In this article, we will discuss Windows Autopilot user-driven mode in detail.
As you know, Windows Autopilot is primarily used for provisioning a Windows 10 device from its initial state to a business-ready state without involving the IT department.
Microsoft has made this process so simple that a person with no technical background can bring a device to the business-ready state. The process is typically even easier than getting a personal device ready.
How difficult can it be to unbox the device, switch it on, choose the location and keyboard, connect to a network and sign in?
It cannot get easier than that for an end user. Later in this post, we will show some screen captures of the user experience. Now we will focus on the exciting part: how an admin pulls this off.
If you have read the post about Windows Autopilot, you already know its different components. Let's recall them:
2. Autopilot Dynamic Device Group: the device group to which an Autopilot profile is assigned. The dynamic membership query matches devices that carry a ZTD ID, Order ID or Purchase Order ID.
3. Import and add a device: the process of uploading the details of the devices that will go through Windows Autopilot provisioning. It is done by uploading a CSV file that contains each device's serial number and hardware ID. The CSV can be provided by the OEM, reseller, partner or CSP, or an admin can collect it from an existing device using the PowerShell script.
Below are the main requirements for users.
One of the major components in an Autopilot scenario is the Autopilot Dynamic Device Group. This is the device group to which an Autopilot profile is assigned. Administrators can instead use an assigned group, typically in a small environment where devices can be added to the group manually.
A step-by-step guide about creating an Autopilot dynamic device group
In the Microsoft Endpoint Manager admin center, choose Groups > New group. In the Group blade:
For Group type, choose Security.
Fill in a Group name and Group description
For Membership type, choose either Assigned or Dynamic Device.
Choose Dynamic device members and paste one of the following rules into the Advanced rule box. These rules collect only Autopilot devices, because they target attributes that only Autopilot-registered devices possess.
Administrators can use dynamic device queries for ZTD ID, Order ID, or Purchase Order ID. A device uploaded for Autopilot provisioning will automatically fall into these groups.
ZTD ID: (device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
Order ID: (device.devicePhysicalIds -any _ -eq "[OrderID]:XXXXXXXX")
Purchase Order ID: (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:XXXXXXXXX")
These are only example queries; admins can use others according to their requirements.
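As an added example (not from the original post), the ZTDId rule above can be created as a dynamic group through Microsoft Graph PowerShell, and the devices it will match can be previewed from their physicalIds attribute. Keeping the rule this narrow matters because the profile assigned to the group, including its User account type setting, applies to every device that lands in it. The group name is a placeholder, and the script assumes the Microsoft.Graph modules are installed and the signed-in account holds the listed permissions.

```powershell
# Added example, not the article's own code: create the Autopilot dynamic device group with the
# ZTDId rule from the article, then list the devices that already carry a ZTDId (the ones the
# rule will pull in once membership processing runs).
# Assumptions: Microsoft.Graph modules installed; account has Group.ReadWrite.All and Device.Read.All;
# the group name 'Autopilot-UserDriven-AADJ' is a placeholder.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

$groupName = 'Autopilot-UserDriven-AADJ'
$rule      = '(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))'

# Reuse the group if it already exists so the script is safe to re-run.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Property 'id', 'displayName', 'membershipRule'
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -Description 'Devices registered for Windows Autopilot (ZTDId present)' `
        -MailEnabled:$false -MailNickname 'autopilot-userdriven-aadj' -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
}
Write-Output "Group '$($group.DisplayName)' ($($group.Id)) uses rule: $($group.MembershipRule)"

# Preview: only devices whose physicalIds contain a "[ZTDId]:" entry satisfy the rule above,
# so anything missing from this list will not receive the profile.
Get-MgDevice -All -Property 'displayName', 'physicalIds' |
    Where-Object { $_.PhysicalIds -match '^\[ZTDId\]:' } |
    ForEach-Object {
        [pscustomobject]@{
            Device = $_.DisplayName
            ZTDId  = ($_.PhysicalIds | Where-Object { $_ -like '[[]ZTDId]:*' }) -replace '^\[ZTDId\]:', ''
        }
    } | Format-Table -AutoSize
```

Dynamic membership is evaluated asynchronously, so a device that appears in the preview may still take a few minutes to show up as a group member.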
An administrator will create an Autopilot profile with the deployment mode set to User-Driven and "Join to Azure AD as" set to Azure AD joined. As discussed earlier, this is the profile that defines the settings and the pages shown during the out-of-box experience (OOBE).
In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Deployment Profiles > Create Profile. Fill in the details and toggle the switches for the profile as per the requirements:
Name: The name you want to give the Autopilot profile.
Description: Provide a valid description.
Convert all targeted devices to Autopilot: Yes/No (We will discuss this option later)
Deployment Mode: Choose between the two deployment modes; for this walkthrough, select User-Driven.
Join to Azure AD as: Defines how the device joins Azure AD. The device can be joined directly to Azure AD, or, where there is a dependency on local AD, the Hybrid Azure AD joined option can be used.
Microsoft Software License Terms: The administrator can configure whether the end user sees the end-user license agreement screen. If set to Hide, the end user will not see the EULA screen. (Requires Windows 10 1709 and later.)
Privacy settings: The admin can configure whether the end user sees and configures the privacy settings during OOBE.
Hide change account options: Select Hide to prevent the user from changing the account on the company sign-in page. This option requires company branding to be configured in Azure AD. (Requires Windows 10 1809 and later.)
User account type: Specifies the privilege level of the end user on the device, either Standard User or Local Admin. For least privilege, keep Standard User unless there is a specific need for local administrator rights, since this setting applies to every device in the assigned group.
Allow White Glove OOBE: An additional feature from Microsoft that allows IT administrators to sign in to the device without the assigned user and complete the OOBE phase ahead of time, giving the end user a much better experience. (Requires Windows 10 1903 and later.)
Language (Region): Configures the language and region for the device.
Automatically configure keyboard: Selects the keyboard layout automatically based on the language chosen above.
Apply device name template: The admin can configure the name the device receives when it enrolls into Intune. Names must be 15 characters or less and may contain letters, numbers and hyphens. Use the %SERIAL% macro to include the hardware serial number. (Requires Windows 10 1809 and later.)
Scope Tags: Select the scope tag as per the requirement if you have created one, or use the default scope tag.
Assignment: Choose the device group to which the profile must be applied. Here we use the dynamic device group discussed earlier. You can also exclude groups in the same setting.
Review + Create: Finally, review all the settings and create the profile by clicking Create.
The device is recognized by its hardware ID, which is uploaded in the form of a CSV. To upload the CSV, follow these steps:
In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program) > Import.
Under the Notifications tab you will see the device upload in progress:
Once the CSV is uploaded successfully, the device is assigned a ZTD ID, which is later used as the attribute that makes the device a member of the dynamic device group.
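As an added example (not from the original post), the following script checks an Autopilot CSV before it is imported and previews the device names that a %SERIAL%-based name template would produce, so that rows with a bad hash or a name over 15 characters are caught before the upload fails or a device enrolls with a truncated name. It assumes the CSV came from Microsoft's Get-WindowsAutoPilotInfo.ps1 script; the file path and the name template are placeholders.

```powershell
# Added example, not the article's own code: validate an Autopilot CSV and preview device names.
# Assumptions: CSV produced by Microsoft's Get-WindowsAutoPilotInfo.ps1
#   (Install-Script -Name Get-WindowsAutoPilotInfo; Get-WindowsAutoPilotInfo.ps1 -OutputFile .\AutopilotHWID.csv);
# $CsvPath and $NameTemplate below are placeholders.
param(
    [string]$CsvPath      = '.\AutopilotHWID.csv',
    [string]$NameTemplate = 'CORP-%SERIAL%'
)

$expectedHeader = 'Device Serial Number,Windows Product ID,Hardware Hash'
$maxRows        = 500   # Intune accepts at most 500 devices per CSV import

$lines = @(Get-Content -Path $CsvPath)
if ($lines.Count -lt 2) { throw "CSV has no device rows: $CsvPath" }

# The first three columns are mandatory; Group Tag / Assigned User may follow them.
if (-not $lines[0].StartsWith($expectedHeader)) {
    throw "Unexpected header '$($lines[0])'. Expected it to start with '$expectedHeader'."
}
if (($lines.Count - 1) -gt $maxRows) {
    throw "CSV contains $($lines.Count - 1) devices; split it into files of at most $maxRows rows."
}

$rows     = Import-Csv -Path $CsvPath
$problems = @()
foreach ($row in $rows) {
    $serial = $row.'Device Serial Number'
    $hash   = $row.'Hardware Hash'
    if ([string]::IsNullOrWhiteSpace($serial)) { $problems += 'Row with empty serial number'; continue }
    if ([string]::IsNullOrWhiteSpace($hash))   { $problems += "$serial - empty hardware hash"; continue }

    # The hardware hash is base64; a truncated or hand-edited value will not decode.
    try { [void][Convert]::FromBase64String($hash) }
    catch { $problems += "$serial - hardware hash is not valid base64" }

    # Preview the name the profile template would assign (only the %SERIAL% macro is expanded).
    $name = $NameTemplate.Replace('%SERIAL%', $serial)
    if ($name.Length -gt 15)               { $problems += "$serial - name '$name' exceeds 15 characters" }
    if ($name -notmatch '^[A-Za-z0-9-]+$') { $problems += "$serial - name '$name' contains characters other than letters, digits and hyphens" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'CSV failed validation; fix the issues above before importing.'
}
Write-Output "CSV OK: $($rows.Count) device(s) ready to import."
```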
Thus, we have completed the administrator-side setup of Windows Autopilot user-driven mode for Azure AD join.
Let's dive into the end-user experience: how the device behaves when the user receives it and signs in.
The user will have to follow the below steps to get the device in a business-ready state:
2. Select the preferred keyboard layout (if not preset in the profile)
3. Skip or add a secondary keyboard
4. Connect the device to the network
5. Once the device is connected to a network, it takes some time to set things up on the backend. This is where the device is identified to Azure AD using its hardware ID. We will cover the backend processes in another blog post.
6. The device recognizes that it belongs to the specific domain. You can now sign in with your username and password.
7. After a few simple setup steps, you reach the Enrollment Status Page, which shows the status of the resources being configured on the device.
8. In some scenarios you may be asked to sign in with your username and password again. This is where all the profiles, applications and deployments start.
9. You are routed again to the Enrollment Status Page for account setup.
Note: The entire device setup may take around 40-60 minutes and requires a reboot.
We're done setting up Windows Autopilot user-driven mode!
The author holds a Bachelor of Technology in Electronics & Communication (2013) and has built a career in cloud IT infrastructure. The author joined the Microsoft technology world at the bottom of the ladder as a help desk operator. Working in Microsoft support with Convergys gave an end-to-end insight into Microsoft Intune and SaaS-based technologies. The author then worked for multiple clients migrating their device management strategies from on-premises to the cloud, mostly Intune and AirWatch (VMware Workspace ONE), worked with HCL, and is now with ITC Infotech as an Intune consultant, planning and implementing device management for one of the biggest beer manufacturers globally.