Intune Autopilot

Welcome to my first post. I'm going to kick things off by introducing Microsoft Intune Autopilot. If you are new to Windows Autopilot, this setup guide should help you set up Windows Autopilot in Endpoint Manager from scratch.

I always wanted to publish a Windows Autopilot setup guide for people who are getting into Microsoft Intune. With this guide anyone who wants to test Autopilot can get started, and all of this can be done in your lab. A physical device with TPM 2.0 or a VM would be sufficient.

Windows Autopilot is a reliable way to deploy Windows and is currently used by many large organizations. Microsoft also keeps improving Autopilot by adding new features to it. Windows Autopilot can help you deploy Windows 10 or later with minimal admin interaction.

In this post, I will cover the Intune Autopilot basics, process overview, Autopilot prerequisites, and then I will show you how to set up and configure Autopilot in Microsoft Intune. You can also use this guide to get started with Intune Autopilot Deployment.

Prerequisites: a Microsoft Entra ID P1 or P2 subscription (or a Premium trial subscription) for automatic MDM enrollment, plus a Microsoft Intune subscription.

What is Intune Autopilot

According to Microsoft, Intune Autopilot is a cloud-based solution used to provision and pre-configure company-owned devices, getting them ready for productive use. Autopilot can also be used to reset, repurpose, and recover devices. The Autopilot solution enables an IT department to achieve the above with little to no infrastructure to manage, through a process that is easy and simple.

[Diagram: Windows Autopilot overview, by Microsoft]

Pros of using Intune Autopilot

  • Automatically join devices to Microsoft Entra ID (or via Hybrid Join)
  • Automatically enroll devices into Microsoft Intune
  • Automatically deploy applications based on device profile or user group
  • Automatically enforce security policies on the end-user device
  • Enforce compliance policies
  • Generate reports and gain insight into the organisation's tenant

Intune Autopilot device requirements

The following are the requirements for Intune Autopilot.

  • Windows 10 Pro or later (not Home edition)
  • TPM 2.0 compliant device
  • Entra ID P1 or P2 license
  • Intune P1 or P2 license

Capture Device HWID

When dealing with Autopilot in production, you provide delegated access to your VAR/supplier (Value-Added Reseller) so they can upload the HWIDs to the business's Intune tenant, where you can dynamically assign a provisioning profile. In the lab you capture and upload the hash yourself, as shown next.


The following commands upload the endpoint's hardware hash directly to the Intune portal:


# Force TLS 1.2 so the PowerShell Gallery download does not fail on older defaults
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Allow signed scripts for this session only (does not change the machine policy)
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
# Install Microsoft's Get-WindowsAutopilotInfo script from the PowerShell Gallery
Install-Script -Name Get-WindowsAutopilotInfo -Force
# Collect this device's hash and upload it to the tenant via Microsoft Graph
Get-WindowsAutopilotInfo -Online



When you are prompted to install the NuGet Provider, choose Yes.


After running the commands, log in to Microsoft Graph with an account that has the appropriate permissions to upload the device hash.

You will see "Gathering details for device with serial number: ..." followed by "Waiting for 1 of 1 to be imported" (if you pass a CSV path containing multiple device hashes, the number will be greater).

If everything is successful you will see "1 devices imported successfully."


You will see the device serial number appear in the Endpoint portal under Devices > Enrollment.

The profile status will be Unassigned, because you have not created any profiles yet; do not be confused by the status shown in my example screenshot.
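Added example (not from the original post): capturing the hash to a CSV with -OutputFile instead of uploading with -Online, which is the route used when a VAR collects several devices, followed by a quick validity check before the file is imported. The file path and the group tag 'Lab' are assumed values.

```powershell
# Added example: offline HWID collection plus a pre-import sanity check.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo -Force

$csv = 'C:\HWID\AutopilotHWID.csv'   # assumed path
New-Item -ItemType Directory -Path (Split-Path $csv) -Force | Out-Null

# -Append lets you run this on each device and build a single file;
# -GroupTag stamps the device so a dynamic group can pick it up later.
Get-WindowsAutopilotInfo -OutputFile $csv -Append -GroupTag 'Lab'

# The portal import rejects malformed files, so fail fast here instead.
$required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$rows = @(Import-Csv -Path $csv)
if ($rows.Count -eq 0) { throw "No rows found in $csv" }

$columns = @($rows[0].PSObject.Properties.Name)
$missing = $required | Where-Object { $_ -notin $columns }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

# One row per device: a serial that appears twice will not import cleanly.
$dupes = $rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate serial(s): $($dupes.Name -join ', ')" }

# A blank hash usually means the collecting account lacked local admin rights.
$blank = $rows | Where-Object { [string]::IsNullOrWhiteSpace($_.'Hardware Hash') }
if ($blank) { throw "Empty hardware hash for: $($blank.'Device Serial Number' -join ', ')" }

"$($rows.Count) device(s) ready to import from $csv"
```

The resulting file is what you hand to the VAR or import yourself under Devices > Enroll devices > Devices > Import.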


Create Device Group for Autopilot

  • In the Microsoft Endpoint Manager admin center, choose Groups > New group.
  • For Group type, choose Security.
  • Type a Group name and Group description (e.g. Windows Autopilot Lab).
  • Azure AD roles can be assigned to the group: No
  • For Membership type, choose Assigned. (In production this would typically be Dynamic Device, with query rules that automatically add uploaded Autopilot devices to the group.)


Click Members and add the Autopilot VM to the group. Hit Select and then create the group.
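Added example (not from the original post): creating the same group as a dynamic device group with Microsoft Graph PowerShell, the production alternative mentioned above. The group name, mail nickname and the 'Lab' group tag in the comment are assumed values; the [ZTDId] rule is the one Microsoft documents for Autopilot-registered devices.

```powershell
# Added example: dynamic Autopilot device group via the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Every Autopilot-registered device carries a [ZTDId] physical ID, so this
# rule captures all of them. To scope the group to one group tag instead, use:
#   (device.devicePhysicalIds -any (_ -eq "[OrderID]:Lab"))
$rule = '(device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))'

$group = New-MgGroup -DisplayName 'PCN - Blog - AP' `
    -Description 'Windows Autopilot Lab (dynamic)' `
    -MailEnabled:$false -MailNickname 'pcn-blog-ap' -SecurityEnabled:$true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Membership evaluation runs asynchronously; re-check after a few minutes.
Get-MgGroupMember -GroupId $group.Id | Select-Object -ExpandProperty Id
```

Once the rule has been processed, the imported device appears as a member without anyone adding it by hand, and the deployment profile assigned to this group follows automatically.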


Create the Windows Autopilot Deployment Profile

  • In the Microsoft Endpoint Manager admin center, click Devices.
  • Then under Enroll devices | Windows enrollment select Deployment Profiles.
  • Click on Create profile and then select Windows PC.

Do not choose Self-Deploying for the deployment mode if you are labbing this using a VM (self-deploying mode relies on TPM attestation, which most VMs cannot complete).

On the Create profile page, provide a unique name for the Autopilot profile. Leave "Convert all targeted devices to Autopilot" set to No. Click Next.


  • Deployment Mode – User Driven
  • Join to Azure AD as – Azure AD joined
  • Microsoft Software License Terms – Hide
  • Privacy Settings – Hide
  • Hide change account options – Hide
  • User Account type – Standard
  • Allow White Glove OOBE – No
  • Language (Region) – Operating System default
  • Automatically Configure keyboard – Yes
  • Apply device name template – Yes

The device name template will be different in production, matching the company's agreed naming convention.


On the Assignments page, under Select groups to include, click the PCN - Blog - AP group (the group you created in the earlier step) and then click Select. Click Next to continue.


Click Create to create the Autopilot deployment profile.

After you have created the deployment profile, go back to Devices > Enroll devices and check the status of your Windows VM. The status updates from Updating to Assigned. Once you see the status as Assigned, proceed with the next step.


Windows Autopilot Setup Process

Now it's time to visit our Windows VM and watch the Windows Autopilot setup in action. Before you proceed, ensure the following prerequisites are met.

  • The Windows VM must have an internet connection, so check the adapter settings and ensure it can reach the internet (the same applies if you are using a physical device for this lab).
  • Turn on the device. You should see the "Let's set things up for your work or school" screen.
  • On the Welcome screen, enter your Azure Active Directory credentials, and on the next screen enter the password for the account.


Autopilot provisioning process

Step 1 – Device Preparation

  • Securing your hardware
  • Joining your organization's network
  • Registering your device for mobile management
  • Preparing your device for mobile management

Step 2 – Device Setup

  • Configures the Windows device.

Step 3 – Account Setup

  • Configures your account.


  1. Click OK to use Windows Hello with your account.

  2. Approve the sign-in request using Microsoft Authenticator.

  3. To secure this device, set up a PIN so you can access the device without using your actual O365 account password.


You have now successfully set the PIN. Click OK, and this completes the Windows Autopilot setup.


You will also be able to see the device in Endpoint Manager.
