Windows Autopilot User-Driven Mode for Azure AD joined


In this article, we walk through Windows Autopilot user-driven mode in detail.

As you know, Windows Autopilot is primarily used to take a Windows 10 device from its out-of-the-box state to a business-ready state without IT having to touch the device.

Microsoft has made this process so simple that a person with no technical background can get their device into a business-ready state. Typically, the process is easier than setting up a personal device.

Surprising, right?

How hard can it be to unbox the device, switch it on, choose the region and keyboard, connect to a network and sign in?

It cannot get easier than that for an end user. Later in this post, we show screen captures of the user experience. First we focus on the more interesting part: how an admin pulls this off.

Before diving into the Windows autopilot user-driven mode

If you have read the post about Windows Autopilot, you already know its components. Let's recap them:

  1. Autopilot Deployment Profile: The profile that carries the OOBE instructions for the devices. It defines which pages are shown, what kind of user account is created, and some initial settings during the first boot.

  2. Autopilot Dynamic Device Group: The device group to which an Autopilot profile is assigned. The dynamic membership rule matches devices carrying a ZTD ID, an Order ID (group tag) or a Purchase Order ID.

  3. Import and add a device: The process of uploading the details of the devices that will go through Windows Autopilot provisioning. It is done by uploading a CSV file containing each device's serial number and hardware hash. The CSV can be supplied by the OEM, reseller, partner or CSP, or an admin can generate it from an existing device with the Get-WindowsAutopilotInfo PowerShell script.

Windows autopilot user-driven mode dive in

Below are the main requirements on the user side.

  1. The person who will use the device must hold valid Intune and Azure AD Premium licenses. The reason is simple: they will be joining the device to Azure Active Directory and enrolling it into Intune.
  2. The user must have permission to join devices to Azure AD.
  3. The setting "Users may join devices to Azure AD" must be set to All, or better, to Selected with only the intended users. To configure it, go to Azure Active Directory > Devices > Device settings > Users may join devices to Azure AD. Keeping this at Selected limits who can register corporate devices into the tenant; also check that the "Maximum number of devices per user" limit will not block the join.

Screenshot: Device settings for Windows Autopilot user-driven mode

Autopilot Dynamic Device Group

One of the major components in an Autopilot scenario is the Autopilot Dynamic Device Group. This is the device group to which an Autopilot profile is assigned. In a small environment, administrators can use an Assigned group instead and add devices to it manually.

A step-by-step guide about creating an Autopilot dynamic device group

In the Microsoft Endpoint Manager admin center choose Groups > New group. In the Group blade:

For Group type, choose Security.

Fill in a Group name and Group description.

For Membership type, choose either Assigned or Dynamic Device.

Choose Dynamic device members and paste one of the following rules into the Advanced rule box. Only Autopilot devices are gathered by these rules, because they target attributes that only Autopilot-registered devices carry.

Administrators can use dynamic device rules for ZTD ID, Order ID (the group tag set at import) or Purchase Order ID. A device uploaded for Autopilot provisioning will automatically fall into the matching group.

ZTD ID: (device.devicePhysicalIds -any (_ -contains "[ZTDId]"))

Order ID: (device.devicePhysicalIds -any _ -eq "[OrderID]:XXXXXXXX")

PurchaseOrder ID: (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:XXXXXXXXX")

These are example rules; admins can write others as requirements dictate. Note that the ZTD ID rule matches every Autopilot device in the tenant, so a profile assigned to that group applies to all of them. Use the Order ID (group tag) rule when different sets of devices need different profiles.
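The same group can be created from PowerShell with the Microsoft Graph SDK instead of the portal. This is an added example, not code from the original article: it assumes the Microsoft.Graph.Groups module is installed, that the signed-in admin can consent to Group.ReadWrite.All, and it uses a hypothetical group tag and group name.

```powershell
# Added example (not from the original article): create the Autopilot dynamic
# device group with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Authentication and Microsoft.Graph.Groups are installed.
param(
    # Hypothetical group tag; devices imported with -GroupTag 'Contoso-Sales'
    # surface it as "[OrderID]:Contoso-Sales" in devicePhysicalIds.
    [string]$GroupTag  = 'Contoso-Sales',
    [string]$GroupName = 'Autopilot - User-driven - Sales'
)

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Scoping on the group tag instead of the catch-all "[ZTDId]" rule keeps the
# profile off every other Autopilot device in the tenant.
$rule = "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$GroupTag`"))"

# MailNickname must be unique and free of spaces/punctuation.
$nickname = $GroupName -replace '[^A-Za-z0-9]', ''

$group = New-MgGroup -DisplayName $GroupName `
    -Description "Autopilot devices imported with group tag '$GroupTag'" `
    -MailEnabled:$false `
    -MailNickname $nickname `
    -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

"Created group $($group.DisplayName) ($($group.Id))"
"Membership rule: $rule"

# Dynamic membership is evaluated asynchronously; it can take several minutes
# before imported devices show up. Re-run this line to watch them arrive.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

Rule text is sent verbatim to Azure AD, so keep the straight double quotes shown here; curly quotes copied from a web page make the rule fail validation.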

New group
Dynamic Membership Rules

Create an Autopilot profile

An administrator creates an Autopilot profile with the deployment mode set to User-Driven and "Join to Azure AD as" set to Azure AD joined. As discussed earlier, this is the profile that defines the settings and the pages shown during the out-of-box experience.

In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Deployment Profiles > Create Profile. Fill in the details and toggle the switches for the profile as required:

  • Under the Basics section use the following:

                Name: Use the name you want to give the Autopilot profile.

                Description: Provide a meaningful description.

    Convert all targeted devices to Autopilot: Yes/No. When set to Yes, Intune-enrolled devices in the assigned group that are not yet registered with Autopilot get registered automatically, so that their next reset goes through Autopilot.

Create Autopilot profile
  • Out-of-box Experience (OOBE): Here the admin configures the out-of-box experience the end user goes through after signing in.

Deployment Mode: There are two deployment modes.

  1. User-Driven: a user is present and drives the entire process with their own credentials.
  2. Self-Deploying: for devices not associated with any user, where no user credentials are needed to provision the device.

Join to Azure AD as: Defines how the device joins Azure AD. The device can be joined directly to Azure AD, or, where there is a dependency on on-premises Active Directory, Hybrid Azure AD joined can be used (this additionally requires the Intune Connector for Active Directory and line of sight to a domain controller during provisioning).

Microsoft Software License Terms: Controls whether the user sees the end-user license agreement screen. If set to Hide, the EULA screen is skipped (requires Windows 10 1709 or later).

Privacy settings: Controls whether the end user sees and configures the privacy settings page during OOBE.

Hide change account options: Select Hide to prevent the user from changing the account on the company sign-in page, so the device can only be provisioned with an account from your tenant. This option requires company branding to be configured in Azure AD (requires Windows 10 1809 or later).

User account type: Specifies the end user's privilege level on the device: Standard User or Administrator. Without a profile, the user who joins a device to Azure AD becomes a local administrator; choose Standard User so the enrolling user does not end up with admin rights on the device.

Allow White Glove OOBE: An additional feature (now called Windows Autopilot for pre-provisioned deployment) that lets IT staff or a partner run the device part of provisioning before the device is handed over, without the assigned user's credentials. The admin completes the device setup phase, giving the end user a shorter OOBE (requires Windows 10 1903 or later and a physical device with TPM 2.0).

Language (Region): Configures the language and region for the device.

Automatically configure keyboard: Selects the keyboard layout automatically based on the language chosen above.

Apply device name template: Lets the admin set the name the device receives when it enrolls into Intune. Names must be 15 characters or fewer, may contain letters, numbers and hyphens, and cannot consist of numbers only. Use the %SERIAL% macro to include the hardware serial number, or %RAND:x% for x random digits (requires Windows 10 1809 or later).

Create profile

Scope Tags: Select a scope tag if one has been created for the requirement, or keep the Default scope tag.

Create profile 2nd screenshot

Assignments: Choose the device group to which the profile must be applied. Here we use the dynamic device group created earlier. You can also exclude groups in the same step.

Review + Create: The final step is to review all the settings and click Create.

Review all settings

Import and add a device

The device is recognized by its hardware hash, which is uploaded in a CSV file. To upload the CSV, do the following:

In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program) > Import.

Add Windows Autopilot device

Under the notifications tab you will see the device upload in progress:

Once the CSV is uploaded successfully, the device is registered with the Autopilot service and assigned a ZTD ID (and the group tag, if one was supplied), which is later used as the attribute that makes the device a member of the dynamic device group.
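Collecting the hardware hash yourself and checking the CSV before uploading it saves a failed import. The following is an added example, not code from the original article: it assumes the Get-WindowsAutopilotInfo script from the PowerShell Gallery, and the output path and group tag are placeholders.

```powershell
# Added example (not from the original article): gather the hardware hash and
# sanity-check the Autopilot CSV before importing it in the admin center.
#
# Run once, elevated, on the device itself (or a technician PC with the
# device's hash collected via -Online/-OutputFile):
#   Install-Script -Name Get-WindowsAutopilotInfo -Force
#   Get-WindowsAutopilotInfo -OutputFile C:\Temp\AutopilotHWID.csv -GroupTag 'Contoso-Sales'
# The -GroupTag value is what the "[OrderID]:" dynamic group rule matches on.

function Test-AutopilotCsv {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Columns the Intune import expects; "Group Tag" and "Assigned User" are optional.
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'

    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No rows found in $Path" }

    $headers = $rows[0].PSObject.Properties.Name
    $missing = $required | Where-Object { $_ -notin $headers }
    if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

    $seen = @{}
    foreach ($r in $rows) {
        $serial = $r.'Device Serial Number'
        $hash   = $r.'Hardware Hash'

        if ([string]::IsNullOrWhiteSpace($serial)) { throw 'Row with empty serial number' }
        if ($seen.ContainsKey($serial)) { throw "Duplicate serial number: $serial" }
        $seen[$serial] = $true

        # The hash is a base64 blob of roughly 4 KB; a mangled copy/paste or a
        # spreadsheet that "helpfully" reformatted the cell shows up here.
        try { $null = [Convert]::FromBase64String($hash) }
        catch { throw "Hardware hash for $serial is not valid base64" }
        if ($hash.Length -lt 1000) {
            Write-Warning "Hardware hash for $serial looks truncated ($($hash.Length) chars)"
        }
        if ($r.'Group Tag' -and $r.'Group Tag' -match '\s') {
            Write-Warning "Group tag for $serial contains whitespace; the dynamic rule must match it exactly"
        }
    }
    "$($rows.Count) device(s) ready for import: $($seen.Keys -join ', ')"
}

Test-AutopilotCsv -Path 'C:\Temp\AutopilotHWID.csv'
```

The hardware hash uniquely identifies the device to the Autopilot service, so treat the CSV as sensitive: whoever holds it can pre-register that hardware against a tenant.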

With that, the administrator-side setup for Windows Autopilot user-driven mode for Azure AD joined devices is complete.

Windows autopilot user driven-mode – End-User Experience

Let's look at the end-user experience: how the device behaves when the user receives it and signs in.

The user follows the steps below to get the device into a business-ready state:

  1. Select the region
Select the region

2. Select the keyboard layout that is preferred (if not selected in the profile)

Keyboard Layout

3. Skip or add a secondary keyboard

Secondary Keyboard

4. Connect the device to the network

Connect the device

5. Once the device is connected to a network, it takes a moment to set things up in the background. This is where the device contacts the Autopilot deployment service, which matches the device's hardware hash against the registered devices and returns the assigned profile. We will cover the backend process in another blog post.

Setup of Windows autopilot user driven-mode, user side

6. The device recognizes that it belongs to your tenant and shows the company sign-in page. Sign in with your username and password.

Login to Windows autopilot user driven-mode

7. After a few simple steps, the Enrollment Status Page appears and shows the status of the resources being configured on the device.

Screenshot: Enrollment Status Page, "Setting up your device for work"

8. In some scenarios you may be asked to sign in with your username and password again. This is where the user-targeted profiles, applications and deployments start.

Sign in again

9. You are routed back to the Enrollment Status Page for the account setup phase.

Enrollment status page

Note: The entire device setup may take around 40-60 minutes and can require a reboot.
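Once the Enrollment Status Page finishes, it is worth confirming on the device that the outcome matches the profile: Azure AD joined (not hybrid), MDM enrolled, the name from the device name template applied, and the signed-in user not a local administrator when the profile specified Standard User. The following is an added example, not code from the original article; the expected name pattern is a placeholder, and it assumes it is run in an elevated PowerShell session by the user who enrolled the device.

```powershell
# Added example (not from the original article): post-enrollment checks run on
# the device after the Enrollment Status Page completes.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; turn them into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([^:\s][^:]*?)\s*:\s*(.+?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    $status
}

function Get-LocalAdministrators {
    # "net localgroup" is used instead of Get-LocalGroupMember because the latter
    # can fail on Azure AD joined devices when the group holds unresolvable SIDs.
    (net localgroup Administrators) |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' } |
        ForEach-Object { $_.Trim() }
}

function Test-AutopilotOutcome {
    param(
        # Hypothetical: matches a template such as "CONTOSO-%SERIAL%" trimmed to 15 chars.
        [string]$ExpectedNamePattern = '^CONTOSO-[A-Z0-9-]{1,7}$'
    )

    $s      = Get-DsregStatus
    $me     = "$env:USERDOMAIN\$env:USERNAME"      # e.g. AzureAD\RiteshJangir
    $admins = Get-LocalAdministrators

    $checks = [ordered]@{
        'Azure AD joined'                = $s['AzureAdJoined'] -eq 'YES'
        'Not hybrid (no on-prem domain)' = $s['DomainJoined']  -eq 'NO'
        'MDM enrolled (MdmUrl present)'  = -not [string]::IsNullOrEmpty($s['MdmUrl'])
        'Device name matches template'   = $env:COMPUTERNAME -match $ExpectedNamePattern
        'Signed-in user is standard'     = $admins -notcontains $me
    }

    foreach ($name in $checks.Keys) {
        '{0,-34} {1}' -f $name, $(if ($checks[$name]) { 'PASS' } else { 'FAIL' })
    }

    # Overall result: $true only when every check passed.
    -not ($checks.Values -contains $false)
}

Test-AutopilotOutcome
```

A FAIL on the last line usually means the profile was created with User account type set to Administrator, or the device enrolled before the profile was assigned to its group; either way the user now holds local admin rights the design did not intend.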

That completes the setup of Windows Autopilot user-driven mode.

About the Author: Ritesh Jangir

The author graduated in 2013 with a Bachelor of Technology in Electronics & Communication and has built his career in cloud IT infrastructure. He started with Microsoft technologies at the bottom of the ladder as a help desk operator. Working in Microsoft support with Convergys gave him end-to-end insight into Microsoft Intune and SaaS-based technologies. He has since helped multiple clients migrate their device management from on-premises to the cloud, mostly with Intune and AirWatch (VMware Workspace ONE). He has worked with HCL and is now with ITC Infotech as an Intune consultant, planning and implementing device management for one of the largest beer manufacturers in the world.