Introduction to Windows Autopilot for IT Professionals, as delivered at SpiceWorks #AllAccessIT conference by Andrew Bettany, MCT, MVP on 27th June 2019
2. #AllAccessIT
Live life without regret, believe in your potential, don’t stop!
Andrew Bettany
• IT Masterclasses Ltd – bespoke technical training
• Microsoft MVP since 2012
• Microsoft 365 User Group
• Microsoft Press Author
• Freelance Trainer / Course Author
• Microsoft Learning Regional Lead for UK
• LinkedIn & Pluralsight video author
Specialties: Microsoft 365 | Windows Client | Windows Server | Deployment
andrew@itmasterclasses.com @andrew_bettany
3. #AllAccessIT
Traditional Windows deployment // The old way
Build a custom image, gathering everything else that’s necessary to deploy
Time means money, making this an expensive proposition
Deploy image to a new computer, overwriting what was originally on it
DRIVERS | POLICIES | OFFICE & APPS | SETTINGS
4. #AllAccessIT
Modern Windows deployment // The new way
Un-box and turn on off-the-shelf Windows PC
Device is ready for productive use
Transform with minimal user interaction
5. #AllAccessIT
Key Benefits:
No more maintenance of images and drivers
No need for IT to touch the devices
Simple process for users and IT
Integration in the device supply chain
Reset device back to a business ready state
Device lifecycle management with Windows Autopilot & Intune
Business ready
Break fix
Retirement | Management | Procurement | Deployment
6. #AllAccessIT
Transform device deployment with Windows Autopilot
Trusted by IT, loved by end-users
Deliver a secure, productive experience without ever touching the device
Be productive from the start with a personalized out of box experience
13. #AllAccessIT
OEM Device registration Clean images
Free
$30/PC offering
(Targeting later CY19)
$3 option
$5/device
Free; additional offerings at $5/PC
and $8-35/PC
Free
Free
Windows Autopilot // Major OEM status
14. #AllAccessIT
OEMs, distributors, and resellers make the process easy:
• Automatically add new devices to Azure tenant at time of shipment
• Associate devices to customer’s purchase order for easy device grouping
• Tag devices with a customer-specified label
• Provide a preinstalled image that is ready for configuration*
For a list of those supporting Windows Autopilot supply chain integration, please visit: https://aka.ms/WindowsAutopilot
Registering new devices
Supply chain integration
15. #AllAccessIT
If you have existing Windows 10 devices:
• Enable new Autopilot profile setting for all targeted devices
• Ensure the Autopilot profile is assigned to a group containing the existing Windows 10 devices
If your existing Windows 10 devices are not yet Intune-managed:
• Enable co-management with ConfigMgr via the “Automatic enrollment into Intune” setting. (See https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview#enable-co-management)
• Ensure all new Intune-enrolled Windows 10 devices are part of a group with an assigned Autopilot profile
Registering existing devices
Automatically for all Intune-managed Windows 10 devices
16. #AllAccessIT
To register existing devices:
• Use the PowerShell script available at https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo
• Run for each device (requires Windows 10 1703 or higher)
• Upload resulting CSV file via Intune portal
• See https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/add-devices#collecting-the-hardware-id-from-existing-devices-using-powershell for more information
Registering existing devices
Manually for existing devices
19. #AllAccessIT
Configure important details:
• Deployment mode
• Specific settings required for the deployment mode
• New! BitLocker encryption even for non-admin users (requires Windows 10 1809)
• Out-of-box experience (OOBE) settings
• New! Hide change account options (requires Windows 10 1809)
• New! Device naming pattern, supporting variable substitution (requires Windows 10 1809):
  • %SERIAL%
  • %RAND:x% (where x is the number of digits)
Creating an Autopilot profile
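Added example (not from the original deck): a preview of what a naming pattern expands to, checked against the Windows computer-name limits (15 characters, letters, digits and hyphens only, not digits only). Expand-AutopilotNameTemplate is a hypothetical helper and the serial numbers are constructed.

```powershell
# Added example; this helper is hypothetical and is not an Intune cmdlet.
function Expand-AutopilotNameTemplate {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string]$Serial
    )
    # String.Replace is literal, so a '$' in the serial is not treated as a regex group.
    $name = $Template.Replace('%SERIAL%', $Serial)

    # %RAND:x% becomes x random decimal digits.
    $name = [regex]::Replace($name, '%RAND:(\d+)%', {
        param($match)
        $digits = [int]$match.Groups[1].Value
        if ($digits -lt 1) { return '' }
        -join (1..$digits | ForEach-Object { Get-Random -Minimum 0 -Maximum 10 })
    })

    $problems = @()
    if ($name.Length -gt 15) { $problems += "length $($name.Length) exceeds 15" }
    if ($name -notmatch '^[A-Za-z0-9-]+$') { $problems += 'characters other than letters, digits, hyphen' }
    if ($name -match '^\d+$') { $problems += 'name is digits only' }

    [pscustomobject]@{ Name = $name; Valid = ($problems.Count -eq 0); Problems = $problems -join '; ' }
}

# Constructed serial numbers: a short one, a long one that overflows, and a random-only name.
Expand-AutopilotNameTemplate -Template 'LON-%SERIAL%' -Serial 'PF1ABC23'
Expand-AutopilotNameTemplate -Template 'LON-%SERIAL%' -Serial '5CG9999XYZ12345'
Expand-AutopilotNameTemplate -Template '%RAND:8%' -Serial 'PF1ABC23'
```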
20. #AllAccessIT
If you have existing Windows 10 devices:
• An Azure AD device object is automatically created for each imported Autopilot device
• Create one or more Azure AD groups
• Assign an Autopilot profile to the Azure AD group
• Intune will automatically assign the profile to all members of the assigned group
Options for grouping:
• Dynamic group with all Autopilot devices
• Dynamic group based on purchase order ID
• Dynamic group based on device tag (orderID)
• Manual
Assigning an Autopilot profile
Automated using groups
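Added example (not from the original deck): the Azure AD dynamic membership rules behind the three dynamic grouping options above, built by a hypothetical helper that rejects values able to break out of the quoted rule string. The purchase order and tag values are constructed placeholders, and the commented New-MgGroup call assumes the Microsoft Graph PowerShell module with an existing Connect-MgGraph session.

```powershell
# Added example; New-AutopilotGroupRule is a hypothetical helper.
function New-AutopilotGroupRule {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AllAutopilot', 'PurchaseOrder', 'DeviceTag')]
        [string]$Kind,
        [string]$Value
    )
    if ($Kind -ne 'AllAutopilot') {
        # An empty value, a quote or a backslash would produce a broken or altered rule.
        if ([string]::IsNullOrWhiteSpace($Value) -or $Value -match '["\\]') {
            throw "Invalid value for ${Kind}: '$Value'"
        }
    }
    switch ($Kind) {
        'AllAutopilot'  { '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))' }
        'PurchaseOrder' { '(device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:{0}"))' -f $Value }
        'DeviceTag'     { '(device.devicePhysicalIds -any (_ -eq "[OrderID]:{0}"))' -f $Value }
    }
}

# Constructed placeholder values; use the PO number or tag your reseller applied.
$groups = [ordered]@{
    'Autopilot - all devices' = New-AutopilotGroupRule -Kind AllAutopilot
    'Autopilot - PO sample'   = New-AutopilotGroupRule -Kind PurchaseOrder -Value 'PO-PLACEHOLDER-001'
    'Autopilot - tag sample'  = New-AutopilotGroupRule -Kind DeviceTag -Value 'TAG-PLACEHOLDER'
}
$groups.GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Key, $_.Value }

# Creating one group from a rule (assumption: Microsoft.Graph module, connected session):
# New-MgGroup -DisplayName 'Autopilot - all devices' -MailEnabled:$false `
#     -MailNickname 'autopilot-all' -SecurityEnabled -GroupTypes 'DynamicMembership' `
#     -MembershipRule $groups['Autopilot - all devices'] -MembershipRuleProcessingState 'On'
```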
25. #AllAccessIT
Windows Autopilot // Licensing requirements
Requirements include:
• Windows 10
• Azure Active Directory (automatic MDM enrollment and company branding features)
• MDM functionality
Microsoft 365 Business subscriptions
Microsoft 365 F1 subscriptions
Microsoft 365 Academic subscriptions
Microsoft 365 Enterprise E3 or E5 subscriptions
Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features
Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service)
26. #AllAccessIT
Windows Autopilot
One-time configuration tasks – prerequisites
Azure Active Directory:
• Configure automatic MDM enrollment. See https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment.
• Configure company branding. See https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding.
• Enable Windows Subscription Activation if desired
• Ensure users can join devices to Azure AD (for user-driven mode)
Intune:
• Enable the enrollment status page
• Ensure users can enroll devices in Intune
• (Optional) New! Set up enrollment restrictions so only Autopilot-registered devices can enroll
27. #AllAccessIT
Ensure policies, apps and settings are complete prior to the end user gaining access to the desktop
Confirm minimum baseline requirements
Protect data during device set up
Deliver a compliant secure device
Personalize the out of box experience
New! Unlock Windows 10 in S mode (requires Windows 10 1809)
Requirements
Windows 10, version 1803 (with May cumulative update or later)
Azure Active Directory Premium
Microsoft Intune
Windows Autopilot
Enrollment status page
29. #AllAccessIT
Windows Autopilot // Deployment Scenarios
• User-driven mode with Azure AD Join (Windows 10 1703 and above): Join device to Azure AD, enroll in Intune/MDM
• Windows Autopilot for existing devices (Windows 10 1809 and above): Windows 7 to Windows 10 ConfigMgr task sequence, followed by Windows Autopilot user-driven mode
• Self-deploying mode (Windows 10 1809 and above): No need to provide credentials, automatically joins Azure AD
• User-driven mode with Hybrid Azure AD join (Windows 10 1809 and above): Join device to AD, enroll in Intune/MDM
31. #AllAccessIT
Windows Autopilot // User-driven deployment with Azure AD
Prerequisites:
Windows 10 version 1703
Azure Active Directory Premium
Microsoft Intune
Steps:
1. Device connected to the internet
2. Register device with Windows Autopilot
3. Assign Intune Autopilot Profile configured for Azure AD join
4. Boot device
35. #AllAccessIT
Windows Autopilot // Self-deploying mode with Azure AD
Prerequisites:
Windows 10 version 1809
Azure Active Directory Premium
Microsoft Intune
Device with TPM 2.0
Steps:
1. Device connected to internet
2. Register device with Windows Autopilot
3. Assign Intune Autopilot Profile configured for self-deploying mode
4. Boot device
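Added example (not from the original deck): a pre-flight check of the two device-side prerequisites listed above, Windows 10 1809 (build 17763) and TPM 2.0, before a device is assigned a self-deploying profile. Test-SelfDeployingPrereq is a hypothetical helper and the inputs are constructed; the commented lines show how to feed it live values from an elevated prompt.

```powershell
# Added example; this helper is hypothetical.
function Test-SelfDeployingPrereq {
    param(
        [Parameter(Mandatory)][int]$OsBuild,
        [string]$TpmSpecVersion,          # Win32_Tpm.SpecVersion, e.g. '2.0, 0, 1.38'; empty if no TPM
        [bool]$TpmEnabled = $false,
        [bool]$TpmActivated = $false
    )
    $problems = @()
    if ($OsBuild -lt 17763) {
        $problems += "OS build $OsBuild is older than Windows 10 1809 (17763)"
    }
    if (-not $TpmSpecVersion) {
        $problems += 'no TPM visible to Windows'
    } else {
        # The first comma-separated field of SpecVersion is the TPM specification family.
        $family = [version](($TpmSpecVersion -split ',')[0].Trim())
        if ($family -lt [version]'2.0') { $problems += "TPM spec $family is below 2.0" }
        if (-not $TpmEnabled) { $problems += 'TPM is not enabled' }
        if (-not $TpmActivated) { $problems += 'TPM is not activated' }
    }
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems -join '; ' }
}

# Constructed inputs: a ready device, an 1803 device with TPM 1.2, and a device without a TPM.
Test-SelfDeployingPrereq -OsBuild 17763 -TpmSpecVersion '2.0, 0, 1.38' -TpmEnabled $true -TpmActivated $true
Test-SelfDeployingPrereq -OsBuild 17134 -TpmSpecVersion '1.2, 2, 3' -TpmEnabled $true -TpmActivated $true
Test-SelfDeployingPrereq -OsBuild 18362 -TpmSpecVersion ''

# Live values on a device (elevated prompt required for the TPM namespace):
# $os  = Get-CimInstance -ClassName Win32_OperatingSystem
# $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
# Test-SelfDeployingPrereq -OsBuild $os.BuildNumber -TpmSpecVersion $tpm.SpecVersion `
#     -TpmEnabled $tpm.IsEnabled_InitialValue -TpmActivated $tpm.IsActivated_InitialValue
```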
42. #AllAccessIT
Windows Autopilot // Windows Autopilot for existing devices
Prerequisites:
Windows 10 version 1809
Azure Active Directory Premium
Microsoft Intune
System Center Configuration Manager
OneDrive for Business
Steps:
1. Create task sequence to deploy generic Windows 10 image with needed drivers (wipe-and-load)
2. Migrate data to OneDrive for Business (in advance)
3. Deploy task sequence to existing Windows 7 devices, installing Windows 10 and proceeding through Windows Autopilot user-driven process to join device to Azure AD
43. #AllAccessIT
Design notes
Upgrading the OS is just part of the problem
Need to migrate user data from Win7 to Win10
Unable to harvest hardware hashes in Win7
47. #AllAccessIT
Windows Autopilot // New in Windows 10 1903!
• Windows Autopilot “White Glove” (Windows 10 1903 and above): White glove partners or IT staff can pre-provision Windows 10 PC to be fully configured and business-ready for an org or user
• Enrollment Status Page enhancements (Windows 10 1903 and above): ESP tracks Intune Management Extensions, SCCM and Office installs; IT admin can choose which apps block during ESP through Intune
• Cortana voiceover disabled in OOBE (Windows 10 1903 and above): Cortana voiceover disabled by default for Pro and above SKUs
• Self-updating Autopilot (Windows 10 1903 and above): Enable new Windows Autopilot functionality without updating Windows.
49. #AllAccessIT
Windows Autopilot // White Glove
Windows 10 1903 and above
Partners or IT staff can pre-provision devices to be fully configured and business-ready