Mastering Microsoft Intune - Second Edition

Product type: Book
Published in: Mar 2024
Publisher: Packt
ISBN-13: 9781835468517
Pages: 822
Edition: 2nd Edition
Authors (2): Christiaan Brinkhoff, Per Larsen

Table of Contents (25 chapters)

Preface
1. Understanding the Basics
2. Introduction to Microsoft 365
3. Cloud-Native Endpoints
4. Requirements for Microsoft Intune
5. Windows 365
6. What Is Windows 365?
7. Deploying Windows 365
8. Mastering Microsoft Intune
9. Windows Deployment and Management
10. Windows Autopilot
11. Application Management and Delivery
12. Understanding Policy Management
13. Advanced Policy Management
14. Intune Suite
15. Copilot/AI
16. Identity and Security Management
17. Monitoring and Endpoint Analytics
18. Universal Print
19. Troubleshooting and Community
20. Troubleshooting Microsoft Intune
21. Troubleshooting Windows 365
22. Community Help
23. Other Books You May Enjoy
24. Index

Windows Autopilot

In this chapter, you will learn about Windows Autopilot, including how it works, why it could be beneficial for your organization, and how it simplifies the delivery process of your physical endpoints.

Windows Autopilot is a collection of technologies used to preconfigure brand-new devices and bring them to a state in which the end user can be productive. It is designed to onboard a brand-new device from anywhere. Previously, enterprises relied on Operating System Deployment (OSD), but during the global COVID pandemic, when many employees were working from home, more and more enterprises looked for alternatives that got new devices to their end users at home. Windows Autopilot is a perfect fit for this scenario: an Original Equipment Manufacturer (OEM) or reseller can ship the device directly to the end user, who unboxes it, gets it up and running, and starts working without any need to go into the...

Technical requirements

Windows Autopilot has some prerequisites:

  • Automatic MDM enrollment needs to be configured in Microsoft Entra ID (the Intune MDM user scope must include the users who will enroll).
  • The user needs an Intune license.
  • The device needs to be registered in the Windows Autopilot service.
  • Entra ID company branding needs to be configured, as the Autopilot sign-in page uses it.

Windows Autopilot overview

Windows Autopilot is a provisioning method for modern devices. It is not OSD in the traditional sense: no image is deployed, and the device keeps the OEM-installed Windows. Windows Autopilot requires a cloud user identity and a cloud device identity; the device can be either Microsoft Entra hybrid joined or Microsoft Entra joined. In this book, we will only cover Windows Autopilot with Entra ID-joined devices, as this is the cloud-native solution recommended by Microsoft for brand-new devices.

Figure 7.1: Autopilot process

You get started with Autopilot by uploading your devices to the Autopilot service, creating and assigning an Autopilot profile, and then creating and assigning an Enrollment Status Page (ESP) profile (this last step is optional but recommended).

After your device is shipped, the user simply has to enter their credentials before automatic enrollment starts. It is as simple as that.

Figure 7.2: Autopilot welcome screen

After entering the correct credentials, you will be met by the Entra ID sign-in workflow...

Uploading the hardware ID to Windows Autopilot

The Windows Autopilot hardware hash is a Base64 string of roughly 4 KB (the "4K hardware hash") that Windows 10 and Windows 11 expose through the MDM_DevDetail_Ext WMI class. Get-WindowsAutoPilotInfo.ps1 reads it when run from an elevated PowerShell prompt:

# Work from a scratch folder so the CSV is easy to find afterwards
New-Item -Type Directory -Path "C:\Temp\Autopilot"
Set-Location -Path "C:\Temp\Autopilot"
# Relax the execution policy for this process only; it reverts when the window closes
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
# Pull the script from the PowerShell Gallery (you may be prompted to install the NuGet provider)
Install-Script -Name Get-WindowsAutoPilotInfo
# Read the hash from WMI and write a CSV ready for upload in the Intune admin center
Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv

Windows Autopilot device registration can also be done manually within your organization, for testing or for devices your organization already owns.

The script collects the hardware identity (hardware hash) of each device so that you can upload it in a Comma-Separated Values (CSV) file to the Windows Autopilot service from the Microsoft Intune admin center. Treat that CSV as sensitive: a hash that has already been registered to another tenant cannot be uploaded to yours until that tenant removes it. Capturing the hash for manual registration requires booting the device into Windows 10 or Windows...
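The following is an added example and not code from the book or from Microsoft's script. It reads the hash through the same WMI bridge class that Get-WindowsAutoPilotInfo.ps1 uses, writes the CSV in the column layout the admin center expects, and checks a CSV for the problems that most often get an upload rejected (missing columns, blank serials, hashes that are not Base64, duplicate rows). The output path and the Group Tag value "Test" are assumptions for the example; run it elevated on the device being registered.

```powershell
# Added example, not from the book: collect the Autopilot hardware hash and
# validate a CSV before uploading it in the Intune admin center.
# Assumptions: elevated session on the device; 'Test' group tag and the
# C:\Temp\Autopilot path are illustrative.

function Get-AutopilotHardwareHash {
    [CmdletBinding()]
    param([string]$GroupTag = 'Test')   # assumed tag; drives dynamic group membership later
    # The serial comes from the BIOS; the hash comes from the MDM bridge class
    # MDM_DevDetail_Ext (DeviceHardwareData), which needs an elevated caller.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
    $devDetail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail -or [string]::IsNullOrEmpty($devDetail.DeviceHardwareData)) {
        throw 'Unable to read DeviceHardwareData; run this from an elevated session.'
    }
    [PSCustomObject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''    # optional column; Microsoft's script leaves it blank too
        'Hardware Hash'        = $devDetail.DeviceHardwareData
        'Group Tag'            = $GroupTag
    }
}

function Export-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)
    # Intune matches the header names literally, so keep order and spelling.
    # Quotes are stripped the same way Microsoft's script does it.
    Get-AutopilotHardwareHash |
        ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Out-File -FilePath $Path -Encoding ascii
}

function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)
    # Catch the usual rejections before they cost an admin-center round trip.
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw 'CSV has no data rows' }
    $colNames = ($rows | Get-Member -MemberType NoteProperty).Name
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $missing  = $required | Where-Object { $_ -notin $colNames }
    if ($missing) { throw "Missing column(s): $($missing -join ', ')" }

    $problems = [System.Collections.Generic.List[string]]::new()
    foreach ($r in $rows) {
        if ([string]::IsNullOrWhiteSpace($r.'Device Serial Number')) {
            $problems.Add('Blank serial number in at least one row')
        }
        try { [void][Convert]::FromBase64String($r.'Hardware Hash') }
        catch { $problems.Add("Serial $($r.'Device Serial Number'): hash is not valid Base64") }
    }
    $rows | Group-Object -Property 'Device Serial Number' | Where-Object Count -gt 1 |
        ForEach-Object { $problems.Add("Serial $($_.Name) appears $($_.Count) times") }

    if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; return $false }
    Write-Verbose "$($rows.Count) device(s) ready for upload" -Verbose
    return $true
}

# Usage (assumed path):
# Export-AutopilotCsv -Path 'C:\Temp\Autopilot\AutoPilotHWID.csv'
# Test-AutopilotCsv   -Path 'C:\Temp\Autopilot\AutoPilotHWID.csv'
```

Run Test-AutopilotCsv on any CSV you merge from several machines before uploading it; a duplicate serial or a truncated hash is easier to spot here than in the admin center's import error.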

Windows Autopilot for existing devices

If you do not want to collect and upload the devices into Autopilot, some other options are available to you.

For devices already in Intune, which can be Entra ID-joined devices or co-managed devices, you can leverage Convert all targeted devices to Autopilot in the Autopilot profile:

Figure 7.12: Convert all targeted devices to Autopilot

Select Yes to register all targeted devices in Autopilot if they are not already registered. The next time a registered device goes through the Windows OOBE, it will run the assigned Autopilot scenario.

Using the Convert all targeted devices to Autopilot setting doesn’t automatically convert existing Microsoft Entra hybrid devices in the assigned group(s) into a Microsoft Entra device. The setting only registers the devices in the assigned group(s) for the Autopilot service.

Removing this profile won’t remove affected devices from Autopilot. To remove a device from...

Windows updates during the OOBE

Critical driver updates and critical Windows Zero-Day Patch (ZDP) updates begin downloading automatically during the OOBE as soon as the user has connected to a network. Autopilot functional and critical updates are then downloaded and installed as well. The IT admin cannot opt out of these critical updates as part of Windows Autopilot provisioning because they are required for the device to operate properly.

Feature updates and quality updates are not applied during this phase of the OOBE.

Windows will alert the user that the device is checking for and applying updates:

Figure 7.14: Windows checking for updates during the OOBE

If you are using a custom image without any drivers integrated, Windows can download drivers as part of the Windows Autopilot process, and reboots can occur and break the Windows Autopilot experience. The recommendation for Windows Autopilot is to leverage an OEM image for...

Enrollment Status Page (ESP)

Many think that the ESP and Windows Autopilot are one and the same. That is not the whole truth: the ESP is a core Windows function that is configured through a Windows Configuration Service Provider (CSP). CSPs are explained in depth in Chapter 9.

The ESP can be used as part of any Windows Autopilot provisioning scenario. It can also be used separately from Windows Autopilot as part of the default OOBE for Entra ID join, as well as for any new users signing in to the device for the first time.

In practice, any Windows 10/Windows 11 device that joins Entra ID during the OOBE will show the ESP to the end user, whether or not it is a Windows Autopilot device, as long as an ESP profile is assigned to the user or device.

You can create multiple ESP profiles with different configurations that specify the following:

  • Showing the installation progress
  • Blocking access until the provisioning...

Autopilot reporting and diagnostics

Ensure that Device diagnostics is enabled for Autopilot scenarios in your tenant. When the Autopilot process fails, the diagnostic logs are then captured automatically and uploaded to your Intune tenant, where you can download them from the device's page in the admin center:

  1. Start the Microsoft Intune admin center (https://intune.microsoft.com/), and choose Tenant administration | Device diagnostics.
  2. Ensure that the toggle is set to Enabled:

Figure 7.21: Enabling Device diagnostics

On a Windows Autopilot device, run cmd.exe as an administrator, and then you can run MdmDiagnosticsTool to get the Windows Autopilot diagnostic logs directly from the local device:

c:\windows\system32\MdmDiagnosticsTool.exe -area Autopilot -cab C:\temp\MdmDiagnostics.cab

Figure 7.22: MdmDiagnosticsTool

You will then get the MdmDiagnostics.cab file, where you can extract the content to a folder to get access to the content:

A2757648-0D43...
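The following is an added example, not code from the book or from Microsoft. It scripts the same MdmDiagnosticsTool collection, expands the .cab, and summarises what a failed provisioning run left behind: the profile JSON the device cached during OOBE, the Autopilot values under the Provisioning diagnostics registry key, and recent warnings and errors from the Autopilot event channel. The cab path, extraction folder and look-back window are assumptions; run it elevated on the affected device.

```powershell
# Added example, not from the book: collect and summarise Autopilot
# diagnostics from a device that failed provisioning.
# Assumptions: elevated session; C:\Temp is writable; the cached profile
# file name, registry key and event-log channel are the ones Windows uses.

function Get-AutopilotDiagnosticsSummary {
    [CmdletBinding()]
    param(
        [string]$CabPath   = 'C:\Temp\MdmDiagnostics.cab',
        [string]$ExtractTo = 'C:\Temp\MdmDiagnostics',
        [int]$HoursBack    = 24
    )
    # 1. Same collection the chapter runs from cmd.exe, scripted so the cab
    #    can be attached to a ticket. It contains tenant and device identifiers,
    #    so treat it as confidential.
    New-Item -ItemType Directory -Path (Split-Path $CabPath) -Force | Out-Null
    & "$env:windir\System32\MdmDiagnosticsTool.exe" -area Autopilot -cab $CabPath
    if (-not (Test-Path $CabPath)) {
        throw "MdmDiagnosticsTool did not produce $CabPath (exit code $LASTEXITCODE)"
    }

    # 2. expand.exe ships with Windows; -F:* extracts every file in the cab.
    New-Item -ItemType Directory -Path $ExtractTo -Force | Out-Null
    & "$env:windir\System32\expand.exe" $CabPath -F:* $ExtractTo | Out-Null

    # 3. The profile the device downloaded during OOBE is cached as JSON.
    #    Fall back to the live copy if the cab did not include it.
    $profileFile = Join-Path $ExtractTo 'AutopilotDDSZTDFile.json'
    if (-not (Test-Path $profileFile)) {
        $profileFile = "$env:windir\ServiceState\wmansvc\AutopilotDDSZTDFile.json"
    }
    $cachedProfile = if (Test-Path $profileFile) { Get-Content $profileFile -Raw | ConvertFrom-Json } else { $null }

    # 4. Values the Autopilot client writes while provisioning (tenant, profile, correlation id).
    $diagKey  = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
    $regState = if (Test-Path $diagKey) { Get-ItemProperty $diagKey | Select-Object * -ExcludeProperty PS* } else { $null }

    # 5. Warnings (3) and errors (2) from the Autopilot event channel in the window.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot'
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-$HoursBack)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, Message

    [PSCustomObject]@{
        CabPath        = $CabPath
        ExtractedFiles = @(Get-ChildItem $ExtractTo -File).Count
        CachedProfile  = $cachedProfile
        RegistryState  = $regState
        RecentEvents   = $events
    }
}

# Usage (elevated):
# $summary = Get-AutopilotDiagnosticsSummary -HoursBack 6
# $summary.CachedProfile | Format-List
# $summary.RecentEvents  | Format-Table -AutoSize
```

Compare CachedProfile with the profile you expect the device to have received; a wrong tenant domain or profile name there usually means the hash was registered under a different group tag or tenant than intended.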

Troubleshooting automatic BitLocker encryption on a VM

The two most common reasons why BitLocker automatic encryption does not start are:

  • The BitLocker policy is not configured correctly.
  • BitLocker drive encryption cannot start while a removable drive or other bootable media is attached to the device.

When you install a test device in your local Hyper-V environment, you need to do it from an ISO. That ISO stays mounted on the virtual DVD drive and is therefore seen as bootable media (the VM must also be a Generation 2 VM with a virtual TPM enabled, since automatic encryption needs a TPM):

Figure 7.34: Bootable media detected

As you can see in the screenshot above, this has nothing to do with Microsoft Intune, but with how Windows functions. There is a quick fix: just unmount the ISO in Hyper-V and then do an MDM sync or reboot the device and BitLocker encryption will start.
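The following is an added example and not code from the book. It checks, inside the VM, the conditions that stop automatic encryption (no TPM, mounted ISO or other removable media), reports the current state of the OS volume, and provides the "do an MDM sync" step as a function by starting the scheduled tasks the enrollment client creates. It assumes an elevated session inside a Generation 2 Hyper-V VM; the task-path approach for forcing a sync is the commonly used one, not an Intune-documented API.

```powershell
# Added example, not from the book: find out why BitLocker automatic
# encryption has not started on a Hyper-V test VM and force an MDM sync
# once the blocker is removed.
# Assumptions: elevated session inside the VM; Gen 2 VM with vTPM.

function Test-DeviceEncryptionReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $blockers = [System.Collections.Generic.List[string]]::new()

    # A TPM is a hard requirement; on Hyper-V that means a Generation 2 VM
    # with "Enable Trusted Platform Module" ticked in the VM's security settings.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent)   { $blockers.Add('No TPM present (enable the vTPM on the Gen 2 VM)') }
    elseif (-not $tpm.TpmReady) { $blockers.Add('TPM present but not ready') }

    # DriveType 2 = removable, 5 = CD-ROM. A mounted ISO is a CD-ROM drive
    # with media loaded (Size is populated); an empty drive is not a blocker.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2 OR DriveType = 5' |
        Where-Object { $_.Size } |
        ForEach-Object { $blockers.Add("Removable/bootable media present: $($_.DeviceID) ($($_.VolumeName))") }

    # Current state of the OS volume. EncryptionMethod shows XtsAes128 on a
    # default Windows 11 install, the value the chapter quiz asks about.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [PSCustomObject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        KeyProtectors    = (@($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', ')
        Blockers         = $blockers
        Ready            = ($blockers.Count -eq 0)
    }
}

function Start-MdmSync {
    # Same effect as "Sync" under Settings > Accounts > Access work or school:
    # run the scheduled tasks the enrollment client registered for this device.
    Get-ScheduledTask | Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
        Start-ScheduledTask
}

# Usage (elevated, inside the VM):
# $state = Test-DeviceEncryptionReadiness
# $state | Format-List
# if (-not $state.Ready) { $state.Blockers }   # eject the ISO in Hyper-V, then:
# Start-MdmSync
```

If Blockers is empty and ProtectionStatus is still Off after a sync, the remaining suspect is the BitLocker policy itself, which is the other cause listed above.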

Windows Hello for Business

Windows Hello for Business is a solution that replaces passwords with strong two-factor authentication on devices. It uses biometrics or a PIN to authenticate users to Microsoft Entra, Active Directory, and other identity providers. It is available for Windows 10 and later versions.

Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. The following are the categories of components that support Windows Hello for Business:

  • Identity Provider (IdP): The IdP (Microsoft Entra ID or Active Directory) verifies the user's identity and, at provisioning time, registers the public half of the user's Windows Hello key pair.
  • Registration Authority (RA): In certificate-trust deployments, the RA validates the certificate request that the device submits for the user's key and has a certificate issued for it.
  • Key trust: In the key-trust model, no user certificate is needed; the IdP trusts the registered public key, and at sign-in the user proves possession of the private key, which never leaves the device's TPM.
  • Device: The...
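The following is an added example and not code from the book. After an Autopilot run, dsregcmd /status is the quickest way to confirm that the device is Entra joined, that its device key is TPM-protected, and that a Windows Hello for Business key (the "NGC" key) was provisioned for the signed-in user. The parser below turns the "Name : Value" lines into a hashtable and picks out those fields; the field names are the ones dsregcmd prints today and are assumed to stay stable.

```powershell
# Added example, not from the book: read join and Windows Hello for Business
# state from dsregcmd /status. Run in the context of the signed-in user
# (NgcSet and AzureAdPrt are per-user values).

function Get-DsregStatus {
    # dsregcmd prints "Name : Value" lines grouped under +---- headers.
    # Keep every such line; a later duplicate name overwrites an earlier one.
    $raw   = & "$env:windir\System32\dsregcmd.exe" /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    $state
}

function Test-HelloForBusinessState {
    $s = Get-DsregStatus
    [PSCustomObject]@{
        EntraJoined  = ($s['AzureAdJoined'] -eq 'YES')
        TenantName   = $s['TenantName']
        DeviceId     = $s['DeviceId']
        TpmProtected = ($s['TpmProtected'] -eq 'YES')   # device key is held in the TPM
        HelloKeySet  = ($s['NgcSet'] -eq 'YES')         # WHfB key provisioned for this user
        HasPrt       = ($s['AzureAdPrt'] -eq 'YES')     # primary refresh token obtained
    }
}

# Usage:
# Test-HelloForBusinessState | Format-List
```

A device that shows EntraJoined and TpmProtected as True but HelloKeySet as False has completed Autopilot but not Windows Hello provisioning; that typically points at the Windows Hello for Business policy or at the user not having completed the enrollment prompt yet.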

Cloud configuration scenario

You can deploy Windows 10/Windows 11 in a cloud configuration using a guided scenario. In the Microsoft Intune admin center at https://intune.microsoft.com/, choose Troubleshooting + support | Guided scenarios (preview):

Figure 7.40: What is a guided scenario?

Optimize your Windows devices for the cloud with a simple, secure, standardized configuration fit for your needs:

  1. Select Start in the Deploy Windows 10 and later in cloud configuration guided scenario.
  2. In the introduction, select Next.

Figure 7.41: Guided scenarios

Introduction

Windows 10 and later in cloud configuration helps to standardize and simplify device management for users with focused workflow needs. You can use cloud configuration to configure new devices or to repurpose and extend the life of existing hardware. It works on any Windows 10/11 Pro, Windows 10 Enterprise, or Windows 10 Education device. Let’s now learn more and evaluate the...

SharedPC self-deployment scenario

Windows SharedPC mode is a feature that optimizes Windows devices for multiple users and guests. It enables settings such as automatic account management, guest and Kiosk accounts, and power and maintenance policies. It also improves the reliability and performance of shared devices. You can configure Windows SharedPC mode using Microsoft Intune, provisioning packages, or PowerShell scripts:

  1. Upload Autopilot devices with a group tag such as SharedPC.
  2. Create a specific ESP for the SharedPC device.
  3. Create a Windows Autopilot profile.
  4. Create a SharedPC profile.

Creating a specific ESP for the SharedPC device

A SharedPC device is a multi-user device, and with Windows Autopilot self-deploying mode, no user has to sign in when onboarding the device into Entra ID or Microsoft Intune. Because there is no user to target, we will create an ESP and assign it to the device group used for this Autopilot scenario.

Create an ESP with the settings you...
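The following is an added example and not code from the book. The SharedPC settings that the Intune profile in step 4 pushes through the SharedPC CSP are also reachable locally through the MDM bridge WMI class MDM_SharedPC, which lets you test the account model on one device before rolling the profile out to the Autopilot group. The bridge classes only answer to the SYSTEM account, so run this with psexec -s or from a script deployed by Intune; the account model and the 7-day inactivity threshold are illustrative values.

```powershell
# Added example, not from the book: enable SharedPC mode through the
# MDM bridge (root\cimv2\mdm\dmmap, class MDM_SharedPC).
# Assumptions: running as SYSTEM; values below are test values.

function Set-SharedPcMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('GuestOnly', 'DomainOnly', 'DomainAndGuest')]
        [string]$AccountModel = 'DomainOnly',
        [int]$InactiveDays = 7
    )
    $ns = 'root\cimv2\mdm\dmmap'
    $pc = Get-CimInstance -Namespace $ns -ClassName MDM_SharedPC
    if (-not $pc) { throw 'MDM_SharedPC not found; the MDM bridge requires the SYSTEM context.' }

    $pc.EnableSharedPCMode   = $true
    $pc.EnableAccountManager = $true
    # AccountModel: 0 = guest accounts only, 1 = domain-joined only, 2 = domain-joined and guest
    $pc.AccountModel = switch ($AccountModel) { 'GuestOnly' { 0 } 'DomainOnly' { 1 } 'DomainAndGuest' { 2 } }
    # DeletionPolicy: 0 = delete profiles immediately at sign-out,
    # 1 = delete at disk-space threshold, 2 = at threshold or after InactiveThreshold days
    $pc.DeletionPolicy    = 2
    $pc.InactiveThreshold = $InactiveDays
    $pc.SetPowerPolicies  = $true      # shared-device power and maintenance defaults

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Enable SharedPC mode ($AccountModel)")) {
        Set-CimInstance -CimInstance $pc
    }
    # Read back what the CSP actually stored.
    Get-CimInstance -Namespace $ns -ClassName MDM_SharedPC |
        Select-Object EnableSharedPCMode, AccountModel, EnableAccountManager, DeletionPolicy, InactiveThreshold
}

# Usage (as SYSTEM):
# Set-SharedPcMode -AccountModel DomainAndGuest -InactiveDays 7 -WhatIf
# Set-SharedPcMode -AccountModel DomainAndGuest -InactiveDays 7
```

SharedPC mode changes sign-in, power and profile behaviour immediately, so keep this to a test device; for the production fleet, the Intune profile assigned to the SharedPC group tag is the right delivery path.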

Wiping and resetting your devices

A factory reset returns the device to its default settings. This removes all personal and company data and settings from the device. You can choose whether to keep the device enrolled and the user account associated with this device. You cannot revert this action.

Are you sure you want to reset this device? Here are the options available to you:

  • Wipe device, but keep enrollment state and associated user account:

    Retained during a wipe                    | Not retained
    User accounts associated with the device  | User files
    Machine state (domain-join, AAD-join)     | User-installed apps (store and Win32 apps)
    MDM enrollment                            | Non-default...

Fresh Start

Cleaning the device will remove all preloaded Win32 apps. You can choose whether to retain user data on the device and whether you are sure you want to clean the device:

Figure 7.57: Windows Fresh Start

You can also set the following options:

  • Keep the device Entra ID joined.
  • A device is enrolled in MDM again when an Entra ID-enabled user signs in to the device.
  • Keep the contents of the device user’s Home folder, and remove any apps and settings.

    If you do not retain user data, the device will be restored to the default OOBE completed state, retaining the built-in administrator account. That account is disabled by default on Windows Autopilot devices, and you can find yourself in a situation where you are not able to sign in to the device.

    Bring Your Own Device (BYOD) devices will be unenrolled from Entra ID and MDM. Entra ID-joined devices will be enrolled in MDM again when an Entra ID-enabled user signs in...
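The following is an added example and not code from the book. The two wipe variants described above and the Fresh Start action are also available as Microsoft Graph actions on the managed device (wipe with keepEnrollmentData and keepUserData, and cleanWindowsDevice with keepUserData), which is how you would script them for a batch of lab devices. Because none of these actions can be reverted, the function supports -WhatIf and -Confirm and refuses to act unless exactly one device matches the name. It assumes the Microsoft.Graph.Authentication module, an account holding DeviceManagementManagedDevices.PrivilegedOperations.All, and an illustrative device name.

```powershell
# Added example, not from the book: trigger wipe / Fresh Start through
# Microsoft Graph with ShouldProcess guarding the irreversible call.
# Assumptions: Microsoft.Graph.Authentication installed; caller has
# DeviceManagementManagedDevices.PrivilegedOperations.All; device name is illustrative.

function Invoke-IntuneDeviceReset {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [Parameter(Mandatory)]
        [ValidateSet('WipeKeepEnrollment', 'WipeFull', 'FreshStartKeepUserData', 'FreshStart')]
        [string]$Action
    )
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                            'DeviceManagementManagedDevices.Read.All' -NoWelcome

    # Resolve the name to the Intune managed device id and refuse ambiguity.
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=deviceName eq '$DeviceName'"
    $devices = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value)
    if ($devices.Count -ne 1) { throw "Expected exactly one device named $DeviceName, found $($devices.Count)" }
    $id = $devices[0].id

    # Map the admin-center choice to the Graph action and its body.
    switch ($Action) {
        'WipeKeepEnrollment'     { $op = 'wipe';               $body = @{ keepEnrollmentData = $true;  keepUserData = $false } }
        'WipeFull'               { $op = 'wipe';               $body = @{ keepEnrollmentData = $false; keepUserData = $false } }
        'FreshStartKeepUserData' { $op = 'cleanWindowsDevice'; $body = @{ keepUserData = $true } }
        'FreshStart'             { $op = 'cleanWindowsDevice'; $body = @{ keepUserData = $false } }
    }

    $target = "$DeviceName ($id)"
    $what   = "$op $($body | ConvertTo-Json -Compress)"
    if ($PSCmdlet.ShouldProcess($target, $what)) {
        Invoke-MgGraphRequest -Method POST -Body $body `
            -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$id/$op"
    }
}

# Usage: preview first, then run with confirmation
# Invoke-IntuneDeviceReset -DeviceName 'LAB-SHAREDPC-01' -Action WipeKeepEnrollment -WhatIf
# Invoke-IntuneDeviceReset -DeviceName 'LAB-SHAREDPC-01' -Action FreshStart
```

Keep the point from the Fresh Start section in mind when choosing FreshStart without user data on an Autopilot device: the built-in administrator account that remains is disabled, so make sure you can re-enroll the device before you run it.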

Summary

In this chapter, you’ve learned about Windows Autopilot, including the difference between user-driven and self-deploying modes, how it works, and why it could be beneficial for your organization to simplify the delivery process of your physical endpoints.

We covered what is included in Windows Autopilot device IDs and how to create Entra ID groups based on different attributes to automate different end user scenarios.

We explained what an ESP is, how to configure it, and how to disable the user part of ESP in special scenarios.

In the next chapter, we’re going to explain everything concerning application delivery and management via Microsoft Intune.

Questions

  1. What is the name of the policy that disables the Windows first logon animation process?
    1. FirstLogonAnimationExperience
    2. FirstExperience
    3. FirstLogonAnimation
    4. WindowsLogonAnimation
  2. What is the default BitLocker encryption method on Windows 11?
    1. AES-CBC 128-bit
    2. XTS-AES 128-bit
    3. AES-CBC 256-bit
    4. XTS-AES 256-bit

Answers

  1. (c)
  2. (b)

Further reading

If you want to learn more about Windows Autopilot after reading this chapter, please use the following free online resources, and join the Autopilot Microsoft Tech Community!

Learn more on Discord

To join the Discord community for this book – where you can share feedback, ask questions to the author, and learn about new releases – follow the QR code below:

https://packt.link/SecNet
