device ready according to corporate requirements. The device is fully enrolled and can be managed further with Intune.

AutoPilot Process

Following are the benefits we get while utilising Autopilot:

  1. Devices can be shipped directly to users from the OEM or reseller. They only need an internet connection to get through the OOBE phase of the operating system; everything else, including installing and configuring applications and settings, is taken care of automatically.
  2. Users can reset the device if they face issues. Resetting the device applies a fresh OS and brings all pre-configured settings and applications back to the device, exactly as they would be applied to a new device.
  3. Devices can be fully managed by the IT organization once the Autopilot configuration is completed. This can be done through:
    • Microsoft Intune
    • WUfB (Windows Update for Business)
    • SCCM / MECM
    • Other tools
  4. OOBE provides a custom interface and branding which helps the user understand that this device is specifically meant for their organisation.
  5. Autopilot provisioning allows changing the Windows edition, such as from Windows Professional to Windows Enterprise.

Pre-requisites for Windows Autopilot

  1. Supported OS

Windows 10 and Windows 11 are the supported operating systems. The following editions are supported:

  • Windows 10 / 11 Pro
  • Windows 10 / 11 Pro Education
  • Windows 10 / 11 Pro for Workstations
  • Windows 10 / 11 Enterprise
  • Windows 10 / 11 Education

Whitelist URLs for Autopilot

The following URLs need to be allowed when a proxy is used in your environment, because a device going through the Autopilot configuration phase contacts the Windows Autopilot Deployment service:

https://ztd.dds.microsoft.com
https://cs.dds.microsoft.com
https://login.live.com

License Requirement for Windows Autopilot

For Windows Autopilot to work, we need a valid Intune license, which is included in the following subscriptions:

  • Microsoft 365 Business Premium subscription
  • Microsoft 365 F1 or F3 subscription
  • Microsoft 365 Academic A1, A3, or A5 subscription
  • Microsoft 365 Enterprise E3 or E5 subscription, which includes all Windows client, Microsoft 365, and EMS features (Azure AD and Intune).
  • Enterprise Mobility + Security E3 or E5 subscription, which includes all needed Azure AD and Intune features.
  • Intune for Education subscription, which includes all needed Azure AD and Intune features.
  • Microsoft Entra ID Premium P1 or P2 and Microsoft Intune subscription (or an alternative MDM service).

Check the link for the types of Intune licenses.

Configuration Requirement

Following are the high-level configuration steps we will be doing:

  1. Create an Intune account / Azure tenant with an appropriate Intune license assigned
  2. Create users and assign an Intune license
  3. Configure Device settings – to allow users to join Microsoft Entra
  4. Enable Windows Enrollment
  5. Configure company branding
  6. Update the Enrollment Status Page
  7. Create Deployment Profiles
  8. Upload the hardware hash to the Intune portal
  9. Create a group and add the Autopilot device to it
  10. Target the deployment profile to the Autopilot group

Setup Windows Autopilot

Create Intune account / Azure Tenant with Intune license assigned

Intune uses Azure for identity management. When you create an account, Azure Active Directory is configured automatically. You may create an Enterprise Mobility + Security E5 trial, which provides a 90-day trial with 25 licenses. Follow the link for the complete guide to creating and setting up a Microsoft Intune account. This free trial account provides additional benefits such as Azure AD Premium access and the creation of dynamic groups.

Create users and assign Intune license

Log in to the Azure portal and navigate to Azure Active Directory > Users.

Create a new user and make sure to specify the Usage Location, otherwise you will not be able to assign a license to the user and will see this error:

Create AzureAD user
TestUser@manishbangiatraining2.onmicrosoft.com is not licensed to use Intune.

Once the user is created, navigate back to All users and select the newly created user. In the left pane select Licenses and click on Assignments.

Assign License to AzureAD user

Select the available license; I selected “Enterprise Mobility + Security E5” with all default license options, then click on Save.

Update License assignment

The license is now assigned to the user, who can now be used for Autopilot.

Configure Device settings – Allowing users to join Microsoft Entra (previously known as Azure AD join)

For devices to get enrolled in Intune, they need to join Microsoft Entra. Hence, we need to define who is allowed to join devices to Microsoft Entra.

Navigate to Azure Active Directory > Devices > Device Settings.

Set Users may join devices to Microsoft Entra to “All”. To narrow the scope to a limited set of users, the “Selected” option can be used instead.

Users may join devices to Azure AD

Enable Windows Enrollment

Log in to the Intune Admin Center (a portal specifically built for Intune related activities) and navigate to Devices > Enroll Devices > Automatic Enrollment.

Under Automatic Enrollment, change the MDM user scope to All. You also have the option to select “Some”, so that only specific groups have access to enroll devices.

Automatic Enrollment

For demonstration purposes, I am going with “All”, giving all users access to enroll devices; click on Save.

MDM user scope

For this demonstration, our focus is on Autopilot and configuring policies for devices. Hence, I am not going to make any changes to the MAM user scope.

Configure company branding

Under Azure Active Directory, scroll down, click Company Branding and click on Configure.

Azure AD Company Branding

This company branding setting applies your organization's logo and background when users go through the OOBE phase and provide their credentials. Seeing the visuals gives them confirmation that they are logging on to the correct Azure AD tenant.

Edit Company branding and specify:

  • Sign-in page background image
  • Banner logo
  • Username hint
  • Sign-in page text
  • Square logo image

Make sure the images follow the recommended file size and image dimensions.

Update Enrollment status page

Under the Intune Admin Center, navigate to Devices > Enroll Devices and click on Enrollment Status Page.

Enrollment Status page

You will see the default enrollment status page, which is targeted to all users and devices; select it and go to its properties. Select:

  • Show app and profile configuration progress: Yes
  • Show an error when installation takes longer than specified number of minutes: 60
  • Show custom message when time limit or error occurs: Yes (you can provide a custom message here, for example: “Setup could not be completed. Please try again or contact your support person for help.”)
  • Turn on log collection and diagnostics page for end users: Yes
  • Only show page to devices provisioned by out-of-box experience (OOBE): Yes
  • Block device use until all apps and profiles are installed: Yes
  • Allow users to reset device if installation error occurs: Yes
  • Allow users to use device if installation error occurs: Yes
  • Block device use until these required apps are installed if they are assigned to the user/device: All

Click on Review + Save. What we just did is configure the app and profile configuration progress, along with the other settings specified, to be shown during the OOBE operating system configuration phase.

Create Deployment Profiles

Navigate back to Devices > Enroll Devices and click on Deployment Profiles under the section “Windows Autopilot Deployment Program”.

Deployment profiles

We will now customize the Windows Autopilot provisioning experience by creating a profile which will later be targeted to the device.

Under Windows Autopilot Deployment Program, click Create Profile and select Windows PC (the other option available is HoloLens, which we will not be focusing on).

Windows Autopilot deployment profiles

On the Create Profile page, provide the name AzureAD. Set “Convert all targeted devices to Autopilot” to “Yes”. This is a very useful option: by default a deployment profile cannot be targeted to devices that are not Autopilot devices, so this conversion turns the targeted devices into Autopilot devices and lets you start using the Autopilot configuration for existing devices.

Under Out-of-box experience (OOBE) settings, we specify various rules which apply during the Autopilot phase, such as:

  • Deployment mode: User-Driven

There is also the option to select Self-Deploying, which is in preview. The User-Driven option lets users go through the OOBE phase themselves and drive the deployment.

  • Join to Microsoft Entra ID as: Microsoft Entra joined

There is another option available, i.e. “Microsoft Entra hybrid joined”. This option is required if you have on-premises infrastructure with Active Directory: the device needs to join both Active Directory and Azure Active Directory, hence “Hybrid”. This setting requires additional effort, as domain join requires line-of-sight access to a domain controller. If you are outside the network, you need some kind of Always On VPN solution along with certificates, configured via NDES / app proxy or a third-party solution. This whole process is much more complex compared to “Microsoft Entra joined”.

  • Microsoft Software License Terms: Hide
  • Privacy settings: Hide
  • Hide change account options: Hide

This is a very useful option, as it removes any way for the user to click Change account during OOBE. In other words, the device sticks to the corporate profile and never allows the user to set it up with their personal Microsoft credentials and turn it into a personal device.

  • User account type: Standard

The other option is “Administrator”; “Standard” is the best practice for users, since it gives them only the privileges they need.

  • Allow pre-provisioned deployment: No

Pre-provisioned deployment, previously known as white glove, allows an IT admin to reduce the time the user spends in OOBE waiting for applications to install: the admin intervenes in the process by pressing the Windows key 5 times, installs the apps and configurations, and the device can later be handed over to the user with minimal configuration left.

  • Language (Region): Operating system default
  • Automatically configure keyboard: Yes
  • Apply device name template: Yes

Enter a name: MBT-%RAND:9%

Microsoft allows two kinds of naming macros. One is serial number based, i.e. %serialnumber%. The other is %RAND:Number%, which generates that many random digits. We can combine dynamic and static values, such as:

MB%SerialNumber%
MB%RAND:9%
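As an added example (not part of the original post), the PowerShell function below expands a device name template the way shown above and checks the result against the rules Intune enforces on device names: at most 15 characters, only letters, digits and hyphens, and not all numbers. It accepts both the %SerialNumber% spelling used above and %SERIAL%; the serial number passed in is a constructed value.

```powershell
function Expand-AutopilotDeviceName {
    param(
        [Parameter(Mandatory)][string]$Template,      # e.g. 'MBT-%RAND:9%' or 'MB%SerialNumber%'
        [Parameter(Mandatory)][string]$SerialNumber   # the device serial, as found in the hardware hash CSV
    )
    # Replace the serial macro (either spelling, case-insensitive)
    $name = [regex]::Replace($Template, '%(SerialNumber|SERIAL)%', $SerialNumber, 'IgnoreCase')

    # Replace every %RAND:n% with n random decimal digits
    $name = [regex]::Replace($name, '%RAND:(\d+)%', {
        param($m)
        $digits = [int]$m.Groups[1].Value
        -join (1..$digits | ForEach-Object { Get-Random -Minimum 0 -Maximum 10 })
    }, 'IgnoreCase')

    # Validate the expanded name against the constraints Intune applies to device names
    $problems = @()
    if ($name.Length -gt 15)               { $problems += "is $($name.Length) characters, limit is 15" }
    if ($name -notmatch '^[A-Za-z0-9-]+$') { $problems += 'contains characters other than letters, digits and hyphens' }
    if ($name -match '^[0-9]+$')           { $problems += 'cannot be all numbers' }
    if ($name -match '%')                  { $problems += 'still contains an unexpanded macro' }

    [pscustomobject]@{
        Template = $Template
        Name     = $name
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed serial number (16 characters); real serials vary in length by vendor,
# which is exactly why a serial-based template can silently exceed the 15-character limit.
$serial = 'PF1A2B3C4D5E6F7G'

Expand-AutopilotDeviceName -Template 'MBT-%RAND:9%'     -SerialNumber $serial   # the template from the profile above
Expand-AutopilotDeviceName -Template 'MB%SerialNumber%' -SerialNumber $serial   # serial-based template with a long serial
Expand-AutopilotDeviceName -Template 'MB%RAND:9%'       -SerialNumber $serial   # random-digit template
```

Run it against the longest serial number format your vendor uses before saving the profile, since the portal cannot know how long the serials of not-yet-registered devices will be.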

Upload hardware hash to Intune portal

Why do we need to upload the hardware hash?

Every device has a unique hardware hash. Once this hardware hash is uploaded to Intune, the device becomes available as an Autopilot device, so you can target the previously created Autopilot deployment profile to it.

In a real-world scenario we wouldn't perform this task ourselves: the OEM / reseller uploads the hardware hash on your behalf once you authorize them and place the hardware order.

For demonstration purposes, let's do it manually.

Log in to the Windows 10 / Windows 11 device and run the following PowerShell commands from an elevated (administrator) prompt:

# Create a working folder and move into it
New-Item -Type Directory -Path "C:\HardwareHash"
Set-Location -Path "C:\HardwareHash"
# Add the default Install-Script location to PATH so the script can be called by name
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
# Allow the downloaded script to run (add -Scope Process to limit this to the current
# session instead of changing the machine-wide policy)
Set-ExecutionPolicy -ExecutionPolicy Bypass -Force
# Download the Get-WindowsAutoPilotInfo script from the PowerShell Gallery
Install-Script -Name Get-WindowsAutoPilotInfo
# Collect this device's serial number and hardware hash into a CSV file
Get-WindowsAutoPilotInfo -OutputFile HardwareHashDevice.csv

Upload hardware hash

This hardware hash file contains the columns Device Serial Number, Windows Product ID and Hardware Hash, and can be checked in Notepad.
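As an added example (not part of the original post or of the Get-WindowsAutoPilotInfo script), the function below sanity-checks a hardware hash CSV before it is imported, so that a malformed file is caught locally rather than by the portal's format check. It assumes the header shown above; the sample file is constructed, including a deliberately corrupt hash and an empty serial number.

```powershell
function Test-AutopilotHashCsv {
    param([Parameter(Mandatory)][string]$Path)

    $expectedHeader = 'Device Serial Number,Windows Product ID,Hardware Hash'
    $lines = Get-Content -Path $Path
    if (-not $lines -or $lines[0].Trim() -ne $expectedHeader) {
        return [pscustomobject]@{ Valid = $false; Rows = 0; Errors = @("Header must be exactly '$expectedHeader'") }
    }

    $errors = @()
    $seen   = @{}
    $rows   = @(Import-Csv -Path $Path)
    $line   = 1                               # header is line 1
    foreach ($row in $rows) {
        $line++
        $serial = $row.'Device Serial Number'
        $hash   = $row.'Hardware Hash'
        # Serial number is mandatory and must be unique; Windows Product ID may legitimately be empty
        if ([string]::IsNullOrWhiteSpace($serial))  { $errors += "Line ${line}: serial number is empty" }
        elseif ($seen.ContainsKey($serial))         { $errors += "Line ${line}: duplicate serial '$serial'" }
        else                                        { $seen[$serial] = $true }
        # The hash is a base64 string; anything that does not decode is a corrupt or truncated row
        if ([string]::IsNullOrWhiteSpace($hash)) { $errors += "Line ${line}: hardware hash is empty"; continue }
        try   { [void][Convert]::FromBase64String($hash) }
        catch { $errors += "Line ${line}: hardware hash is not valid base64" }
    }
    [pscustomobject]@{ Valid = ($errors.Count -eq 0); Rows = $rows.Count; Errors = $errors }
}

# Constructed sample: one good row, one with an empty serial, one with a corrupt hash.
# The hash values are placeholders, not real hardware hashes.
$sample = @'
Device Serial Number,Windows Product ID,Hardware Hash
1234ABCD,,T0ZGTElORVRFU1RIQVNI
,,T0ZGTElORVRFU1RIQVNI
5678EFGH,,not*base64!
'@
$tmp = Join-Path $env:TEMP 'HardwareHashSample.csv'
Set-Content -Path $tmp -Value $sample
Test-AutopilotHashCsv -Path $tmp | Format-List
```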

To import Autopilot devices using PowerShell instead, check the linked post for more details.

Navigate back to the MEM Admin Center and go to Devices > Enroll Devices; under Windows Autopilot Deployment Program select Devices.

Autopilot Devices

Click on Import and select the CSV file we created. If the file is properly formatted you will see “Rows formatted correctly”; click on Import.

Allow it a few minutes for the hardware hash to be uploaded to the portal.

Add autopilot devices

Once done, you will see the device serial number listed on the Windows Autopilot Devices page.

Check the box against the device and assign it to the existing user who already has an Intune license assigned.

User is assigned to the Autopilot device.

Create Group and add autopilot device under it

We need to create a group and add the existing Autopilot device to it. This group will be used to target the deployment profile.

Navigate to Groups and create a new group with Group type “Security” and group name “AutoPilot”. Under Members, add the newly created Autopilot device.

Target Deployment profile to Autopilot group

Our deployment profile was created previously, and we now have a test group as well. Let's target the deployment profile: navigate to Devices > Enroll Devices > Deployment Profiles.

Select the AzureAD profile, click on Properties and edit the Assignments to target it to the group.

Select the group “Autopilot”, click on Review + Save.

Navigate back to Windows Autopilot Devices and wait for some time. The Profile Status will go through these phases:

  • Not Assigned
  • Updating
  • Assigned

Autopilot device assigned

This is our last step. Don't perform any Autopilot activity on the device until you see “Assigned”. It should take only a couple of minutes, but sometimes I see the profile not getting assigned for a couple of hours, and Microsoft documentation says it may take up to 48 hours.

Reset the PC

We are ready with Autopilot configuration. Now it is the time for real action.

Let's reset the existing PC; once it restarts it will go through the Autopilot phase.

Click on the Start menu, open Settings, search for Reset this PC and click on Get Started.

Reset this PC

Choose the option Remove everything.

reset windows 10 Remove everything

Under How to reinstall Windows, click on Local reinstall, which is faster than the “Cloud download” option.

Reset this PC local install

Verify the message and click on Reset.

Ready to reset this PC

This might take a while depending on HDD vs SSD and the applications installed. The process takes your system back to its original state, equivalent to buying a device from the market and going through the initial configuration (which is called OOBE).

Initiate AutoPilot configuration after resetting the device

Once the device is reset, it takes you to the OOBE region selection screen; select one and click Next.

Windows 10 OOBE select region

On the next page, select the keyboard layout and click Yes.

You may add another keyboard layout or else click Skip.

The page shown below comes directly from the custom branding, which helps users identify their company and confirm they are joining the right tenant. Provide the username and click Next.

Provide the credentials and click Next.

As security defaults are turned on for new tenants, it will ask you to set up MFA; click on Set it up now.

Help us protect you better

You need to have the Microsoft Authenticator app downloaded on your phone (Play Store for Android or App Store for iPhone / iPad); click Next once downloaded.

Keep your account secure

Configure Microsoft Authenticator on your phone by adding an account of type “Work or school”.

Keep your account secure

Scan the QR code shown on the screen, which immediately registers the user; it will then ask you to approve a sign-in request. Click on Approve.

Once approved, you will see the Notification approved message; click Next.

You are done with setting up MFA; click Done.

You will then go through the “Setting up your device” phase, which consists of 3 sections with multiple subsections:

  • Device preparation
    • Securing your hardware
    • Joining your organization’s network
    • Registering your device for mobile management
    • Preparing your device for mobile management
  • Device setup
    • Security policies
    • Certificates
    • Network connections
    • Apps
  • Account setup

Setting up your device for work
Autopilot device preparation

Allow some time for these steps to complete. The device will ask you to log in once Device preparation and Device setup are done.

autopilot device setup

Once the login is completed, it continues with setup again, this time Account setup.

Once done, you will be able to log in to the Windows 10 device.

Open a command prompt and verify the hostname.

We can see that we got the desired naming convention, based on what we set up while creating the deployment profile.

In the Endpoint Manager portal we can also see the device details; the device is now Azure AD joined and fully managed by Intune.

Device status can be checked through Azure Portal > Azure Active Directory > Devices as well.

Conclusion

In this post I showed you a step-by-step guide on how to start with creating an Intune account, specifying basic settings, creating a user and assigning a license to it, and configuring custom branding.

All configuration we saw here was related to Azure AD Join. This is the recommended configuration, as “Hybrid Azure AD Join” comes with many other prerequisites, including line-of-sight connectivity to your on-premises domain controller.

Important Links

https://docs.microsoft.com/en-us/mem/intune/fundamentals/

https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune

https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-device-management