(68) Windows Autopilot
- Mr B SOE way
- May 30, 2023
This post covers the aspects of Windows Autopilot and how to set it up.
Software Requirements:
Windows 11:
Windows 11 Pro
Windows 11 Pro Education
Windows 11 Pro for Workstations
Windows 11 Enterprise
Windows 11 Education
Windows 10:
Windows 10 Pro
Windows 10 Pro Education
Windows 10 Pro for Workstations
Windows 10 Enterprise
Windows 10 Education
Windows Holographic, version 2004 or later
Networking requirements:
Refer to https://learn.microsoft.com/en-us/mem/autopilot/networking-requirements
Licensing requirements:
Microsoft 365 Business Premium subscription
Microsoft 365 F1 or F3 subscription
Microsoft 365 Academic A1, A3, or A5 subscription
Microsoft 365 Enterprise E3 or E5 subscription, which includes all Windows client, Microsoft 365, and EMS features (Azure AD and Intune).
Enterprise Mobility + Security E3 or E5 subscription
Intune for Education subscription, which includes all needed Azure AD and Intune features.
Azure Active Directory Premium P1 or P2 and Microsoft Intune subscription
Configuration requirements:
Automatic Enrollment:
1. Navigate to https://endpoint.microsoft.com/
2. Under Device enrollment, select Enroll devices. Select Windows enrollment.
3. Select Automatic Enrollment.
4. Change MDM User Scope from None to All. Select Save.

Enrolment Status Page:
1. Navigate to https://endpoint.microsoft.com/
2. Under Device enrollment, select Enroll devices. Select Windows enrollment.
3. Select Enrollment Status Page
4. Select All users and all devices, select Edit and change Show app and profile configuration progress from No to Yes.
5. Edit the fields, and add in the applications created under Apps to the ESP.
6. Save any changes.

Windows Hello for Business:
1. Navigate to https://endpoint.microsoft.com/
2. Under Device enrollment, select Enroll devices. Select Windows enrollment.
3. Select Windows Hello for Business.
4. Edit the settings below and save, if your organisation is not ready for Windows Hello for Business.

Deployment Profiles:
1. Navigate to https://endpoint.microsoft.com/
2. Under Device enrollment, select Enroll devices. Select Windows enrollment.
3. Select Deployment Profiles
4. Select Create Profile with the following selected.

5. Deploy to all devices, this will be updated later.
Device Clean-ups:
1. Navigate to https://endpoint.microsoft.com/
2. Select Devices then select Device clean-up rules
3. Select Yes for Delete devices based on last check-in date
4. Enter 90 for Delete devices that haven't checked in for this many days.
5. Save changes.

Enrolment device limit restrictions:
1. Navigate to https://endpoint.microsoft.com/
2. Select Devices
3. Select Enrolment device limit restrictions
4. Select All Users.
5. The recommended setting is 5.
6. Save any changes.

Enrolment device platform restrictions:
1. Navigate to https://endpoint.microsoft.com/
2. Select Devices
3. Select Enrolment device platform restrictions.
4. Select All Users
5. This is optional and a personal preference; I like to Block all Personally owned, unless the organisation is willing to support it.
6. Save changes.

Apps:
1. Navigate to https://endpoint.microsoft.com/
2. Select Apps, then under By platform, select Windows.
3. Create your Win32 apps using https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool [Note: I won't be covering how to package your apps]
4. The list of applications will be available as listed.

Groups:
1. Navigate to https://endpoint.microsoft.com/
2. Select Groups then select New group.
3. Enter a name for the group, for example: Windows - All Autopilot Devices. Select Dynamic Device as the Membership type. Select Add dynamic query and enter a rule like:
(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
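
The dynamic query above matches any device whose devicePhysicalIds collection has an entry containing [ZTDId], the entry that Autopilot registration adds. The PowerShell below is an added example, not part of the original post: it emulates that match locally over constructed device records (all names, IDs and the "Kiosk" group tag are made up) to show which devices the group would and would not pick up.

```powershell
# Added example. Device records are constructed sample data, not tenant output.
# Emulates: (device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))

function Test-PhysicalIdRule {
    # True when ANY devicePhysicalIds entry contains $Token as a substring.
    # Dynamic-rule string comparisons are case-insensitive, so this is too.
    param(
        [string[]]$PhysicalIds,
        [Parameter(Mandatory)][string]$Token
    )
    foreach ($id in $PhysicalIds) {
        if ($id.IndexOf($Token, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false   # also reached for devices with no physical IDs at all
}

function Get-RuleMembership {
    # Evaluates the rule token against every device and returns one row each.
    param([object[]]$Devices, [string]$Token)
    foreach ($d in $Devices) {
        [pscustomobject]@{
            DisplayName = $d.DisplayName
            InGroup     = Test-PhysicalIdRule -PhysicalIds $d.PhysicalIds -Token $Token
        }
    }
}

# Constructed inventory: two Autopilot-registered devices, one enrolled device
# that was never registered with Autopilot, and one with an empty ID list.
$devices = @(
    [pscustomobject]@{ DisplayName = 'LAB-AP-01';   PhysicalIds = @('[ZTDId]:00000000-0000-0000-0000-000000000001', '[HWID]:h:1000000000000001') }
    [pscustomobject]@{ DisplayName = 'LAB-AP-02';   PhysicalIds = @('[ztdid]:00000000-0000-0000-0000-000000000002', '[OrderID]:Kiosk') }
    [pscustomobject]@{ DisplayName = 'LAB-BYOD-01'; PhysicalIds = @('[HWID]:h:1000000000000003') }
    [pscustomobject]@{ DisplayName = 'LAB-OLD-01';  PhysicalIds = @() }
)

# The page's rule: every Autopilot-registered device.
Get-RuleMembership -Devices $devices -Token '[ZTDId]' | Format-Table -AutoSize

# Extension beyond the page: narrowing to one Autopilot group tag (hypothetical tag).
Get-RuleMembership -Devices $devices -Token '[OrderID]:Kiosk' | Format-Table -AutoSize
```

Devices that show InGroup as False for [ZTDId] receive nothing that is assigned only to Windows - All Autopilot Devices.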

Device Compliance:
1. Navigate to https://endpoint.microsoft.com/
2. Select Devices then select Windows
3. Select Compliance policies
4. Select Create policy.
5. Deploy policy to the group: Windows - All Autopilot Devices or All devices

Device Configuration:
1. Navigate to https://endpoint.microsoft.com/
2. Select Devices then select Windows
3. Select Configuration profiles
4. Select Create Profile
5. Deploy profile to the group: Windows - All Autopilot Devices or All devices

PowerShell:
1. Navigate to https://endpoint.microsoft.com/
2. Select Devices then select Windows
3. Select PowerShell scripts
4. Select Add.
5. Deploy profile to the group: Windows - All Autopilot Devices or All devices

Update rings:
1. Navigate to https://endpoint.microsoft.com/
2. Select Devices then select Windows
3. Select Update rings for Windows 10 and later
4. Select Create profile.
5. Deploy profile to the group: Windows - All Autopilot Devices or All devices

Feature updates:
1. Navigate to https://endpoint.microsoft.com/
2. Select Devices then select Windows
3. Select Feature updates for Windows 10 and later
4. Select Create profile.
5. Deploy profile to the group: Windows - All Autopilot Devices or All devices

Policy Sets:
1. Navigate to https://endpoint.microsoft.com/
2. Select Devices then select Windows
3. Select Policy sets
4. Select Create.
5. Deploy profile to the group: Windows - All Autopilot Devices or All devices

Export Device hash into Intune:
Refer to this guide: https://soeintunedevice.wixsite.com/home/post/14-windows-autopilot-export-and-import-device-hash-to-mem
Once the device hash has been uploaded to Intune, the deployment profile will be assigned automatically.
Enrol the device into Intune:
Log in under "Welcome to XXXXX" with your Microsoft credentials.
The device will go through the Enrolment Status Page.

Upon logon, it will ask the user to log in with their credentials.
After logon of the device, it will show like this.


By navigating to Microsoft Intune, and searching for the device, you will be able to see what apps have been deployed and more.
