Windows Autopilot is a feature provided within Intune that simplifies the deployment and management of Windows devices in an organization.
Traditionally, deploying Windows devices involved a time-consuming process of manually setting up each device, installing the operating system, configuring settings, and installing necessary applications. Windows Autopilot streamlines this process by leveraging cloud-based services and automation to enable a self-service deployment experience.
Now that we know what is Autopilot let’s build a profile to make it work and delve into the details.
First of all, an Autopilot device or generally any device that we want to automate its enrollment has to be identified somehow. This is done by using the serial number of the device. Every device has a unique serial number so this is the perfect match for identification and separation.
! Hint: we will need the serial of the devices that we want to include in Autopilot
As we already know when a device is enrolled in Intune, the serial number can be found under devices blade. But what happens when we want to get the serial of the device before enrolling it into Intune. This is done by running a specific script that is explained below in the guide.
Chapter 1: Autopilot Blade
Intune has a specific blade for managing Autopilot configuration and settings.
This can be found by going to Devices -> Windows -> Windows Enrollment
Chapter 2: Devices Hash
In Autopilot every device has a unique device hash that includes its serial number and a hash. Basically, the Autopilot device hash is a unique hardware identifier associated with a Windows device. It is a .csv file that can be automatically extracted and uploaded by the vendors of the devices or manually by the IT personnel. The process of extracting and uploading the hash is described below.
Chapter 3: Deployment Profile
An Autopilot deployment profile defines specific settings such as deployment mode, privacy settings etc.. More details about this can be found here. To create a deployment profile follow the next steps.
First go to Autopilot blade and select Deployment Profiles
Then name the profile and select the settings so they match your requirements.
You can select Windows PC or HoloLen. We will select Windows PC.
Give a name and a description to your profile. Select Yes if you want all corporate owned, non-Autopilot devices in assigned groups to register with the Autopilot deployment service. In this case we select Yes to apply this setting (keep in mind that this setting will apply only to the assigned group).
Choose the preferred settings below. The settings that you should give extra care is the User account type, maybe the settings for the language and keyboard and surely the Apply device name template setting. The last setting allows us to specify a specific name for the devices during the enrollment. Names must be 15 characters or less, and can have letters, numbers, and hyphens. Names can’t be all numbers. Use the %SERIAL% macro to add a hardware-specific serial number. Or, use the %RAND:x% macro to add a random string of numbers, where x equals the number of digits to add. This can be used if a specific name convention is defined by the organization. In another post ways to rename script are already described.
Moving forward, the assignments of this profile should be added.
STOP HERE! and check the next 2 chapters (Chapter 4 and 5) that describe how create a dynamic group to include all autopilot devices.
Now the Autopilot profile is ready. The next step is to create an Enrollment status page or ESP (Chapter 6).
ESP is a user-facing screen that provides information about the progress and status of the device enrollment process. It is displayed to the end-user during the initial setup and configuration of a device that is being enrolled using Autopilot.
Chapter 4: Import device to Autopilot
Let’s import a device in Autopilot in order to use it in our example. As mentioned already to import a device we need the hardware hash of the device. We can either ask our retailer to pre-import the hashes to Autopilot or do it manually. To extract the hardware from a device and import it manually we have to run a PowerShell script provided by Microsoft here. After running the script with elevated rights a .csv file is created. After that we import it in Autopilot as shown below.
Click Import here and select the folder icon at the right to select and import the .csv file created.
Wait until import is completed and you are able to see the imported device in the result list.
Now we have imported a device into Autopilot.
To be able to identify this device we have to assign a group tag to it. A group tag is a feature that allows us to assign specific Autopilot profiles to a group of devices. Let’s add the CorporatePC group tag to our devices. The group tag will be used later to populate a dynamic group based on it.
Let’s move forward and create a dynamic group that will include all of these Autopilot devices.
Chapter 5: Autopilot Group Creation
Head to groups and click “New Group”. Give your group a name and description and select “Dynamic Device” as Membership type.
Open Dynamic device members by clicking “Add dynamic query”, follow the images below and add the below as dynamic query rule:
(device.devicePhysicalIds -any _ -eq “[OrderID]:CorporatePC”)
The above query will look if a device’s order ID or group tag is equal to CorporatePC and if yes it will add it to the group. More details can be found here.
Click Save and the Group is ready.
Wait a bit in order for the group to be populated (or better the rule to calculate the devices that should be included – that depends on the number of devices in infrastructure).
Chapter 6: Enrollment Status Page (ESP)
Head to Windows enrollment from Intune and select Enrollment Status Page.
As you can see there is a default ESP configured that is applied to every device and user. We will create a new one with higher priority. Select Create and name your ESP profile.
At the next page we can see the various options and configuration we are able to configure such as to show the application installation progress, set enrollment time limits etc.. More details can be found here.
Select the desired settings and assign the profile to the Autopilot group we created earlier.
It is important to mention here that we can force the user to wait at the ESP until specific apps are installed. In this example we choose the Microsoft suite and Company portal as required apps during enrollment.
Now click Create to create the ESP profile. After creation you will see that the new ESP profile has a priority of 1.
Now everything is set up and ready to roll. The next time a user is connected to device imported in Autopilot, the ESP will show and an automatic enrollment will be made.
Chapter 7: End-user Experience
When a user connects to a device that had registered for Autopilot the below screen will be shown and after the necessary checks and installation, the user will connect to the device.
