
Microsoft 365 Business

Technical Fundamentals
Module 7: Device Management 2 (Autopilot)
Pedro F. Pereira
Pedro.F.Pereira@Rumos.pt
Module 7 (Device Management): After this module you should know and understand:

Zero Touch Deployment benefits
Plan, Configure and Deploy devices with Autopilot
White glove deployment


Traditional Windows deployment // The old way

Build a custom image, gathering everything else that’s necessary to deploy (Office & apps, drivers, policies, settings)
Deploy image to a new computer, overwriting what was originally on it
Time means money, making this an expensive proposition
Modern Windows deployment // The new way

Un-box and turn on off-the-shelf Windows PC
Transform with minimal user interaction
Device is ready for productive use
Device lifecycle management with Windows Autopilot and Intune

Key Benefits:
No more maintenance of images and drivers
No need for IT to touch the devices
Simple process for users and IT
Integration in the device supply chain
Reset device back to a business ready state

Lifecycle stages (diagram): Procurement, Deployment, Business ready, Management, Retirement; Break fix


The transformation
OEM-optimized Windows 10
+ Software
+ Settings
+ Updates
+ Features
+ User data
Ready for productive use
Windows Autopilot value to partners

Benefits to partner:
Greater account control and deeper engagement
Changes costly custom imaging practice to high value Modern Desktop Deployment and Managed Services practice
Entry point for Surface ADR/DMPs into CSP Program
Increased M365 cross sell/up sell revenue opportunities
No touch configuration from Microsoft to end-user
Tip of the spear towards modern manageability practices

Partner-led services:
Via Partner Center, enable devices by S/N
Manage Autopilot apps/policy settings via Intune & Store for Business
Manage M365 Environment to include device inventory management
Provide triage support desk services to customer sites
Migration services from custom imaging to no touch Autopilot
Develop customer strategy for moving to Modern Management
Revenue opportunity

Services:
Security monitoring and analytics reporting: $$
Deployment advisory and assessment services: $
Increased M365 cross sell/up sell: $$$
Device lifecycle management: $$
Long-term customer rapport & trust: Priceless

Building the sale (diagram):
Devices
Accessories: Pens, Mice, Dial, Headphones, Type Covers, etc.
Services: Extended Hardware Service, Office 365, Autopilot deployment services, Microsoft 365 licensing, Windows Update management
Windows Autopilot deployment

Three simple steps, cloud driven:
1. Register devices
2. Assign an Autopilot profile to the devices
3. Ship the device to the user

Administering
Windows Autopilot

Microsoft Store for Business Partner Center

Microsoft 365 Business


Windows Autopilot

Step 1. Registering devices


Participant Device Manufacturers
Windows Autopilot // Major OEM status

Table columns: OEM, Device registration, Clean images. The OEM column held logos that are not recoverable; the remaining cells, row by row in slide order:
  ✓ ✓ | Free | $30/PC offering
  ✓ | (Targeting later CY19) | $3 option
  ✓ ✓ | $5/device | Free; additional offerings at $5/PC and $8-35/PC
  ✓ ✓ | Free | Free

Notes:
Initially customers will register existing devices for testing/validation
They will want to know about OEM offerings, to make sure they can eventually have the OEM register devices for them
Dell: $30/PC offering includes device registration, clean image or custom image loading, and choice of N, N-1, or N-2 Windows 10 releases
Lenovo: $5/PC offering removes most apps from the OS; $8-35/PC offering allows choice of N, N-1, N-2 Windows 10 releases and offers preloading of up to five Win32 apps
HP: Pilot program available today, they will e-mail a spreadsheet to the customer so the customer can upload the devices via MSfB
Registering new devices
Supply chain integration

OEMs, distributors, and resellers make the process easy:
Automatically add new devices to Azure tenant at time of shipment
Associate devices to customer’s purchase order for easy device grouping
Tag devices with a customer specified label
Provide a preinstalled image that is ready for configuration*

For a list of those supporting Windows Autopilot supply chain integration please visit:
https://aka.ms/WindowsAutopilot
Registering existing devices
Automatically for all Intune-managed Windows 10 devices

If you have existing Windows 10 devices:
Enable new Autopilot profile setting for all targeted devices
Ensure the Autopilot profile is assigned to a group containing the existing Windows 10 devices

If your existing Windows 10 devices are not yet Intune-managed:
Ensure all new Intune-enrolled Windows 10 devices are part of a group with an assigned Autopilot profile
Registering existing devices
Manually for existing devices

To register existing devices:
Use the PowerShell script available at https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo
Run for each device (requires Windows 10 1703 or higher)
Upload resulting CSV file via Intune portal
See https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/add-devices#collecting-the-hardware-id-from-existing-devices-using-powershell for more information

Great for testing and validation with existing devices and virtual machines.
Registering devices // Summary

OEM API
Devices registered with:
  Manufacturer, model, serial number
  Serial number, Windows product ID
Customer authentication required:
  Original e-mail model being replaced by Microsoft Store for Business authorization method (requires tenant admin)
API (only)

Partner Center
Devices registered with:
  Manufacturer, model, serial number
  Serial number, Windows product ID
  Serial number, hardware hash
Customer authentication required:
  Partner Center delegation (no AAD rights required)
Portal or Partner Center API

Microsoft Intune
Devices registered with:
  Serial number, hardware hash
Portal or Intune Graph API
Windows Autopilot

Step 2. Assign profile


Creating an Autopilot profile

Configure important details:
Deployment mode
Specific settings required for the deployment mode
New! BitLocker encryption even for non-admin users (requires Windows 10 1809)

Out-of-box experience (OOBE) settings:
New! Hide change account options (requires Windows 10 1809)
New! Device naming pattern, supporting variable substitution (requires Windows 10 1809):
  %SERIAL%
  %RAND:x% (where x is the number of digits)
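A naming pattern is only useful if every expanded name is a legal computer name, and %SERIAL% makes the length depend on the vendor's serial format. The following is an added example, not part of the original slides: the function name and the sample serial numbers are hypothetical, and it assumes the Windows computer-name rules of at most 15 characters, only letters, digits and hyphens, and not digits only.

```powershell
# Added example: expand an Autopilot device naming pattern for a list of serials
# and flag names that break the assumed computer-name rules.
function Test-AutopilotNameTemplate {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string[]]$SerialNumber
    )
    # Stand in a run of zeros for each %RAND:x%; only the length matters here
    [System.Text.RegularExpressions.MatchEvaluator]$zeros = {
        param($m) '0' * [int]$m.Groups[1].Value
    }
    foreach ($serial in $SerialNumber) {
        $name = $Template.Replace('%SERIAL%', $serial)
        $name = [regex]::Replace($name, '%RAND:(\d+)%', $zeros)
        $problems = @()
        if ($name.Length -gt 15)          { $problems += "length $($name.Length) exceeds 15" }
        if ($name -match '[^A-Za-z0-9-]') { $problems += 'characters other than letters, digits, hyphen' }
        if ($name -match '^\d+$')         { $problems += 'digits only' }
        [pscustomobject]@{
            Serial = $serial; Expanded = $name; Length = $name.Length
            Valid = ($problems.Count -eq 0); Problems = $problems -join '; '
        }
    }
}

# Constructed serial numbers (not real devices): the second one is too long for the prefix
Test-AutopilotNameTemplate -Template 'CORP-%SERIAL%' -SerialNumber 'PF1ABC23', '5CG9031XYZ12' |
    Format-Table -AutoSize
Test-AutopilotNameTemplate -Template 'KIOSK-%RAND:5%' -SerialNumber 'PF1ABC23' |
    Format-Table -AutoSize
```

Running it against the serial numbers in the registration CSV shows, before the profile is assigned, which devices would end up with a name that does not fit.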


Windows Autopilot

Step 3. Deploy!
Windows Autopilot overview

[Diagram: Hardware Vendor sends Device IDs to Windows Autopilot and ships the device, delivered direct to the Employee. IT Admin configures the Windows Autopilot profile in Intune (Autopilot profile sync, device sync). Employee unboxes device, self-deploys (self-service deploy).]
Windows Autopilot
Enrollment status page

Ensure policies, apps and settings are complete prior to the end user gaining access to the desktop
Confirm minimum baseline requirements
Protect data during device set up
Deliver a compliant secure device
Personalize the out of box experience
New! Unlock Windows 10 in S mode (requires Windows 10 1809)

Requirements:
Windows 10, version 1803 (with May cumulative update or later)
Azure Active Directory Premium
Microsoft Intune
Windows Autopilot // Deployment Scenarios

User-driven mode with Azure AD Join (Available)
  Windows 10 1703 and above
  Join device to Azure AD, enroll in Intune/MDM

Self-deploying mode (AVAILABLE in 1809)
  Windows 10 1809 and above
  No need to provide credentials, automatically joins Azure AD

User-driven mode with Hybrid Azure AD join (AVAILABLE in 1809)
  Windows 10 1809 and above
  Join device to AD, enroll in Intune/MDM

Windows Autopilot for existing devices (AVAILABLE in 1809)
  Windows 10 1809 and above
  Windows 7 to Windows 10 ConfigMgr task sequence, followed by Windows Autopilot user-driven mode
Windows Autopilot

User-driven deployment
with Azure AD
Windows Autopilot // User-driven deployment with Azure AD

Prerequisites:
Windows 10 version 1703
Azure Active Directory Premium
Microsoft Intune

Steps:
1. Device connected to internet network
2. Register device with Windows Autopilot
3. Assign Intune Autopilot Profile configured for Azure AD join
4. Boot device
Design notes

Should be done by the end user

User authenticates with Azure AD from the start

Choose between admin and non-admin

Typically for single-user (not shared) devices


Demo Screengrab
Windows Autopilot

User-Driven Hybrid
Azure AD join
Windows Autopilot // User-Driven deployment with Hybrid Azure AD

Prerequisites:
Windows 10 version 1809
Azure Active Directory Premium
Microsoft Intune

Steps:
1. Set up ODJ connector from AD to Intune
2. Device connected to corporate network
3. Register device with Windows Autopilot
4. Assign Intune Autopilot Profile configured for Hybrid Azure AD join
5. Boot device
Windows Autopilot // User-Driven deployment with Hybrid Azure AD

[Diagram: components are the Windows Autopilot Deployment Service, Intune, the Offline Domain Join Connector and the DC. Labelled flows: Hardware ID, Autopilot profile, MDM enrollment, Receive ODJ, Complete Join over corp net, Receive GPOs over corp net. Actors: IT Admin; Employee unboxes device, self-deploys.]
VIDEO
Windows Autopilot

Self-deploying mode
Windows Autopilot // Self-deploying mode with Azure AD

Prerequisites:
Windows 10 version 1809
Azure Active Directory Premium
Microsoft Intune
Device with TPM 2.0

Steps:
1. Device connected to internet
2. Register device with Windows Autopilot
3. Assign Intune Autopilot Profile configured for self-deploying mode
4. Boot device
How would you use Autopilot to deploy…

Digital signage Single app kiosk Multi app kiosk VDI clients Shared PC
Design notes

Technicians usually set up these types of devices

No defined user to auth or set up the device

May not have peripherals (keyboards, mice, etc.)

Typically involve “walk up and use” scenarios


Demo Video
Windows Autopilot
for existing devices
Windows Autopilot // Windows Autopilot for existing devices

Prerequisites:
Windows 10 version 1809
Azure Active Directory Premium
Microsoft Intune
System Center Configuration Manager
OneDrive for Business

Steps:
1. Create task sequence to deploy generic Windows 10 image with needed drivers (wipe-and-load)
2. Migrate data to OneDrive for Business (in advance)
3. Deploy task sequence to existing Windows 7 devices, installing Windows 10 and proceeding through Windows Autopilot user-driven process to join device to Azure AD
Design notes

Upgrading the OS is just part of the problem

Need to migrate user data from Win7 to Win10

Unable to harvest hardware hashes in Win7


Demo Video
Windows Autopilot

Roadmap
Windows Autopilot // New in Windows 10 1903!

Windows Autopilot “White Glove” (AVAILABLE in 1903)
  Windows 10 1903 and above
  White glove partners or IT staff can pre-provision Windows 10 PC to be fully configured and business-ready for an org or user

ESP enhancements (AVAILABLE in 1903)
  Windows 10 1903 and above
  ESP tracks Intune Management Extensions, SCCM and Office installs
  IT admin can choose what apps block during ESP through Intune

Cortana voiceover disabled in OOBE (AVAILABLE in 1903)
  Windows 10 1903 and above
  Cortana voiceover disabled by default for Pro and above SKUs

Self-updating Autopilot (AVAILABLE in 1903)
  Windows 10 1903 and above
  Enable new Windows Autopilot functionality without updating Windows.
Troubleshooting

Windows Autopilot Level 100/200:
https://blogs.technet.microsoft.com/mniehaus/2017/12/13/troubleshooting-windows-autopilot-level-100200/

Windows Autopilot Level 300/400:
https://blogs.technet.microsoft.com/mniehaus/2017/12/13/troubleshooting-windows-autopilot-level-300400/

Troubleshooting improvements in Windows Autopilot:
https://blogs.technet.microsoft.com/mniehaus/2018/05/15/troubleshooting-improvements-in-windows-autopilot/
End of Module 7

Thank you
