
You're reading from Microsoft Intune Cookbook

Product type: Book
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781805126546
Edition: 1st Edition
Author

Andrew Taylor

Andrew Taylor is an End-User Compute architect with 20 years' IT experience across industries and a particular interest in Microsoft Cloud technologies, PowerShell and Microsoft Graph. Andrew graduated with a degree in Business Studies in 2004 from Lancaster University and since then has obtained numerous Microsoft certifications including Microsoft 365 Enterprise Administrator Expert, Azure Solutions Architect Expert and Cybersecurity Architect Expert amongst others. He is currently working as an EUC Architect for an IT company in the United Kingdom, planning and automating the products across the EUC space. Andrew lives on the coast in the North East of England with his wife and two daughters.

Setting Up Enrollment and Updates for Windows

Now that we have our security and configuration policies in place for our Windows devices, we are almost ready to enroll our first device (we will cover application deployment in Chapter 11, Packaging Your Windows Applications, but that is not essential for enrollment).

Before we start enrollment, we have to consider that we are working with devices directly from the manufacturer/distributor that could have been sitting in a warehouse or on a container ship for several months. Therefore, it makes sense to configure our Windows update policies ahead of enrollment so that we can sleep safely at night, knowing that even a newly provisioned device will be kept up to date.

In this chapter, we will look at configuring update rings manually and using Windows Update for Business (WUfB) as well as Windows Autopatch, which you can think of as Windows Updates as a Service, where Microsoft does the heavy lifting for you.

Once we have our updates...

Technical requirements

For this chapter, you will need a modern web browser and a PowerShell code editor such as Visual Studio Code (VS Code) or PowerShell ISE.

All of the scripts that are referenced in this chapter can be found here: https://github.com/PacktPublishing/Microsoft-Intune-Cookbook.

Building your update rings – including feature and quality updates

With fully managed machines, the last thing you want is them updating themselves without any control over when they receive updates and which updates to receive, and you especially do not want users opting into insider builds themselves.

If you do not have Windows Enterprise licensing to utilize Autopatch (covered in the next recipe) or would just rather manage the updates yourself, you are going to need to configure some update rings.

Getting ready

Before building the rings, navigate to the Entra ID portal and create some Entra ID (static) groups. We will populate these with devices to assign to each of the rings.

Create four groups:

  • 1 for Preview devices.
  • 1 for Pilot devices.
  • 1 for VIP devices.
  • 1 for everything else (broad ring). This could be a dynamic group to save on admin overhead.
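The four groups above can be created from PowerShell instead of the Entra ID portal. The following is an added example, not code from the book or its GitHub repository; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups module) is installed and that the signed-in account can create groups. The group names are constructed, and the dynamic membership rule for the broad ring is an assumption (every Autopilot-registered device), not something the recipe specifies.

```powershell
# Added example (not from the book): create the four Windows Update ring groups
# with the Microsoft Graph PowerShell SDK. Assumes Install-Module Microsoft.Graph.Groups
# has been run. Group names are constructed; adjust to your naming standard.
Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome

# Three static (assigned) rings, populated by hand with the devices you choose.
$rings = @(
    @{ Name = "Intune-WU-Ring-Preview"; Description = "Windows Update ring: Preview devices" },
    @{ Name = "Intune-WU-Ring-Pilot";   Description = "Windows Update ring: Pilot devices" },
    @{ Name = "Intune-WU-Ring-VIP";     Description = "Windows Update ring: VIP devices" }
)

foreach ($ring in $rings) {
    # Idempotent: skip groups that already exist so the script can be re-run safely.
    $existing = Get-MgGroup -Filter "displayName eq '$($ring.Name)'"
    if ($existing) {
        Write-Host "Group $($ring.Name) already exists, skipping"
        continue
    }
    # Security-enabled and not mail-enabled is what an Intune assignment target needs.
    New-MgGroup -DisplayName $ring.Name -Description $ring.Description `
        -MailEnabled:$false -MailNickname ($ring.Name -replace '[^a-zA-Z0-9]', '') `
        -SecurityEnabled:$true | Out-Null
    Write-Host "Created $($ring.Name)"
}

# Broad ring as a dynamic group, as the recipe suggests, to save on admin overhead.
# Assumption: every Autopilot-registered device belongs in the broad ring. "[ZTDId]"
# is the physical ID prefix that Autopilot registration stamps on the device object.
$broadName = "Intune-WU-Ring-Broad"
if (-not (Get-MgGroup -Filter "displayName eq '$broadName'")) {
    New-MgGroup -DisplayName $broadName -Description "Windows Update ring: all other devices" `
        -MailEnabled:$false -MailNickname "IntuneWURingBroad" -SecurityEnabled:$true `
        -GroupTypes "DynamicMembership" `
        -MembershipRule '(device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))' `
        -MembershipRuleProcessingState "On" | Out-Null
    Write-Host "Created $broadName (dynamic)"
}
```

Because the dynamic rule also matches the Preview, Pilot and VIP devices, exclude those three groups when you assign the broad update ring in Intune; a device that lands in two rings with different deferral settings produces a policy conflict rather than a predictable schedule.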

Once you have created these groups, navigate to the Intune portal; we will be using...

Configuring driver updates

You can also use Intune to gain finer control over driver updates on your devices so that you can include automatic deployments or manual approval before deploying. This will allow you to test drivers for any issues before a full-scale deployment.

Intune will automatically check your estate and populate the drivers as appropriate. If you have chosen not to share telemetry with Microsoft, you will need to do so for driver updates to present themselves.

How to do it…

Follow these steps:

  1. First, select Devices and then Windows 10 and later updates.
  2. Now, click Driver updates for Windows 10 and later and create a new profile.
  3. Specify your profile’s Name and Description and click Next.

    Here, you must set if you want updates to be manually approved or automatically updated. Note that you cannot change this setting after configuring it; you will need to delete the profile and create a new one.

  4. In this case, we are going to...

Enrolling and using Autopatch

If you have Windows Enterprise Licensing (Microsoft 365 E3, E5, or Windows E3), instead of manually configuring and populating your Windows update rings, you can use Windows Autopatch from Microsoft. This is a semi-managed service that automates updates for Windows, Microsoft Office, Microsoft Teams, Edge, Drivers, SQL ODBC, and .NET. When using Autopatch, Microsoft can also centrally pause updates so that if it notices a particular update is causing issues, it can block it before it is installed on your devices and then automatically resume it when the issue has been resolved.

As well as the click-and-forget option, you can also use Autopatch groups for more granular control over your updates. This will be covered in the There’s more… section of this recipe.

Getting ready

Before we deploy any configuration, you need to onboard your tenant into the service. For this, you will need two administrative contacts and a user account with...

Configuring Windows Hello for Business

Windows Hello for Business (WHfB) provides multi-factor authentication (MFA) on Windows devices via either PIN, biometrics (face, fingerprint), or a FIDO2 security key.

This can be configured either at a tenant level (via the Device Enrollment menu) or at a more granular level using Settings catalog. In this recipe, we will cover both methods, starting with the tenant level, as that needs to be left set to Not Configured for Settings catalog to work.

The recommended approach is to use Settings catalog.

How to do it…

We will start this recipe by covering how to enable WHfB in the GUI.

Configuring at the tenant level

Follow these steps:

  1. Navigate to Devices, then Enrollment, and click on the Windows tab. Then, click on Windows Hello for Business.

    This will load a fly-out window where we can configure the Configure Windows Hello for Business and Use security keys for sign-in settings.

  2. Change Configure Windows Hello...

Setting up Windows Autopilot Enrollment Profiles

Now that we have our policies in place to manage devices, we can start configuring the policies so that we can enroll and provision them. The first of these is the Windows Autopilot Enrollment Profile, which tells the device what to do when it hits the Autopilot service during the Out of Box Experience (OOBE).

You can have multiple profiles assigned to different Entra ID groups, usually using the Group Tag functionality, which we will cover in Chapter 14. By using group tags when adding devices to Autopilot, you can then add devices to Dynamic Entra ID groups and assign them to the appropriate Autopilot profile. Here are a couple of examples of why you would want multiple profiles:

  • Kiosk devices (using self-deploying mode): These profiles self-deploy and require no user input during provisioning. This means they can be configured to automatically sign in using a local device account. You can then configure policies to force...

Configuring an ESP

The final step before we can deploy a Windows device using Autopilot is to configure our ESP. This is the screen that users see after entering their credentials during OOBE and displays the progress of their device configuration and onboarding. It also has the potential to be where you will experience most of your issues, so be sure to check out the There’s more… section for some troubleshooting tips.

How to do it…

Follow these instructions:

  1. First, navigate to Devices, then click on Enrollment. Select Windows and then Enrollment Status Page.

    You can have multiple pages configured that are queried according to their priority (and then also queried for group membership).

    As the ESP is used to block a device until a particular subset of applications has been installed, you may find yourself needing more than one, should different departments/regions/groups have key applications that must be installed before they can log in and use the...

Enrolling a Windows device

We now have everything in place and can enroll our first Windows device into Intune using Autopilot. This recipe will run through the different options for adding the hardware hash into Autopilot and then provisioning a new machine.

Getting ready

For this recipe, you will need a Windows machine capable of running Windows 11. This can include a virtual machine (VM), which is what we will be using, but it has to have a Trusted Platform Module (TPM) enabled to pass the prerequisites for Windows 11. The machine will be wiped during the process, so please ensure there is no data on it.

To add devices, you will also need the Get-WindowsAutoPilotInfo PowerShell script: https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo.

Once you have a machine ready, follow the steps to build it.
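Before wiping the machine, it is worth confirming the prerequisites and capturing the hardware hash with the gallery script in one go. The following is an added example, not code from the book or its repository; it assumes an elevated PowerShell session on the device being registered, internet access to the PowerShell Gallery, and constructed values for the output path (C:\HWID) and group tag ("Pilot").

```powershell
# Added example (not from the book): prerequisite checks, then capture the hardware
# hash with the Get-WindowsAutoPilotInfo script from the PowerShell Gallery.
# Run in an elevated PowerShell session on the device. Paths and the group tag
# are constructed values; change them to suit your environment.

# The script reads the device's MDM hardware data through WMI, which needs elevation.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Administrator) PowerShell session."
}

# Windows 11 requires a present, ready TPM; check before the device gets wiped.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready; the device will not pass the Windows 11 prerequisites."
}

$outputDir  = "C:\HWID"
$outputFile = Join-Path $outputDir "AutopilotHWID.csv"
New-Item -ItemType Directory -Path $outputDir -Force | Out-Null

# Install the gallery script and allow it to run for this session only.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
Install-Script -Name Get-WindowsAutoPilotInfo -Force
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"

# Capture serial number, Windows product ID and hardware hash. -GroupTag is optional;
# it is the value the group-tag based dynamic groups key on ("Pilot" is constructed).
Get-WindowsAutoPilotInfo -OutputFile $outputFile -GroupTag "Pilot"

# Sanity-check the CSV before importing it into Autopilot: an empty hash means the
# WMI query failed (typically a non-elevated session or an unsupported VM).
$rows = Import-Csv -Path $outputFile
foreach ($row in $rows) {
    if ([string]::IsNullOrWhiteSpace($row.'Hardware Hash')) {
        throw "No hardware hash captured for serial $($row.'Device Serial Number')."
    }
    Write-Host ("Serial {0}: hash length {1} chars" -f $row.'Device Serial Number', $row.'Hardware Hash'.Length)
}
```

The CSV written here is the file you upload when importing devices into Autopilot manually; the hash ties the Autopilot registration to this specific hardware, so keep the file in the same place you would keep any other device inventory rather than in a shared download folder.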

How to do it…

The first thing we need to do is add the device to the Autopilot service. We have a few options available for this.

Requesting from your hardware...
