Introduction
Windows Autopilot is a cloud-based deployment method that customizes the Out of Box Experience (OOBE) stage to allow an end-user to join their device to their organization's Entra ID tenant and enroll their device with Intune. Once these steps are complete, users can log in to their devices using their "work or school" account. As an essential part of Microsoft's "modern management" model, Autopilot allows end users to effectively start using their company devices from any location with an Internet connection, while maintaining oversight for IT administrators. This process ensures that all devices are configured in accordance with organizational guidelines. The following section outlines the procedure that IT units can follow to enroll their devices with Intune using Autopilot.
Procedure
1. Create an Autopilot deployment profile. This will allow you to configure settings that customize OOBE for the end-user.
Navigate to Devices → Windows → Enrollment → Deployment profiles → Create profile → Windows PC

2. Provide a name and description for the profile.

Note: It is advisable to select Yes for the Convert all targeted devices to Autopilot setting. This registers any existing devices in the targeted group with Autopilot if they are not already registered.
3. Configure the OOBE settings as follows.
Note: In this example, we are configuring a user-driven Autopilot profile. This deployment mode requires the end-user to sign in with their "work or school" account to start the Autopilot process. It also sets them as the primary user on the device. This is beneficial for devices issued to a dedicated user, as it gives them self-service options like BitLocker key recovery. The other deployment mode is Self-Deploying. When this option is chosen, only the language, keyboard, and device name settings can be configured. Everything else is greyed out. This deployment mode is useful for shared device environments (e.g., computer labs, classrooms, etc.). When a device is configured from a self-deploying Autopilot profile, the Entra ID join and Intune enrollment happen without any user intervention. When configuration is complete, the device is left at the lock screen, ready for a user to sign in.

Note: According to best practices, the user account type should be set to Standard. However, if the practices of your unit involve making end-users admins on their devices, set the account type to Administrator. Additionally, if your device naming scheme is simple, you can configure the Apply device name template setting to allow the Autopilot profile to name your devices.

4. Apply the necessary scope tags to the profile.

5. Assign the profile to a device group.
Note: Make sure that this device group is a dynamic group with the following membership rule set. Replace GROUPTAG with the group tag for your unit. A group tag is a label that identifies an Autopilot device as belonging to your unit. It can be anything (e.g. our group tag is CAESATH). The syntax for the dynamic membership rule is as follows: (device.devicePhysicalIds -any (_ -eq "[OrderID]:GROUPTAG"))

The value may look strange in the basic rule builder, because the end quote and end parenthesis appear to be missing. Despite appearances, this syntax is correct. To reduce confusion, it is recommended to paste (device.devicePhysicalIds -any (_ -eq "[OrderID]:GROUPTAG")), with the group tag adjusted, directly into the rule syntax box. Click Edit there to paste the text.


6. Review and create the profile.
7. Create an Enrollment Status Page. This will allow you to control what the end-user sees as Autopilot prepares their device for use.
Navigate to Devices → Windows → Enrollment → Enrollment Status Page → Create

8. Provide a name and description of the profile.

9. Configure the enrollment status page as follows.
Note: Many of the settings below will depend on how your unit wishes to configure them. There is not a one-size-fits-all approach. For example, the Block device use until all apps and profiles are installed setting must be determined by what makes sense for your unit. At CAES, we have chosen not to block device use until all apps and profiles are installed. It is possible for a device to get stuck at the enrollment status page. It is preferable in our environment to allow the user to proceed to the desktop and have Intune configurations continue to apply afterward.

The following settings become available to configure if Block device use until all apps and profiles are installed is set to Yes. Each of the remaining settings must also be determined by IT units.

The last setting, Block device use until required apps are installed if they are assigned to the user/device, gives more granular control: an IT unit can select a subset of apps that must install successfully before the user can arrive at the desktop.

10. Once all the desired settings have been configured, assign the profile to the appropriate device group(s), set the necessary scope tags, and review and create the profile.
11. Create a configuration profile that sets the preferred Aad tenant domain name to uga.edu. Assign this profile to the Autopilot device group. This improves the end-user experience: users do not have to type their full email address in the username field when logging in to a computer. They can just enter their MyID.

12. Register a device with Autopilot. This can be done manually or through an OEM during new orders. For example, to enable Dell to register devices for new orders on your behalf, the Autopilot option must be selected during the order configuration. The Tenant ID and domain must be specified as follows:

Dell can also register the device with a group tag if the Autopilot w/G-Tag option is specified. This option requires all information (Tenant ID, domain, and group tag) to be filled out after the order is placed, instead of during the order. When the order is placed, the shopper will receive an email from Dell asking for the Tenant ID, domain, and group tag information.
Note: It is advisable to choose the Group Tag option. Otherwise, it will need to be manually added to the Autopilot device record once Dell has registered it.

13. A device can also be manually registered with Autopilot. To manually register a device, open an administrative PowerShell console and run the following commands:
Tip: The following commands can also be run during OOBE, so that a device can be registered before delivery to an end-user. Pressing Shift+F10 (or Shift+Fn+F10) will launch a command prompt window. Type in powershell and press Enter to switch from the cmd command-line to powershell.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo -Online -GroupTag "ITUNITGROUPTAG"
Note: Replace "ITUNITGROUPTAG" with the group tag for your unit.
Upon running the commands, there will be a prompt to authenticate with your UGA credentials. Use your administrative Z-Account for this. If you require admin consent to use the -Online parameter of the Get-WindowsAutopilotInfo script, submit an Intune Support Request to receive consent.

Once authentication is successful, the necessary information will be uploaded to Intune to register the device with Autopilot. The PowerShell console should present the following:

The Autopilot record for the device can be checked in the Intune admin center under Windows Autopilot devices.
Navigate to Devices → Windows → Enrollment → Devices
Search by the serial number of the device and ensure that the Autopilot profile created in steps 1 - 6 is assigned to the device. If it is not assigned, then the device will not enter the Autopilot workflow during OOBE.


14. Once it is confirmed that the Autopilot profile is assigned to the device, turn on the device and wait until OOBE presents the following screen.

15. Once the end-user signs in with their UGA credentials, Autopilot will begin the process of joining their device to Entra ID, enrolling into Intune, and applying configurations.
Note: If the enrollment status page profile created in steps 7 - 10 allows for the user to proceed to the desktop without waiting for all Intune policies to apply, then they will be able to select "Continue anyway" during this stage.
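
The dynamic membership rule from step 5 and the -GroupTag value from step 13 must agree, or the device never joins the group and never receives the profile. The following is an added example, not part of the original procedure or any Microsoft tooling: it builds the rule text for a tag and evaluates it locally against constructed device records. The function names New-AutopilotGroupRule and Test-AutopilotGroupRule and all sample serials and IDs are hypothetical.

```powershell
# Added example: local simulation only, no tenant access required.
function New-AutopilotGroupRule {
    param([Parameter(Mandatory)][string]$GroupTag)
    # Padding or a quote character would corrupt the rule text or never match.
    if ($GroupTag -ne $GroupTag.Trim() -or $GroupTag -match '["\r\n]') {
        throw "Group tag '$GroupTag' has surrounding whitespace or a quote character."
    }
    '(device.devicePhysicalIds -any (_ -eq "[OrderID]:{0}"))' -f $GroupTag
}

function Test-AutopilotGroupRule {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$DevicePhysicalIds,
        [Parameter(Mandatory)][string]$GroupTag
    )
    # -any (_ -eq "...") holds when one entry equals the whole "[OrderID]:TAG" string.
    # -eq compares strings case-insensitively here; Entra documents the same for rules.
    $wanted = "[OrderID]:$GroupTag"
    [bool]($DevicePhysicalIds | Where-Object { $_ -eq $wanted })
}

# Constructed sample data: serial numbers, ZTDID values and tags are invented.
$devices = @(
    [pscustomobject]@{ Serial = 'SAMPLE-001'; PhysicalIds = @('[ZTDID]:00000000-0000-0000-0000-000000000001', '[OrderID]:CAESATH') }
    [pscustomobject]@{ Serial = 'SAMPLE-002'; PhysicalIds = @('[ZTDID]:00000000-0000-0000-0000-000000000002', '[OrderID]:caesath') }
    [pscustomobject]@{ Serial = 'SAMPLE-003'; PhysicalIds = @('[ZTDID]:00000000-0000-0000-0000-000000000003', '[OrderID]:CAESAHT') }
    [pscustomobject]@{ Serial = 'SAMPLE-004'; PhysicalIds = @('[ZTDID]:00000000-0000-0000-0000-000000000004') }
)

$tag = 'CAESATH'   # the example group tag quoted in step 5

# Rule text to paste into the rule syntax box.
New-AutopilotGroupRule -GroupTag $tag

# Which constructed devices would the rule place in the group?
foreach ($d in $devices) {
    $orderIds = $d.PhysicalIds | Where-Object {
        $_.StartsWith('[OrderID]:', [StringComparison]::OrdinalIgnoreCase)
    }
    [pscustomobject]@{
        Serial  = $d.Serial
        InGroup = Test-AutopilotGroupRule -DevicePhysicalIds $d.PhysicalIds -GroupTag $tag
        OrderId = $orderIds -join ','
    }
}
```

A device whose tag is mistyped (SAMPLE-003) or absent (SAMPLE-004) stays outside the group, so the profile from steps 1 - 6 is never assigned to it and it will not enter the Autopilot workflow during OOBE.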
