Extension II: Windows Autopilot
Overview
Windows Autopilot is Microsoft's deployment program that uses a collection of technologies to quickly set up and pre-configure new devices. In general, it is comparable to Apple's Device Enrollment Program, or to Knox Mobile Enrollment and Android Zero Touch for Samsung Knox and Android devices. Windows Autopilot simplifies the complete lifecycle of the device: users can easily enroll devices from the out-of-the-box experience without any interaction with the IT department. Your users only need an internet connection and their user credentials, and can enroll the device within a few steps.
To achieve this technically, devices or device identifiers are added to a cloud service; when devices or users start the out-of-the-box experience, internet-connected devices contact the cloud service to retrieve the specific configuration defined in a profile. To add devices to the cloud service you have different options: the first is to contact your hardware vendor, who may be able to add devices to the Windows Autopilot deployment program for you after purchase. Another option is to add devices manually to Windows Autopilot.
The Windows Autopilot extension offers the option to connect to the Windows Autopilot service (Intune) from Unified Endpoint Management with a Service Connection in order to sync, create, delete and edit Autopilot devices and profiles. For devices in the Autopilot device pool, computer objects are created automatically in Unified Endpoint Management and are thus available as assets (Asset Management) in your company before they are connected to a system.
After the device enrollment with your target management system (e.g. Silverback), configurations can be applied to transform the device into an enterprise-ready and secured device, e.g. by deploying and installing the UEM Agent, which in turn installs Software Packages. Additionally, you can easily deploy the EgoSecure Data Protection agent for an additional security layer.
Before you start
Before you start, please note the following:
- In general, the Windows Autopilot cloud service can be configured independently of the mobile client management solution used, allowing the Windows Autopilot extension to be integrated into Unified Endpoint Management for different solutions and for managed service providers. The configuration of Autopilot profiles is optimized for using the Unified User Experience in combination with Matrix42 Silverback.
- When using Assignments of Autopilot Profiles through the Unified User Experience, shared data from the Azure Active Directory / Office 365 Data Provider is required. If you want to use the full feature set of the Autopilot Extension, ensure that this Data Provider is configured. The Autopilot Extension uses the existing information about Azure AD Groups that is imported by the Data Provider: when assigning profiles to a group, this data is used, but the assignment itself is defined by the Service Connection in use.
- During this guide, we will create a new App Registration in Microsoft Azure and grant it API permissions. Depending on your current setup, you might already have a Service Connection that is connected to specific Microsoft Graph APIs (e.g. for the Azure Active Directory / Office 365 Data Provider), and a tenant might already be configured in your Enterprise Automation Platform. In this scenario, you might want to use the existing App Registration and extend its existing API permissions.
- The Windows Autopilot Extension comes with the Generic Inventory Data Provider and the Intune Integration Core as prerequisites, as the extension uses and extends their shared services and data.
Requirements
- Enterprise Automation Platform 11.0.1 and newer
- Unified Endpoint Management 22.0.1 and newer
- Administrative Access to Enterprise Automation Platform, Unified Endpoint Management, and Microsoft Azure
- We recommend reviewing the following article first: Windows 10/11 All about Windows Autopilot
- If you use or intend to use enrollments with Autopilot and Silverback, a successfully completed Azure AD Integration:
Create App Registration
The first step is to create an App Registration in Azure, note down the Applications Details and configure the Permissions for the App Registration.
Create App registration
- Login to Azure
- Select Azure Active Directory
- Click App registrations
- Select + New registration
- Enter a name, e.g. Windows Autopilot Integration for Unified Endpoint Management
- Press Register
- Wait until the process is finished
Capture Application Details
- Open any text editor and copy & paste the following values into it:
- Application (client) ID
- Directory (tenant) ID
Remove Default Permission
- Navigate to API permissions
- Press the three dots next to User.Read
- Select Remove permission
- Confirm with Yes, remove
Add required permission
- Press + Add a permission
- Select Microsoft Graph
- Select Application permissions
- Search for DeviceManagementService
- Expand DeviceManagementServiceConfig
- Enable the permission DeviceManagementServiceConfig.ReadWrite.All
- Search for Group
- Expand Group
- Enable the permission Group.Create
- Press Add permissions
- Now press Grant admin consent for your organization (e.g. Imagoverum)
- Confirm with Yes
Create Secret
- Navigate to Certificates & secrets
- Under Client secrets, press +New client secret
- Enter a Description, e.g. Autopilot Integration Key
- Select an expiration period, e.g. 24 months
- Press Add
- Press Copy to Clipboard in the Value column
- Paste the value to your Text Editor
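As an added check that is not part of this guide or of the Matrix42 product: the Python function below audits an app registration object (the JSON shape Microsoft Graph returns for an application) against what the steps above produce, flagging the default delegated User.Read permission if it was not removed, application permissions beyond the two required ones, a missing required permission, and an expired or soon-expiring client secret. The permission GUIDs and the sample registration are constructed placeholders; in a real run the id-to-name mapping comes from the Microsoft Graph service principal's appRoles.

```python
from datetime import datetime, timedelta, timezone
# Well-known app id of Microsoft Graph, and the only application permissions this guide grants.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
REQUIRED_ROLES = {"DeviceManagementServiceConfig.ReadWrite.All", "Group.Create"}

def audit_app_registration(app, permission_names, now, warn_days=30):
    """Findings for an app registration in the shape Graph returns from GET /applications/{id};
    permission_names maps permission ids to names (Graph service principal appRoles in a real run)."""
    findings, granted = [], set()
    for resource in app.get("requiredResourceAccess", []):
        if resource["resourceAppId"] != GRAPH_APP_ID:
            findings.append(f"unexpected API requested: {resource['resourceAppId']}")
            continue
        for access in resource["resourceAccess"]:
            name = permission_names.get(access["id"], access["id"])
            if access["type"] == "Scope":  # delegated permission, e.g. the default User.Read
                findings.append(f"delegated permission still present: {name}")
            elif name in REQUIRED_ROLES:
                granted.add(name)
            else:
                findings.append(f"application permission beyond the guide: {name}")
    for missing in sorted(REQUIRED_ROLES - granted):
        findings.append(f"required application permission missing: {missing}")
    for secret in app.get("passwordCredentials", []):
        # Graph returns endDateTime as ISO 8601 in UTC; parse the date-time part only.
        expires = datetime.strptime(secret["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        if expires <= now:
            findings.append(f"client secret expired: {secret['displayName']}")
        elif expires - now <= timedelta(days=warn_days):
            findings.append(f"client secret expires within {warn_days} days: {secret['displayName']}")
    return findings

# Constructed sample data: placeholder GUIDs, not the real Graph permission ids.
SAMPLE_PERMISSION_NAMES = {
    "11111111-0000-0000-0000-000000000001": "DeviceManagementServiceConfig.ReadWrite.All",
    "11111111-0000-0000-0000-000000000002": "Group.Create",
    "11111111-0000-0000-0000-000000000003": "Directory.ReadWrite.All",
    "22222222-0000-0000-0000-000000000001": "User.Read",
}
SAMPLE_APP = {  # one excess role, User.Read never removed, Group.Create missing, secret expired
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": "11111111-0000-0000-0000-000000000001", "type": "Role"},
        {"id": "11111111-0000-0000-0000-000000000003", "type": "Role"},
        {"id": "22222222-0000-0000-0000-000000000001", "type": "Scope"}]}],
    "passwordCredentials": [{"displayName": "Autopilot Integration Key", "endDateTime": "2024-01-15T10:00:00Z"}],
}
AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

def audit_sample():
    return audit_app_registration(SAMPLE_APP, SAMPLE_PERMISSION_NAMES, AUDIT_TIME)
```

Running `audit_sample()` on the constructed registration returns four findings; an empty list means the registration matches this guide.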
Configure Service Connection
Add Tenant
- Login to your Enterprise Automation Platform
- Launch the Administration application
- Navigate to Integration
- Select Service Connections
- Select Tenants
- Press + Add Tenant
- Enter a Name for your tenant, e.g. Imagoverum
- Select as Service Microsoft 365
- Paste now your Client ID (Application ID), Tenant and Client Secret into the corresponding fields
- Press Save
- Press Done
Add Service Connection
- Navigate to Connections
- Press Add Service Connection
- Select as Service Microsoft 365 with the Scope Azure Active Directory (Application)
- Select your Tenant, e.g. Imagoverum
- Update the Name to e.g. Imagoverum Windows Autopilot Connection
- Press Setup Authentication
- Wait until the Service Connection Authentication has completed successfully
- Press Done
Install Autopilot Extension
- Press Extension Gallery
- Login with your Matrix42 Credentials
- Search for Windows Autopilot
- Press Install
- Press Next
- Press Install
- Wait until the installation is finished
- Press Finish
Configure Data Provider
Add Service Connection
- Launch again the Administration application
- Navigate to Integration and select Data Providers
- Double-click the Windows Autopilot Data Provider
- Double-click the Windows Autopilot Configuration
- Enter a description (optional)
- Select your previously configured Service Connection
- Press Save and press Done
- Press Done
Enable Data Provider
- Now select the Windows Autopilot Data Provider
- Press Enable
- Confirm with Yes
- Press Activate
- Confirm with Yes
- Click Monitor Import to review the import process
It might take a while until the API permissions granted to the App Registration take effect, so if you see an error about missing permissions during the import, be patient.
- Press Close
Configure Automatic Sync
- Navigate to Services & Processes
- Select Engine Activations
- Enter in Name: Windows Autopilot
- Double-click Windows Autopilot - Data Import
- Select Schedules
- Click on the current schedule
- By default, the automatic sync will be executed every 24 hours at 12:00 AM in UTC time
- Change the schedule to your needs and press Finish
- Press Save and press Done
- Proceed now with the following:
- If you want to orchestrate multiple tenants with Windows Autopilot, proceed with Multiple Tenants
- Otherwise, proceed with Next Steps
Multiple Tenants (optional)
In case you want to orchestrate multiple tenants with Windows Autopilot, you can extend the Data Provider with additional configurations. Devices and Profiles in the Unified User Experience can be distinguished based on the Service Connection column.
- Navigate to Data Providers
- Select the Windows Autopilot Data Provider
- Press Edit
- Click + to add a new configuration
- Under General, perform the following actions:
- Enter a description
- Set the state to Enabled
- Select your additional service connection
- Select Windows Autopilot - Data Collector as Data Collector Workflow
- Select Windows Autopilot - Import Workflow as Data Post Processing Workflow
- Navigate to Settings
- Enter an Organizational Unit
- Change the status (optional)
- Add as Management Type Mobile Device Management
- Add the following Matching Keys:
| Priority | Expression |
|---|---|
| 1 | SPSAssetClassBase.SerialNumber |
| 2 | SPSComputerClassIntuneIntegration.IntuneID |
- Press Save and press Done (2x)
- Press Activate and Confirm with Yes
- Click Monitor Import and select your new Data Provider Configuration
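To illustrate the priority order of the two Matching Keys configured above, here is an added Python example (not Matrix42 code). It assumes first-match-wins semantics in which a key only wins if it identifies exactly one existing asset, and the record field names and sample assets are constructed.

```python
# Matching keys from the Data Provider configuration above, tried in priority order.
MATCHING_KEYS = [
    (1, "SPSAssetClassBase.SerialNumber"),
    (2, "SPSComputerClassIntuneIntegration.IntuneID"),
]
# Assumed (constructed) mapping from each expression to the field of an imported record / asset.
RECORD_FIELD = {
    "SPSAssetClassBase.SerialNumber": "serialNumber",
    "SPSComputerClassIntuneIntegration.IntuneID": "intuneId",
}

def normalize(value):
    """Compare key values case-insensitively and without surrounding whitespace; empty is unusable."""
    return (value or "").strip().upper() or None

def match_asset(record, assets):
    """Return (asset id, winning expression) for the existing asset this record maps to,
    or (None, None) when a new computer object must be created. Assumed semantics: keys are
    tried by priority and a key wins only if it identifies exactly one asset; an empty or
    ambiguous key falls through to the next one."""
    for _priority, expression in sorted(MATCHING_KEYS):
        field = RECORD_FIELD[expression]
        wanted = normalize(record.get(field))
        if wanted is None:
            continue
        hits = [asset["id"] for asset in assets if normalize(asset.get(field)) == wanted]
        if len(hits) == 1:
            return hits[0], expression
    return None, None

# Constructed sample assets: A1 was created from the Autopilot pool before enrollment (no Intune id);
# A3 and A4 share a vendor placeholder serial, so the serial key alone cannot separate them.
SAMPLE_ASSETS = [
    {"id": "A1", "serialNumber": "ABC123", "intuneId": None},
    {"id": "A2", "serialNumber": "DEF456", "intuneId": "intune-2"},
    {"id": "A3", "serialNumber": "To be filled by O.E.M.", "intuneId": "intune-3"},
    {"id": "A4", "serialNumber": "To be filled by O.E.M.", "intuneId": "intune-4"},
]
SAMPLE_RECORDS = [
    {"serialNumber": "abc123 ", "intuneId": None},                       # serial match despite case/space
    {"serialNumber": "TO BE FILLED BY O.E.M.", "intuneId": "intune-4"},  # ambiguous serial -> Intune id
    {"serialNumber": "NEW999", "intuneId": None},                        # unknown -> new computer object
    {"serialNumber": None, "intuneId": "intune-2"},                      # no serial -> Intune id
]

def reconcile(records=SAMPLE_RECORDS, assets=SAMPLE_ASSETS):
    """Match every imported record; unmatched ones are reported as 'NEW'."""
    return [match_asset(record, assets)[0] or "NEW" for record in records]
```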
Review Import
- Navigate to Unified Endpoint Management
- Select Operating Systems and Autopilot
- Select Profiles
- If your Autopilot configuration already contains profiles, you should now see a list of the existing profiles here
- Navigate to Devices
- If your Autopilot configuration already contains devices, you should now see a list of the existing devices here
Next Steps
- Proceed with Windows Autopilot Integration