Implementing Windows Autopilot - the future of device deployment

By Paul Winstanley, Microsoft System Center Configuration Manager Consultant, SCCM Solutions Ltd. He has 22 years' experience in IT, is a community leader at the Windows Management User Group (WMUG) and blogs at sccmentor.com. He was recently awarded MVP in Enterprise Mobility.

Microsoft has recently unveiled Autopilot, a new and still emerging solution designed to let you set up and pre-configure devices for your environment with little or no infrastructure in place.

The idea behind Autopilot is to remove some of the complexity of operating system deployment, reducing the task to a small set of settings and operations that get a device ready to use, out of the box, quickly and efficiently.

Autopilot is a cloud-centric solution: your devices need line of sight to the Internet to pick up their settings and configure correctly.

The Windows 10 Creators Update (1703) is required to get started with Autopilot. The current configuration choices are limited, but this is expected to grow with the Fall Creators Update, due imminently.

If you are already familiar with the Apple Device Enrollment Program (DEP), Autopilot is similar. A unique hardware identifier is registered before the device is ever turned on; when the device is shipped to the user and connected to the Internet, the configuration, branding, software and compliance policies are pushed down to it.

The following prerequisites must be in place for Autopilot to work:

  • A device, pre-installed with Windows 10 Creators Update (1703 release) and with Internet access
  • Sufficient rights to the Azure portal
  • Intune account, or another MDM solution, to manage devices
  • Sufficient rights on the Windows Store for Business
  • An Azure AD Premium P1 or P2 subscription

You can try Autopilot right now. The following details what you need to do to experience this first hand.

Gather data for Autopilot

You'll need to gather some information from your device. The intention is that your hardware supplier will populate this information for you, but you can also collect and upload it yourself.

You can either collect this information from within the OS and then reset the machine, or you can open a command prompt during the OOBE phase, when the device powers on for the first time, by pressing Shift+F10.

Three pieces of information are required. Run the following commands to collect them. Note that only the first is a CMD command; the remaining lines are PowerShell (from the OOBE command prompt, type powershell to switch), and you need administrator rights to execute them:

 wmic bios get serialnumber
 Get-ItemPropertyValue "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey" "ProductId"
 $wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
 $wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt"

The hardware hash is a long base64 string of several thousand characters; that is expected. If the text file comes out empty, the MDM_DevDetail_Ext01 class did not return anything, which is what you will see on a build older than 1703 or from a non-elevated prompt.

The resulting information needs to be stored in a .csv file with the following comma-separated format:

 Device Serial Number,Windows Product ID,Hardware Hash
9695-7543-8434-9503-5022-9771-82,00330-80000-00000-AA342,T0GoAQEAHAAAAAoA4wHXOgAACgCetcetc

You can repeat this process for all the devices you wish to Autopilot and add them to the same .csv file.
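The collection steps above, as an added PowerShell example that is not code from the original post: it pulls the three values on the local machine, checks that the hash actually came back (it is empty on builds before 1703, where the class returns nothing, and is a long base64 blob when it works), and appends one correctly formatted row to the CSV. The output path and the duplicate check on serial number are my assumptions; everything else uses only the WMI classes and registry value the post itself relies on. Run it from an elevated PowerShell prompt (from the Shift+F10 command prompt at OOBE, type powershell first).

```powershell
# Added example, not from the original post: gather the Autopilot identifiers
# for this machine and append them to the Store for Business import CSV.
# Requires Windows 10 1703 or later and an elevated prompt.
param(
    # Assumed output location; change to suit.
    [string]$OutputPath = "$env:SystemDrive\Autopilot\AutopilotDevices.csv"
)

# MDM_DevDetail_Ext01 is only readable when elevated, so fail early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# 1. Serial number (same value that "wmic bios get serialnumber" prints)
$serial = (Get-WmiObject -Class Win32_BIOS).SerialNumber.Trim()

# 2. Windows Product ID from the DefaultProductKey registry key
$productId = (Get-ItemPropertyValue `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey' `
    -Name 'ProductId').Trim()

# 3. Hardware hash via the MDM bridge WMI provider (present from 1703)
$devDetail = Get-WmiObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" -ErrorAction SilentlyContinue
if (-not $devDetail -or [string]::IsNullOrWhiteSpace($devDetail.DeviceHardwareData)) {
    throw 'No hardware hash returned. This needs Windows 10 1703 or later and an elevated prompt.'
}
$hash = $devDetail.DeviceHardwareData.Trim()

# Sanity checks before anything is uploaded: the hash should decode as base64,
# and a comma in either of the other two fields would corrupt the CSV row.
try   { [void][Convert]::FromBase64String($hash) }
catch { Write-Warning 'Hardware hash does not decode as base64; check the value before importing.' }
if ($serial -match ',' -or $productId -match ',') {
    throw 'Comma found in serial number or product ID; the CSV import cannot handle that.'
}

# Create the CSV with the header the Store for Business import expects.
$header = 'Device Serial Number,Windows Product ID,Hardware Hash'
$dir = Split-Path -Parent $OutputPath
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
if (-not (Test-Path $OutputPath)) {
    Set-Content -Path $OutputPath -Value $header -Encoding ASCII
}

# Skip the row if this serial is already in the file, so re-running the script
# on the same device does not produce a duplicate for the import to reject.
$pattern = '^' + [regex]::Escape($serial) + ','
if (Select-String -Path $OutputPath -Pattern $pattern -Quiet) {
    Write-Host "Serial $serial is already in $OutputPath; nothing added."
} else {
    Add-Content -Path $OutputPath -Value "$serial,$productId,$hash" -Encoding ASCII
    Write-Host "Added $serial ($productId), hash length $($hash.Length) chars, to $OutputPath"
}
```

The same file can be carried from device to device on a USB stick (the script appends) and then uploaded once; treat it with some care, since the hardware hash is what ties a device to your tenant's Autopilot profile.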

Configuring Autopilot in the Windows Store for Business

With the data collected and ready to upload, go to the Microsoft Store for Business portal and sign in, then click Manage\Devices.

[Screenshot: Microsoft Store for Business]

Click the AutoPilot deployment drop-down and choose Create new profile.

[Screenshot: Microsoft Store for Business]

At present the following choices are available for the Windows 10 Creators Update:

  • Skipping Work or Home usage selection (Automatically enabled)
  • Skipping OEM registration, OneDrive and Cortana (Automatically enabled)
  • Skipping privacy settings
  • Preventing the account used to set-up the device from getting local administrator permissions

Enable Skip privacy settings and Disable local admin account creation on the device, then click Create. Withholding local administrator rights from the user who sets the device up is the least-privilege choice, but it means anything that later needs elevation on the device has to be driven by MDM policy rather than by the user (see the BitLocker discussion in the comments below).

[Screenshot: Microsoft Store for Business]

Next, import the device or devices from the .csv file you created. To do this, click the Add devices link.

[Screenshot: Microsoft Store for Business]

Select the .csv file for import.

[Screenshot: Open file dialog]

Enter a relevant name for the group of devices you are importing.

[Screenshot: Microsoft Store for Business]

The devices are now being imported; wait for this process to complete.

[Screenshot: Microsoft Store for Business]

With the device(s) imported, the next step is to assign the Autopilot profile to them. Select the device(s), click the Autopilot deployment drop-down and choose your profile. Once again, you will be told that the request is being processed.

[Screenshot: Microsoft Store for Business]

Once the profile has been applied, you will see it assigned against the device.

[Screenshot: Microsoft Store for Business]

You are now in a position to fire up your Windows 10 device and let Autopilot do its work.

Autopilot in action

Before you fire up your Windows 10 device, make sure that you have configured automatic enrollment of devices into Intune, or your other MDM solution. Microsoft has an excellent guide on how to do this here.

With your Windows 10 device connected to the Internet, you'll be prompted to choose your preferred region and keyboard settings. After that, the device informs you that setup is in progress.

[Screenshot: OOBE, setup in progress]

After a restart, you will be presented with your work sign-in. It's as simple as that.

[Screenshot: OOBE, work sign-in]

With your MDM solution of choice in place, you can start to push applications, compliance policies and settings down to the device or end user. For example, you can deploy the latest Office 365 release directly from Intune, and it will stream down in the background.

It's going to be interesting to see where Microsoft takes Autopilot with the next release, the Fall Creators Update, and what impact this will have over time on traditional on-prem Windows image deployment mechanisms.

Further viewing

Microsoft has published a couple of Autopilot videos that are worth taking a look at.

Comments

  • Anonymous
    September 26, 2017
    I am getting these errors while running those last two commands in the CMD:
    C:\Users\Administrator>Get-ItemPropertyValue "hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DefaultProductKey" "ProductId"
    'Get-ItemPropertyValue' is not recognized as an internal or external command, operable program or batch file.
    C:\Users\Administrator>$wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    $wmi.DeviceHardwareData | Out-File "($env:COMPUTERNAME).txt"
    '$wmi' is not recognized as an internal or external command, operable program or batch file.
    • Anonymous
      September 27, 2017
      Those aren't CMD commands but PowerShell ones ;-)
      • Anonymous
        September 28, 2017
        The comment has been removed
        • Anonymous
          October 02, 2017
          It is working in windows 10 1709 - it already works in the insider build
          • Anonymous
            October 18, 2017
            Where do I find the documentation on how to activate the Autopilot Reset? We have old computers we would like to reuse with new employees.
    • Anonymous
      September 27, 2017
      The comment has been removed
    • Anonymous
      September 28, 2017
      Get-ItemPropertyValue is a Powershell command not a cmd - see - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-itempropertyvalue?view=powershell-5.1
  • Anonymous
    September 27, 2017
    Bishop - run those two commands in PowerShell
  • Anonymous
    September 28, 2017
    The comment has been removed
  • Anonymous
    October 02, 2017
    I have played a little bit with Autopilot and I got everything working except BitLocker encryption. When configuring the Autopilot profile I chose "Disable local admin account creation". Then I set up an Intune MDM policy that requires BitLocker encryption for the device. However, when the device is enrolled and the MDM policy is being applied, the user is asked to verify that no other disk encryption software is installed; when clicking "yes", admin rights are required, but those are not available as the device was set up without local admin rights. This leads to the end user needing to call an admin to enable BitLocker. Will this change in the future, or how can I automate BitLocker encryption with the current Windows 1703? Thanks
    • Anonymous
      October 19, 2017
      I have the same issue, sampo. If anyone has an idea on how to solve that, it is very welcome.
      • Anonymous
        October 25, 2017
        you can now disable that third party popup question when creating the Endpoint Protection BitLocker policy in Intune.
  • Anonymous
    October 03, 2017
    The comment has been removed
    • Anonymous
      October 06, 2017
      Same problem here, the last command is not returning any information. The file is well created but is empty.
      • Anonymous
        October 06, 2017
        Maybe because the version of Windows 10 is 1607 and not 1703 or later
  • Anonymous
    October 08, 2017
    Many thanks for sharing your experience, skills and knowledge.
  • Anonymous
    October 11, 2017
    A bit late to the show... but should the Get-WMIObject command really generate a 4002-character-long string in the output file? Seems a bit longer than expected. Running 1703 on two different Dell and one HP computer with the same long output. The last 3000-ish characters contain only capital A's. Correct?
  • Anonymous
    October 19, 2017
    The comment has been removed
  • Anonymous
    November 16, 2017
    Hi, the auto enrollment URL talks about enrolling with Intune. Can someone provide details for Airwatch? Can we make certain devices get enrolled in Airwatch and certain ones through Intune?
  • Anonymous
    December 21, 2017
    Hi Paul - I have a question about this: "collect this information from within the OS and reset the machine". How do I reset the machine from which I have collected the hardware information? Thanks, Ram
  • Anonymous
    December 21, 2017
    Hi - Not sure why the AutoPilot system is in workgroup mode. MDM is properly configured in Intune within Azure and all users can enroll. I even looked at the devices in Intune and I can see the AutoPilot system as Azure AD Joined and MDM as Microsoft Intune. Strange. Ram
  • Anonymous
    December 27, 2017
    The comment has been removed