A look at Windows AutoPilot

Introduction

Windows 10 AutoPilot is a recently released collection of technologies from Microsoft that provides a simple process to setup and configure new devices, requiring minimal to no infrastructure. The premise is that this greatly reduces the required effort from IT admins usually spent on building and customising images. And from the user’s perspective, it only takes a few simple operations to make their device ready to use. This feature allows IT admins to:

• Automatically join devices to Azure Active Directory (Azure AD)
• Auto-enroll devices into MDM services, such as Microsoft Intune
• Restrict the Administrator account creation
• Create and auto-assign devices to configuration groups based on a device’s profile
• Customize OOBE content specific to the organization

To be clear, some of the above concepts aren’t new, for example auto-join devices to Azure or auto-enrol devices in Intune, however, the above points are a ‘collection’ of technologies which together provide a new method/experience for provisioning devices.

For more information, start at Overview of Windows AutoPilot.

For this blog post, we will go through the required steps to set up a simple deployment of Windows Autopilot and observe the user experience and behaviour (in a cloud-driven deployment scenario). Additionally, for this scenario, we will configure the Windows device to enrol in Intune, configure the device via an Intune configuration profile and automatically install Office Pro Plus.

Prerequisites

As detailed on the overview of AutoPilot page mentioned earlier, the prerequisites for Autopilot are:

1. Devices must be registered to the organization
2. Devices have to be pre-installed with Windows 10, version 1703 or later
3. Devices must have access to the internet
4. Azure AD Premium P1 or P2 subscription (or EM+S subscription that also includes Intune, which is what I will use)
5. Microsoft Intune or other MDM services to manage your devices (we will use Intune).

Expanding on the above, other prerequisites and my lab environment setup to facilitate this activity are:

• Create a VM with Windows 10 version 1703 or later to fulfil point 1. and 2 . above
• Trial EM+S E3 or E5 subscription to fulfil point 4. and 5. above
• Trial/Demo Office 365 and Intune tenant (setup for automatic Windows enrolment) to fulfil point 5. above
• Global administrator logon for above tenant
• Optionally, trial Office 365 license.

Setup Windows 10 device and register to organisation

Below are the steps I used to setup for this activity. There are alternate ways to do most of the following steps, but in the interest of brevity I will stick with what I did.

• Install a test client machine on Hyper-V, with required minimum Windows 10 version.
• Download the Get-WindowsAutoPilotInfo 1.0 script from the Powershell Gallery, and use it to get the required information (e.g. hardware ID) for the above device to register it in your organisation. The script will create a CSV file to use in the next step.
  NOTE: Microsoft states it is actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf, so running the powershell script will not be required and the process becomes more streamlined.
• Once you have the above info, Sysprep your device and power off for now.
  TIP: I took a snapshot of the VM at this point so I could revert back to it to run through the provisioning process as many times as I wanted.
• Following the instructions on Manage Windows device deployment with Windows AutoPilot Deployment, log into the Microsoft Store for Business (with your tenant’s Global Admin account) to upload your device information gathered from running the Powershell script and then configure an AutoPilot profile. Below are screenshots of doing this.

Upload the CSV file under the Devices tab.

Create an AutoPilot deployment profile.

Assign the AutoPilot deployment profile to the machine.

Set up Intune tenant

Intune must be set up as your MDM authority.

Ensure Windows device enrolment is enabled (it is by default).

In order for your devices to be auto-enrolled into MDM management in Intune, MDM auto-enrolment needs to be configured in Azure AD. To do that with Intune, please see Enrol Windows devices for Microsoft Intune.

Restrict MDM enrolment to specific users if you want to (I scoped to group shown below).

Check that DNS is correct for device enrolment.

I also configured Windows Hello as shown below.

Setup Intune device configuration and Office install policies

You can set up a device configuration profile for Windows 10 in your Intune tenant as shown below. Remember to assign to a group containing your users.

You can create an Office Pro Plus deployment for Windows 10 as shown below. Remember to assign to a group containing your users.

User experience

With all the prerequisites set up, you can now power up your virtual machine to simulate the OOBE for the user. Below are the screen grabs from my lab, based on the above configuration.

In my lab, the VM connected to the Internet automatically. In real world scenario you may have to select a wireless network and enter passphrase for example.

It will also search for updates and apply them if any, as below screen grab indicates.

Note that instead of the default Microsoft Windows sign in screen, you will have your organisation’s customisations.

At this point enter the email address (identity) of a user in your tenant’s (Azure) AD.

Because I configured Windows Hello, I am prompted to set it up.

My lab user was configured for MFA, so I had to approve a second factor authentication request.

In the device settings, we can see that it is connected to Azure AD.

And in Intune in the Azure portal, we can see and manage the device.

My Intune Windows 10 device configuration policy simply added a desktop background image and default Edge browser home page to demonstrate that the policy is being applied.

And in between 10-15 minutes, Office 365 Pro Plus was installed.

Observations

Playing around with this in my lab, I noticed that I could log on to the device (from OOBE) with an account from another organisation, and with the exception of the AutoPilot configuration, provided the other tenant had all the prerequisites set up Intune and Azure AD, the device was joined to that tenant’s Intune and could be managed from there. The only difference was the AutoPilot features weren’t configured because the other tenant did not have this set up. So it appears that registering a device in Store for Business (at least) for a specific organisation doesn’t restrict enrolment for that device to that organisation only!

Microsoft says it is working to add additional options to further personalize and streamline the setup experience in future releases, and I think addressing the above behaviour should be high on the list. Also, for a higher level of control over the provisioning process, provisioning packages can be created with Windows Configuration Designer, see Create a provisioning package for Windows 10.

To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for Microsoft Store for Business or Partner Centre.

Overall the I think Autopilot is a pretty cool concept and am looking forward to future feature enhancements.