What is Auto-Pilot
Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. I can really see the appeal: we use XMA for our hardware, and I deploy our standard image to the desktops before they are delivered to the end user, but AutoPilot may change that approach.
I was at a WMUG event where Gerry Hampson MVP and Paul Winstanley MVP spoke about AutoPilot, and Peter Egerton also explored it on his blog. I was intrigued and wanted to try it out (I have linked their blog posts).
Windows AutoPilot allows you to:
- Automatically join devices to Azure Active Directory (Azure AD)
- Auto-enroll devices into MDM services, such as Microsoft Intune (Requires an Azure AD Premium subscription)
- Restrict the Administrator account creation
- Create and auto-assign devices to configuration groups based on a device’s profile
- Customize OOBE (some) content specific to the organization
Prerequisites
- Devices must be registered to the organization
- Company branding needs to be configured
- Network connectivity to cloud services used by Windows AutoPilot
- Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
- Devices must have access to the internet
- Azure AD Premium P1 or P2
- Users must be allowed to join devices into Azure AD
- Microsoft Intune or other MDM services to manage your devices
Gather AutoPilot Device Data
You will need to register a device for AutoPilot to work. The idea is that your supplier (in my case XMA) will populate this information in a CSV file, and you can add it to the Windows Store for Business (or directly in Azure). At the moment getting the device serial number and Windows product ID is easy, but going forward I also need to get the hardware hash. Below are some examples.
Manually
Device Serial Number
wmic bios get serialnumber
Windows Product ID
Get-ItemPropertyValue "hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey" "ProductId"
Hardware Hash
$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt"
Semi-Automation
Michael Niehaus has created a great PowerShell script to semi-automate this process. You can get it here: Get-WindowsAutoPilotInfo. Here are some examples.
Export Computer AutoPilot Data
.\Get-WindowsAutoPilotInfo.ps1 -ComputerName MYCOMPUTER -OutputFile .\MyComputer.csv
Append Computer AutoPilot Data
.\Get-WindowsAutoPilotInfo.ps1 -ComputerName MYCOMPUTER -OutputFile .\MyComputer.csv -Append
Export AutoPilot Data from a SCCM Collection
Get-CMCollectionMember -CollectionName "All Systems" | .\Get-WindowsAutoPilotInfo.ps1 -OutputFile .\MyComputers.csv
Export AutoPilot Data from Active Directory
Get-ADComputer -Filter * | .\Get-WindowsAutoPilotInfo.ps1 -OutputFile .\MyComputers.csv
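The manual commands above each return one of the three fields, and the script examples show what a ready-made collector looks like. The following is an added example written for this post; it is not the original post's code and not Michael Niehaus's Get-WindowsAutoPilotInfo.ps1. It gathers the same three fields for the local machine or a list of names, validates them, and appends rows in the three-column CSV layout (Device Serial Number, Windows Product ID, Hardware Hash) that the device import uses. It assumes you run it elevated (the MDM_DevDetail_Ext01 class needs admin rights) and, for remote names, that CIM over WinRM is reachable with admin rights; the placeholder-serial patterns in Test-AutoPilotRecord are my own assumption about strings worth rejecting.

```powershell
# Added example (not from the original post or from Get-WindowsAutoPilotInfo.ps1).
# Collects serial number, Windows product ID and hardware hash and appends them
# to the CSV layout used by the AutoPilot device import, skipping serials that
# are already in the file. Assumes elevation locally and WinRM/CIM remotely.
[CmdletBinding()]
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$OutputFile = ".\AutoPilotDevices.csv"
)

$Header = 'Device Serial Number,Windows Product ID,Hardware Hash'

function Get-AutoPilotRecord {
    param([Parameter(Mandatory)][string]$Name)

    # Only go over CIM/WinRM when the target is not this machine
    $cim = @{}
    if ($Name -ne $env:COMPUTERNAME) { $cim['ComputerName'] = $Name }

    # Same source as 'wmic bios get serialnumber'
    $bios = Get-CimInstance @cim -ClassName Win32_BIOS

    # Hardware hash from the MDM bridge provider (same class as the manual command)
    $detail = Get-CimInstance @cim -Namespace root/cimv2/mdm/dmmap `
                -ClassName MDM_DevDetail_Ext01 `
                -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"

    # Product ID from the registry; 2147483650 (0x80000002) is HKEY_LOCAL_MACHINE for StdRegProv,
    # which also works for remote machines, unlike Get-ItemPropertyValue
    $reg = Invoke-CimMethod @cim -Namespace root/default -ClassName StdRegProv `
             -MethodName GetStringValue -Arguments @{
                 hDefKey     = [uint32]2147483650
                 sSubKeyName = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey'
                 sValueName  = 'ProductId'
             }

    [pscustomobject]@{
        'Device Serial Number' = $bios.SerialNumber
        'Windows Product ID'   = $reg.sValue
        'Hardware Hash'        = $detail.DeviceHardwareData
    }
}

function Test-AutoPilotRecord {
    param([Parameter(Mandatory)]$Record)
    # A placeholder serial (assumed patterns, seen on some OEM boards and VMs) or an
    # empty hash produces a row the import cannot match to a device
    $serial = $Record.'Device Serial Number'
    if ([string]::IsNullOrWhiteSpace($serial)) { return $false }
    if ($serial -match 'To be filled|Default string|System Serial') { return $false }
    if ([string]::IsNullOrWhiteSpace($Record.'Hardware Hash')) { return $false }
    return $true
}

# Serials already in the file, so re-running does not duplicate rows
$known = @()
if (Test-Path $OutputFile) {
    $known = @((Import-Csv $OutputFile).'Device Serial Number')
} else {
    Set-Content -Path $OutputFile -Value $Header -Encoding ascii
}

foreach ($name in $ComputerName) {
    try {
        $rec = Get-AutoPilotRecord -Name $name
    } catch {
        Write-Warning "$name : $($_.Exception.Message)"
        continue
    }
    if (-not (Test-AutoPilotRecord $rec)) {
        Write-Warning "$name : serial or hardware hash missing or placeholder, not written"
        continue
    }
    if ($known -contains $rec.'Device Serial Number') {
        Write-Verbose "$name : already in $OutputFile"
        continue
    }
    # Export-Csv would quote every field and write its own header, so emit the line directly
    Add-Content -Path $OutputFile -Encoding ascii -Value (
        '{0},{1},{2}' -f $rec.'Device Serial Number', $rec.'Windows Product ID', $rec.'Hardware Hash')
    $known += $rec.'Device Serial Number'
}
```

Run it as `.\Get-AutoPilotCsv.ps1 -ComputerName PC01,PC02 -OutputFile .\Devices.csv` (file name assumed). The validation step is the part worth keeping even if you use the official script: a CSV full of empty hashes or "To be filled by O.E.M." serials uploads without error but registers nothing usable.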
Create AutoPilot Profile
This can now be done in the Azure Portal and the Windows Store for Business.
- Go to the Azure Portal.
- Go to Intune – Device Enrollment.
- Select Windows Enrollment – Deployment Profiles.
- Create the new profile (I am showing Azure and Windows Store for Business)
Import AutoPilot Data
Importing the device data must currently be done in Windows Store for Business, but soon you will be able to import in Azure; it's currently in preview.
Please note: the preferred way to do this now is through Azure, not Windows Store for Business.
- Go to Windows Store for Business
- Go to Devices – add device
- Select your .csv file and then select the AutoPilot profile you want to apply.
- Now the device has been imported and a profile has been assigned.
Company Branding
Part of the appeal of AutoPilot is being able to customise the branding of the sign-in page.
- Go to the Azure Portal.
- Go to Azure Active Directory – Company Branding.
- Click Edit and set your branding.
- Once this is done your sign in page and OOBE sign in will be customised.
AutoPilot in Action
So I have deployed a standard Windows 10 1709 ISO in VMware Workstation.
- In this example I'm using Windows 10 1709 and just building the VM off the ISO.
- The OOBE asks for a region.
- Now the keyboard layout.
- Now whether I have a second keyboard layout.
- Now we get the sign-in page with some basic company branding.
- Once the user signs in, auto-enrollment (which I have enabled in Azure under MDM Auto-Enrollment) kicks in, and once that happens policies and applications will be deployed.
It's worth remembering that Windows AutoPilot is a start; it's by no means a finished product, but I can see a lot of potential for the future.
Series Links
- Traditional Management vs Modern Management – Part 1 – Encryption
- Traditional Management vs Modern Management – Part 2 – Office 365
- Traditional Management vs Modern Management – Part 3 – AAD/Auto MDM Enrollment
- Traditional Management vs Modern Management – Part 4 – Windows AutoPilot
- Traditional Management vs Modern Management – Part 5 – Security
Very nicely done, but may I suggest that you rewrite to use the Intune portal to upload Autopilot CSV files and create the Autopilot Profiles rather than the Microsoft Store for Business please. It is the preferred methodology. Thank you!
I have added a note to push people to use Azure portal not Windows Store for Business
Hi – Excellent write up on autopilot.
Just one Question – How to reset autopilot system after obtaining Device ID, Product ID & Hardware Hash?
I was able to get the above information during the OOBE stage by pressing Shift+F10 and executing a PowerShell command. Then I powered off the autopilot system, uploaded the csv file at MSfB and successfully completed the autopilot deployment within Azure & MDM.
Thanks
Ram
Sorry for the late reply, enjoying a well needed rest. Can you explain what you mean? Do you mean remove the system or change the hardware hash?
Thanks
First of all, great post. A full tutorial on how to configure autopilot and branding is great.
But I’m curious how autopilot should be used, because I don’t see it as a replacement for my corporate laptop which I can now enroll out of the box instead of a corporate factory image. I mean the laptop is still full of bloated crap-ware upon purchase, and companies want to know exactly what’s on it, or install their application suite onto it.
The only things I'm seeing autopilot does are: joining Azure AD automatically, branding a logo in the join Azure AD screen and hiding the traditional OOBE/Privacy and EULA screens. Lastly you can decide if the user is admin or not. That is nowhere near a traditional deployment. I'm really searching for a proper use case here. I can't find one other than remote workers or internet-facing workers logging in for the first time on a new device.
Hello Rens
My vendor will put on a vanilla OS or my corporate image if I need them to, but I completely agree with your statement on the bloatware crap that OEMs put on laptops.
It is very hard to see this as a replacement for ConfigMgr/GPO/AD. If you have Windows devices managed in Azure AD using Intune you will not have the control you would with your on-premise environment, but with a focus on a more agile workforce I can see how this could be handy (in the future).
I feel like AutoPilot is the start; if Microsoft really work on this and understand the concerns that SysAdmins have, then it will be the future. If they don't, it will be just a technology that gets replaced by something else.
Let's see what happens.
Thanks for your prompt response, I agree.
No problem, we all have the same concerns.
Is it fair to say this is quite lacking compared to current GPO, MDT and ConfigMgr approaches and is more for a BYOD model only at this time?
It's more than fair to say that. Intune is not a replacement for ConfigMgr, and CSPs are certainly not a replacement for GPOs, but things are moving in the right direction.