
Tuesday, August 4, 2020

Step by step Autopilot scenarios

Last updated 14.08.2020

Introduction

I have written the following blog post to share some of the valuable sources of information I discovered while building my knowledge of rolling out Modern Workplace clients with Microsoft 365 Intune and Autopilot.

Instead of a standard how-to guide, I have decided to share a list of learning resources that helped me and that will hopefully help you on your journey to the cloud.

First things first: what is Autopilot and what does it do?

Read this link

Also have a look at this very nice two-minute video presentation from Microsoft

Video Presentation

 

Prerequisites

Autopilot Prerequisites

 

License Requirements

Autopilot License

What are the scenarios of Autopilot? What and where can we use it?

Autopilot Scenarios

(Image: overview of the Windows Autopilot scenarios. Screenshot from Microsoft)

Hybrid scenario:

As you can tell when adding an Autopilot hybrid profile, things get more complicated: the device has to perform an offline domain join through the Intune Connector for Active Directory and then reach a domain controller before the user can sign in. That got a lot smoother with Intune 2006, where a user-driven hybrid profile can skip the Active Directory connectivity check and rely on a third-party VPN client deployed during device setup to reach the domain, instead of requiring the device to sit on the corporate network.

Michael Niehaus is the man to read when you need insight into the process.

User Driven Hybrid

 

And the list of working VPN configurations is here:

Known working VPN configurations

 

Autopilot Binaries:

Important to know: since Windows 10 1903, Autopilot is no longer a static component of the OS. During OOBE, as soon as the device is connected to the internet, it downloads the latest Autopilot binaries before the profile is applied, so bug fixes and new features reach every device without waiting for a new Windows build.

When an Autopilot update is available, it is typically released on the fourth Tuesday of the month, though it can be released in a different week as an exception.

The following diagram illustrates a typical Windows Autopilot deployment orchestration during the Out of Box Experience (OOBE) with the new Windows Autopilot update node.

(Diagram: Autopilot deployment orchestration during OOBE, including the Windows Autopilot update node. Screenshot from Microsoft)

Keep track of what's new in Windows Autopilot

Take Autopilot for a spin

In the last part of that guide the Autopilot profile is assigned to a group with a statically added member. I do not like static things: instead of adding devices by hand, group them automatically with a dynamic Azure AD group and target the profile at that group.

Per Larsen wrote a nice blog post on that subject.
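As an added example (my code, not from this post or from Per Larsen's article), the PowerShell below creates the two dynamic device groups most Autopilot rollouts start with: one that catches every device registered in Autopilot (every such device carries a ZTDId in its devicePhysicalIds attribute) and one scoped by an Autopilot Group Tag (stored as an OrderID in the same attribute). It assumes an existing Connect-MSGraph session from the Microsoft.Graph.Intune module, the same module the export snippet further down uses, and an account allowed to create groups; the group names and the tag value are placeholders, and passing the body to Invoke-MSGraphRequest as a JSON string is my assumption about that cmdlet.

```powershell
# Added example: create dynamic Azure AD device groups for Autopilot.
# Assumes an existing Connect-MSGraph session (Microsoft.Graph.Intune module)
# and an account that may create groups. Names and tag values are placeholders.

function New-AutopilotDynamicGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        # Optional Autopilot Group Tag. When omitted the group matches every
        # device that carries a ZTDId, i.e. every Autopilot-registered device.
        [string] $GroupTag
    )

    # Membership rules documented by Microsoft for Autopilot devices.
    $rule = if ($GroupTag) {
        "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$GroupTag`"))"
    } else {
        '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'
    }

    $body = @{
        displayName                   = $DisplayName
        mailEnabled                   = $false
        mailNickname                  = ($DisplayName -replace '[^A-Za-z0-9]', '')
        securityEnabled               = $true
        groupTypes                    = @('DynamicMembership')
        membershipRule                = $rule
        membershipRuleProcessingState = 'On'
    } | ConvertTo-Json

    # POST /groups through the same Intune Graph SDK used for the profile export
    # (assumption: -Content accepts the serialised JSON body).
    Invoke-MSGraphRequest -HttpMethod POST -Url 'https://graph.microsoft.com/v1.0/groups' -Content $body
}

# All Autopilot devices: target your default Autopilot deployment profile at this group.
New-AutopilotDynamicGroup -DisplayName 'Autopilot - All devices'

# Devices registered with a specific Group Tag (placeholder value), for example
# the ones that should get a hybrid Azure AD join profile instead.
New-AutopilotDynamicGroup -DisplayName 'Autopilot - Hybrid join' -GroupTag 'HybridJoin'
```

Dynamic membership is evaluated by Azure AD some minutes after registration, so a profile assigned to these groups shows up on the device a little later than with a static member; check the Autopilot devices blade for the profile status before you start OOBE.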

 

 

What to do with existing devices:

By now you are ready to set up Autopilot. But there is one scenario we have forgotten. Letting the vendor import devices into Autopilot is a great way of doing things, but what if you already have a lot of devices and just want to Autopilot-enable them? Do you need to collect the hardware hash from every device, or is there a quicker way? Yes, of course there is!

Starting with Windows 10 1809 you can inject an Autopilot configuration file (a JSON export of your profile) into the image before OOBE runs. OOBE picks the file up, applies the profile and only allows sign-in to the tenant specified in the JSON.

First you need to create that Autopilot profile in Intune (you already did if you followed the guide).

Then you need to export your profile as JSON.

Fire up PowerShell and export it with the WindowsAutopilotIntune module (it depends on Microsoft.Graph.Intune, which provides Connect-MSGraph):

# Connect to Intune and export the Autopilot profile
# Requires: Install-Module WindowsAutopilotIntune (PowerShell Gallery)

$creds = Get-Credential

Connect-MSGraph -Credential $creds

# Select the profile by display name, convert it to the OOBE JSON format and save it
# as ASCII: a UTF-8 file with a byte-order mark is not read by OOBE
Get-AutopilotProfile | Where-Object DisplayName -eq "Your Autopilot profile name" | ConvertTo-AutopilotConfigurationJSON | Out-File -FilePath C:\AutoPilotConfigurationFile.json -Encoding ASCII

You can either build an image where you inject the file directly into the WIM using WIM Witch by Donna Ryan

Or

if you have more than one Autopilot configuration to apply, use an MDT solution like this one from Per Larsen (a scenario could be that you want some devices Azure AD joined only and some hybrid Azure AD joined, or you simply have a hardware failure and want to get the device back up and running)

If you use the offline Autopilot method and like dynamic grouping (as you really should), then you need to know this. Add this query to the Azure AD group that your device restrictions and other configuration are assigned to:

(device.enrollmentProfileName -eq "OfflineAutopilotprofile-4ac25e0a-1e00-41af-98cd-9c9ad1fd57a5")

The GUID is the ZtdCorrelationId value in the exported Autopilot JSON; Azure AD records every device provisioned from that file with an enrollmentProfileName of OfflineAutopilotprofile-<that GUID>. Every time a new computer is built by MDT it is automatically added to your dynamic group and gets every setting assigned to that group. Nice, right?!
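Putting the offline pieces together, here is an added PowerShell example (my code, not from this post, WIM Witch or Per Larsen's MDT solution) that checks the exported JSON, stages it where OOBE looks for it, and derives the dynamic-group rule from the ZtdCorrelationId in the file instead of copying a GUID by hand. The embedded sample JSON is constructed with fake tenant values; the function names, the WIM path and the mount path in the usage are assumptions for your environment.

```powershell
# Added example: stage an exported Autopilot profile for the offline scenario and
# derive the matching dynamic-group rule. Sample JSON and paths are placeholders.

# Constructed sample of what ConvertTo-AutopilotConfigurationJSON produces
# (tenant values are fake; ZtdCorrelationId is the profile GUID Intune assigns).
$sampleJson = @'
{
  "CloudAssignedTenantId": "00000000-0000-0000-0000-000000000000",
  "CloudAssignedForcedEnrollment": 1,
  "Version": 2049,
  "Comment_File": "Profile Demo profile",
  "CloudAssignedTenantDomain": "contoso.onmicrosoft.com",
  "CloudAssignedDomainJoinMethod": 0,
  "CloudAssignedOobeConfig": 28,
  "ZtdCorrelationId": "4ac25e0a-1e00-41af-98cd-9c9ad1fd57a5",
  "CloudAssignedLanguage": "os-default"
}
'@

function Test-AutopilotConfigurationJson {
    param([Parameter(Mandatory)] [string] $Json)
    $cfg = $Json | ConvertFrom-Json
    foreach ($required in 'CloudAssignedTenantId', 'CloudAssignedTenantDomain', 'ZtdCorrelationId') {
        if (-not $cfg.$required) { throw "Autopilot JSON is missing $required" }
    }
    # OOBE expects plain ASCII/ANSI; non-ASCII content (or a UTF-8 BOM) makes it ignore the file.
    if ($Json -match '[^\x00-\x7F]') { throw 'Autopilot JSON contains non-ASCII characters' }
    return $cfg
}

function Get-OfflineAutopilotGroupRule {
    param([Parameter(Mandatory)] [string] $ZtdCorrelationId)
    # Devices provisioned from the JSON get enrollmentProfileName
    # "OfflineAutopilotprofile-<ZtdCorrelationId>" in Azure AD.
    return "(device.enrollmentProfileName -eq `"OfflineAutopilotprofile-$ZtdCorrelationId`")"
}

function Install-OfflineAutopilotProfile {
    param(
        [Parameter(Mandatory)] [string] $Json,
        # Root of the target Windows volume: a mounted WIM (C:\Mount) or the
        # applied OS drive inside a task sequence (for example W:\).
        [Parameter(Mandatory)] [string] $WindowsRoot
    )
    $null = Test-AutopilotConfigurationJson -Json $Json
    # OOBE reads only this file name in this folder, and only one profile is supported.
    $target = Join-Path $WindowsRoot 'Windows\Provisioning\Autopilot\AutopilotConfigurationFile.json'
    New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
    # ASCII, as in the export step above, so no byte-order mark is written.
    Set-Content -Path $target -Value $Json -Encoding ASCII
    return $target
}

# Usage: validate the export and print the rule for the dynamic group.
$cfg = Test-AutopilotConfigurationJson -Json $sampleJson
Get-OfflineAutopilotGroupRule -ZtdCorrelationId $cfg.ZtdCorrelationId

# Injecting into an offline install.wim with the DISM module (paths are assumptions):
# Mount-WindowsImage -ImagePath 'D:\install.wim' -Index 1 -Path 'C:\Mount'
# Install-OfflineAutopilotProfile -Json $sampleJson -WindowsRoot 'C:\Mount'
# Dismount-WindowsImage -Path 'C:\Mount' -Save
```

Run the validation against the file you exported from Intune rather than the sample, and rebuild the image (or rerun the MDT step) whenever you re-export the profile: a changed ZtdCorrelationId means the group rule has to change with it.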

 

And with that information you are good to go and try your new deployment system, with absolutely no servers involved! (Well, almost none.)

Questions and answers:

Windows Hello for Business

Question: After Autopilot has run and the user logs on to the device, Windows Hello for Business prompts even though it is not configured on the Windows enrollment page. I would like it NOT to prompt. How can I solve this?

Answer: Go to Devices –> Windows –> Configuration profiles –> Create profile. Add a Windows 10 Identity Protection profile, set Configure Windows Hello for Business to Disabled, and assign it to your Autopilot device group. The setting is applied during the device setup phase, so the user never sees the prompt.

Devices

Question: Can I clone an Azure AD-joined or MDM-enrolled Windows 10 device?

Answer: You can, BUT you should NOT do that! Even if you sysprep the device, you will never get rid of all the registry settings and identities tied to that specific device. Source: Michael Niehaus

Debugging and deep analysis:

Inside Windows Autopilot user-driven Hybrid Azure AD Join by Michael Niehaus

Troubleshooting Windows Autopilot Hybrid Azure AD Join by Michael Niehaus
