Last updated 14.08.2020
I have written the following blog post to share some of the valuable sources of information I discovered while building my knowledge of rolling out Modern Workplace clients using Microsoft 365 Intune and Autopilot.
Instead of a standard how-to guide, I have decided to share a list of valuable learning resources that helped me and that will hopefully help you during your journey to the cloud.
First things first: what is Autopilot and what does it do?
Also have a look at this very nice 2-minute video presentation from Microsoft.
What are the scenarios for Autopilot? What can we use it for, and where?
Screenshot from Microsoft
As you can tell, when adding an Autopilot hybrid profile things get a lot more complicated, as an offline domain join is involved. But it just got a lot smoother with the new feature in Intune 2006 that makes it possible to use a third-party VPN solution.
Michael Niehaus is the man when you need insight into the process.
And the list of working VPN configurations is here:
Important to know: since Windows 10 1903, Autopilot is no longer a static configuration baked into the OS. It downloads its newest configuration during OOBE, once the device is connected to the internet. This way bug fixes and new features can be released to everyone in no time.
When an Autopilot update is available, it is typically released on the 4th Tuesday of the month; it may be released in a different week if there is an exception.
The following diagram illustrates a typical Windows Autopilot deployment orchestration during the Out-of-Box Experience (OOBE) with the new Windows Autopilot update node.
Screenshot from Microsoft
Keep track of “What’s new” in Windows Autopilot
Take Autopilot for a spin
In the last part of the guide, they deploy the Autopilot configuration to a group with a static member. I do not like static things, so instead of going manual, start doing automatic (dynamic) grouping of devices.
Per Larsen wrote a nice blog post on that subject.
What to do with existing devices:
By now, folks, you are ready for Autopilot and setting it up. But there is a scenario we have forgotten. Letting vendors handle the device import into Autopilot is a great way of doing things, but what if you already have a lot of devices and just want to Autopilot-enable those? Do you need to extract the hardware hash on all of them, or is there a quicker way? Yes, of course there is!
Starting from Windows 10 1809 you can inject an Autopilot payload file into the system before OOBE kicks in. The device will then prompt for sign-in to the tenant whose ID is specified inside the injected JSON file.
First you need to create that Autopilot configuration in Intune (you already did if you followed the guide).
Then you need to export your profile.
Fire up PowerShell and export your JSON:
# Connect to Intune and export the Autopilot profile (requires the WindowsAutopilotIntune module, which pulls in Microsoft.Graph.Intune)
Import-Module WindowsAutopilotIntune
$creds = Get-Credential
Connect-MSGraph -PSCredential $creds
# The JSON must be written as plain ASCII; OOBE will not read a file with a BOM
Get-AutopilotProfile | Where-Object DisplayName -eq "Your Autopilot profile name" | ConvertTo-AutopilotConfigurationJSON | Out-File -FilePath C:\AutoPilotConfigurationFile.json -Encoding ASCII
You can either create an image where you inject the file directly into the WIM file using “WIM Witch” by Donna Ryan, or, if you have more than one Autopilot configuration to apply, use an MDT solution like this one from Per Larsen (a scenario could be that you want some devices Azure AD only and some Azure AD hybrid joined, or you just have a hardware failure and want to get your device back up and running).
If you use the Autopilot offline method and like dynamic grouping, as you really should, then you need to know this. Add this query to the Azure AD group to which your device restrictions and other configuration apply:
(device.enrollmentProfileName -eq "OfflineAutopilotprofile-4ac25e0a-1e00-41af-98cd-9c9ad1fd57a5")
where the identifier after OfflineAutopilotprofile- is the ZtdCorrelationId found in the Autopilot configuration JSON. Every time a new computer is built by MDT it will automatically be added to your dynamic group and get every setting you assigned to that group. Nice, right?!
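As an added example (not code from the original post, from Microsoft or from the tools mentioned above), the following PowerShell validates the exported JSON (ASCII, required values present), injects it into a mounted WIM at the path OOBE reads it from, and derives the matching dynamic-group rule from the ZtdCorrelationId; the mount directory, image index and file paths are assumptions.

```powershell
#Requires -Modules Dism
function Test-AutopilotConfigurationFile {
    param([Parameter(Mandatory)][string]$Path)
    # Offline profile must be plain ASCII: reject a UTF-16 or UTF-8 byte order mark
    $b = [System.IO.File]::ReadAllBytes($Path)
    if (($b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xFE) -or
        ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF)) {
        throw "$Path starts with a BOM; re-export with -Encoding ASCII"
    }
    $cfg = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($key in 'CloudAssignedTenantId', 'CloudAssignedTenantDomain', 'ZtdCorrelationId') {
        if (-not $cfg.PSObject.Properties[$key] -or [string]::IsNullOrWhiteSpace($cfg.$key)) {
            throw "$Path is missing required value '$key'"
        }
    }
    return $cfg
}

function Get-OfflineAutopilotGroupRule {
    param([Parameter(Mandatory)]$Config)
    # Offline-joined devices report enrollmentProfileName = OfflineAutopilotprofile-<ZtdCorrelationId>
    return "(device.enrollmentProfileName -eq `"OfflineAutopilotprofile-$($Config.ZtdCorrelationId)`")"
}

function Add-AutopilotConfigToWim {
    param(
        [Parameter(Mandatory)][string]$JsonPath,
        [Parameter(Mandatory)][string]$WimPath,
        [int]$Index = 1,                 # assumption: image index to service
        [string]$MountDir = 'C:\Mount'   # assumption: empty directory used as mount point
    )
    $cfg = Test-AutopilotConfigurationFile -Path $JsonPath
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $MountDir | Out-Null
    try {
        # OOBE looks for the offline profile at this fixed location inside the image
        $target = Join-Path $MountDir 'Windows\Provisioning\Autopilot'
        New-Item -ItemType Directory -Path $target -Force | Out-Null
        Copy-Item -Path $JsonPath -Destination (Join-Path $target 'AutopilotConfigurationFile.json') -Force
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    } catch {
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null   # leave the WIM untouched on failure
        throw
    }
    Write-Host "Injected profile for tenant $($cfg.CloudAssignedTenantDomain)"
    Write-Host "Dynamic group rule: $(Get-OfflineAutopilotGroupRule -Config $cfg)"
}
# Example call (paths are assumptions):
# Add-AutopilotConfigToWim -JsonPath C:\AutoPilotConfigurationFile.json -WimPath D:\sources\install.wim
```

Run it from an elevated PowerShell session; the printed rule is the exact string to paste into the dynamic group's membership query.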
And with that information you are good to go and try your new deployment system, with absolutely no SERVERS involved! (almost no servers)
Questions and answers:
Windows Hello for Business
Question: After Autopilot has run and the user logs on to the device, Windows Hello for Business prompts even though it is not configured on the Windows enrollment page. I would like it NOT to prompt. How can I solve this?
Answer: Go to Devices –> Windows –> Configuration Profiles –> Create profile. Add a Windows 10 Identity Protection profile and set Windows Hello for Business to Disabled. Deploy it to your Autopilot devices, and the configuration will apply during Device setup.
Question: Can I clone an Azure AD or MDM-enrolled Windows 10 device?
Answer: You can, BUT you should NOT do that! Even if you sysprep the device, you will never escape all the registry settings tied to that specific device. Source: Michael Niehaus
Debugging and deep analysis:
Inside Windows Autopilot user-driven Hybrid Azure AD Join by Michael Niehaus
Troubleshooting Windows Autopilot Hybrid Azure AD Join by Michael Niehaus