Windows Autopilot – Self Deploying mode

This may be a preview feature, but it has huge potential to change the way we manage Windows 10 devices in the enterprise.

Applies to: Windows 10, version 1809 or later

Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection).

Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned.

Note: Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.

Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See Set up a kiosk or digital sign in Intune or other MDM service for additional details.

Note: Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device.

The user experience with Windows Autopilot self-deploying mode

Requirements

Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.)

Note: If you attempt a self-deploying mode deployment on a device that does not support TPM 2.0, or on a virtual machine, the process will fail when verifying the device with a 0x800705B4 timeout error. (Hyper-V virtual TPMs are not supported.)
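Because the TPM requirement only surfaces as a 0x800705B4 timeout late in OOBE, it is worth checking a candidate device before attempting the deployment. The following pre-flight script is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on the device and the built-in Win32_Tpm CIM class and Get-Tpm cmdlet. It checks for a TPM 2.0 that is ready, a physical (non-VM) machine and a 1809+ build; it cannot verify the TPM attestation capability itself, which is reported by the Autopilot process.

```powershell
# Added example (not from the original article): pre-flight check of the
# self-deploying mode requirements on the candidate device.
# Run in an elevated PowerShell session on Windows 10.

function Test-SelfDeployingReadiness {
    $result = [ordered]@{}

    # Win32_Tpm exposes the TPM spec version, e.g. "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent = [bool]$tpm
    $result.TpmSpec    = if ($tpm) { $tpm.SpecVersion } else { $null }
    $result.Tpm20      = [bool]($tpm -and $tpm.SpecVersion -like '2.0*')

    # Get-Tpm reports whether the TPM is provisioned and ready for use.
    $state = Get-Tpm -ErrorAction SilentlyContinue
    $result.TpmReady = [bool]($state -and $state.TpmReady)

    # Virtual TPMs (Hyper-V and others) are not supported; flag VMs up front.
    $cs = Get-CimInstance Win32_ComputerSystem
    $result.IsVirtualMachine = ($cs.Model -match 'Virtual') -or
                               ($cs.Manufacturer -match 'VMware|QEMU|Xen|innotek')

    # Self-deploying mode needs Windows 10 1809 (build 17763) or later.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $result.OsBuild     = $build
    $result.OsSupported = $build -ge 17763

    # NOTE: TPM attestation capability is not checked here; a TPM 2.0 that is
    # present and ready is necessary but not sufficient for the device check.
    $result.Ready = $result.Tpm20 -and $result.TpmReady -and
                    (-not $result.IsVirtualMachine) -and $result.OsSupported
    [pscustomobject]$result
}

Test-SelfDeployingReadiness | Format-List
```

Run it on a Hyper-V guest and IsVirtualMachine flips to True, which is the case the note above warns will time out.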

In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See Quickstart: Add company branding to your sign-in page in Azure AD for more details.

Step by step

In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed:

  • Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.)
  • If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device.
  • Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete.

Validation

When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed:

  • Once connected to a network, the Autopilot profile will be downloaded.
  • If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required:
    • If multiple languages are preinstalled in Windows 10, the user must pick a language.
    • The user must pick a locale and a keyboard layout, and optionally a second keyboard layout.
  • If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network.
  • Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required).
  • The device will join Azure Active Directory.
  • After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services).
  • The enrollment status page will be displayed.
  • Depending on the device settings deployed, the device will either:
    • Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials.
    • Automatically sign in as a local account, for devices configured as a kiosk or digital signage.
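To confirm the end state the list above describes (Azure AD joined, not domain joined, MDM enrolled), the following post-deployment check is an added example, not code from the article or from Microsoft. It assumes the built-in dsregcmd.exe and the standard HKLM:\SOFTWARE\Microsoft\Enrollments registry layout, in which Intune enrollments carry the ProviderID "MS DM Server".

```powershell
# Added example (not from the original article): verify the device state after a
# self-deploying mode deployment. Run in an elevated PowerShell session.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable;
    # separator and heading lines do not match and are skipped.
    $map = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $map[$matches[1]] = $matches[2] }
    }
    $map
}

function Test-SelfDeployingResult {
    $s = Get-DsregStatus

    # An MDM enrollment shows up as a GUID subkey under Enrollments whose
    # ProviderID is "MS DM Server" (Intune / Azure AD automatic enrollment).
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }

    [pscustomobject]@{
        AzureAdJoined = ($s['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($s['DomainJoined'] -eq 'YES')   # expected False: no AD/Hybrid join
        TenantName    = $s['TenantName']
        MdmEnrolled   = [bool]$enrollments
    }
}

Test-SelfDeployingResult
```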

In case the observed results do not match these expectations, consult the Windows Autopilot Troubleshooting documentation.

Windows Autopilot – A brief overview

Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices.
This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that’s easy and simple.

Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users.

When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images as well as drivers for every model of device being used. Instead of re-imaging the device, that existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise, to support advanced features).

Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can help with device re-purposing scenarios, leveraging Windows Autopilot Reset to quickly prepare a device for a new user, as well as in break/fix scenarios to enable a device to quickly be brought back to a business-ready state.

Windows Autopilot walkthrough

The following video shows the process of setting up Windows Autopilot:

Benefits of Windows Autopilot

Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach.

From the user’s perspective, it only takes a few simple operations to make their device ready to use.

From the IT pro’s perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything past that is automated.

Requirements

Windows 10 version 1703 or higher is required to use Windows Autopilot. The following editions are supported:

  • Pro
  • Pro Education
  • Pro for Workstations
  • Enterprise
  • Education

See Windows Autopilot requirements for detailed information on configuration, network, and licensing requirements.

Windows Autopilot Scenarios

Windows Autopilot enables you to pre-register devices to your organization so that they will be fully configured with no additional intervention required by the user.

Windows Autopilot enables you to:

  • Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See Introduction to device management in Azure Active Directory for more information about the differences between these two join options.
  • Auto-enroll devices into MDM services, such as Microsoft Intune (Requires an Azure AD Premium subscription).
  • Restrict the Administrator account creation.
  • Create and auto-assign devices to configuration groups based on a device’s profile.
  • Customize OOBE content specific to the organization.

Confused between Intune for Education and Full Intune? This post explains the differences

For many schools, regardless of size, device deployment poses significant challenges, as it is during deployment that group policies are set, data is secured, devices are readied, and essential applications are enabled. Historically, this task has taken a disproportionate amount of time. As a result, schools interested in using educational technology to improve student learning outcomes have turned to ways to manage those devices with less time and effort, so that more IT time can be spent in more strategic, directly supportive functions. Today, as the digital revolution rolls on, cloud-based deployment solutions are available to simplify this task. Read more about the challenges facing EDU IT and how cloud-based solutions like Intune for Education can help address them in the whitepaper The State of Modern Device Deployment in Education.
With the new and simple Intune for Education step-by-step Express Configuration wizard, Education IT selects a group for devices or users, the specific apps that should be available, and key configuration settings from those most often used in schools. IT can use a USB drive to set up Windows 10 for each device and then enroll the device in Intune management via Azure AD. That is all they need to do, and they can do it in less than an hour. Learn more about using Intune for Education with the article What is Intune for Education?
If it’s a mixed device environment and/or more enterprise-grade policies are needed, they can move seamlessly to the Intune console and then back to Intune for Education for simplified Windows 10 device management. Ongoing management is also painless with a centralized console for updates and monitoring. Learn more about using full Intune with the Introduction to Intune article.
You can compare the different use cases with the article How is Intune for Education different from the full device management experience in Intune? Note: schools that are licensed for Intune for Education will also have access to the full Intune console.
With Azure AD identity as the backbone, user and device groups (i.e. schools, classes, grades) update automatically while providing insights to IT on usage patterns and any possible threats to the security of their users. Due to this common identity, all the devices and users that show up and are managed in Intune for Education will also be manageable in full Intune. This also means that you can leverage the new co-management capabilities with ConfigMgr in either Intune for Education or full Intune.
To find out more about Azure AD features in Intune for Education compared to other education offers, click on Learn what Azure Active Directory features come with Intune for Education and other plans at the top of the Intune for Education page. Note that customers can have Azure Premium and Azure AD EDU, with Office 365 or Intune for Education, assigned together or separately, with no issues removing one or the other. You can also get your free 90-day trial of Intune for Education (with full Intune) on this page too!