Intune: User Based Windows Enrollment Part 2

One of the most successful and widely used methods of enrolling Windows devices in an enterprise is Windows Autopilot. When Windows Autopilot launched back in April 2018, it was the only method by which a user could sign in and enroll a device as corporate-owned while ending up as a standard user; every other enrollment method required the enrolling user to be a local administrator on the device.

As the name suggests, the device enrolls itself: no IT "pilot" is needed at the keyboard for setup and configuration.

Autopilot was introduced as the modern replacement for OS imaging. It is an integral part of modern workplace management, cutting Windows 10 out-of-the-box provisioning from days to minutes.

With features like Autopilot Reset and white glove (pre-provisioning), it becomes much easier to reuse a device and bring it back into management without wasting time.

A point to remember is that Autopilot only kicks in during the out-of-the-box experience (OOBE). Whether a device is brand new or an existing one being onboarded, it has to go through OOBE (for an existing device, that means a reset) for the Autopilot profile to apply.

Why Autopilot

Provisioning a device with Autopilot saves a great deal of time, local IT effort and device-management cost. The device joins Azure AD over the internet and, with automatic MDM enrollment configured, enrolls into Intune in the same flow, so management starts from the first sign-in. This lets you ship a brand-new, boxed device straight to the user, who gets the feel of a fresh device; all provisioning, management, deployment and setup happen during the first boot. In the OS-imaging days, by contrast, a new device passed through several pairs of IT hands for a custom OS installation and setup before it reached the user, and it never arrived as a fresh device. Autopilot does not lay down a custom OS image; instead it customizes the base image already on the device to bring it to a business-ready state.

Prerequisites for Autopilot

  • Azure Active Directory Premium (P1 or P2) subscription
  • Intune subscription
  • Automatic MDM enrollment configured in Azure AD (Mobility (MDM and MAM) > Microsoft Intune, MDM user scope)
  • A supported Windows 10 Semi-Annual Channel version
  • A supported Windows 10 SKU: Pro, Pro Education, Enterprise, Education, Enterprise 2019 LTSC and Pro for Workstations

There are four deployment scenarios for Windows Autopilot:

  • User-driven mode
  • Self-deploying mode
  • White glove
  • Autopilot for existing devices

We will talk about each of them in detail, but first let us understand the components involved in an Autopilot provisioning setup.

  1. Autopilot deployment profile
  2. Autopilot dynamic device group
  3. Import and add a device

  1. Autopilot deployment profile: the profile carries the OOBE instructions for the device. It defines which OOBE pages are shown or skipped (EULA, privacy settings, change-account options), the deployment mode and join type, whether the signed-in user ends up as a standard user or a local administrator, and the device name template applied during first boot.

To create an autopilot profile:

In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Deployment Profiles > Create Profile. Fill in the details and toggle the switches for the profile as per the requirements.

The above picture shows the settings available to configure in an autopilot profile.

  2. Autopilot dynamic device group: one of the major components of an Autopilot scenario. This is the device group to which the Autopilot profile is assigned. Admins can use an assigned group instead, typically in a small environment where devices are added to the group by hand; at scale a dynamic group picks devices up automatically as their hashes are imported.

To create an Autopilot dynamic device group:

In the Microsoft Endpoint Manager admin center, choose Groups > New group. In the Group blade:

For Group type, choose Security.

Type a Group name and Group description.

For Membership type, choose Dynamic Device (choose Assigned if you intend to add devices by hand).

Choose Dynamic device members and enter one of the following rules in the Advanced rule box. Only Autopilot-registered devices are gathered by these rules, because they target attributes (entries in devicePhysicalIds) that only Autopilot devices carry.

Admins can build dynamic device rules on the ZTD ID, the Order ID or the Purchase Order ID. Devices uploaded for Autopilot provisioning then fall into these groups automatically.

ZTD ID (matches every Autopilot-registered device in the tenant, so use it only when one profile should apply to all of them):

(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))

Order ID (the Group Tag given at import, stored as the device's OrderID attribute):

(device.devicePhysicalIds -any (_ -eq "[OrderID]:XXXXXXXX"))

Purchase Order ID (set when an OEM or reseller registers the devices against a purchase order):

(device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:XXXXXXXXX"))

These are example rules; admins can build others as their knowledge and requirements dictate. Dynamic membership is evaluated asynchronously, so before handing a device over, confirm that its Profile status under Devices > Windows > Windows enrollment > Devices shows Assigned; a device that reaches OOBE before its profile is assigned simply gets the standard OOBE.

  3. Import and add a device: Autopilot identifies a device by its hardware hash (also called the hardware ID), which is uploaded to the service in a CSV file. This route is for devices already in your hands that were not registered by the OEM or reseller. To capture the CSV on the device, run the following from an elevated PowerShell prompt (the execution-policy change is scoped to this process only, so it does not persist):

md C:\HWID
Set-Location C:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
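The CSV that script writes is exactly what the Intune import parses, and a file with the wrong header, duplicate serial numbers, a hash mangled in transit or more than 500 rows is rejected at import time, often after the devices have already been handed out. The following PowerShell is an added example and not part of the original post or of Microsoft's Get-WindowsAutoPilotInfo script: it checks such a file offline and can stamp a Group Tag on every row so the devices land in an Order ID dynamic group. The function name Test-AutopilotHashCsv, its -GroupTag and -OutPath parameters and the sample rows are my own constructions; the column names and the 500-row limit are Intune's.

```powershell
# Added example, not from the original post: pre-flight checks on an Autopilot
# hardware-hash CSV before it is uploaded to Intune, with optional stamping of a
# Group Tag. The sample file at the bottom is constructed; its "hashes" are short
# base64 stand-ins for the roughly 4 KB blob Get-WindowsAutoPilotInfo writes.
Set-StrictMode -Version Latest

# Header names exactly as Get-WindowsAutoPilotInfo writes them. The Intune import
# rejects a file whose header differs; the last two columns are optional.
$AutopilotColumns = @('Device Serial Number', 'Windows Product ID', 'Hardware Hash', 'Group Tag', 'Assigned User')
$RequiredColumns  = $AutopilotColumns[0..2]
$MaxRowsPerImport = 500   # Intune accepts at most 500 rows per CSV import

function Test-AutopilotHashCsv {
    <# Returns Ok, RowCount and Problems for the CSV at $Path. With -GroupTag every
       row is stamped with that tag (it becomes the device's [OrderID] attribute,
       which the Order ID dynamic-group rule keys on). With -OutPath a cleaned copy
       is written, but only when no problems were found. #>
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $GroupTag,
        [string] $OutPath
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Compare the raw header line so a renamed or missing column is caught even
    # where Import-Csv would quietly produce empty properties.
    $header = (Get-Content -LiteralPath $Path -TotalCount 1) -split ',' |
        ForEach-Object { $_.Trim().Trim('"') }
    foreach ($col in $RequiredColumns) {
        if ($header -notcontains $col) { $problems.Add("missing required column '$col'") }
    }
    if ($problems.Count -gt 0) {
        return [pscustomobject]@{ Path = $Path; RowCount = 0; Ok = $false; Problems = $problems.ToArray() }
    }

    $rows = @(Import-Csv -LiteralPath $Path)
    if ($rows.Count -eq 0) { $problems.Add('no device rows') }
    if ($rows.Count -gt $MaxRowsPerImport) {
        $problems.Add("$($rows.Count) rows; split the file, Intune imports at most $MaxRowsPerImport")
    }

    # Serial numbers must be unique within the file; compare case-insensitively.
    $seenSerials = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $line = 1   # line 1 is the header
    foreach ($row in $rows) {
        $line++
        $serial = "$($row.'Device Serial Number')".Trim()
        $hash   = "$($row.'Hardware Hash')".Trim()
        if (-not $serial) { $problems.Add("line ${line}: empty serial number") }
        elseif (-not $seenSerials.Add($serial)) { $problems.Add("line ${line}: duplicate serial '$serial'") }
        if (-not $hash) {
            $problems.Add("line ${line}: empty hardware hash")
        } else {
            # The hash is an opaque base64 blob; offline we can only confirm it decodes.
            try { [void][Convert]::FromBase64String($hash) }
            catch { $problems.Add("line ${line}: hardware hash is not valid base64") }
        }
        if ($GroupTag) {
            if ($row.PSObject.Properties['Group Tag']) { $row.'Group Tag' = $GroupTag }
            else { $row | Add-Member -NotePropertyName 'Group Tag' -NotePropertyValue $GroupTag }
        }
    }

    $ok = ($problems.Count -eq 0)
    if ($ok -and $OutPath) {
        # Get-WindowsAutoPilotInfo writes unquoted fields; strip the quotes ConvertTo-Csv adds.
        $rows | Select-Object -Property $AutopilotColumns |
            ConvertTo-Csv -NoTypeInformation |
            ForEach-Object { $_ -replace '"', '' } |
            Out-File -LiteralPath $OutPath
    }
    [pscustomobject]@{ Path = $Path; RowCount = $rows.Count; Ok = $ok; Problems = $problems.ToArray() }
}

# --- constructed sample: four rows, one duplicate serial and one mangled hash ---
function New-FakeHash([string] $seed) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("constructed-hash-$seed"))
}
$sample = Join-Path ([IO.Path]::GetTempPath()) 'AutoPilotHWID-sample.csv'
@(
    'Device Serial Number,Windows Product ID,Hardware Hash'
    "SN-0001,,$(New-FakeHash 1)"
    "SN-0002,,$(New-FakeHash 2)"
    "sn-0001,,$(New-FakeHash 3)"      # duplicate of line 2, differing only in case
    'SN-0004,,not*base64*at*all'      # mangled hash, as seen after a bad copy/paste
) | Set-Content -LiteralPath $sample

$result = Test-AutopilotHashCsv -Path $sample -GroupTag 'Sales' -OutPath ($sample -replace '\.csv$', '-tagged.csv')
$result | Format-List
# Problems reports lines 4 and 5; fix or drop those rows and re-run until Ok is True,
# then upload the tagged file under Devices > Windows enrollment > Devices > Import.
```

The tagged copy is only written when the file is clean, so the workflow is: run the check, fix the reported lines, re-run, then import. If you rely on the Order ID rule, stamp the Group Tag here rather than editing each device afterwards in the portal, and make sure the value matches the string in the rule exactly.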

Alternatively, an OEM can register the purchased devices directly to your tenant; that is the case in which the Purchase Order ID rule applies.

In the same way, a partner, reseller or CSP can upload the same CSV for your tenant from Partner Center.

There are a couple more portals where the CSV can be uploaded, the Microsoft 365 admin center (Microsoft 365 Business) and Microsoft Store for Business, but Microsoft recommends using the Intune blade for full functionality.

In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program) > Import.

This was an overview of Windows Autopilot and the terminology associated with it. In the next post we shall walk through enrolling a device using the user-driven Autopilot scenario.

Goodbye until then!!

About the Author Ritesh Jangir

The author graduated in 2013 with a Bachelor of Technology in Electronics & Communication and has built his career in cloud IT infrastructure. He got into Microsoft technologies from the bottom of the ladder as a help desk operator. Working in Microsoft support with Convergys gave him end-to-end insight into Microsoft Intune and SaaS-based technologies. He has since worked with multiple clients to migrate their device management from on-premises to the cloud, mostly Intune and AirWatch (VMware Workspace ONE). He worked with HCL and is now with ITC Infotech as an Intune consultant, planning and implementing device management for one of the largest beer manufacturers in the world.
