How to configure Windows AutoPilot with White Glove deployment

Some time ago I wrote a blog about “How to setup Windows AutoPilot and add existing devices the quickest way”. At that time, White Glove did not exist yet. It’s great to know how to set up Windows AutoPilot and add existing devices the fastest way, but how do you get end users working on a new device the fastest way?

What is White Glove?

That’s where White Glove comes into play. White Glove is a feature that enables pre-enrollment staging. All device-based policies, including certificates, applications and settings, are pre-installed on the device. As a result, the user enrollment on the device goes much faster! The White Glove staging can be performed by OEMs, an IT partner, or your own IT department (I will show you in a minute). But before you start with White Glove, make sure you know the following requirements:

  • Windows 10, build 1903 must be installed on the device;
  • It must be a physical device that supports TPM 2.0 (no virtual machines this time);
  • The device must be connected via an Ethernet connection (Wi-Fi is not supported);
  • And of course an Intune subscription and an Azure AD P1 or P2 license.
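The device-side requirements above can be checked before staging starts. The script below is an added example, not part of the original post: the function name `Test-WhiteGloveReadiness` is hypothetical, it assumes Windows 10 1903 corresponds to OS build 18362 and that later builds are also accepted, and the virtual machine check is a heuristic on the reported manufacturer and model. The Intune and Azure AD licensing requirement cannot be verified from the device.

```powershell
# Added example: pre-flight check for the device-side White Glove requirements.
# Run in an elevated PowerShell session on the device that will be staged.
function Test-WhiteGloveReadiness {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Assumption: Windows 10 1903 is OS build 18362; later builds are accepted.
        [int]$MinimumBuild = 18362
    )

    $results = [ordered]@{}

    # Requirement: Windows 10 1903
    $build = [System.Environment]::OSVersion.Version.Build
    $results['Windows 10 1903 or later'] = ($build -ge $MinimumBuild)

    # Requirement: TPM 2.0. Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $results['TPM 2.0 present'] = [bool]($tpm -and $tpm.SpecVersion -match '^\s*2\.0')

    # Requirement: physical device. Heuristic: common hypervisor strings
    # in the manufacturer/model reported by the firmware.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $vmPattern = 'Virtual|VMware|VirtualBox|KVM|Xen|QEMU'
    $results['Physical device'] = -not ("$($cs.Manufacturer) $($cs.Model)" -match $vmPattern)

    # Requirement: wired Ethernet (Wi-Fi is not supported for White Glove)
    $wired = Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Up' -and $_.PhysicalMediaType -eq '802.3' }
    $results['Wired Ethernet link up'] = [bool]$wired

    # Emit one object per check so the result can be filtered or logged
    foreach ($name in $results.Keys) {
        [pscustomobject]@{ Check = $name; Passed = $results[$name] }
    }
}

$report = @(Test-WhiteGloveReadiness)
$report | Format-Table -AutoSize
if ($report.Passed -contains $false) {
    Write-Warning 'At least one White Glove requirement is not met on this device.'
}
```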

In this blog

I assume you have already configured Windows AutoPilot in your environment as described in this blog, so I will not cover those steps. What I will cover is the following:

  • Edit your current Windows AutoPilot profile to enable it for White Glove
  • How to stage a device with White Glove
  • The end-user experience

Enable White Glove in your Windows AutoPilot profile

To enable White Glove in your Windows AutoPilot profile, navigate within the Azure Portal to Intune > Device Enrollment > Windows Enrollment > Deployment Profiles and open your AutoPilot profile.

Open the properties of the AutoPilot profile and make sure you set Allow White Glove OOBE to Yes.

That’s all you have to do on the backend.

How to stage a device with White Glove

Let’s stage a device with Windows AutoPilot White Glove. As I mentioned before, only physical devices are supported, so I cannot use a virtual machine. Therefore I had to take photos instead of screenshots for this blog. I hope they are clear enough.

For this blog I will use a Microsoft Surface 4 Pro device connected with an Ethernet adapter.

Turn on the device, and once you see the first blue OOBE screen (probably language selection), press the Windows button five times.

This will activate another screen. Select the Windows AutoPilot provisioning option and click Continue.

The device will check the Windows Autopilot service for the configuration. If everything is correct, click the Provision button.

The device will now run through the first two phases of the AutoPilot enrollment, including the installation of device-based applications (for example Microsoft Office 365).

Once the pre-staging is finished, a green screen will appear if everything is OK, or a red screen if there were errors. In this case everything was fine, so on the green screen, click Reseal. Once the reseal is completed, the device is turned off and is ready to ship to the end user.

The end-user experience: let’s test the results

The end-user experience, lets test the results

Let’s test the results by powering the device back on and logging in with a user account.

Select your language and click Yes

Select your region and click Yes

Select your keyboard layout and click Yes

Click the Skip button

On the Welcome screen, log in with your user credentials and click Next.

As you can see, Device preparation and Device setup are already completed the moment this screen first appears. This saves the end user a lot of time.

After a few moments, the desktop is presented with all the applications installed on it.

14 comments

  • Hi,

    Do you still have the hardware IDs uploaded to your Azure tenant before you select the Windows AutoPilot provisioning option? Otherwise how does the machine know which organisation to register with?

    • Hi Robin,
      Thanks for this detailed introduction. I’ve got a question. Once I need to recover a device, which performed AutoPilot before (meaning it joined my company’s Azure AD), to factory mode, how could I do that? The OEM HDD partition is still in that laptop, but no matter what, the Win10 reset/recovery still brings me to the Azure AD login screen. I plan to sell this laptop to others and obviously they don’t have my company’s Azure AD account. Do you know how to process this wiping or reset to OEM factory mode? Thank you.

      • If the laptop is managed with Microsoft Intune and is assigned to a Windows AutoPilot Profile, remove the assignment and the device first and then wipe the device with Intune. That will do.

  • Hi Robin,

    Thank you for your great post.

    I have a question regarding AutoPilot White Glove in relation to your post: https://www.robinhobo.com/automatic-add-existing-windows-10-devices-to-windows-autopilot/#respond

    I have a HAADJ AutoPilot profile and a HAADJ AutoPilot dynamic group with convert all Windows devices to AutoPilot.

    The HAADJ AutoPilot dynamic group is assigned to Office 365 and various other apps and set to REQUIRED for install.

    How do I prevent baseline apps like Office 365 from redeploying to devices through the HAADJ AutoPilot dynamic group membership but still have it deploy when a device is reset?

  • Hi Robin
    I made that setting in our environment, but if I try to use White Glove, I get the error message: “We couldn’t find any provisioning packages. Go back and try reconnecting your removable media. If that doesn’t work, talk to your support person”.
    I have a preinstalled Win10 1903 build on this machine. Do you know what I am missing? Do I have to set up a provisioning package first, and if yes, do you have a short manual? Thanks in advance and kind regards

  • Hello Robin,
    Can we achieve White Glove deployment using WorkspaceOne (Airwatch) instead of Intune?

  • Hi Robin,

    I have an issue: after the White Glove is successful (green) and resealed, during the user experience we are not getting the Azure AD sign-in page; instead it gives the local login page to the domain.
    Any suggestions?

  • My company uses hybrid domain join. We also implement Windows Autopilot + White Glove. Some users already have an Azure ID UPN.

    Is it possible to deploy a new device outside prem?

About Robin Hobo

Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).
