Windows Autopilot allows organizational IT to preconfigure all aspects of a Windows device straight from the factory. Crucially, these devices need never pass through the hands of an IT administrator; the configuration all happens automatically the first time the device is switched on.
End-users can have brand new devices delivered to their home from the manufacturer or reseller. These devices will then auto-provision themselves out of the box, deploying the settings and applications required for the user. In order to achieve this, there are a few steps we need to go through.
With a great number of users now working flexibly, getting a configured corporate laptop into their hands can be a challenge. Even if we do manage to achieve this, many devices will be linked to the on-premises Active Directory, meaning a VPN will be required to transfer any new security policies.
New Problems, New Solutions
This is where Intune and Windows Autopilot come in. Devices can be registered in the corporate Intune tenant and assigned policies before ever leaving the factory. When the device starts, it uses the internet to connect to Intune and download the required policies and software.
How It Works
Autopilot customers work with their manufacturer or reseller partners to add the Hardware IDs for new devices to their Microsoft Autopilot device management console. The devices are shipped with a standard install of Windows, which is directed to perform an Autopilot build after the user signs in with their corporate ID for the first time. The device must be connected to the internet, the user must have the rights to enroll devices and the user must have an Intune license assigned.
Manufacturers and resellers who participate in the Autopilot program are listed here.
This guide sets out how devices should be configured in order to qualify as ‘Autopilot Ready’.
The scenario described above assumes the device will be joining Azure Active Directory (which you can learn more about in this blog). It is possible to achieve this outcome for ‘Hybrid Joined’ devices also, meaning the device would be joined to your on-premises Active Directory, but the process is far more complex and requires a VPN connection to be configured and active prior to the device join process. Therefore, this approach should be taken with caution and is not recommended.
Additionally, it is also possible to retrofit an Autopilot solution for existing devices. This requires the IT team to export and capture the Hardware IDs of these devices, which can then be imported into the Autopilot console.
If Intune management is already in place, this process can be simplified through the use of the Convert all targeted devices to Autopilot setting in the Autopilot deployment profile. For any devices which will be retrospectively added to Autopilot, you should ensure that they meet the minimum hardware specifications and that TPM 2.0 is enabled and ready.
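The retrofit steps above (check TPM 2.0 readiness, capture the hardware hash, import it) can be scripted on the device itself. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes it is run elevated on the Windows device being captured, and the $OutputCsv path is a placeholder. It reads the hardware hash from the MDM bridge WMI provider and writes a CSV in the column layout the Intune Autopilot import accepts.

```powershell
# Added example: capture this device's Autopilot hardware hash and confirm TPM 2.0 is ready.
# Assumptions: run as administrator on Windows 10/11; $OutputCsv is a placeholder path.
param(
    [string]$OutputCsv = "C:\Temp\AutopilotHWID.csv"   # placeholder, choose your own location
)

# 1. TPM readiness. Get-Tpm reports presence/readiness; Win32_Tpm.SpecVersion starts with the
#    TPM family version, e.g. "2.0, 0, 1.38".
$tpm = Get-Tpm
$specVersion = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
$isTpm20 = [bool]$specVersion -and ($specVersion.Split(',')[0].Trim() -eq '2.0')
if (-not ($tpm.TpmPresent -and $tpm.TpmReady -and $isTpm20)) {
    Write-Warning ("TPM 2.0 is not present and ready (Present={0} Ready={1} Spec='{2}'); " +
                   "resolve this before the device is added to Autopilot.") -f $tpm.TpmPresent, $tpm.TpmReady, $specVersion
}

# 2. Serial number and hardware hash. The hash is exposed by the MDM bridge provider as
#    MDM_DevDetail_Ext01.DeviceHardwareData.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$devDetail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hardwareHash = $devDetail.DeviceHardwareData
if (-not $hardwareHash) {
    throw "No hardware hash returned; confirm the script is running elevated on the target device."
}

# 3. Write the CSV in the Autopilot import layout. The Windows Product ID column may be left empty.
$row = [PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hardwareHash
}
$row | Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding ASCII
Write-Output "Hardware hash for serial $serial written to $OutputCsv"
```

The resulting file is imported under Devices > Windows > Windows enrollment > Devices in the Intune admin centre. Microsoft's own Get-WindowsAutoPilotInfo script from the PowerShell Gallery performs the same capture (and can upload directly with its -Online switch), so in practice use that for bulk work; the value of the version above is that it fails the device up front when TPM 2.0 is not ready, rather than letting it surface as an enrolment error later.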
6 Tips for Getting Started With Autopilot
- Device Join – Unless you are planning to build the new devices within the corporate network, always use Azure Active Directory Join (AADJ) and manage the devices via Intune policies.
- Operating System – You really shouldn’t need to ask this, but ensure you request a Clean Windows Image from your vendor without any additional software. It can take significantly longer to provision a device if additional bloatware is installed and can lead to management headaches!
- Use a Naming Template that includes the Serial Number – Frustratingly, there is no console-based method to map an Autopilot device to its AAD record without clicking on it. If you want to avoid clicking through hundreds of records, using the serial number in the name can help.
- Avoid Configuration Manager Co-Management – Potentially controversial, but move devices from co-management to dedicated Intune management as quickly as comfortably possible. Co-management in the longer term leads to confusion and overlap.
- Licenses and Permissions – Ensure that your users have an active Intune license and have permission to enroll devices before testing. You can create cloud groups which apply both of these required settings, and simply add your users to them.
- Check your Conditional Access Policies – The number one issue users face during the enrolment process is MFA misconfiguration silently blocking the enrolment. You can find more information on creating an appropriate enrolment policy from Microsoft.
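The naming tip above exists because the portal offers no bulk way to line up Autopilot records with their Azure AD device objects. Where the serial number is in the device name, or even where it is not, the mapping can be produced from Microsoft Graph instead. The following PowerShell is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell modules are installed and that the account used has read access to device management and directory objects. The property names used are those the Graph SDK exposes for windowsAutopilotDeviceIdentity and device objects.

```powershell
# Added example: map Autopilot device identities to their Azure AD device records by
# Azure AD device id, and flag any device whose AAD display name lacks its serial number.
# Assumptions: Microsoft.Graph.DeviceManagement.Enrollment and Microsoft.Graph.Identity.DirectoryManagement
# modules installed; the caller has permission to read Autopilot identities and AAD devices.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All', 'Device.Read.All' -NoWelcome

# Autopilot identities carry the serial number and the AAD device id they registered against.
$autopilot = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All

# Index AAD devices by their DeviceId (the GUID Autopilot records, not the object id).
$aadById = @{}
foreach ($d in (Get-MgDevice -All)) { $aadById[$d.DeviceId] = $d }

$report = foreach ($ap in $autopilot) {
    $aad = $null
    if ($ap.AzureActiveDirectoryDeviceId) { $aad = $aadById[$ap.AzureActiveDirectoryDeviceId] }
    [PSCustomObject]@{
        SerialNumber        = $ap.SerialNumber
        AutopilotId         = $ap.Id
        AadDeviceId         = $ap.AzureActiveDirectoryDeviceId
        AadDisplayName      = if ($aad) { $aad.DisplayName } else { '<not joined yet>' }
        NameContainsSerial  = [bool]($aad -and $ap.SerialNumber -and
                                     $aad.DisplayName -like "*$($ap.SerialNumber)*")
    }
}

# Devices whose AAD name does not carry the serial are the ones that would otherwise need
# clicking through one by one in the portal.
$report | Sort-Object NameContainsSerial, SerialNumber | Format-Table -AutoSize
$report | Export-Csv -Path ".\autopilot-aad-map.csv" -NoTypeInformation   # placeholder path
```

Run this once after a new batch ships and keep the CSV with the purchase records; combined with a deployment profile device name template that uses %SERIAL%, the AAD display name, the Autopilot record and the physical asset label all agree, which makes the stale-record clean-up that Autopilot estates eventually need far less painful.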