Setup a Windows Autopilot test lab

Many companies today have a cloud-first strategy and are trying to move more and more on prem infrastructure to the cloud. This also includes the device management. With Covid 19, remote working was the new normal and many companies are facing the challenge of how to manage devices secure and comfortable in the home office.

With Intune, Microsoft has a very powerful solution to manage devices via the internet.  In my blogs I would like to give insights into cloud device management and discuss current topics.

In this blog post I will start with a basic topic, it’s about how to set up Windows Autopilot Device from scratch. I explain how you can set up a test environment to gain experience with Windows 10 Autopilot or to test different things.

What is Windows Autopilot?

With Windows 1809 Windows Autopliot was introduced. It is a technology based on Microsoft Intune to easily deploy and reset Windows 10 devices. Autopliot offers an experiance that an user is also knows from the home use. Since only the language, keyboard and network connection need to be configured, devices can be deployed directly on a user’s desktop.

Windows Autopilot receives all settings, customizations and applications during the enrollment from Intune, this means the image creation from the traditional environment is no longer necessary. This offers the possible to make changes more dynamically without creating a new image. The whole process works with a Windows vanilla image.

In the last few years , we have observed how the service from Microsoft has been continuously developed and improved. More information about Windows Autopilot can be found here: Overview of Windows Autopilot | Microsoft Docs

What are the requirements for Autopilot?

The most important thing to set up devices via Windows autopilot is an internet connection.
Additionally you need a M365 tenant. How you can set up a free dev tenant is described very well by Joymalya Basu Roy in the following blog post (Want to Learn Intune? Get an M365 Dev Tenant – MDM Tech Space (joymalya.com)).

The Dev Tenant contains 25 M365 E5 licenses which includes the Intune and Windows license. If you are working in another tenant, make sure that one of the following licenses is available:

  • Microsoft 365 Business Premium subscription
  • Microsoft 365 F1 or F3 subscription
  • Microsoft 365 Academic A1, A3, or A5 subscription
  • Microsoft 365 Enterprise E3 or E5 subscription, which include all Windows 10, Microsoft 365, and EM+S features (Azure AD and Intune).
  • Enterprise Mobility + Security E3 or E5 subscription, which include all needed Azure AD and Intune features.
  • Intune for Education subscription, which include all needed Azure AD and Intune features.
  • Azure Active Directory Premium P1 or P2 and Microsoft Intune subscription (or an alternative MDM service).

A virtual machine or an hardware workplace with one of the following Windows 10 versions is also required:

  • Windows 10 Pro
  • Windows 10 Pro Education
  • Windows 10 Pro for Workstations
  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 10 Enterprise 2019 LTSC
  • Windows 10 IOT Enterprise
  • Windows 10 IOT Enterprise 2019 LTSC

Let’s get started

If you meet the above requirements, you can log in to the Microsoft Endpoint Manager Admin Center

First of all you need to enable the Intune auto-enrollment for all users. To do this, select in the MEM (Microsoft Endpoint Manager) portal, Devices > Enroll devices > Automatics Enrollment and select All for “MDM user scope” and “MAM user scope” and click save.

Add Company Branding

To customize the enrollment experience, we add a branding.
To do this, you have to open the Azure portal and open the Azure Active Directory. For this we have 2 possibilities. One is via the sortcut on the start page or via the search bar.

  • Select Company branding and Configure
  • Configure the Compnay branding as you like and save the settings

Create dynamic device group

Before we create the deployment profile we need to create a device group in which the associated devices will be grouped. Therefore you open the MEM portal.

  • Select Groups from the left menu bar
  • Click New group
  • Select Security as Group type, enter an group name and select Dynamic Device as Membership type
  • Click on Add dynamic query
  • Click Edit and enter the following filter
    • The OrderID can be freely defined (in my example: “AutoPilotTest1”).
(device.devicePhysicalIds -any _ -eq "[OrderID]:AutoPilotTest1")
  • Click Create

Now the group is created in which the autopilot objects comes. More about the autopilot objects later.
Now we need a second group were we can assign policies and applications.

For this we create a new group but this time as type Assigned. Then we add the previously created group with the autopilot objects via No members selected.

Last but not least, we need a third group where the users come in so we can attach the licenses. This group is called All Users and is a dynamic group.

We specify the following as filters:

(user.surname -ne " 0")
  • To add a license go to Licenses > Assignments
  • Select the Microsoft 365 E5 Developer license and click Save.

Note: with this license we can test and license quite a lot of services. The Windows license is not included in the Developer license but this is not a big deal as it is only a test lab.

 Create deployment profile

Now we create a new Windows Autopilot Deployment profile.

  •  Select in the MEM Portal, Devices > Provisioning Profiles > Create Profiles > Windows PC
  • Enter a name
  • The OOBE (out-of-the-box experience) settings can be left at the default values.

If you want to set a custom hostename you can do this with the marked setting. For this you can use the variables %SERIAL% or %RAND:x% (x = number of characters)

  • Click next.
  • Click Add groups and select the dynamic group we created in the earlier step.
  • Click Select and Next.
  • Click Create

Now we have created the enrollment profile and can continue with the next step.

Enrollment Status Page

When deploying a Modern Workplace, we see the so-called Enrollment Status Page (ESP). This shows the progress of the deployment. We want to configure this page now.

  • Select Devices > Enroll devices > Enrollment Status Page in the MEM portal.

By default there is already an entry. Now we want to configure it according to our needs

  • Click on All users and all devices
  • Click on Edit next to the Settings heading
  • Select Yes for “Show app and profile configuration progress“.
  • Select No for “Show custom message when time limit error occurs” or insert a custom message for a time out
  • Select Yes for “Allow users to reset device if installation error occurs“.

We want to give the user the possibility that if an error occurs during enrollment, he can reset the device to start the process from the beginning.

  • Click Review + safe > Safe

Voilà the deployment profile is created and the enrollment status page is configured. Can we now start with the setup of a device?
No, unfortunately, one last step is still missing. We have to register the test device in our tenant first.
Usually the registration of a device with Windows Autopilot is performed by the OEM, reseller, or distributor. They get the right to register these devices on the tenant of the ordering company.
By uploading the device hash, the device is married to the company and is assigned the defined enrollment profile by a group tag.

Register the device

Since we are testing with a VM or hardware that was not ordered as an autopilot device, we have to register it ourselves. How to do this I will explain now.
First you have to set up a VM or a test machine with a current Windows 10 image (as newer as better).

  • Start the machine and type “Shift + F10” on the keyboard.
  • Type into the CMD window PowerShell
  • Type in the following commands:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutoPilotInfo

Confirm all queries with [Y] Yes or [A] Yes to all

  • Type the following command and Authenticate with an Intune Admin account:
Get-WindowsAutoPilotInfo.ps1 -GroupTag AutoPilotTest1 -online
  • Accept the required rights.

Now we can check in Intune if the hash is there and if the group tag is set

To do this, navigate in the MEM portal to Devices > Enroll devices > Devices

There it is. We can find the device and also see that the Group Tag has been set and through the dynamic group membership, the Enrollment Profile has also been set.

I hope I could give you an overview with this blog how to configure Windows Autopilot in Intune. In one of my next blog I will explain how to enroll a device and what happens during the enrollment.

Stay healthy, Cheers
Jannik

2 thoughts on “Setup a Windows Autopilot test lab

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s