How to setup Windows AutoPilot and add existing devices the quickest way

UPDATE (Dec 2, 2020): There is now an even faster way of adding devices to Autopilot. Step 3 of this blog can be replaced with the new steps described in this blog: How to add Windows 10 devices to Windows Autopilot even faster

Windows 10 Modern Management is hot. More and more companies are looking into the possibilities of managing Windows 10 devices with their Enterprise Mobility Management (EMM) product. This means not only that they want a single tool with which they can manage all types of devices (like iOS, Android and Windows), but also a new way of managing their Windows 10 devices.

With this new way of management both the end user and the administrator gain flexibility. The location of the device has become irrelevant: a local domain join or a VPN connection to the company network is no longer needed to receive the latest updates, applications and policies.

Until recently, there was still the challenge of automating the enrollment process. With traditional PC management you have tools like Microsoft SCCM with which you can deploy complete images and automate the local domain join with custom scripts. With Windows 10 in combination with Modern Management, image deployments are no longer necessary. And for automatic enrollment we now have Windows AutoPilot.

What is Windows AutoPilot?

With Windows AutoPilot you control the Out-Of-Box Experience (OOBE). You can hide questions for the end user like “Accept EULA”, “Personal or company device owner” and privacy settings. The only things the user has to do (at this moment) are connect to Wi-Fi, select their keyboard layout and log in with their company credentials, that’s it! The rest is automated, including the Azure AD join and enrollment with an MDM/EMM product (the latter is optional). Once enrolled with an MDM/EMM solution, applications and policies can be published to the device fully automatically.

How does it work?

Every time a Windows 10 device starts up for the first time (or after a factory reset) it runs the OOBE setup. During this setup the device checks whether its device ID is known in any Azure AD tenant. If so, the assigned profile loads, customized by the corresponding company (in this blog I show you how to do that).

This gives the IT administrator great possibilities. They no longer have to prepare a new device for the end user; the device can even be delivered to the end user's home address, straight from the factory, without any effort on the administrator's side.

The end user starts the device, logs in with their company credentials and a few minutes later the device is ready for use with the company policies applied. If for some reason the device becomes unstable after a while, just do a factory reset or device wipe. After the cleanup and re-installation of Windows 10 (fully automatic), the device runs the OOBE setup again and the user can log in to a fresh Windows 10 installation (with company policies applied).

How do I get the device IDs into Azure?

With every new order from hardware vendors like Microsoft, Dell and HP you can specify that you are using Windows AutoPilot. They will add the device IDs to Azure for you, or can deliver a file with all new device IDs that you can import into the Azure tenant yourself.

And what about existing devices? It is also possible to add them to your Azure tenant, but it requires some manual steps, as I show you in this blog.

Licenses

Windows AutoPilot is an Azure AD Premium feature. This means that every user who needs to make use of this feature needs at least an Azure AD Premium P1 license, or a Microsoft Enterprise Mobility + Security (EM+S) E3 or E5 license if you also want to manage the Windows 10 device with Microsoft Intune, as in this blog.

In this blog

In this blog I show you step by step how to configure Windows AutoPilot and how to add existing devices the quickest way, with my personal best practices. I configure Windows AutoPilot in combination with Microsoft Intune for the MDM part. Note that Microsoft Intune is optional and can be replaced with another MDM vendor like AirWatch, XenMobile or MobileIron.

In this blog I will cover the following:

  1. Configure Windows AutoPilot prerequisites
  2. Configure Windows AutoPilot profiles and automatic assignments
  3. Add an existing Windows 10 device to Windows AutoPilot
  4. Test the results

1. Configure Windows AutoPilot prerequisites

Before we can start with Windows AutoPilot some prerequisites must be configured. I will guide you through these steps in this blog. In advance I have created a security group that includes all users who will use AutoPilot and Microsoft Intune. This group is also linked to the right licenses in Azure AD. I have also created an Azure AD user with the name “localadmin”. This will be a local admin that is created locally on every Windows 10 device during Azure AD join / AutoPilot.

For the following steps, log in as a global admin to the Azure Portal (https://portal.azure.com).

Go to Azure Active Directory and open the Devices page.

Open the Device settings page. On this page you configure which users can Azure AD join a Windows 10 device, and in what way.

Personally, I always limit this to members of a security group: the same group to which I assigned the licenses. This way, only users who have the correct licenses are able to join their device to Azure AD with auto-enrollment in Microsoft Intune (see the following steps). So, I set Users may join devices to Azure AD to Selected and select the security group.

The following setting is Additional local administrators on Azure AD joined devices. I always add an additional local administrator (in this case the “localadmin” user). Remember that the user who joins a Windows 10 device to Azure AD is always an administrator on that device (unless an AutoPilot profile is assigned that specifies the user must be a standard user). All other users who log on to the device have standard user rights. So it’s always good to have a second local administrator as a fallback for troubleshooting purposes.

Configure the other settings the way you want and click Save.

Go back to Azure Active Directory and open the Mobility (MDM and MAM) page.

Click on Microsoft Intune.

On this page you configure who is allowed to enroll a device in Microsoft Intune via Azure AD join. As mentioned before, I always add a security group to scope the users who can enroll their device. So, also in this case I add the AutoPilotBlog security group to the MDM user scope. Leave everything else at the defaults (if you’re not sure whether everything is configured correctly, you can also click Restore default MDM URLs).

Click Save.

Go back to Azure Active Directory and open the Company branding page.

Company branding is required for AutoPilot to work properly. Therefore we need to configure Company branding (if not already in place). Click the Configure button.

Configure the requested settings like background image, banner logo and square logo image and click Save.

Go back to Azure Active Directory and open the Properties page.

This final step for configuring the prerequisites is more of a check. Make sure that all the information is correct. It is displayed on the device during the Windows AutoPilot enrollment.

2. Configure Windows AutoPilot profiles and automatic assignments

In the next step I show you how to configure a Windows AutoPilot profile and how to assign it to devices. It is possible to assign an AutoPilot profile to devices automatically, so that you do not have to do that manually every time you add new devices. To accomplish this, a dynamic group needs to be created, as I show you in the next steps.

Go back to Azure Active Directory and open the Groups page.

Click + New group.

Fill in the following information:

Group type: Security
Group name: All AutoPilot Devices (or something else you like)
Group description: All AutoPilot Devices (or something else you like)
Membership type: Dynamic Device

Click on Add dynamic query.

Select Advanced rules and add the following rule:

(device.devicePhysicalIDs -any _ -contains "[ZTDId]")

See the Microsoft documentation (link) for more information.

Click Add query and Create.

In this blog I will not cover how to set up Microsoft Intune itself, like policies, applications, Windows Hello for Business and CNAME configuration. I will cover this in another blog. I only cover the steps that are related to Windows AutoPilot / Azure AD join.

Navigate to Intune > Device enrollment > Windows enrollment > Enrollment Status Page.

The Enrollment Status Page is a new feature and in preview at the time of writing. It allows the administrator to block the device right after enrollment with Azure AD / Windows AutoPilot until all policies are applied and/or apps are installed. This step is optional for the AutoPilot configuration.

Click the Default profile.


Click Settings. For this blog I enable the Enrollment Status Page and give users the ability to close it so that they can work on their device right away. Click Save.

Go back to Windows enrollment and open the Deployment Profiles page.

Click + Create profile.

Configure the profile as follows:

Name: Anything you like
Description: Anything you like
Deployment mode: User-Driven
Join to Azure AD as: Azure AD joined

Click Out-of-box experience (OOBE).

Configure the settings you like. In my case I hide the End user license agreement (EULA) and Privacy settings and give the users Administrator rights.

Click Save and Create.

Click the just created profile.

Click Assignments and click + Select groups.

Select the All AutoPilot Devices group created in the previous steps and click Select and Save.

3. Add an existing Windows 10 device to Windows AutoPilot

When ordering new devices via Microsoft, Dell, HP and some other big vendors, you can indicate that you are using Windows AutoPilot and want to enable the new devices for it. The vendor can then add those new devices automatically to your Windows AutoPilot tenant. Very useful and time-saving! But what about new devices that have already been delivered to you and are not added to AutoPilot? Well, there is a PowerShell script you can run to get the hardware IDs of these devices. And once you have the hardware IDs uploaded to your Azure tenant and assigned to an AutoPilot profile, the devices are AutoPilot enabled.

If you have a new device that is not enabled for Windows AutoPilot yet, like in my case a new Microsoft Surface Pro, it’s very easy to get the hardware ID. When you turn on a new device delivered with Windows 10 pre-installed for the first time, you don’t have to go through the complete OOBE setup, run the PowerShell script afterwards and then do a factory reset. That would cost a lot of time! I show you a much faster way in the next few steps.

NOTE: The next steps only work for physical devices, NOT virtual machines…

Start the device and wait a few seconds until you can select your region.

Press the following key combination: SHIFT + F10.

A CMD prompt appears. Type PowerShell and hit Enter.

In the next steps I create a scripts folder on the C drive and allow PowerShell to run scripts. Run the following commands:

CD\
md scripts
cd scripts
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

Run the following command:

Save-Script -Name Get-WindowsAutoPilotInfo -Path c:\scripts

The NuGet provider is required for this action. Press Y and Enter. NuGet is downloaded and installed automatically.

Run the dir command to see that the PowerShell script has been downloaded to the scripts folder.

Run the following command (the .\ prefix is needed, because PowerShell does not run scripts from the current folder by name alone):

.\Get-WindowsAutoPilotInfo.ps1 -OutputFile c:\scripts\robinhobo.csv

Replace “robinhobo.csv” with a name of your choice. When you now run the dir command again you see that there is a robinhobo.csv file. This file needs to be uploaded to Microsoft Intune.

I copy the csv file to a USB drive with this command: copy robinhobo.csv d:\

After that, run: shutdown /p

This will turn off the device.
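The on-device part of step 3 as one script, added here as an example and not code from the original post: it downloads the Get-WindowsAutoPilotInfo script, exports the hardware hash, checks the CSV before it leaves the device and copies it to the USB drive. The folder C:\scripts and the file name robinhobo.csv follow the post; the drive letter D: and the CSV column names (the ones the script writes, as I know them) are assumptions. Unlike the post's machine-wide Set-ExecutionPolicy, the policy change here is limited to this PowerShell session.

```powershell
# Added example, not from the original post. Run from the PowerShell window opened
# with SHIFT + F10 during OOBE, after the device has network connectivity.
$ScriptDir  = 'C:\scripts'
$ScriptPath = Join-Path $ScriptDir 'Get-WindowsAutoPilotInfo.ps1'
$OutputFile = Join-Path $ScriptDir 'robinhobo.csv'   # pick your own file name
$UsbDrive   = 'D:\'                                  # assumption: drive letter of the USB stick

# Allow scripts to run in this session only, instead of changing the machine-wide policy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null

if (-not (Test-Path $ScriptPath)) {
    # Save-Script needs the NuGet provider; -Force answers the Y/N prompt shown in the post
    Install-PackageProvider -Name NuGet -Force | Out-Null
    Save-Script -Name Get-WindowsAutoPilotInfo -Path $ScriptDir -Force
}

# Export this device's hardware hash (the script reads it through WMI)
& $ScriptPath -OutputFile $OutputFile

# Check the file before uploading it: exactly one device row, no empty columns.
# Column names assumed from the script's CSV output.
$required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$rows = @(Import-Csv -Path $OutputFile)
if ($rows.Count -ne 1) {
    throw "Expected one device row in $OutputFile, found $($rows.Count)"
}
foreach ($col in $required) {
    if (-not $rows[0].PSObject.Properties[$col]) {
        throw "Column '$col' is missing in $OutputFile; not a Get-WindowsAutoPilotInfo export"
    }
    if ([string]::IsNullOrWhiteSpace($rows[0].$col)) {
        throw "Column '$col' is empty in $OutputFile"
    }
}
Write-Host ("Serial {0}: hardware hash exported ({1} characters)" -f `
    $rows[0].'Device Serial Number', $rows[0].'Hardware Hash'.Length)

# Copy the CSV to the USB stick so it can be uploaded from another machine
if (Test-Path $UsbDrive) {
    Copy-Item -Path $OutputFile -Destination $UsbDrive
    Write-Host "Copied $OutputFile to $UsbDrive. Run 'shutdown /p' to power off the device."
} else {
    Write-Warning "Drive $UsbDrive not found; copy $OutputFile off the device manually."
}
```

The check matters because an empty or malformed CSV is only rejected later, in the Intune import, when the device is already powered off and packed; catching it here avoids a second trip through OOBE.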

Go back to the Microsoft Intune portal and navigate to: Microsoft Intune > Device enrollment > Windows enrollment > Devices.

Click Import.

Click the blue folder icon and upload the just created csv file.

After a few minutes the imported device shows up. Note that it is automatically assigned to a profile.

4. Test the results

In this final step of this blog I show you the results of the configuration made in the previous steps.
Start up the device from which we exported the device ID again.

Select your region and click Yes.

Select your keyboard layout and click Yes.

Click Skip.

As you can see, AutoPilot is working and the company branding is applied. Fill in a user’s email address and click Next.

Enter the user’s password and click Next.

This is the Enrollment Status Page as configured in step 2. I skip it for now by clicking Continue anyway.

After a few minutes the new Windows 10 device is ready for use.

As you can see in the Access work or school settings, the device is Azure AD joined.

And also in Microsoft Intune the device is enrolled successfully.

27 comments

  • Hello
I set up Autopilot like you described and tried to test. When I try to log on to Azure, I get the error:
looks like we can’t connect to the url for your organization’s mdm terms of use. I googled it and just found one aspect, to have an Azure AD Premium License; I have that assigned. Is there a field in Azure AD where to put a URL for that?
    Thanks in advance
    Kaya

  • These steps worked great, but where does the background and banner logo come in? I only saw the Square Logo during OOBE setup.

  • Nice article, but I ran into one point of confusion

    You mentioned this:
    With every new order by hardware vendors like Microsoft, Dell and HP you can specify that you are using Windows AutoPilot. They will add the device ID’s to Azure for you or can deliver a file with all new device ID’s that you can import to the Azure Tenant yourself.

But when I contacted Dell in regards to a hardware purchase recently, our sales rep had no idea what Autopilot was, and after they looked into things there they said they could not provide such a document.

    Is there some kind of special method to get this information from them that you know of?

    Thanks!

  • Fantastic!

    You just solved my problem I’ve been banging my head on my desk about for days. I had the Autopilot device security group incorrectly setup with “assigned” instead of dynamic device with the A to Z tag.

    Great tutorial, much appreciated.

  • All of the steps were completed, my device has been successfully enrolled in autopilot, and profile assigned. The only problem is when I restart my device the OOBE never shows up. Do I need to reset my PC and remove everything before it will work?

    NOTE: This is a Windows 10 1803 preinstall that was given to me by my IT org.

  • First, thank you for this, it’s really nice. Secondly, have you seen a situation where fresh start will not wipe any user accounts?

    • Hi John, thanks! I have never seen a situation where user accounts stay on the device after a complete wipe. What actions did you perform?

      • Not a wipe proper, but the Fresh Start function, which is a “kind of wipe” as I understand it.

        john

Excellent article. I was able to get all this done for my devices. However, when I set the user to standard instead of administrator, BitLocker will not run without an administrator account. Any thoughts or suggestions on this?

Thanks Bobby, regarding your problem: this was a problem with old Windows 10 builds. Have you tried it with the latest Windows 10 build?

Hi Robin Hobo, firstly thanks! I just have a quick question: how do I create a local admin account that will be created locally on every Windows 10 device during Azure AD Join / AutoPilot?

Thanks Amoldeep, you can configure this on the following blade: Azure Active Directory > Devices > Device Settings, and then “Additional local administrators on Azure AD joined devices”.

  • Hi, do you have any advice on how to merge multiple .csv files with hardware IDs in order to import multiple devices not one by one? A bit frustrating when there are 100 devices and you can import only one device every 15 min.
    By the way great article!!

I am currently searching high and low for a way to retrieve the hardware IDs of every PC on the network. I do not want to have to go to every machine; I’d like to run it from a domain controller. Once we have these we are going to install Windows 10 onto all of them and have them set up with Autopilot so we can remove our on-premise domain controllers. Can you advise?
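The two comments above ask about bulk import: merging many per-device CSV files, and collecting hashes without visiting every machine. The following is an added example, not code from the post's author or a reply in the thread: it merges the CSV files that Get-WindowsAutoPilotInfo wrote on several devices into one file for a single Intune upload, rejecting files in the wrong layout and duplicate serial numbers. The folder and file names are assumptions; the column names are the ones the script writes (assumed from its CSV output), and the quote-free output layout mirrors what the script itself produces.

```powershell
# Added example, not from the original post or its comments.
$SourceFolder = 'C:\scripts\hashes'            # assumption: one CSV per device, collected here
$MergedFile   = 'C:\scripts\all-devices.csv'   # assumption: merged file to upload
$Required     = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'

function Merge-AutopilotCsv {
    param([string]$Folder, [string]$Destination)

    $rows = foreach ($file in Get-ChildItem -Path $Folder -Filter '*.csv') {
        foreach ($row in Import-Csv -Path $file.FullName) {
            # A file without the expected columns is not a hardware-hash export; stop
            # rather than upload something Intune will reject or misread
            foreach ($col in $Required) {
                if (-not $row.PSObject.Properties[$col]) {
                    throw "$($file.Name) is missing column '$col'; not a Get-WindowsAutoPilotInfo export"
                }
                if ([string]::IsNullOrWhiteSpace($row.$col)) {
                    throw "$($file.Name) has an empty '$col' value"
                }
            }
            $row
        }
    }
    if (-not $rows) { throw "No CSV rows found under $Folder" }

    # The same device exported twice must not become two import entries
    $unique = @($rows | Sort-Object 'Device Serial Number' -Unique | Select-Object $Required)

    # Plain comma-separated lines, no quotes and no type header, like the script's own output
    $unique | ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Out-File -FilePath $Destination -Encoding ascii

    return $unique.Count
}

$count = Merge-AutopilotCsv -Folder $SourceFolder -Destination $MergedFile
Write-Host "Merged $count device(s) into $MergedFile. Upload it once via Microsoft Intune > Device enrollment > Windows enrollment > Devices > Import."
```

For collecting the hashes in the first place, the script itself also takes computer names through its -Name parameter (it queries them over WMI) and an -Append switch that adds rows to an existing CSV instead of overwriting it, so the per-device files in this example can also be produced from one admin workstation with suitable credentials.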

  • Thank you robin, Setting up Windows AutoPilot and add existing devices the quickest way your blog was really helpful.

  • Hey Robin!

This blog is very informative, but I have a question:
How will the Win32 apps be synced with the new devices?
Do I need to download the Intune Company Portal and download the apps, or
are the apps pre-installed after I register the device in Windows Autopilot?

Hi Hari, the Win32 app will be deployed automatically to the Windows 10 devices if it is assigned as a mandatory (required) application.

  • Hi Robin Hobo,
Thank you for all your work and for sharing it with us 🙂 I have followed your work for a long time.

    About AutoPilot,
I tried a hybrid configuration with AutoPilot, Intune and Active Directory on premises with the connector. Actually, it only works without any proxy. We tried many exceptions with no success. Do you have a master list of exceptions or a magic solution please? ^^
    Regards,

About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.
