Microsoft has released information on Windows Autopilot – it is the automation process that was missing  when we do cloud only management of Windows 10 devices with Azure Active Directory and Intune.

Some of the benefits of Windows AutoPilot are:

• Intune can push policies, settings, and configuration to the device, and install Office 365 and other apps without IT ever having to touch the device or apply a custom image to the device.
• Intune can configure Windows Update for Business to apply the latest updates.
  The device can automatically upgrade from Windows 10 Pro to Windows 10
• Enterprise seamlessly using AAD – no product keys to manage, no reboots, no prompts for the user.(Requires a Windows 10 Enterprise E3 subscription)

New capabilities to Windows AutoPilot that will be added in the Windows 10 Fall Creators Update release later this year include:

• Self-service deployment for Active Directory domain-joined devices – Windows AutoPilot Deployment will enable self-service deployment capabilities to get new Windows 10 devices into an Active Directory domain-joined state along with Microsoft Intune enrollment.
• Enhanced personalization for self-service deployment – Windows AutoPilot will offer the ability to pre-assign a new Windows 10 device to a specific user in your organization and deliver a highly-personalized OOBE.
• Windows AutoPilot Reset – A new reset capability In Windows AutoPilot will enable organizations to easily reset their configured devices while still maintaining MDM enrollment and the Azure AD join state, and automatically get the device back into a business-ready state.

Windows Autopilot has some prerequisites:

• Devices must be registered to the organization
• Devices have to be pre-installed with Windows 10, version 1703 or later
• Devices must have access to the internet
• Azure AD premium P1 or P2
• Microsoft Intune or other MDM services to manage your devices

Devices must be registered to the organization

We need a csv file to import into the Microsoft Partner Center file must contain:

Device Serial Number,Windows Product ID,Hardware Hash

Getting the serial number run this WMI query

wmic bios get serialnumber

Getting the Windows Product ID run this Powershell command

Get-ItemPropertyValue “hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey2\” “ProductId”

Getting the Hardware Hash run this WMI query

$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter “InstanceID=’Ext’ AND ParentID=’./DevDetail’”
$wmi.DeviceHardwareData | Out-File “$($env:COMPUTERNAME).txt”

Then you get a import.csv that look like this:

Device Serial Number,Windows Product ID,Hardware Hash
R9-ZNP67,00329-00000-0003-AA606,T0FzAQEAHAAAAAoA6AOCOgEABgBgW7EdzorHH3g

Devices have to be pre-installed with Windows 10, version 1703 or later

It is working with a clean install of Windows 10 version 1703 as well.

Devices must have access to the internet

With ethernet connected it will skip this part of the OOBE

With wireless – you need to connect to the wireless network

Azure AD premium P1 or P2

Is needed to automatic get the device MDM enrolled as part of the AzureAD joining process.

Microsoft Intune or other MDM services to manage your devices

To manage, configure and deploy application to the device when it is AzureAD joined.

How does Windows Autopilot work:

How to mange it in Microsoft Partner Center

First you have to sign in to the MPC and find the customer

Select Devices

Windows AutoPilot profiles – Add new profile

1. Enter a name and maybe a description
2. Select “Skip privacy settings in setup”
3. Select “Disable local admin account in setup” – if you don’t what the user to be a local admin
4. Select Sumit

Apply profiles to devices

Select Add devices

1. Enter the “new group name” of the devices in the import file
2. Browse for the import file
3. Validate the import file content
4. Upload the file

1. Select the device
2. Apply profile created earlier

Click Yes to assign the profile

Now the user of the device will be prompted to login to the AzureAD tenant as part of the OOBE.

Who it the user experience of Windows Autopilot

This is first screen that the end-user has to select the region

Then the keyboard layout

Second keyboard layout

Accept the license agreement

Then Windows will look for network connectivity – if no ethernet is found the end-user will be prompted for wireless settings.

Importen: At this moment the device needs internet connectivity

When network connectivity is established Windows will connect to AzureAD to see if it is a “known” devices

The end-user needs to sign-in with the AzureAD account

Enter the password

When AzureAD joined and automatic MDM enrollemnt is in-place the MDM tool will take over the management of the devices and push down the CSP settings and applications that are assigned to the device.

And then Windows will  do a auto login with the user – and the end-user is ready to work.

Non of this process require that the user is in the company internal network.

At the moment Windows Autopilot is only enabled in Microsoft CSP program – and will be enabled in Windows Store for Business (WSfB) and then I will update this blogpost.

Read more about Windows Autopilot at:

https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/