Windows Autopilot Integration
Overview
Windows Autopilot is Microsoft's deployment program that uses a collection of technologies to quickly set up and pre-configure new devices. In general, it is similar to Apple's Device Enrollment Program, Knox Mobile Enrollment for Samsung Knox devices or Android Zero Touch for Android devices. Windows Autopilot simplifies the complete lifecycle of the device, and users can easily enroll devices from the out-of-the-box experience without any interaction with the IT department. Your users only need an internet connection and their user credentials, and they can enroll the device within a few steps.
To achieve this technically, devices or device identifiers are added to a cloud service, and when devices or users start the out-of-the-box experience, internet-connected devices contact the cloud service to retrieve the specific configuration contained in a profile. To add devices to the cloud service, you have different options: the first is to contact your hardware vendor, as they may be able to add purchased devices to the Windows Autopilot deployment program for you. Another option is to add devices manually to Windows Autopilot.
The Windows Autopilot Integration offers the option to sync, create, delete and edit Autopilot devices and profiles. For devices from the Autopilot device pool, computer objects are automatically created in Unified Endpoint Management and are thus also available as assets (Asset Management) in your company before they are connected to a system.
After the device enrollment with your target management system (e.g. Silverback), configurations can be applied to transform the device into an enterprise-ready and secured device, e.g. by deploying and installing the UEM Agent to install Software Packages on top. Additionally, you can easily deploy the EgoSecure Data Protection agent as an additional security layer.
Requirements
- We recommend reviewing the following article first: Windows 10/11 All about Windows Autopilot
- Installed and configured Windows Autopilot Extension
- Installed and configured Azure Active Directory / Office 365 Data Provider for assigning Groups to Profiles
- Access to Unified Endpoint Management
- For Autopilot enrollments via Silverback, successfully accomplished the configuration for Silverback:
Introduction
After you have installed and configured the Windows Autopilot Extension and an initial synchronization has been successful, you can proceed with this article that gives you an overview of the overall Autopilot integration into the Unified User Experience. First, after the installation, you will find new menu items for the Windows Autopilot integration in the navigation under the Operating Systems section. The menu items include the Windows Autopilot landing page as well as Devices and Profiles, two additional sub-items.
The landing page shows you four different areas, which are separated into Quick Starts, Statistics, Devices by Service Connection and Devices by Manufacturer and Model. The Quick Starts section includes actions that are performed around Windows Autopilot, such as performing a manual synchronization, adding new devices or profiles, and creating a group for Autopilot devices. The Statistics section shows the total number of available devices and profiles. The other two charts show the number of devices per service connection and the number of devices by manufacturer and model.
Dynamic Autopilot Device Groups
Starting from the Quick Starts panel, you will find a button that is called Create Default Group. Since it is not possible to assign profiles directly to devices via Microsoft Intune or via the Graph API, a small detour via assigning profiles to groups and assigning devices to these groups is necessary. For this we added a simple mechanism to create a dynamic device security group for all Autopilot devices. To create this dynamic group, proceed with the following:
- From the Quick Starts press Create Default Group
- Select first your Service Connection. By default the first entry from the Windows Autopilot Data Provider is selected.
- To select another Service Connection, press the search icon and select your desired Service Connection
- Ensure that the selected Service Connection has the Group.Create API Permission
- Now enter a Group Name like All Windows Autopilot Devices
- Enter a description, e.g. Dynamic device security group created via UUX that will contain all Windows Autopilot Devices (optional)
- By default, the Dynamic membership rule is set to the following and will include all Autopilot devices
(device.devicePhysicalIds -any _ -contains "[ZTDid]")
- You can modify the rule, e.g. to create a group that includes all Autopilot devices with a specific group tag
(device.devicePhysicalIds -any (_ -eq "[OrderID]:179887111881"))
- Another option is to create a rule that includes all your Autopilot devices with a specific Purchase Order ID
(device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:76222342342"))
- Press Create Default Group
- After pressing Create Default Group, the Windows Autopilot - Create Autopilot Default Group Workflow will be initiated immediately
- Review the Workflow Execution from the Administration application under Services & Processes > Workflow Studio > Workflow Instances.
- During the execution of the Workflow, the Group will be created via an API Call to Microsoft Graph
- Please note that the Dynamic rule processing at Azure might take some time
- You can review the processing status from the Group overview in Azure (e.g., Not started or Succeeded)
- To use this group to assign Windows Autopilot Profiles later on, the Azure Active Directory / Office 365 Data Provider must have imported the Group
- To speed up the process, navigate to the Administration application and activate the Data Provider to initialize an import of your recently created group(s)
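Because every device the rule matches receives the profiles assigned to the group, it is worth previewing the rule's scope before creating it. The following is an added example, not part of this documentation or the product: it evaluates the two rule shapes shown above (-contains and -eq on device.devicePhysicalIds) against constructed device records; the device names and ZTDid values are made up.

```python
import re

# Constructed sample of Azure AD device objects (name -> devicePhysicalIds).
# [ZTDid] marks an Autopilot registration, [OrderID] carries the group tag,
# [PurchaseOrderId] the purchase order; the ids themselves are made up.
DEVICES = {
    "SUEM-IMG-CL01": ["[ZTDid]:00000000-0000-4000-8000-000000000001",
                      "[OrderID]:179887111881",
                      "[PurchaseOrderId]:76222342342"],
    "SUEM-IMG-CL02": ["[ZTDid]:00000000-0000-4000-8000-000000000002",
                      "[OrderID]:Marketing Devices"],
    "LAPTOP-LEGACY": ["[USER-GID]:1234"],  # never registered to Autopilot
}

# Only the two rule shapes used on this page are supported:
#   (device.devicePhysicalIds -any _ -contains "X")
#   (device.devicePhysicalIds -any (_ -eq "X"))
RULE_RE = re.compile(
    r'^\(device\.devicePhysicalIds\s+-any\s+'
    r'(?:_\s+-contains\s+"(?P<contains>[^"]*)"'
    r'|\(_\s+-eq\s+"(?P<eq>[^"]*)"\))\)$'
)


def parse_rule(rule):
    """Return (operator, literal) or raise ValueError for unsupported syntax."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    if m.group("contains") is not None:
        return "contains", m.group("contains")
    return "eq", m.group("eq")


def element_matches(element, op, literal):
    # -contains is a substring test on the element, -eq an exact comparison.
    # Comparison is case-sensitive here; Azure's own evaluation is authoritative,
    # this is only a local sanity check of the rule's scope.
    return literal in element if op == "contains" else element == literal


def members(rule, devices=DEVICES):
    """Names of devices with at least one devicePhysicalIds element matching."""
    op, literal = parse_rule(rule)
    return sorted(name for name, ids in devices.items()
                  if any(element_matches(e, op, literal) for e in ids))


if __name__ == "__main__":
    for rule in ['(device.devicePhysicalIds -any _ -contains "[ZTDid]")',
                 '(device.devicePhysicalIds -any (_ -eq "[OrderID]:179887111881"))',
                 '(device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:76222342342"))']:
        print(rule, "->", members(rule))
```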
Windows Autopilot Profiles
Autopilot deployment profiles are used to configure the deployment method and to customize the out-of-box experience for your users. You can create up to 350 profiles per tenant, and profiles need to be assigned to a group so that the settings apply to the devices included there. According to the features supported with Silverback, the values for the deployment options are set by default to the supported methods.
Profiles Overview
By navigating to Operating System > Autopilot > Profiles, the Profile overview shows the following information for existing profiles:
Column | Example | Enabled by default |
---|---|---|
Device Type | Windows PC | Yes |
Name | Windows Autopilot Profile | Yes |
Description | My first Windows Autopilot Profile created via UUX | Yes |
Language | German (Germany) | Yes |
Created | 28/01/2022 13:31 | Yes |
Modified | 24/04/2023 15:31 | Yes |
Last import | 24/04/2023 15:34 | Yes |
Service Connection | Windows Autopilot Connection for Imagoverum | Yes |
Profile ID | e0770bb6-82be-4cfe-9952-38b4ffd40b99 | No |
Create new Autopilot Profile
To create a new Autopilot Profile, you can start either from the Autopilot Landing Page or from the Profiles view.
- Navigate to Operating System
- Select Autopilot and press either
- Add Profile from the Quick Starts Landing Page
- Add Windows Autopilot Profile from the Profile navigation item
You can review the user experience for your profile configurations here: Windows 10/11 All about Windows Autopilot
Service Connection and Name
- Select first your Service Connection. By default the first entry from the Windows Autopilot Data Provider is selected.
- To select another Service Connection, press the search icon and select your desired Service Connection
- Enter a Name, e.g. Windows Autopilot Profile
- Enter a description, e.g. My first Windows Autopilot Profile created via UUX (optional)
Deployment Information
Setting | Supported Options | Description |
---|---|---|
Device Type | Windows PC | Will set up Autopilot for Windows PCs |
Deployment Method | User-driven | User-driven must be set as the deployment method, as this means that User credentials are required to enroll the device. |
Join to Azure AD as | Azure AD Joined | Specify how devices join Active Directory (AD) in your organization. As the Hybrid Azure AD joined feature is not supported for 3rd party vendors, Azure AD Joined is predefined. |
Setup Wizard and Software Information
Setting | Supported Options | Description |
---|---|---|
Hide Microsoft Software License Terms | Enabled / Disabled | Beginning with Windows 10 Version 1709, you can decide to skip the EULA page presented during the OOBE process. Please refer to Windows Autopilot EULA dismissal below for important information to consider about hiding the Microsoft Software License Terms. |
Hide privacy settings | Enabled / Disabled | This optional setting suppresses the privacy settings prompt during the out-of-the-box experience. |
Hide change account options | Enabled / Disabled | When users are at the Welcome Screen where they should enter their credentials, a button that lets the user proceed with the change account option is shown or hidden. |
Automatically configure keyboard | Enabled / Disabled | If a language is selected, you can enable this option to skip the keyboard selection page. Like the Language (Region) setting, this option requires an Ethernet connection. |
Apply device name template | Enabled / Disabled | With Windows 10 Version 1809 or later, you can configure a template to name a device during enrollments. |
Device Name Template | e.g. SUEM-IMG-CL0%RAND:2% | The names must be 15 characters or less, and can contain letters, numbers, and hyphens. You can use the %SERIAL% macro to add e.g. the serial number, or the %RAND:x% macro to add a random string of numbers. For example, the following template adds a two-digit number at the end: SUEM-IMG-CL0%RAND:2% |
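A template that fits for one vendor's serial numbers can exceed the 15-character limit for another's, so it pays to expand the template against the fleet's real serials before saving the profile. The following is an added example, not part of this documentation or the product; it applies only the two rules stated in the table (length and allowed characters) and treats %RAND:x% as x random digits.

```python
import random
import re
import string

MAX_NAME_LEN = 15                       # limit stated in the profile settings table
ALLOWED = re.compile(r'^[A-Za-z0-9-]+$')  # letters, numbers and hyphens only


def expand_template(template, serial, rng=random):
    """Expand %SERIAL% and %RAND:x% as described for the Device Name Template."""
    name = template.replace("%SERIAL%", serial)

    def rand_digits(m):
        return "".join(rng.choice(string.digits) for _ in range(int(m.group(1))))

    return re.sub(r'%RAND:(\d+)%', rand_digits, name)


def validate_name(name):
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"{len(name)} characters, limit is {MAX_NAME_LEN}")
    if not ALLOWED.match(name):
        problems.append("only letters, numbers and hyphens are allowed")
    return problems


def check_template(template, serials):
    """Expand the template for each serial and report per-device problems.

    %RAND:x% always contributes exactly x characters, so the length check is
    deterministic even though the digits themselves are random."""
    return {s: validate_name(expand_template(template, s)) for s in serials}


if __name__ == "__main__":
    # Constructed serial numbers: a 7-character Dell-style one and a longer one.
    for serial, problems in check_template("SUEM-IMG-%SERIAL%",
                                           ["1BRFVT2", "PF3ABCD12345"]).items():
        print(serial, "->", problems or "ok")
```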
User Account and Language (Region)
Setting | Supported Options | Description |
---|---|---|
User Account Type | Standard / Administrator | Here you can configure whether the user setting up the device should have administrative access once the enrollment process is complete. |
Language (Region) | | This option lets you define the language to use for the device and is supported beginning with Windows 10 2004. Please be aware that language settings require an Ethernet connection so that the Autopilot profile containing these settings can be downloaded and processed early on. With Wi-Fi connections, the user is required to choose a language, locale, and keyboard. |
Assignments
With assignments you can enter the name of groups to include and exclude groups from the profile. By default, the filter for groups is set to Azure Security groups that are imported and synchronized by the Azure Active Directory / Office 365 Data Provider. Please make sure to select only groups that are from the same tenant as you have selected your service connection for the profile.
Setting | Supported Options | Description |
---|---|---|
Included Groups | | Enter the name of the group or use the search button to select the groups you want to include in this profile. |
Excluded Groups | | Enter the name of the group or use the search button to select the groups you want to exclude from this profile. |
Save Profile
- After Saving the Profile, a new Profile Object will be created in Unified Endpoint Management and you will see it directly in the User Interface
- After approximately one minute, a Compliance Rule will initiate the Windows Autopilot - Create/Update Profile Synchronize Workflow
- During the execution of the Workflow, the Profile will be added via an API Call to Microsoft Graph
Review the Workflow Execution from the Administration application under Services & Processes > Workflow Studio > Workflow Instances.
Modify Windows Autopilot Profiles
Edit Profile
- Navigate to Profiles and select your desired Profile
- Press Edit and note that the Service Connection can't be changed
- Now change the Name from Windows Autopilot Profile to Updated Windows Autopilot Profile
- For testing purposes, change additional settings or options
- Press Save
- After approximately one minute, a Compliance Rule will again initiate the Windows Autopilot - Create/Update Profile Synchronize Workflow
- During the execution of the Workflow, the Profile will be updated via an API Call to Microsoft Graph
Delete Profile
- Navigate again to Profiles and select your desired profile
- Press Delete
- Confirm with Delete
- After confirming the deletion, the profile will instantly be removed from the Profile section
- After approximately one minute, a Compliance Rule will initiate the Windows Autopilot - Delete Profile Synchronize Workflow
- During the execution of the Workflow, the profile will be deleted via an API Call to Microsoft Graph
Additional Information
- Profiles created via Intune or any other available Method will be synchronized to Unified Endpoint Management. To configure the automatic schedule for the synchronization, refer to Extension II: Windows Autopilot
- Profiles that are synchronized to Unified Endpoint Management and deleted via Intune or any other available method will be removed from Unified Endpoint Management with the next synchronization.
- Profiles that are synchronized to Unified Endpoint Management and modified via Intune or any other available method will be updated in Unified Endpoint Management with the next synchronization.
Windows Autopilot Devices
In general, multiple processes are available for adding devices to Windows Autopilot. You can either let your hardware vendor upload your new devices or you can add existing devices manually to Windows Autopilot. Microsoft offers several platforms for registering new devices to Windows Autopilot, and in case you have the hardware Id of the device in a *.csv file, you can upload the file via Unified Endpoint Management. The Devices section shows the overview of all registered Autopilot devices with the option to add and remove your devices manually. Every Windows Autopilot device becomes a Computer Object and becomes part of the Asset Management.
Devices Overview
Column | Example | Enabled by default |
---|---|---|
Serial Number | 1BRFVT2 | Yes |
Manufacturer | Dell Inc. | Yes |
Model | Latitude 5491 | Yes |
Group Tag | Marketing Devices | Yes |
Purchase Order | 76222342342 | Yes |
Last Import | 24/04/2023 16:05 | Yes |
Service Connection | Windows Autopilot Connection for Imagoverum | Yes |
Addressable User Name | | No |
Intune Enrollment State | Enrolled, Not Contacted | No |
Managed Device ID | 5f199d68-5e2e-41ee-bb5b-0c41a1a054dd | No |
Name | SUEM-IMG-CL01 | No |
Principal User | | No |
Product Key | 1BRFVT2 | No |
Resource Name | | No |
SKU Number | 0818 | No |
Add Devices to Windows Autopilot
Microsoft offers several platforms for registering new devices to Windows Autopilot, and in case you have the hardware Id of the device in a *.csv file, you can upload the file via Unified Endpoint Management.
- Navigate to Operating Systems > Autopilot and select Devices
- Press + Add Autopilot Device
- Select first your Service Connection. By default the first entry from the Windows Autopilot Data Provider is selected.
- To select another Service Connection, press the search icon and select your desired Service Connection
- Press Choose a file to load
- Select the *.csv file that contains the hardware ids of your devices
- Press Add Autopilot Device
- After approximately one minute, a Compliance Rule will initiate the Windows Autopilot - Upload Devices Workflow
- During the execution of the Workflow, the devices will be created via an API Call to Microsoft Graph
The device creation process might take up to 15 min after successful execution of the workflow.
- Please note that the device will appear as a Computer Object in the Unified User Experience after the next Sync with Autopilot
- The management type in Unified Endpoint Management will be unknown until the device is enrolled via Silverback or Empirum or both
- The device will also become an active asset in the Asset Management with the Management Type Mobile Device Management
- Please note that it might take some time until the device(s) get the active state and the management type
- Please refer to Additional Notes for adding devices for additional information and Sync with Autopilot to execute a manual sync
Additional Notes for adding devices
- While uploading devices, please note that there is no validation for correctly formatted *.csv files, and the Windows Autopilot - Upload Devices Workflow might show success even if the *.csv file has missing information, is malformed or contains devices that are already registered to another tenant.
- After every Data Provider import of devices, the device name will be reset to the name given in the source. This might toggle the names in the Unified User Experience. If the imported name is empty, the device will be named as n/a.
- After uploading devices, it might take a while until the profile will be assigned to the device by Intune through the group membership
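Since the upload path described above performs no validation of the *.csv file, a local pre-check catches missing serials, unparseable hardware hashes and duplicate rows before the workflow silently accepts them. The following is an added example, not part of this documentation or the product; it assumes the column layout written by Microsoft's Get-WindowsAutopilotInfo script (Device Serial Number, Windows Product ID, Hardware Hash, optionally Group Tag and Assigned User), and the sample file and hash values are constructed. Registration to another tenant cannot be detected offline; only the Graph API response reveals that.

```python
import base64
import binascii
import csv
import io

# Assumed header layout (Get-WindowsAutopilotInfo output); the last two are optional.
REQUIRED = ["Device Serial Number", "Windows Product ID", "Hardware Hash"]
OPTIONAL = ["Group Tag", "Assigned User"]

# Constructed sample: row 2 is fine, row 3 lacks a serial, row 4 repeats the serial
# and carries a non-base64 hash. Real hardware hashes are thousands of characters.
SAMPLE_CSV = """Device Serial Number,Windows Product ID,Hardware Hash,Group Tag
1BRFVT2,,SGFyZHdhcmVIYXNo,Marketing Devices
,,SGFyZHdhcmVIYXNo,Marketing Devices
1BRFVT2,,not*base64*,Marketing Devices
"""


def _valid_base64(value):
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def validate_autopilot_csv(text):
    """Return a list of (row_number, message); an empty list means nothing was found."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if not rows:
        return [(0, "file is empty")]
    header = [h.strip() for h in rows[0]]
    if header[:3] != REQUIRED or any(h not in OPTIONAL for h in header[3:]):
        return [(1, f"unexpected header {header!r}")]
    problems, seen = [], {}
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append((n, f"expected {len(header)} columns, got {len(row)}"))
            continue
        serial, _product_id, hw_hash = (c.strip() for c in row[:3])
        if not serial:
            problems.append((n, "empty serial number"))
        elif serial in seen:
            problems.append((n, f"duplicate serial {serial} (first seen row {seen[serial]})"))
        else:
            seen[serial] = n
        if not hw_hash:
            problems.append((n, "empty hardware hash"))
        elif not _valid_base64(hw_hash):
            problems.append((n, "hardware hash is not valid base64"))
    return problems


if __name__ == "__main__":
    for row, message in validate_autopilot_csv(SAMPLE_CSV):
        print(f"row {row}: {message}")
```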
Remove Devices from Windows Autopilot
In case you want to remove a device from Windows Autopilot, you can utilize the dedicated action Remove from Autopilot that is visible in the device preview.
- Navigate to Operating Systems > Autopilot > Devices
- Select the device you want to remove
- Locate and press the action Remove from Autopilot
- Confirm with Yes when you are sure you want to remove the device(s)
- After confirmation, the Windows Autopilot - Delete Autopilot Device Action Workflow will be initiated immediately
- This action will execute the following:
- Remove the device from Windows Autopilot via API Call. The Computer Object itself remains
- Remove relevant Autopilot Information from the Computer Object to not show it anymore under Autopilot Devices
Additional Notes for removing devices
- Devices that are synchronized to Unified Endpoint Management and deleted via Intune or any other available method will remain untouched in Unified Endpoint Management and Asset Management. You can use the change status action to set any other status than active.
- In case you execute the Remove from Autopilot action for such devices, the device will disappear from the Autopilot devices section, but the Workflow execution will indicate an error as the target device(s) for the deletion are not available in the source system anymore.
- To remove such devices completely, use the dedicated Delete Action
Sync with Autopilot
Manual Sync
From every navigation item under Operating Systems > Autopilot, you can perform a full sync with Windows Autopilot. Locate and press the Sync with Autopilot button to synchronize all profiles, profile assignments, and devices with Microsoft Intune. Technically, it executes the activate action for the Windows Autopilot Data Provider and runs the action for all available configurations (Service Connections). In addition, the action is available under the Endpoint devices.
Configure Automatic Sync
The configuration of the Automatic Sync is covered in the Extension Installation and Configuration. Please refer to Extension II: Windows Autopilot
Additional Notes
- Learn how to easily integrate and distribute Agents to enrolled devices via Windows Autopilot