This week is all about Windows Autopilot. More specifically, about offline Windows Autopilot deployment profiles. The use case for an offline Windows Autopilot deployment profile is simple: a migration from Windows 7 to Windows 10 for existing devices. It enables organizations to reimage those devices one last time and hand them an offline Windows Autopilot deployment profile, which makes the devices contact the Windows Autopilot deployment service without first being registered with it. In this post I’ll look at getting the offline Windows Autopilot deployment profile, followed by a look at the attributes in the offline Windows Autopilot deployment profile. I’ll end this post by looking at the usage of the offline Windows Autopilot deployment profile and a method to group the devices that are deployed via an offline Windows Autopilot deployment profile.
How to get the offline deployment profile
Let’s start by having a look at how to get the offline Windows Autopilot deployment profile. The following five steps walk through the process of downloading the required PowerShell cmdlets, connecting to the correct services and saving the Windows Autopilot deployment profile as a JSON file.
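The export, written out as one script for the current WindowsAutoPilotIntune module on top of the Microsoft Graph PowerShell SDK. This is an added example and not the original post’s steps (the post predates the Graph SDK, as the comments below note). Assumptions: the module names and the Graph scopes are the ones the module’s cmdlets need for a read-only export, and the output folder C:\Autopilot is a free choice.

```powershell
# Added example, not code from the original post: export every Windows Autopilot
# deployment profile in the tenant as an offline AutopilotConfigurationFile.json.
# Assumptions: module names/scopes as the current WindowsAutoPilotIntune module needs
# them; C:\Autopilot is an arbitrary output folder.

# 1. Modules. WindowsAutoPilotIntune calls Get-MgOrganization and Get-MgDomain, which
#    live in Microsoft.Graph.Identity.DirectoryManagement; without that module the
#    export fails with "Get-MgOrganization is not recognized".
$modules = @(
    'Microsoft.Graph.Authentication',
    'Microsoft.Graph.Identity.DirectoryManagement',
    'Microsoft.Graph.Groups',
    'WindowsAutoPilotIntune'
)
foreach ($m in $modules) {
    if (-not (Get-Module -ListAvailable -Name $m)) {
        Install-Module -Name $m -Scope CurrentUser -Force
    }
    Import-Module -Name $m -ErrorAction Stop
}

# 2. Sign in. Read-only scopes are enough for an export (assumption: these three cover
#    the profile, domain and organization reads the module performs).
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All', 'Domain.Read.All', 'Organization.Read.All'

# 3. Export one file per profile. Piping all profiles into a single Out-File would
#    write several JSON objects into one file, which OOBE cannot read.
$outDir = 'C:\Autopilot'
New-Item -Path $outDir -ItemType Directory -Force | Out-Null

foreach ($p in (Get-AutopilotProfile)) {
    $safeName = $p.displayName -replace '[\\/:*?"<>|]', '_'
    $path = Join-Path $outDir "$safeName.json"

    # -Encoding ASCII: Microsoft's documented export writes the file as ASCII/ANSI;
    # a UTF-16 or BOM-prefixed file is not a valid offline profile.
    $p | ConvertTo-AutopilotConfigurationJSON | Out-File -FilePath $path -Encoding ASCII

    # Read back what was written so a broken export is noticed here, not at OOBE.
    $json = Get-Content -Path $path -Raw | ConvertFrom-Json
    Write-Host ('{0}: tenant {1}, ZtdCorrelationId {2} -> {3}' -f `
        $p.displayName, $json.CloudAssignedTenantDomain, $json.ZtdCorrelationId, $path)
}
```

Rename the file you want to deploy to AutopilotConfigurationFile.json only at staging time; keeping the profile name in the exported file name avoids mixing up tenants or profiles when more than one is exported.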
Explanation of the attributes in the offline deployment profile
The JSON file contains a few different attributes and it’s good to understand the usage of those attributes. The following table contains the different attributes and a short explanation.
| Attribute | Explanation |
| --- | --- |
| CloudAssignedTenantId | This GUID is a required attribute and specifies the GUID of the Azure AD tenant that should be used. |
| CloudAssignedDeviceName | This string is an optional attribute and specifies the naming pattern that should be used for devices. |
| CloudAssignedForcedEnrollment | This number is a required attribute and specifies whether the device should require AAD join and MDM enrollment. This can be one of the following values: |
| Version | This number is an optional attribute and specifies the version that identifies the format of the JSON file. For Windows 10, version 1809, the version must be 2049. |
| Comment_File | This string is an optional attribute and specifies a comment that by default contains the name of the profile. |
| CloudAssignedAadServerData | This encoded JSON string is a required attribute and specifies the branding configuration (this requires Azure AD branding to be enabled) that should be used. |
| CloudAssignedOobeConfig | This number is a required attribute and specifies a bitmap of the Autopilot settings that should be configured. This can include the following values: |
| CloudAssignedDomainJoinMethod | This number is a required attribute and specifies the domain join method that should be used. Both hybrid AAD join and AAD join should be set to 0. |
| ZtdCorrelationId | This GUID is a required attribute and specifies a unique GUID that will be provided to Intune as part of the registration process. This GUID can be used to group the devices in a dynamic Azure AD security group. |
| CloudAssignedTenantDomain | This string is a required attribute and specifies the name of the Azure AD tenant that should be used. |
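To make the table concrete, here is a reader for the file that checks the required attributes, decodes the bitmap and the embedded JSON string, and derives the dynamic group rule from the ZtdCorrelationId. This is an added example, not code from the original post. Assumptions: the bit values for CloudAssignedOobeConfig and the 0/1 meaning of CloudAssignedForcedEnrollment are taken from Microsoft’s documentation of the file format (the post’s own value lists are not reproduced above), and the file path is whatever you exported.

```powershell
# Added example, not code from the original post: parse and decode an offline
# Windows Autopilot deployment profile. Bit values and the 0/1 meaning of
# CloudAssignedForcedEnrollment are assumptions taken from Microsoft's file-format
# documentation rather than from this post.
function Read-OfflineAutopilotProfile {
    param([Parameter(Mandatory)][string]$Path)

    # The documented export writes ASCII/ANSI; a BOM or UTF-16 file is a staging mistake.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 2 -and
        (($bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB) -or ($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE))) {
        throw "$Path starts with a byte-order mark; re-save it with -Encoding ASCII"
    }
    $p = [System.Text.Encoding]::ASCII.GetString($bytes) | ConvertFrom-Json

    # Required attributes, per the table above
    $required = 'CloudAssignedTenantId', 'CloudAssignedForcedEnrollment', 'CloudAssignedAadServerData',
                'CloudAssignedOobeConfig', 'CloudAssignedDomainJoinMethod', 'ZtdCorrelationId',
                'CloudAssignedTenantDomain'
    $present = $p.PSObject.Properties.Name
    $missing = $required | Where-Object { $present -notcontains $_ }
    if ($missing) { throw "Missing required attribute(s): $($missing -join ', ')" }

    # Both GUID attributes must actually be GUIDs; the cast throws otherwise
    [guid]$tenantId = $p.CloudAssignedTenantId
    [guid]$ztdId    = $p.ZtdCorrelationId

    # CloudAssignedOobeConfig is a bitmap (documented values; assumption as stated above)
    $oobeFlags = [ordered]@{
        SkipCortanaOptIn      = 1
        OobeUserNotLocalAdmin = 2
        SkipExpressSettings   = 4
        SkipOemRegistration   = 8
        SkipEula              = 16
    }
    $config   = [int]$p.CloudAssignedOobeConfig
    $setFlags = $oobeFlags.GetEnumerator() |
        Where-Object { ($config -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }

    # CloudAssignedAadServerData is JSON stored inside a JSON string: decode it a second time
    $aad = $p.CloudAssignedAadServerData | ConvertFrom-Json

    [pscustomobject]@{
        TenantDomain      = $p.CloudAssignedTenantDomain
        TenantId          = $tenantId
        Version           = $p.Version
        ForcedEnrollment  = ([int]$p.CloudAssignedForcedEnrollment -eq 1)
        DomainJoinMethod  = $p.CloudAssignedDomainJoinMethod
        OobeFlags         = @($setFlags)
        DeviceNamePattern = $p.CloudAssignedDeviceName
        AadServerData     = $aad
        ZtdCorrelationId  = $ztdId
        # Rule for the dynamic Azure AD device group; the GUID is kept exactly as written in the file
        DynamicGroupRule  = "(device.enrollmentProfileName -eq `"OfflineAutopilotprofile-$($p.ZtdCorrelationId)`")"
    }
}

Read-OfflineAutopilotProfile -Path 'C:\Autopilot\AutopilotConfigurationFile.json'
```

Run it against the exported file before staging it: a missing attribute, a non-GUID tenant ID or a byte-order mark all surface here, whereas on the device the only symptom is an ordinary OOBE that never contacts the deployment service.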
How to use the offline deployment profile
The offline Windows Autopilot deployment profile can be used on Windows 10, version 1809, or later. The only other requirements are that the file is named AutoPilotConfigurationFile.json and that the file is available in C:\Windows\Provisioning\Autopilot\. Below are a few example processes that can be used to prepare a device with an offline Windows Autopilot deployment profile.
1. Manually copy the file to the required location and SYSPREP the device.
2. Use a USB stick to install Windows and, in the same process, copy the file to the required location and SYSPREP the device.
3. Use MDT to install Windows and, in the same process, copy the file to the required location and SYSPREP the device.
4. Use Configuration Manager to install Windows and, in the same process, copy the file to the required location and SYSPREP the device.
5. Use a third-party product to install Windows and, in the same process, copy the file to the required location and SYSPREP the device.
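The common step in all five processes is the same: put a valid file, with exactly the required name, in the required folder, then generalize. Below is that staging step as a script, added here as an example and not taken from the original post or from MDT/Configuration Manager. Assumptions: -SourceJson is the exported file; -WindowsRoot is the Windows directory being prepared (C:\Windows on the running OS, or the Windows directory of an image applied from WinPE); -RunSysprep is a switch so the staging can be inspected before the device is sealed.

```powershell
# Added example, not code from the original post: stage an offline Autopilot profile
# under <Windows>\Provisioning\Autopilot and optionally generalize the device.
# Assumptions: parameter names are this script's own; the imaging tool seals an
# offline image itself, so sysprep is only run when staging on the live OS.
param(
    [Parameter(Mandatory)][string]$SourceJson,
    [string]$WindowsRoot = $env:SystemRoot,
    [switch]$RunSysprep
)

$targetDir  = Join-Path $WindowsRoot 'Provisioning\Autopilot'
# The name OOBE looks for; any other name is ignored.
$targetFile = Join-Path $targetDir 'AutopilotConfigurationFile.json'

# Refuse to stage something that is not JSON or lacks the attributes the deployment
# service needs. A bad file does not produce an error on the device, just a plain OOBE.
$cfg = Get-Content -Path $SourceJson -Raw -ErrorAction Stop | ConvertFrom-Json
foreach ($attr in 'CloudAssignedTenantId', 'CloudAssignedTenantDomain', 'ZtdCorrelationId') {
    if ([string]::IsNullOrWhiteSpace($cfg.$attr)) {
        throw "$SourceJson has no $attr; export the profile again"
    }
}

New-Item -Path $targetDir -ItemType Directory -Force | Out-Null
Copy-Item -Path $SourceJson -Destination $targetFile -Force

# Re-read the staged copy: right name, right place, still the same profile.
$check = Get-Content -Path $targetFile -Raw | ConvertFrom-Json
if ($check.ZtdCorrelationId -ne $cfg.ZtdCorrelationId) {
    throw "Staged file does not match $SourceJson"
}
Write-Host "Staged $targetFile for tenant $($check.CloudAssignedTenantDomain) (ZtdCorrelationId $($check.ZtdCorrelationId))"

# /oobe so the next boot starts OOBE, where the Autopilot deployment service is
# contacted; /generalize so the image can be sealed as the last reimage of the device.
if ($RunSysprep) {
    if ($WindowsRoot -ne $env:SystemRoot) {
        throw "Sysprep must run on the OS that owns $WindowsRoot; seal an offline image with the imaging tool"
    }
    & "$env:SystemRoot\System32\Sysprep\sysprep.exe" /oobe /generalize /shutdown
}
```

In a task sequence the same script runs with -WindowsRoot pointing at the applied image (for example the OS drive variable of MDT or Configuration Manager) and without -RunSysprep, since those tools handle the generalize step themselves.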
How to group devices based on the offline deployment profile
The last thing that is good to mention is that it’s also possible to group devices based on the fact that they were deployed via an offline Windows Autopilot deployment profile. Devices that are enrolled by using an offline Windows Autopilot deployment profile will have the Azure AD device attribute enrollmentProfileName set to “OfflineAutopilotprofile-<ZtdCorrelationId>”. The ZtdCorrelationId is available in the offline Windows Autopilot deployment profile, as shown and mentioned above. That makes the dynamic query for an Azure AD device group look like this: (device.enrollmentProfileName -eq “OfflineAutopilotprofile-7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC”).
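The same grouping done from PowerShell: read the ZtdCorrelationId out of the staged file, create the dynamic device group with that rule, and list the devices whose enrollmentProfileName already carries the prefix so the attribute can be inspected without waiting for dynamic membership to be evaluated. This is an added example, not code from the original post. Assumptions: the Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement modules are installed, the Graph device endpoint accepts a startsWith filter on enrollmentProfileName, and the group name is a free choice.

```powershell
# Added example, not code from the original post: create the dynamic Azure AD device
# group for an offline Autopilot profile and inspect enrollmentProfileName directly.
# Assumptions: Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement
# are installed; server-side startsWith filtering on enrollmentProfileName is accepted.
param(
    [Parameter(Mandatory)][string]$ProfileJson,
    [string]$GroupName = 'Autopilot - offline profile devices'
)

$ztdId = (Get-Content -Path $ProfileJson -Raw | ConvertFrom-Json).ZtdCorrelationId
if (-not $ztdId) { throw "$ProfileJson has no ZtdCorrelationId" }
$rule = "(device.enrollmentProfileName -eq `"OfflineAutopilotprofile-$ztdId`")"

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# Create the dynamic device group once; reuse it on later runs.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName `
        -MailEnabled:$false -MailNickname ($GroupName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled:$true -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
}
Write-Host "Group $($group.Id) uses rule: $($group.MembershipRule)"

# Dynamic membership is evaluated asynchronously, so look at the attribute itself:
# every device with the offline prefix, flagged by whether it matches this profile.
$devices = Get-MgDevice -Filter "startsWith(enrollmentProfileName,'OfflineAutopilotprofile-')" `
    -Property 'id,displayName,enrollmentProfileName' -All

$devices | ForEach-Object {
    [pscustomobject]@{
        Device                = $_.DisplayName
        EnrollmentProfileName = $_.EnrollmentProfileName
        MatchesThisProfile    = ($_.EnrollmentProfileName -eq "OfflineAutopilotprofile-$ztdId")
    }
}
```

Listing the attribute answers the question that comes up in the comments below: if a device shows the expected enrollmentProfileName but the group stays empty, the rule text (including the GUID) is the first thing to compare against what the device actually reports.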
More information
For more information regarding offline Windows Autopilot profiles, please refer to this article about Windows Autopilot for existing devices.
Hi Peter,
Were you successful in creating the dynamic device group with enrollmentProfileName set to “OfflineAutopilotprofile-<ZtdCorrelationId>”? Is there a PS or Graph command to see what the device enrollmentProfileName is?
Hi Kapila,
Yes, I’ve successfully created a dynamic device group by using “OfflineAutopilotprofile-<ZtdCorrelationId>”. The ZtdCorrelationId is coming from the Autopilot profile.
Regards, Peter
Hi Peter, I have the same issue with the dynamic group. No devices are added during the autopilot process. This is my query:
(device.enrollmentProfileName -eq “OfflineAutopilotprofile-7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC”)
Any idea how long this takes? Any default values, etc?
Cheers,
Al
Hi Alain,
Did you triple-check the ID to see if your profile uses the same?
Also, for some more information regarding that ID see also this post by Michael: https://blogs.technet.microsoft.com/mniehaus/2018/12/17/revisiting-windows-autopilot-for-existing-devices/
Regards, Peter
I’ve not been able to get this to work.
Triple checked the ID.
Device shows in Deployment Profile -> Assigned Devices
Dynamic group rule = (device.enrollmentProfileName -eq “OfflineAutopilotProfile-e87061c5-e445-4fd1-b231-e6300bb01614”)
Even after a week devices don’t show yet.
Hi John,
Did you look at the post of Michael, that I referred to, for some more details?
Regards, Peter
Hi John. Did you ever get this working? Came across your comment after a recent need for me to do this. Group is populated with the device from “OfflineAutopilotProfile-xxxx”, and assigned to the deployment profile. But device won’t appear in Autopilot. Have checked all requirements, and it ‘should’ work.
Its appeared. It just needs more time than a usual Autopilot upload, and that is documented.
Thank you for sharing your experiences, Chris!
Regards, Peter
This no longer works. This was super helpful but we can’t get it to work because the PowerShell modules have changed. Can you help us by updating it?
Thank you for letting me know. I’ll put it on my todo.
Regards, Peter
I’m getting the below error when trying to export the Autopilot profile. The account I’m using to connect to MSGraph is a global administrator.
Get-MgOrganization : The term ‘Get-MgOrganization’ is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At C:\Program Files\WindowsPowerShell\Modules\WindowsAutoPilotIntune\5.6\WindowsAutoPilotIntune.psm1:586 char:25
+ $script:TenantOrg = Get-MgOrganization
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-MgOrganization:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Get-MgDomain : The term ‘Get-MgDomain’ is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Program Files\WindowsPowerShell\Modules\WindowsAutoPilotIntune\5.6\WindowsAutoPilotIntune.psm1:587 char:26
+ $script:allDomains = Get-MgDomain -All
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-MgDomain:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Get-AutoPilotProfile : Microsoft.Graph.PowerShell.AuthenticationException: Authentication needed. Please call
Connect-MgGraph.
at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
At line:1 char:1
+ Get-AutoPilotProfile | ConvertTo-AutoPilotConfigurationJSON | Out-Fil …
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-AutopilotProfile
Hi Ram,
That sounds like missing modules.
Regards, Peter
Hi Peter,
Thanks a lot for all of your articles and sorry for my bad English 🙁
I have a question about the JSON file that is available in C:\Windows\Provisioning\Autopilot\
Just after Autopilot the file is present in the folder.
But after a few minutes the file is automatically deleted.
Do you know which mechanism deletes the file?
I would like to keep the file to monitor computers prepared with a USB key and prepared with the classic Autopilot process.
Thanks a lot from France 😉
Hi Guillaume,
That’s an automatic mechanism. I think the best method would be to find something else to monitor.
Regards, Peter
Interesting security flaw with offline join.
https://powerstacks.com/how-to-bypass-intune-device-platform-enrollment-restrictions-on-windows/
Peter, I haven’t discovered a way to disable this feature. Have you?
Since we don’t use offline enrollment, I simply made a conditional access policy to block devices filtered like so:
device.enrollmentProfileName -startsWith “OfflineAutopilotprofile”
Thank you for sharing, punchy. I haven’t found another method yet.
Regards, Peter
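The device filter from the last comment, turned into a Conditional Access policy with the Graph PowerShell SDK. This is an added example, not code from the original post or the commenter. Assumptions: the Microsoft.Graph.Identity.SignIns module is installed; the policy is created in report-only state so its effect on sign-ins can be reviewed before it blocks anything; the display name is a free choice, and the break-glass accounts to exclude are yours to fill in.

```powershell
# Added example, not code from the original post: block sign-ins from devices whose
# enrollmentProfileName starts with "OfflineAutopilotprofile", as a Conditional Access
# device filter. Assumptions: Microsoft.Graph.Identity.SignIns is installed; the policy
# starts in report-only mode; excludeUsers must be filled with real break-glass accounts.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$policy = @{
    displayName = 'Block devices enrolled via offline Autopilot profile'
    # Report-only first: review the sign-in log impact, then switch to "enabled".
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers = @('All')
            # Always exclude emergency-access accounts before enabling a block policy.
            excludeUsers = @()
        }
        applications = @{ includeApplications = @('All') }
        devices      = @{
            deviceFilter = @{
                mode = 'include'
                rule = 'device.enrollmentProfileName -startsWith "OfflineAutopilotprofile"'
            }
        }
    }
    grantControls = @{
        operator         = 'OR'
        builtInControls  = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
Write-Host "Filter: $($created.Conditions.Devices.DeviceFilter.Rule)"
```

Note what this does and does not do: it does not stop a device from being enrolled through an offline profile, it only denies such a device access to the targeted applications afterwards. If offline profiles are in legitimate use, narrow the filter to the specific ZtdCorrelationId values you did not issue, or scope the policy to applications rather than "All".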