MSEndpointMgr

Traditional Management vs Modern Management – Part 4 – Windows AutoPilot

What is Auto-Pilot

Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. I can really see the appeal: we use XMA for our hardware and I deploy our standard image to the desktops before they are delivered to the end user, but AutoPilot may change that approach.

I was at a WMUG event when Gerry Hampson MVP and Paul Winstanley MVP spoke about AutoPilot; Peter Egerton also explored it on his blog. I was intrigued and wanted to try it out (I have linked their blog posts).

Windows AutoPilot allows you to:

  • Automatically join devices to Azure Active Directory (Azure AD)
  • Auto-enroll devices into MDM services, such as Microsoft Intune (Requires an Azure AD Premium subscription)
  • Restrict local Administrator account creation (the profile decides whether the first user is a local administrator or a standard user)
  • Create and auto-assign devices to configuration groups based on a device’s profile
  • Customize OOBE (some) content specific to the organization

Prerequisites

Gather AutoPilot Device Data

You will need to register a device before AutoPilot will work. The idea is that your supplier (in my case XMA) populates this information in a CSV file and you add it to the Windows Store for Business (or directly in Azure). At the moment getting the device serial number and Windows product ID is easy, but going forward I also need the hardware hash. Below are some examples.

Manually

Device Serial Number

wmic bios get serialnumber

Windows Product ID

Get-ItemPropertyValue "hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey\" "ProductId"

Hardware Hash (run from an elevated PowerShell session; the MDM bridge WMI namespace needs it)

$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt"
Semi-Automation

Michael Niehaus has created a great PowerShell script to semi-automate this process. You can get it here: Get-WindowsAutoPilotInfo. Here are some examples.

Export Computer AutoPilot Data

.\Get-WindowsAutoPilotInfo.ps1 -ComputerName MYCOMPUTER -OutputFile .\MyComputer.csv

Append Computer AutoPilot Data

.\Get-WindowsAutoPilotInfo.ps1 -ComputerName MYCOMPUTER -OutputFile .\MyComputer.csv -Append

Export AutoPilot Data from a SCCM Collection

Get-CMCollectionMember -CollectionName "All Systems" | .\Get-WindowsAutoPilotInfo.ps1 -OutputFile .\MyComputers.csv

Export AutoPilot Data from Active Directory

Get-ADComputer -Filter * | .\Get-WindowsAutoPilotInfo.ps1 -OutputFile .\MyComputers.csv
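The following is an added example for this post; it is not the Get-WindowsAutoPilotInfo script and not code from the original article. It wraps the three manual queries from the section above into one function and writes or appends a CSV in the layout the Windows Store for Business / Intune import expects, refusing duplicate serials and checking the hash decodes before you upload it. Assumptions: the three header names below are the import format, the import wants unquoted values, and the MDM bridge WMI class is present (Windows 10 1703 or later, elevated session).

```powershell
# Added example (not the Get-WindowsAutoPilotInfo script, not the post's own code).
# Assumptions: header names and unquoted values match the AutoPilot CSV import;
# MDM_DevDetail_Ext01 exists (Windows 10 1703+); run elevated.

function Get-AutopilotIdentity {
    # Same source as 'wmic bios get serialnumber'.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

    # Same registry value as the manual Get-ItemPropertyValue call.
    $productId = Get-ItemPropertyValue `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey' `
        -Name 'ProductId'

    # The hardware hash is exposed by the MDM bridge namespace as a base64 string.
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
        -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    $hash = $devDetail.DeviceHardwareData

    if ([string]::IsNullOrWhiteSpace($hash)) {
        throw 'DeviceHardwareData is empty: run this elevated on a supported Windows 10 build.'
    }
    # Fail locally on a corrupt hash rather than at upload time.
    [void][Convert]::FromBase64String($hash)

    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = $productId
        'Hardware Hash'        = $hash
    }
}

function Export-AutopilotCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Append   # merge into an existing file instead of overwriting it
    )
    $rows = @()
    if ($Append -and (Test-Path -Path $Path)) {
        $rows += Import-Csv -Path $Path
    }
    $new = Get-AutopilotIdentity

    # One row per serial: a duplicate serial gets the whole upload rejected.
    if (@($rows.'Device Serial Number') -contains $new.'Device Serial Number') {
        Write-Warning "Serial $($new.'Device Serial Number') is already in $Path; nothing added."
        return
    }
    $rows += $new

    # ConvertTo-Csv quotes every field; the import wants bare values, so strip the
    # quotes (serials and base64 contain no commas, so this is safe).
    $rows | ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Set-Content -Path $Path -Encoding ASCII

    # The hash is what lets a tenant claim this hardware, so do not leave the CSV
    # readable by everyone: restrict it to Administrators and the current user.
    icacls $Path /inheritance:r /grant:r '*S-1-5-32-544:F' "$($env:USERDOMAIN)\$($env:USERNAME):(R,W)" | Out-Null
}

# Usage (elevated PowerShell on the device being registered):
#   Export-AutopilotCsv -Path ".\$($env:COMPUTERNAME).csv"
#   Export-AutopilotCsv -Path '.\MyComputers.csv' -Append
```

The -Append path re-reads the existing file and rewrites it whole, which is also how you get one clean header line rather than a header repeated per device. Whatever you use to collect the hashes, treat the resulting CSV like a credential: it is all that is needed to register those devices into a tenant.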

Create AutoPilot Profile

This can now be done in either the Azure Portal or the Windows Store for Business.

  1. Go to the Azure Portal.
  2. Go to Intune – Device Enrollment.
  3. Select Windows Enrollment – Deployment Profiles.

  4. Create the new profile (I am showing Azure and Windows Store for Business)

Import AutoPilot Data

Importing the device data currently has to be done in Windows Store for Business; importing directly in Azure (the Intune blade) is in preview.

Please note: the preferred way to do this now is through the Azure portal, not Windows Store for Business.

  1. Go to Windows Store for Business
  2. Go to Devices – add device

  3. Select your .csv file and then select the AutoPilot profile you want to apply.

  4. Now the device has been imported and a profile has been assigned.

Company Branding

Part of the appeal of AutoPilot is being able to customise the branding of the sign-in page.

  1. Go to the Azure Portal.
  2. Go to Azure Active Directory – Company Branding.

  3. Click Edit and set your branding.

  4. Once this is done your sign in page and OOBE sign in will be customised.

AutoPilot in Action

I deployed a standard Windows 10 1709 ISO in VMware Workstation.

  1. In this example I am using Windows 10 1709 and building the VM straight from the ISO.
  2. The OOBE asks for a region.
  3. Then the keyboard layout.

  4. Then whether I want to add a second keyboard layout.

  5. Next we get the sign-in page with some basic company branding.

  6. Once the user signs in, because I have auto-enrolment enabled in Azure (MDM auto-enrolment), the device enrols into Intune and policies and applications are deployed.
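Once the sign-in completes there is no visible confirmation of what actually happened, so the following is an added example (not from the original post) of how I would check the result from an elevated prompt on the new device: it parses dsregcmd /status to confirm the Azure AD join and the MDM enrolment URL, and reads the cached AutoPilot profile to confirm the profile came from the tenant you expected. The dsregcmd field names are as printed by that tool; the registry path is an assumption about where Windows 10 1709 and later caches the downloaded profile.

```powershell
# Added example, not the post's own code. Field names are those printed by
# 'dsregcmd /status'. Assumption: HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot
# holds the CloudAssigned* values from the downloaded AutoPilot profile.

function Get-AutopilotJoinState {
    # dsregcmd prints 'Name : Value' lines; collect the single-word keys we need.
    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $ap = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot' `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        AzureAdJoined = ($fields['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($fields['DomainJoined'] -eq 'YES')
        TenantName    = $fields['TenantName']
        MdmUrl        = $fields['MdmUrl']
        ProfileTenant = $ap.CloudAssignedTenantDomain   # $null if no profile was cached
    }
}

function Test-AutopilotEnrollment {
    param([Parameter(Mandatory)] [string] $ExpectedTenantDomain)
    $state    = Get-AutopilotJoinState
    $problems = @()

    if (-not $state.AzureAdJoined) {
        $problems += 'not Azure AD joined: the serial/hash was not registered or no profile was assigned'
    }
    if ($state.DomainJoined) {
        $problems += 'also joined to an on-premises domain; this is not an Azure AD only AutoPilot device'
    }
    if ([string]::IsNullOrEmpty($state.MdmUrl)) {
        $problems += 'no MDM URL: auto-enrolment did not fire (check the MDM user scope and the Azure AD Premium licence)'
    }
    if ($state.ProfileTenant -and $state.ProfileTenant -ne $ExpectedTenantDomain) {
        # A hash uploaded into the wrong tenant (for example by a reseller) pulls
        # the device into that tenant; this is the check that catches it.
        $problems += "profile came from '$($state.ProfileTenant)', expected '$ExpectedTenantDomain'"
    }

    [pscustomobject]@{
        Healthy  = ($problems.Count -eq 0)
        Tenant   = $state.TenantName
        MdmUrl   = $state.MdmUrl
        Problems = $problems
    }
}

# Usage, from an elevated prompt on the newly provisioned device:
#   Test-AutopilotEnrollment -ExpectedTenantDomain 'contoso.onmicrosoft.com' | Format-List
```

An empty MdmUrl with AzureAdJoined set to YES is the usual symptom when the Azure AD join worked but auto-enrolment did not, which is exactly the Azure AD Premium / MDM user scope dependency mentioned earlier in the post.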

It's worth remembering that Windows AutoPilot is a start; it is by no means a finished product, but I can see a lot of potential for the future.

Series Links

1. Traditional Management vs Modern Management – Part 1 – Encryption
2. Traditional Management vs Modern Management – Part 2 – Office 365
3. Traditional Management vs Modern Management – Part 3 – AAD/Auto MDM Enrollment
4. Traditional Management vs Modern Management – Part 4 – Windows AutoPilot
5. Traditional Management vs Modern Management – Part 5 – Security

Terence Beggs

An Irish man living in London, after completing a BSc in Computer Science in 2005 he started working in the IT Industry. Currently Senior Systems Officer at London Metropolitan University managing Azure and several thousand endpoints across several campuses in London. Technology focuses include SCCM, MDT, Azure, Office 365, Active Directory, Group Policy, Application Packaging, PowerShell, Virtualization and Automation.

10 comments

  • Very nicely done, but may I suggest that you rewrite to use the Intune portal to upload Autopilot CSV files and create the Autopilot Profiles rather than the Microsoft Store for Business please. It is the preferred methodology. Thank you!

    • I have added a note to push people to use Azure portal not Windows Store for Business

  • Hi – Excellent write up on autopilot.

    Just one Question – How to reset autopilot system after obtaining Device ID, Product ID & Hardware Hash?

    I was able to get the above information during the OOBE stage by pressing Shift+F10 and executing a PowerShell command. Then I powered off the autopilot system, uploaded the csv file to MSfB and successfully completed the autopilot deployment within Azure & MDM.

    Thanks

    Ram

    • Sorry for the late reply, I was enjoying a well-needed rest. Can you explain what you mean: do you mean remove the system, or change the hardware hash?

      Thanks

  • First of all, great post. A full tutorial on how to configure autopilot and branding is great.

    But I’m curious how autopilot should be used, because I don’t see it as a replacement for my corporate laptop, which I can now enrol out of the box instead of with a corporate factory image. I mean the laptop is still full of bloated crap-ware upon purchase, and companies want to know exactly what’s on it, or install their application suite onto it.

    The only things I’m seeing autopilot does are: joining Azure AD automatically, branding a logo in the join Azure AD screen and hiding the traditional OOBE/Privacy and EULA screens. Lastly you can decide if the user is admin or not. That is nowhere near a traditional deployment. I’m really searching for a proper use case here. I can’t find one other than remote workers or internet-facing workers logging in for the first time on a new device.

    • Hello Rens

      My vendor will put on a vanilla OS or my corporate image if I need them to, but I completely agree with your statement on the bloatware crap that OEMs put on laptops.
      It is very hard to see this as a replacement for ConfigMgr/GPO/AD. If you have Windows devices managed in Azure AD using Intune you will not have the control you would with your on-premises environment, but with a focus on a more agile workforce I can see how this could be handy (in the future).
      I feel like AutoPilot is the start; if Microsoft really work on this and understand the concerns that SysAdmins have, then it will be the future. If they don’t, it will be just a technology that gets replaced by something else.

      Let’s see what happens

  • Is it fair to say this is quite lacking compared to current GPO’s, MDT, ConfigMgr approaches and is more for a BYOD model only at this time?

    • It’s more than fair to say that. Intune is not a replacement for ConfigMgr, and CSPs are certainly not a replacement for GPOs, but things are moving in the right direction.
