Traditional Management vs Modern Management – Part 4 – Windows AutoPilot
What is AutoPilot
Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. I can really see the appeal: we use XMA for our hardware, and I deploy our standard image to the desktops before they are delivered to the end user, but AutoPilot may change that approach.
I was at a WMUG event where Gerry Hampson MVP and Paul Winstanley MVP spoke about AutoPilot, and Peter Egerton also explored it on his blog. I was intrigued and wanted to try it out (I have linked their blog posts).
Windows AutoPilot allows you to:
- Automatically join devices to Azure Active Directory (Azure AD)
- Auto-enroll devices into MDM services, such as Microsoft Intune (Requires an Azure AD Premium subscription)
- Restrict the Administrator account creation
- Create and auto-assign devices to configuration groups based on a device’s profile
- Customize some OOBE content specific to the organization
Prerequisites:
- Devices must be registered to the organization
- Company branding needs to be configured
- Network connectivity to cloud services used by Windows AutoPilot
- Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
- Devices must have access to the internet
- Azure AD Premium P1 or P2
- Users must be allowed to join devices into Azure AD
- Microsoft Intune or other MDM services to manage your devices
Gather AutoPilot Device Data
You will need to register a device for AutoPilot to work. The idea is that your supplier (in my case XMA) will populate this information in a CSV file and you can add it to the Windows Store for Business (or directly in Azure). At the moment getting the device serial number and Windows product ID is easy, but moving forward I need to get the hardware hash as well. Below are some examples.
Device Serial Number:
wmic bios get serialnumber

Windows Product ID:
Get-ItemPropertyValue "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey" "ProductId"

Hardware Hash (run from an elevated PowerShell session; the root/cimv2/mdm/dmmap namespace only exists on Windows 10 1703 and later, and the query returns nothing without admin rights):
$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt"
Microsoft's Get-WindowsAutoPilotInfo.ps1 script (published on the PowerShell Gallery, so it can be fetched with Install-Script -Name Get-WindowsAutoPilotInfo) collects the same values and writes them in the CSV layout the Store expects. When pointed at remote machines it uses CIM sessions, so you need admin rights and WinRM access on each target; the pipeline examples bind the computer name from the Name property of the objects passed in.
Export Computer AutoPilot Data
.\Get-WindowsAutoPilotInfo.ps1 -ComputerName MYCOMPUTER -OutputFile .\MyComputer.csv
Append Computer AutoPilot Data
.\Get-WindowsAutoPilotInfo.ps1 -ComputerName MYCOMPUTER -OutputFile .\MyComputer.csv -Append
Export AutoPilot Data from an SCCM Collection
Get-CMCollectionMember -CollectionName "All Systems" | .\Get-WindowsAutoPilotInfo.ps1 -OutputFile .\MyComputers.csv
Export AutoPilot Data from Active Directory
Get-ADComputer -Filter * | .\Get-WindowsAutoPilotInfo.ps1 -OutputFile .\MyComputers.csv
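As an added example (this is not code from the original post, nor Microsoft's Get-WindowsAutoPilotInfo.ps1), the PowerShell below collects the three values from the Gather section on the local machine, writes them with the exact header Windows Store for Business expects, and then re-reads the file to check it before upload. The checker also works on CSVs produced by the script commands above. The function names Get-AutoPilotDeviceInfo and Test-AutoPilotCsv and the 512-byte hash floor are my own choices, not anything from Microsoft. The checks target the failures that actually bite in practice: a "#TYPE" first line from Export-Csv without -NoTypeInformation, an empty hash from running non-elevated, and duplicate serials from over-enthusiastic use of -Append.

```powershell
# Added example, not code from the original post or from Microsoft's script.
# Collects the three CSV columns Windows Store for Business expects from the
# local machine, writes the CSV, then re-reads and checks it before upload.
# Test-AutoPilotCsv works on any file with the same header, including output
# from Get-WindowsAutoPilotInfo.ps1. Run in an elevated Windows PowerShell
# session on Windows 10 1703 or later (the MDM bridge namespace needs admin).

function Get-AutoPilotDeviceInfo {
    # Serial number and product ID; trimmed because some BIOS strings are padded.
    $serial  = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
    $product = Get-ItemPropertyValue `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey' `
        -Name 'ProductId'

    # Hardware hash from the MDM bridge WMI provider (same query as in the post).
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
        -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    $hash = $devDetail.DeviceHardwareData
    if ([string]::IsNullOrWhiteSpace($hash)) {
        throw 'No hardware hash returned: not elevated, or Windows 10 older than 1703.'
    }

    # Column names must match the Store for Business import template exactly.
    [PSCustomObject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = $product
        'Hardware Hash'        = $hash
    }
}

function Test-AutoPilotCsv {
    # Returns the number of valid rows; throws on the problems that make the
    # Store for Business import reject the file or register nothing useful.
    param([Parameter(Mandatory = $true)][string]$Path)

    $expected = 'Device Serial Number,Windows Product ID,Hardware Hash'

    # A '#TYPE ...' first line (Export-Csv without -NoTypeInformation) or a
    # renamed column breaks the import, so compare the raw header line.
    # Windows PowerShell's Export-Csv quotes every field, so accept both forms.
    $firstLine = Get-Content -Path $Path -TotalCount 1
    $quoted    = '"' + ($expected -replace ',', '","') + '"'
    if ($firstLine -ne $expected -and $firstLine -ne $quoted) {
        throw "Unexpected header '$firstLine'; expected '$expected'."
    }

    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw 'CSV contains no device rows.' }

    # Each serial must be unique within the file; a duplicate usually means
    # the same machine was appended twice with -Append.
    $dupes = $rows | Group-Object -Property 'Device Serial Number' | Where-Object { $_.Count -gt 1 }
    if ($dupes) { throw "Duplicate serial number(s): $(($dupes | ForEach-Object Name) -join ', ')" }

    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) { throw 'Row with empty serial number.' }

        # The hash is a base64 blob of several kilobytes; anything that does not
        # decode, or is tiny, is a collection error rather than a real hash.
        # 512 bytes is an assumed sanity floor, well below any real hash.
        try   { $bytes = [Convert]::FromBase64String($row.'Hardware Hash') }
        catch { throw "Serial ${serial}: hardware hash is not valid base64." }
        if ($bytes.Length -lt 512) {
            throw "Serial ${serial}: hardware hash is only $($bytes.Length) bytes."
        }
    }
    return $rows.Count
}

# Usage: collect locally, write the CSV with the exact header, and check it.
$csvPath = ".\$($env:COMPUTERNAME).csv"
Get-AutoPilotDeviceInfo | Export-Csv -Path $csvPath -NoTypeInformation -Encoding ASCII
"Validated $(Test-AutoPilotCsv -Path $csvPath) device(s) in $csvPath"
```

ASCII encoding is deliberate: the hash is base64 and the other two columns are plain ASCII, and it avoids the UTF-16 byte-order mark that Out-File and the default Export-Csv encoding on some hosts put at the start of the file, which the Store's importer treats as part of the first column name. Run Test-AutoPilotCsv against the file your supplier sends as well, not just your own.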
Create AutoPilot Profile
This can now be done in either the Azure portal or Windows Store for Business.
- Go to the Azure Portal.
- Go to Intune – Device Enrollment.
- Select Windows Enrollment – Deployment Profiles.
- Create the new profile (I am showing Azure and Windows Store for Business)
Import AutoPilot Data
Importing the device data must currently be done in Windows Store for Business, but soon you will be able to import in Azure; that option is currently in preview.
- Go to Windows Store for Business
- Go to Devices – add device
- Select your .csv file and then select the AutoPilot profile you want to apply.
- Now the device has been imported and a profile has been assigned.
Part of the appeal of AutoPilot is customizing the branding of the sign-in page.
- Go to the Azure Portal.
- Go to Azure Active Directory – Company Branding.
- Click Edit and set your branding.
- Once this is done your sign-in page and the OOBE sign-in will be customised.
AutoPilot in Action
So I have deployed a standard Windows 10 1709 ISO in VMware Workstation.
- So in this example I'm using Windows 10 1709 and I am just building the VM from the ISO.
- So the OOBE is asking for a region.
- Now the keyboard layout.
Now if I have a second keyboard.
- Now we get the sign-in page with some basic company branding.
- So once the user signs in, I have auto-enrollment enabled in Azure (MDM Auto-Enrollment); once that happens, policies and applications will be deployed.
It's worth remembering that Windows AutoPilot is a start; it's by no means a finished product, but I can see a lot of potential for the future.
- Traditional Management vs Modern Management – Part 1 – Encryption
- Traditional Management vs Modern Management – Part 2 – Office 365
- Traditional Management vs Modern Management – Part 3 – AAD/Auto MDM Enrollment
- Traditional Management vs Modern Management – Part 4 – Windows AutoPilot
- Traditional Management vs Modern Management – Part 5 – Security