Windows Autopilot: A Step-by-Step Guide to Deploying with Zero Touch

Technology needs are evolving in the modern workplace, but the truth is most IT departments have built themselves around the traditional PC life cycle by managing images, controlling updates, locking down behavior, and protecting users. This creates friction that can only be resolved with a more modern approach.

Personally, I don’t think the solution is an either/or choice, but rather a balanced approach that allows organizations to modernize at their own pace and manage risk in smarter ways. Ideally, an organization should be able to take advantage of the cloud and modern IT while giving its employees the tools and capabilities to bring that design point to their existing investments without having to throw everything out.

Windows Autopilot — a feature available in Microsoft Intune platform — makes this possible. It’s a collection of technologies that automatically configures Windows devices from the cloud in a few steps, so admins can pre-configure new devices with zero touch. Whether an organization is cloud only or looking for a hybrid deployment with co-management, they can combine Microsoft Intune and Configuration Manager to provide modern management of endpoints with the protection of a zero-trust strategy.

I’ll walk you through how to use Windows Autopilot to successfully deploy with zero touch, and I’ll explain what Microsoft Intune and Windows Autopilot are in a nutshell, as well as:

• How to deploy Windows devices
• How to automatically register existing devices
• How to create an autopilot deployment profile
• How to enable the enrollment status page options

Microsoft Intune – What Is It?

Microsoft Intune is a comprehensive tool for mobile device management (MDM) and mobile application management (MAM) for your apps and devices. It has the ability to deploy apps, software updates, and operating systems for desktops, servers, and laptops from on premises or the cloud.

The tool will allow your organization to gain more positive outcomes with:

• User experience insights that help improve user productivity and reduce IT support costs;
• a user impact assessment of configuration changes that allows you to optimize the end-user experience; and
• the ability to proactively make improvements to devices by identifying policies or hardware issues that may be slowing them down.

‍Take control of your software:

• Get a set of tools and resources to help manage the complexities of tracking and applying updates to client devices.
• Easily manage the software update process with manual, automatic, and phased deployment scenarios.
• Use the software updates dashboard to view compliance status and quickly analyze data to determine which devices are at risk.

Key benefits:

• No more maintenance of images and drivers.
• No need for IT to touch the devices.
• Simple process for users and IT.
• Integration in the device supply chain.
• Reset device back to a business-ready state.

Windows Autopilot in a Nutshell

This service will allow an organization to take control of their corporate Windows devices and simplify the Windows device life cycle for both IT and end users. The service offers the ability to:

• Direct device shipments to users’ homes without pre-configuration steps.
• Get an out-of-the-box experience (OOBE) with remote deployment and configuration of devices through a zero-touch process.
• Reduce the time IT spends on deploying, managing, and retiring devices.
• Reduce the infrastructure required to maintain the devices.
• Maximize ease of use for all types of end users.
• Reset, repurpose, and recover devices remotely.

How to Deploy Windows Devices

Register through OEM, distributor, or reseller:

• Automatically register devices.
• Request clean images, choice of Windows 10/11 version at the same time (if available).
• Specify group tag to help segment devices by purpose.
• Devices are automatically tagged with the purchase order ID.

Register devices yourself via Intune for testing and evaluation using Get-WindowsAutopilotInfo PowerShell script.

Register (harvest) existing Intune-managed devices automatically.

Use Intune:

• Select profile scenario (user driven, self deploying).
• Define AADJoin Type (AAD Join, Hybrid Join).
• Configure the settings you need.
• Assign to an Azure AD group so Intune will automatically assign to all devices in the group.

Use a dynamic Azure AD group to automate this step:

• Consider static Azure AD group for exceptions.
• Boot up each device.
• Connect to network (Wi-Fi, Ethernet).
• Enter credentials (if required).

Registering Existing Devices Automatically

If an organization has existing Windows 10/11 devices:

• Enable new Autopilot profile setting for all targeted devices.
• Ensure the Autopilot profile is assigned to a group containing the existing Windows 10/11 devices.

If the existing Windows 10/11 devices are not yet Intune managed:

• Enable co-management with ConfigMgr via the “Automatic enrollment into Intune” setting. (See https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview#enable-co-management).  
• Ensure all new Intune-enrolled Windows 10 /11 devices are part of a group with an assigned Autopilot profile.

Autopilot Deployment Profile

For Intune-managed devices, pre-provisioning, self-deploying, and co-management profiles can only be created and assigned in Intune.

Creating a profile

Autopilot deployment profiles are used to configure the Autopilot devices. The tool can create up to 350 profiles per tenant, and you can choose:

• To show the EULA to users;
• To show privacy settings to users;
• The user’s account type (Administrator or Standard user);
• The language to use for the device; and
• A template to use when naming a device during enrollment.

Assigning a profile

Automated using groups.

If there are existing Windows 10/11 devices:

• An Azure AD device object is automatically created for each imported Autopilot device.
• Create one or more Azure AD groups.
• Assign an Autopilot profile to the Azure AD group. 
• Intune will automatically assign the profile to all members of the assigned group.

Options for grouping:

• Dynamic group with all Autopilot devices;
• Dynamic group based on purchase order ID;
• Dynamic group based on device tag (orderID); or
• Manual.

Enable the Enrollment Status Page Options

Configure important details:

• Show Profile Mode.
• Set time limitations.
• Manage error handling and user Information.
• Show OOBE to first orevery new user.
• Block device until all (selected) apps and configuration profiles are installed.

Windows Autopilot is a powerful and convenient cloud-based deployment tool for IT administrators that allows for streamlined device setup and management for organizations of all sizes. With Windows Autopilot, users can quickly and easily get up and running with their new devices without the need for time-consuming manual setup and configuration. This saves time for IT staff and increases productivity for end-users, resulting in a more efficient and effective work environment.

Thanks to its integration with Microsoft Intune and Azure Active Directory, Windows Autopilot provides a seamless and secure experience for users. IT administrators can easily configure device settings, policies, and apps, and users can enroll devices themselves, making it a truly self-service tool. Additionally, Windows Autopilot provides a high degree of customization, enabling organizations to create unique user experiences and tailor settings to meet their specific needs.

Overall, Windows Autopilot is an excellent solution for modern device deployment and management, simplifying the setup process and allowing for greater control and customization. With its cloud-based infrastructure and easy-to-use interface, Windows Autopilot is an indispensable tool for IT administrators looking to manage their devices more efficiently and effectively.

‍

About the Author:

Victor Inostroza is a Sr. Cloud Security Engineer with CyberOne and has several years of experience in the field. He possesses a deep understanding of various cloud platforms and their associated security risks. His passion for technology and security drives him to constantly stay up-to-date with the latest trends and best practices in the industry.

He specializes in cloud infrastructure security, access management, data protection, threat detection, and incident response. Victor has worked with various organizations to develop and implement cloud security policies that meet their unique business requirements and compliance standards.

‍