This week I’m going through the required steps for configuring Windows AutoPilot. I know that a lot has been written already about this subject, but I have the feeling that this subject needs a place on my blog. Also, the attentive reader might have noticed that I’m specifically using Microsoft Intune in the title of my blog, for the first time in over a year. That’s for a reason. This post is focused on configuring Windows AutoPilot via Microsoft Intune and will show that, at this moment, the Microsoft Store for Business is also required to complete the Microsoft Intune configuration.
In this post I’ll provide a short introduction about Windows AutoPilot, followed by walking through the required configurations. I’ll end this post by quickly looking at the result, from the end-user perspective and from the administrator perspective.
Introduction
Before looking at the configuration, let’s start with a short introduction about Windows AutoPilot. The Windows AutoPilot deployment program simplifies device provisioning. With Microsoft Intune and Windows AutoPilot, it’s possible to give new devices to end-users without the need to build, maintain, and apply custom operating system images to the devices. Windows AutoPilot covers the provisioning of the devices and Microsoft Intune makes it possible to manage policies, profiles, apps, etc. on the devices after they are enrolled. Once devices are registered for Windows AutoPilot, the following OOBE customization options are available for Windows 10, starting with version 1703:
- Skip the Work or Home usage selection page (default behavior);
- Skip Cortana, OneDrive and OEM registration setup pages (default behavior);
- Skip privacy settings page (optional configuration);
- Skip EULA page (optional configuration, starting with Windows 10, version 1709);
- Add sign-in experience with company or school brand (optional configuration);
- Prevent the account used to set up the device from getting local administrator permissions (optional configuration).
Configuration
Now let’s have a look at the required configurations to create the full Windows AutoPilot experience. That includes looking at the prerequisites, adding devices and adding a company branding. To get this full experience, simply walk through the six steps below.
Prerequisites
Before walking through the required configuration steps, make sure that the following prerequisites are in-place. Everything else will be covered in this post.
- Devices have to be pre-installed with Windows 10, version 1703 or later;
- Devices must have access to the Internet;
- Azure AD Premium subscription;
- Automatic enrollment is enabled.
Step 1: Get device information
The first step is to get the device information, as the devices must be registered to the organization. At this moment, it’s still required to acquire the device serial number, the Windows product ID and the hardware ID of the devices and to register the devices. Microsoft is actively working with various hardware vendors to enable them to provide the required information to organizations, or upload it on their behalf. To capture the required information, use the Get-WindowsAutoPilotInfo PowerShell script, by performing steps similar to the following four steps.
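As an added example, not part of the original post, the following PowerShell session captures the required information with the Get-WindowsAutoPilotInfo script from the PowerShell Gallery and checks the resulting CSV before it is uploaded in step 2. The script name, its -OutputFile and -Append parameters and the three column headers are those of the published script; the output file location and the empty-hash and duplicate-serial checks are assumptions made for this example.

```powershell
# Added example: capture the hardware hash with Get-WindowsAutoPilotInfo and
# sanity-check the CSV before uploading it to the Microsoft Store for Business.
# Run from an elevated PowerShell prompt on the device; the script reads the
# hardware information through WMI and needs administrator rights for that.

# One-time installation from the PowerShell Gallery (a new session may be needed
# afterwards so that the scripts folder is on the PATH).
Install-Script -Name Get-WindowsAutoPilotInfo -Force

# Output location is an assumption for this example.
$csvPath = Join-Path $env:USERPROFILE 'AutoPilotDevices.csv'

# Capture serial number, Windows product ID and hardware hash of the local device.
# -Append collects several devices into one file, one row per device, when the
# same USB stick or share is used on each of them.
Get-WindowsAutoPilotInfo.ps1 -OutputFile $csvPath -Append

# Validate the CSV: the Store for Business import expects exactly these column names.
$requiredColumns = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$rows = @(Import-Csv -Path $csvPath)
if ($rows.Count -eq 0) { throw "No device rows found in $csvPath" }

$header  = $rows[0].PSObject.Properties.Name
$missing = $requiredColumns | Where-Object { $_ -notin $header }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

# Rows without a hardware hash cannot be registered, and a serial number that
# appears twice usually means the same device was captured more than once.
$rows | Where-Object { -not $_.'Hardware Hash' } | ForEach-Object {
    Write-Warning "No hardware hash captured for serial '$($_.'Device Serial Number')'"
}
$rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "Serial number '$($_.Name)' appears $($_.Count) times"
}

Write-Host ("{0} device row(s) ready for upload in {1}" -f $rows.Count, $csvPath)
```

Keep the CSV under control once it exists: the hardware hash is what ties a device to your tenant, so treat the file like any other enrollment secret and delete it after the upload in step 2 has succeeded.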
Step 2: Add devices
The second step is to add the gathered device information. This cannot be achieved by using Microsoft Intune, at this moment, but can be achieved by using the Microsoft Store for Business or by using the Partner Center. To use the Microsoft Store for Business, perform the following three steps.
| Step | Action |
| --- | --- |
| 1 | Open the Microsoft Store for Business and navigate to Manage > Devices; |
| 2 | Click Add devices and browse to the just created CSV file; |
| 3 | On the Add devices to an AutoPilot deployment group, select No, thanks as I want to use Microsoft Intune for assigning a deployment profile. |
Step 3: Synchronize devices
The third step is to synchronize the added device information into Microsoft Intune. That will enable me to use Microsoft Intune for assigning a deployment profile to those devices. To synchronize the devices into Microsoft Intune, perform the following three steps.
| Step | Action |
| --- | --- |
| 1 | Open the Azure portal and navigate to Intune > Device enrollment > Windows Enrollment; |
| 2 | On the Devices enrollment – Windows enrollment blade, click Devices below Windows AutoPilot devices (Preview) to open the Windows AutoPilot devices (Preview) blade; |
| 3 | On the Windows AutoPilot devices (Preview) blade, click Sync to synchronize the devices to Microsoft Intune. |
Step 4: Create deployment profile
The fourth step is to create a deployment profile in Microsoft Intune. The deployment profiles are used to configure the AutoPilot devices. To create a deployment profile in Microsoft Intune, perform the following four steps.
| Step | Action |
| --- | --- |
| 1 | Open the Azure portal and navigate to Intune > Device enrollment > Windows Enrollment; |
| 2 | On the Devices enrollment – Windows enrollment blade, click Deployment Profiles below Windows AutoPilot devices (Preview) to open the Windows AutoPilot deployment profiles (Preview) blade; |
| 3 | On the Windows AutoPilot deployment profiles (Preview) blade, click Create profile to open the Create profile blade; |
| 4a | On the Create profile blade, provide the following information and click Create; |
| 4b | On the Out-of-box experience (OOBE) blade, provide the following information and click Save. |

Note: The last setting does not apply to global administrators or company administrators. These users cannot be standard users as they have access to all administrative features in Azure AD.
Step 5: Assign deployment profile
The fifth step is to assign the just created deployment profile to the just synchronized devices in Microsoft Intune. This can be achieved by performing the following four steps.
| Step | Action |
| --- | --- |
| 1 | Open the Azure portal and navigate to Intune > Device enrollment > Windows Enrollment; |
| 2 | On the Devices enrollment – Windows enrollment blade, click Devices below Windows AutoPilot devices (Preview) to open the Windows AutoPilot devices (Preview) blade; |
| 3 | On the Windows AutoPilot devices (Preview) blade, select the just imported device and click Assign profile to open the Assign profile blade; |
| 4 | On the Assign profile blade, select the just created deployment profile and click Assign. |
Step 6: Add company branding
The sixth step is the finishing touch, by making the company branding appear during the OOBE. This cannot be achieved by using Microsoft Intune, at this moment, but can be achieved by using Azure AD. To configure the company branding, perform the following three steps.
| Step | Action |
| --- | --- |
| 1 | Open the Azure portal and navigate to Azure Active Directory > Company branding; |
| 2 | On the Company branding blade, click Configure to open the Configure company branding blade; |
| 3 | On the Configure company branding blade, provide the following information and click Create. |

Note: I’ve only configured a couple of items that will clearly show that the Windows AutoPilot deployment is part of my company.
Result
Now let’s end this post by looking at the result of the configurations. Let’s start by looking at the end-user experience. Yes, I can show the remaining screens during the OOBE, but I thought that was not that exciting. Instead, I’ve got the main enrollment screen that includes the company branding.
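The administrator perspective can also be checked on the device itself. As an added example, not part of the original post, the following PowerShell snippet verifies after the OOBE whether the device reached the state the deployment profile was meant to produce: Azure AD joined, MDM enrolled, and the enrolling user not a member of the local Administrators group when User account type is set to Standard. The dsregcmd output fields and the local-accounts cmdlet are standard Windows 10 components; the fallback parsing, the function name and the summary object are assumptions made for this example.

```powershell
# Added example: verify the outcome of an AutoPilot deployment on the provisioned
# device. Run in a (non-elevated) PowerShell session as the user who enrolled it.

function Get-AutoPilotEnrollmentState {
    # dsregcmd reports the join state of the device and the MDM enrollment of the
    # current user; the fields below are matched on its text output.
    $status = dsregcmd /status

    $azureAdJoined = [bool]($status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
    $mdmEnrolled   = [bool]($status | Select-String -Pattern 'MdmUrl\s*:\s*https://')

    # Local Administrators membership. With the profile's "User account type" set to
    # Standard, the enrolling user must not be listed here (global administrators
    # are the exception mentioned in step 4).
    try {
        $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name
    } catch {
        # Get-LocalGroupMember fails on some Azure AD joined devices when a member SID
        # cannot be resolved; fall back to parsing the classic 'net localgroup' output.
        $admins = net localgroup Administrators |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command)' }
    }
    # Cloud accounts show up as AzureAD\<name>, which is also what $env:USERDOMAIN reports.
    $currentUser = "$env:USERDOMAIN\$env:USERNAME"

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AzureAdJoined       = $azureAdJoined
        MdmEnrolled         = $mdmEnrolled
        CurrentUser         = $currentUser
        UserIsLocalAdmin    = @($admins) -contains $currentUser   # case-insensitive compare
        LocalAdministrators = @($admins)
    }
}

$state = Get-AutoPilotEnrollmentState
$state | Format-List

# Surface the conditions a Standard-user AutoPilot profile is expected to produce.
if (-not $state.AzureAdJoined) { Write-Warning 'Device is not Azure AD joined; the AutoPilot join did not complete.' }
if (-not $state.MdmEnrolled)   { Write-Warning 'No MDM enrollment URL reported; check that automatic enrollment is enabled.' }
if ($state.UserIsLocalAdmin)   { Write-Warning "$($state.CurrentUser) is a local administrator; check 'User account type' in the deployment profile." }
```

Running this on a handful of pilot devices before rolling the profile out more widely catches the two most common surprises: a device that joined Azure AD but never enrolled in Intune, and a user who unexpectedly ended up as local administrator.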
More information
For more information about Windows AutoPilot, in combination with Microsoft Intune and the different configuration options, please refer to:
- Overview of Windows AutoPilot: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot
- Manage Windows device deployment with Windows AutoPilot Deployment: https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices
- Enroll Windows devices using Windows AutoPilot Deployment Program: https://docs.microsoft.com/en-us/intune/enrollment-autopilot
Hi Peter,
Nice to know (maybe update for this blog), you can also change the ‘Name’ branding like yours PRCLOUD_PVDW!
This doesn’t come from the company branding. Instead, you can set that value in the “Name” field of the Azure AD tenant properties @ Azure Active Directory > Properties > Name
Hi RKast,
Correct. The name is coming from the tenant properties. I might add a note to this post later, with that information. Thank you.
Regards, Peter
Interesting thanks for this. Where do you setup if the user is a local admin or not?
Hi David,
That’s the setting “User account type” in the deployment profile.
Regards, Peter
Thanks for this. What would be the best way to enforce the Intune Bitlocker Policy in this scenario since the user will have no ‘Admin’ privileges?
Hi Steve,
That is a good question, as that scenario is not complete. In the meantime you can do something as explained in this post by Pieter Wigleven. Working with scheduled tasks.
Regards, Peter
Hi, I was wondering if you could shed some light on this. Our MS Intune setup is a cloud environment managing Windows 10 devices and applications via MS Intune without on-premises AD or SCCM. OKTA is the SSO method used, which requires an agent install as a web browser plug-in on any browser.
The issue we have is applications deployed from Intune to user device do not seem to install automatically when a user without admin rights logs on to enrol a device.
The only way around is to install the application by an elevated admin account to do basic installs such as web plug-ins on a browser which do not require local admin rights to install.
Microsoft confirmed BitLocker requires elevated permissions to install. However, it is not the only application requiring elevation in our current environment.
What we would like to know is if there is a way to deploy applications from Intune without elevated credentials on a device when users connect to enrol, as we are using the OOBE method of enrolment. Is Intune incapable of doing this from a cloud-only solution? If not, how do we implement this?
Thanks,
Hi Johathan,
Everything that runs in user-context requires the user to have the required privileges. However, if you look at the PowerShell functionality, that requires the installation of the Intune Management Extension (automatically), that allows you to choose between running in SYSTEM-context and user-context. I do have to say that I haven’t tested this yet in combination with a less privileged user. Worth some testing.
Regards, Peter
Is there any way to upload and apply profile via powershell \ Graph?
Hi Nigel,
I haven’t seen it in the docs yet.
Regards, Peter
Hey!
I have a problem that the Assign Profile is grayed out? I’ve created a Profile, that’s for sure. But still grayed out.. Any suggestions?
Hi Pontus,
I just tested this and see no problems. Make sure you select the device and check the box at the start of the row and it should enable the Assign Profile option.
Regards, Peter
Hey, solved it, it was the check box 🙂
Thanks!
It looks like Microsoft has changed the way it does assignment of the devices to the AutoPilot deployment profile.
The Deployment profile now can be assigned to a (dynamic) group which contains the devices. The assign button doesn’t show anymore. But it appears that as soon as the CSV is uploaded the device will be shown in the device list (https://portal.azure.com/#blade/Microsoft_Intune_Devices/DeviceEntryBlade/aADDevices) and can be added to a group which is assigned to the AutoPilot profile.
https://docs.microsoft.com/en-us/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group
Hi John,
That’s correct. The recent updates to Intune added support for using groups (and more).
Regards, Peter
So is there yet something like the Apple DEP programme where you can buy them already assigned to your org?
It seems like the only way is to go to each machine, complete the Windows install, run the script, collate all of the outputs and rebuild the machines with the machine IDs. That would be a pretty daft way of going about it.
It’s frustrating that MS always brings out a new feature to much fanfare, only to find that it’s just half-arsed.
Hi Fergus,
Multiple hardware vendors already support Windows AutoPilot. The best is to contact your reseller and see what the possibilities are.
Regards, Peter
Hi Peter,
Are there any possibilities for a “standard” user account type to be granted “local admin rights” after the deployment?
Thanks
Hoschie
Hi Hoschie,
Not sure what you’re exactly looking for. You can configure the AutoPilot profile to make the user an administrator.
Regards, Peter
If you don’t specify if the user is an administrator or not, then it is a Standard user. In recent updates as of 3/2021, you can specifically choose administrator OR it is left at standard user.
Hi All,
What exactly is a standard user?
What rights and privileges will a standard user get compared to an administrator?
Hi Rajesh,
Not sure what you’re looking for.. It will be a normal user on the device..
Regards, Peter
Hi,
Can I set any policy in Intune so that a user can log in to only one computer in the company, and if they try to log on to another computer, they will be blocked?
regards,
Hi Danilo,
Not really..
Regards, Peter
Hello. I would like to know what I can use when a user leaves the company and I want to reassign the same PC to another user. Can I use Autopilot User Driven mode or is this mode only for new devices that are coming directly from the OEM? Should I use Autopilot reset? I need the new user to be able to choose the language and agree to the EULA.
Does Autopilot Reset offer any customization option for the new user or does it just roll back the computer to the previous state?
Hi Alan,
It all depends on the state that you want the device to return to. For some more information, see also: https://petervanderwoude.nl/post/factory-reset-fresh-start-autopilot-reset-so-many-options/
Regards, Peter