Windows 10 Modern Management is hot. More and more companies are looking at the possibilities of managing Windows 10 devices with their Enterprise Mobility Management (EMM) product. This does not only mean that they want a single tool with which they can manage all types of devices (like iOS, Android and Windows), but also a new way of managing their Windows 10 devices.
With this new way of management the end user and the administrator are more flexible. The location of the device has become irrelevant: a local domain join or a VPN connection to the company network is no longer needed to receive the latest updates, applications and policies.
Until recently, there was still the challenge to automate the enrollment process. With traditional PC management you have tools like Microsoft SCCM with which you could deploy complete images and automate local domain join with custom scripts. With Windows 10 in combination with Modern Management, image deployments are no longer necessary. And for automatic enrollment we now have Windows AutoPilot.
With Windows AutoPilot you control the Out-Of-Box Experience (OOBE). You can hide questions for the end user like "Accept EULA", "Personal or company device owner" and the privacy settings. The only thing the user has to do (at this moment) is connect to Wi-Fi, select their keyboard layout and log in with their company credentials, that's it! The rest is automated, including the Azure AD Join and the enrollment with an MDM/EMM product (the last one is optional). Once enrolled with an MDM/EMM solution, applications and policies can be published to the device fully automatically.
Every time a Windows 10 device starts up for the first time (or after a factory reset) it runs the OOBE setup. During this setup the device contacts the Windows AutoPilot deployment service to check whether its hardware ID has been registered in an Azure AD tenant. If so, the assigned profile is loaded, customized by the corresponding company (in this blog I will show you how to do that).
This gives the IT administrator great possibilities. He no longer has to prepare new devices for the end user; the IT administrator can even have the device delivered to the end user's home address, right from the factory, without any effort on his side.
The end user starts the device, logs in with the company credentials and a few minutes later the device is ready for use with the company policies applied. If for some reason the device becomes unstable after a while, just do a factory reset or device wipe. After the cleanup and re-installation of Windows 10 (fully automatic), the device runs the OOBE setup again and the user can log in to a fresh Windows 10 installation (with company policies applied).
With every new order from hardware vendors like Microsoft, Dell and HP you can specify that you are using Windows AutoPilot. They will add the device IDs to Azure for you, or can deliver a file with all new device IDs that you import into your Azure tenant yourself.
And what about existing devices? It is also possible to add them to your Azure tenant. It requires some manual steps, as I show you in this blog.
Windows AutoPilot is an Azure AD Premium feature. This means that every user who needs to make use of this feature needs at least an Azure AD Premium P1 license, or a Microsoft Enterprise Mobility + Security (EM+S) E3 or E5 license if you also want to manage the Windows 10 device with Microsoft Intune, like in this blog.
In this blog I show you step-by-step how to configure Windows AutoPilot and how to add existing devices the quickest way, with my personal best practices. I will configure Windows AutoPilot in combination with Microsoft Intune for the MDM part. Note that Microsoft Intune is optional and can be replaced with another MDM vendor like AirWatch, XenMobile or MobileIron.
In this blog I will cover the following;
Before we can start with Windows AutoPilot some prerequisites must be configured. I will guide you through these steps in this blog. In advance I have created a security group that includes all users who will use AutoPilot and Microsoft Intune. This group is also linked to the right licenses in Azure AD. I have also created an Azure AD user with the name "localadmin". This account will be made a local administrator on every Windows 10 device during Azure AD Join / AutoPilot.
For the following steps login as global admin to the Azure Portal (https://portal.azure.com).
Go to Azure Active Directory and open the Devices page
Open the Device settings page. On this page you configure which users may join a Windows 10 device to Azure AD, and in what way.
Personally, I always limit this to members of a security group: the same group to which I assigned the licenses. In this way, only users with the correct licenses are able to join their device to Azure AD with auto enrollment in Microsoft Intune (see the following steps below). So, I set Users may join devices to Azure AD to Selected and select the security group.
The next setting is Additional local administrators on Azure AD joined devices. I always add an additional local administrator (in this case the "localadmin" user). Remember that the user who joins a Windows 10 device to Azure AD becomes a local administrator of that device (unless an AutoPilot profile is assigned that makes the user a standard user). All other users who log on to the device have standard user rights. So it is always good to have a second way in with another local administrator for troubleshooting purposes. Keep in mind that this account becomes an administrator on every Azure AD joined device in the tenant, so treat its credentials as highly privileged: give it a strong password and do not use it for day-to-day work.
Configure the other settings the way you want and click Save
Go back to Azure Active Directory and open the Mobility (MDM and MAM) page.
Click on Microsoft Intune
On this page you configure who is allowed to enroll a device in Microsoft Intune via Azure AD Join. As mentioned before, I always add a security group to scope the users who can enroll their device. So, also in this case I add the AutoPilotBlog security group to the MDM user scope. Leave everything else at its default (if you're not sure everything is configured correctly, you can also click Restore default MDM URLs).
Go back to Azure Active Directory and open the Company branding page.
Company branding is required for AutoPilot to work properly. Therefore we need to create a new Company branding (if not already in place). Click the Configure button.
Configure the requested settings like background image, banner logo and square logo image and click Save
Go back to Azure Active Directory and open the Properties page.
This final step for configuring the prerequisites is more of a check. Make sure that all the information is correct; it will be displayed on the devices during the Windows AutoPilot enrollment.
In the next step I show you how to configure a Windows AutoPilot profile and how to assign it to devices. It is possible to assign an AutoPilot profile to devices automatically, so that you do not have to do that manually every time you add new devices. To accomplish this, a dynamic group needs to be created, as I show in the next steps.
Go back to Azure Active Directory and open the Groups page.
Click + New group
Fill in the following information;
Group type: Security
Group name: All AutoPilot Devices (or something else you like)
Group description: All AutoPilot Devices (or something else you like)
Membership type: Dynamic Device
Click on Add dynamic query
Select Advanced rules and add the following rule;
(device.devicePhysicalIDs -any _ -contains "[ZTDId]")
See for more information the Microsoft documentation (link).
Click Add query and Create
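The same dynamic group can also be created from PowerShell, which is handy when you want the rule under version control or need to repeat it in several tenants. This is an added example, not code from the original post; it uses the AzureAD module (Install-Module AzureAD) and signs in as the same global admin used for the portal steps. The group name, mail nickname and the order ID value are placeholders.

```powershell
# Added example (not from the original post): create the "All AutoPilot Devices"
# dynamic device group with the AzureAD PowerShell module instead of the portal.
# Assumes: Install-Module AzureAD has been run and you sign in as global admin.

Connect-AzureAD | Out-Null

# The rule from the blog: every device registered with the AutoPilot deployment
# service carries a "[ZTDId]:<guid>" entry in devicePhysicalIds, so this
# membership rule matches all AutoPilot devices in the tenant.
$AllAutoPilotRule = '(device.devicePhysicalIds -any _ -contains "[ZTDId]")'

# Narrower variant for one profile per purchase batch: match on the order ID
# the vendor registered with the devices. The numeric value is a placeholder.
$OrderRule = '(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")'

$Group = New-AzureADMSGroup -DisplayName 'All AutoPilot Devices' `
    -Description 'All devices registered with Windows AutoPilot' `
    -MailEnabled $false -MailNickname 'AllAutoPilotDevices' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $AllAutoPilotRule -MembershipRuleProcessingState 'On'

# Read the group back to confirm the rule is stored and processing is switched on.
# Membership is evaluated by Azure AD in the background, so newly imported
# devices can take several minutes to appear as members.
Get-AzureADMSGroup -Id $Group.Id |
    Select-Object DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState
```

To use the order-based rule instead, pass $OrderRule as -MembershipRule and create one group (and one AutoPilot profile assignment) per batch; the ZTDId rule stays useful as a catch-all for devices that do not belong to a specific order.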
In this blog I will not cover how to set up Microsoft Intune itself (policies, applications, Windows Hello for Business and the CNAME configuration). I will cover this in another blog. Here I only cover the steps related to Windows AutoPilot / Azure AD Join.
Navigate to Intune > Device enrollment > Windows enrollment > Enrollment Status Page
Enrollment Status Page is a new feature and in preview while writing this blog. It lets the administrator block use of the device right after the enrollment with Azure AD / Windows AutoPilot, for as long as not all policies are applied and/or apps are installed yet. This step is optional for the AutoPilot configuration.
Click the Default profile.
Click Settings. For this blog I will enable the Enrollment Status page, and give users the ability to close it so that they can work on their device right away. Click Save.
Go back to Windows enrollment and open the Deployment Profiles page.
Click + Create profile
Configure the profile as follows;
Name: Anything you like
Description: Anything you like
Deployment mode: User-Driven
Join to Azure AD as: Azure AD joined
Click Out-of-box experience (OOBE)
Configure the settings you like. In my case I hide the End user license agreement (EULA) and the Privacy Settings, and give the users Administrator rights. Note that Administrator here makes the enrolling user a local administrator of the device; choose Standard if your users should be standard users.
Click Save and Create
Click the just created profile.
Click Assignments and click + Select groups
Select the All AutoPilot Devices group created in previous steps and click Select and Save
When ordering new devices via Microsoft, Dell, HP and some other big vendors, you can indicate that you are using Windows AutoPilot and want the new devices enabled for it. The vendor can then add those new devices to your Windows AutoPilot tenant automatically. Very useful and time-saving! But what about new devices that have already been delivered to you and are not added to AutoPilot? Well, there is a PowerShell script you can run to get the hardware IDs of these devices. Once you have uploaded the hardware IDs to your Azure tenant and assigned them to an AutoPilot profile, the devices are AutoPilot enabled.
If you have a new device that is not yet enabled for Windows AutoPilot, like in my case a new Microsoft Surface Pro, it is very easy to get the hardware ID. When you turn on a new device delivered with Windows 10 pre-installed for the first time, you do not have to run through the complete OOBE setup, run the PowerShell script afterwards and then do a factory reset. That costs a lot of time! I show you a much faster way in the next few steps.
NOTE: The next steps only work for physical devices, NOT virtual machines…
Start the device and wait a few seconds until you can select your region.
Press the following key combination SHIFT + F10
A CMD prompt appears; type PowerShell and hit Enter
In the next steps I create a scripts folder on the C drive and allow PowerShell to run scripts. Run the following commands;
md c:\scripts
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Run the following command;
Save-Script -Name Get-WindowsAutoPilotInfo -Path c:\scripts
The NuGet provider is required for this action. Press Y and Enter. NuGet will automatically be downloaded and installed.
Run the dir command to see that the PowerShell script is downloaded to the scripts folder.
Change to the scripts folder and run the script (PowerShell needs the .\ prefix to run a script from the current folder);
cd c:\scripts
.\Get-WindowsAutoPilotInfo.ps1 -OutputFile c:\scripts\robinhobo.csv
Replace "robinhobo.csv" with a name of your choice. When you now run the dir command again you see that there is a robinhobo.csv file. This file needs to be uploaded to Microsoft Intune.
I copy the csv file to a USB drive with this command (replace d:\ with the drive letter of your USB drive); copy robinhobo.csv d:\
After that run; shutdown /p
This will turn off the device.
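The steps above, collected into one script that can be pasted into the SHIFT + F10 PowerShell prompt during OOBE. This is an added example and not code from the original post. It assumes the device has internet access (the PowerShell Gallery must be reachable) and that a USB stick is plugged in; the folder name and the CSV name are my own choices. Beyond the manual steps it also validates the CSV before you carry it to the Intune portal, and writes with -Append so one CSV on the USB stick can collect several devices.

```powershell
# Added example (not from the original post): hardware-hash collection for
# Windows AutoPilot, run from the SHIFT+F10 PowerShell prompt during OOBE.
# Assumptions: internet access to the PowerShell Gallery, a USB stick inserted.
# File and folder names below are placeholders of my own choosing.

$ScriptDir = 'C:\scripts'
$CsvName   = 'autopilot-devices.csv'

# 1. Working folder and execution policy. The OOBE prompt runs as SYSTEM,
#    so Set-ExecutionPolicy does not trigger an elevation prompt.
New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# 2. Get the script from the PowerShell Gallery. Installing the NuGet provider
#    with -Force replaces the interactive "Y" answer from the manual steps.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
Save-Script -Name Get-WindowsAutoPilotInfo -Path $ScriptDir -Force

# 3. Write the CSV straight onto the first removable drive (DriveType 2) so the
#    same file can be appended to on the next device; fall back to C:\scripts.
$Usb = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | Select-Object -First 1
if ($Usb) { $Csv = Join-Path ($Usb.DeviceID + '\') $CsvName }
else      { $Csv = Join-Path $ScriptDir $CsvName; Write-Warning "No USB drive found, writing to $Csv" }

# 4. Collect the hardware hash. -Append keeps earlier rows in the same file.
& (Join-Path $ScriptDir 'Get-WindowsAutoPilotInfo.ps1') -OutputFile $Csv -Append

# 5. Check the CSV before trusting it: the Intune import expects these three
#    columns, and every hardware hash must be non-empty, valid base64.
$Required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$Rows = @(Import-Csv -Path $Csv)
if ($Rows.Count -eq 0) { throw "No rows were written to $Csv" }
$Columns = ($Rows[0] | Get-Member -MemberType NoteProperty).Name
$Missing = $Required | Where-Object { $_ -notin $Columns }
if ($Missing) { throw "CSV is missing column(s): $($Missing -join ', ')" }
foreach ($Row in $Rows) {
    $Serial = $Row.'Device Serial Number'
    if (-not $Row.'Hardware Hash') { throw "Empty hardware hash for serial $Serial" }
    try   { [void][Convert]::FromBase64String($Row.'Hardware Hash') }
    catch { throw "Invalid hardware hash for serial $Serial" }
}
Write-Host "CSV holds $($Rows.Count) device(s); this device is serial $($Rows[-1].'Device Serial Number')"

# 6. Power off, same as "shutdown /p" in the manual steps. Skip it when the
#    CSV is still on the local disk so it can be copied off by hand first.
if ($Usb) { Stop-Computer -Force }
```

Because the file is appended to rather than overwritten, the validation deliberately walks every row, not just the newest one: a single malformed line makes the Intune import reject the whole upload, and it is cheaper to find that at the device than in the portal.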
Go back to the Microsoft Intune portal and navigate to; Microsoft Intune > Device enrollment > Windows enrollment > Devices
Click the blue folder icon and upload the just created csv file.
After a few minutes the imported device shows up. Note that it is automatically assigned to a profile.
4. Test the results
In this final step of this blog I show you the results of the configuration made in the previous steps.
Start up the device again from which we exported the hardware ID.
Select your region and click Yes
Select your keyboard layout and click Yes
As you can see, AutoPilot is working and the company branding is applied. Fill in a user’s email address and click Next
Enter the user’s password and click Next
This is the Enrollment Status Page as we have configured in step 2. I skip it for now by clicking on Continue anyway
After a few minutes the new Windows 10 device is ready for use.
As you can see in the Access work or school settings, the device is Azure AD joined.
And also in Microsoft Intune the device is enrolled successfully.