Matrix42 Self-Service Help Center

Windows 10/11 All about Windows Autopilot

Overview

Windows Autopilot is Microsoft's deployment program that uses a collection of technologies to quickly set up and pre-configure new devices. In general, it is comparable to Apple's Device Enrollment Program, or to Knox Mobile Enrollment and Android Zero Touch for Samsung Knox and Android devices.

Devices or device identifiers are added to a cloud service, and when devices or users start with the out-of-the-box experience, internet-connected devices contact the cloud service and retrieve their configuration. To add devices to the cloud service, you have several options. The first is to contact your hardware vendor, as they may be able to add devices to the Windows Autopilot deployment program for you after purchase. Another option is to add devices manually to Windows Autopilot, which is what we will do as one part of this guide.

In general, Windows Autopilot simplifies the complete lifecycle of the device. Users can easily enroll devices from the out-of-the-box experience without any interaction with the IT department. Your users only need an internet connection and their Azure Active Directory credentials, and they can enroll the device within a few steps. After that, Silverback applies all configurations, transforms the device into an enterprise-ready and secured device, and installs the UEM Agent to deploy software packages on top. Additionally, you can easily deploy the EgoSecure Data Protection agent as an additional security layer.

This guide is intended to provide an overall Autopilot overview, with some different experiences and with several settings that can be added to customize the complete Autopilot setup and reset.

Requirements

To meet the best experience with Windows Autopilot, please review all requirements below:

Software Requirements

The following operating system versions are supported for Windows Autopilot. Ensure that you use Windows Autopilot with one of the following Windows 10 or Windows 11 editions:

  • Windows 10/11 Pro
  • Windows 10/11 Pro Education
  • Windows 10/11 Pro for Workstations
  • Windows 10/11 Enterprise
  • Windows 10/11 Education

It may be that the software requirements have changed since this guide was created. To be on the safe side, please check the current requirements under the following link: Windows Autopilot software requirements

Licensing Requirements

Windows Autopilot depends on specific capabilities in the Windows 10 or Windows 11 clients and on Azure Active Directory, and it naturally requires a Mobile Device Management solution like Silverback; we assume that, by starting with this guide, you already have Silverback and a valid license in place. To meet the licensing requirements from Microsoft, you can obtain these capabilities through several editions and subscription programs. The following overview shows the possible programs:

Please review the current licensing requirements from the following link at the time you start your project: Windows Autopilot licensing requirements. In general, next to a valid Silverback license, you need the automatic MDM enrollment and company branding features from Azure Active Directory. With Azure Active Directory Premium P1 or P2 you might already be ready to go with Windows Autopilot from the minimum requirements point of view. In case you have doubts about the right subscription from Microsoft, please contact your reseller or partner. If you have Intune in your subscription, it provides more features than without, as we will show later in this guide.

A well-known indication that you might not have a sufficient subscription is when you try to add your MDM and MAM application and your view does not look like the screenshot below. If you do not see the MDM user scope, you should get in touch with your reseller or partner.

[Screenshot: Mobility (MDM and MAM) application settings showing the MDM user scope option]

Network Requirements

Windows Autopilot depends on a variety of cloud and internet-based services like the Windows Autopilot Deployment Service, Azure Active Directory, Windows Update and others. Please review the following Windows Autopilot networking requirements to ensure that your network is properly configured and prepared. Please refer to the Unsupported Features section in this guide to ensure that you configure only the service parts that are actually necessary. As an example, Hybrid Domain Join is not supported at this stage, so you don't have to configure this network requirement for now. If you do not have Intune in your subscription, you also don't need to configure the service requirements for Intune, and so on.

Configuration Requirements

For Windows Autopilot, you can split the configuration into several parts according to the services that will be used. Please refer to the official Windows Autopilot configuration requirements before we start comparing what we need:

Requirement and context:

  • Configure Azure Active Directory automatic enrollment: This will be done by adding the MDM and MAM application into your Azure Active Directory. If you review the screenshot above, this is exactly what we need to do, and we have a dedicated article for that. You will find the links for the creation within this guide.
  • Configure Azure Active Directory custom branding: This is an optional topic, and you might have already configured this experience. This part is totally separate from Silverback, and you can configure the general Azure Active Directory login experience for your users. You can refer to Quickstart: Add company branding to your sign-in page in Azure AD for additional information.
  • The first logon user needs Azure Active Directory join permissions: This applies to all deployment scenarios except Windows Autopilot self-deploying mode, as that method works in a userless context. As self-deploying mode is not yet supported in Silverback, you only need to ensure that your first logon users have the Azure Active Directory join permissions. To ensure this, you must configure the Device Settings in your Azure Active Directory. Navigate in your Azure Tenant to Azure Active Directory, click Devices and then Device settings. Here you will find the Users may join devices to Azure AD option, where you can add memberships. Additionally, you can configure administrative accounts for enrolled devices and limit the maximum number of devices per user.
  • Optional: To automatically step up from Windows Pro to Windows Enterprise, enable Windows Subscription Activation. This part is separate from Silverback, and you might need to contact your reseller, partner or Microsoft to review this functionality.
  • Devices must be added to Windows Autopilot to support most Windows Autopilot scenarios: This is what we will do later in this guide, and there are two ways to manually upload the collected hardware hash. Depending on your subscription, you are required to upload the hashes to the Windows Autopilot cloud services either via Intune, our Unified User Experience, or the Microsoft Store for Business; all of these scenarios are covered in this guide. To automate the process of generating and uploading the hardware hashes in the device purchasing process, please get in touch with your hardware vendor. For existing devices that are currently not added to Windows Autopilot, you might be able to collect this information with your current client lifecycle management system or by automatically executing the PowerShell scripts with a target location for storing the *.csv files. We are planning to provide this feature set with Empirum as soon as possible.
  • Profile configuration: We will do this together as well, and it can be executed either in Intune, our Unified User Experience, or in the Microsoft Store for Business, with some limitations for the Store for Business.

The Windows Store for Business has already been discontinued by Microsoft in the meantime, but the discontinuation has been postponed and it may be that by the time you read this article, the Windows Store for Business has finally been discontinued. We will keep the parts for the Store for Business that are in this article until further notice.

Unsupported Features

As of today, not all capabilities that Microsoft can offer in the combination with Office365, Azure Active Directory and Windows 10 or Windows 11 enrollment methods are available to third party vendors. By reading the previously mentioned requirements, you might have faced one of the following terms that are currently not available with Silverback when using Windows Autopilot:

  • Hybrid Domain Join
  • Enrollment Status Page
  • Autopilot self-Deploying mode and Autopilot pre-provisioning
  • Change Primary Users

We are continuously working on extending our feature set in the area of Mobile Device Management for Windows 10 and Windows 11, and we want to provide everything that is possible to you as a customer.

Configure MDM and MAM Application

The first requirement for using Windows Autopilot with Silverback is to create a specific Mobility (MDM and MAM) application in your Azure Tenant. For Cloud Customers, the process starts one step earlier, as they are first required to validate their Silverback SaaS URL as a verified or trusted domain in their Azure Tenant. The Mobility (MDM and MAM) application defines, for example, which users are allowed to enroll via Autopilot or Azure Active Directory Join, and to which Silverback instance the devices should be enrolled.

Please perform the following guides to create and configure your MDM and MAM Application in Azure and save the application details in Silverback:

Upload Devices

As mentioned in the Configuration Requirements section, there are multiple processes available for adding devices to Windows Autopilot. You can either let your hardware vendor upload your new devices, or you can add existing devices manually to Windows Autopilot. Microsoft offers several platforms for registering new devices with Windows Autopilot. As shown in the platform overview, there are several options like Intune, the Store for Business or the Microsoft 365 admin center; as an example, the Windows Store for Business is already deprecated. In this guide, we will focus on Intune and also on the Windows Store for Business, even though the Store will be retired at the beginning of 2023. The experience between the Store for Business and the Microsoft 365 admin center is quite similar anyway.

As we want to start quickly with adding a device to Windows Autopilot, we will manually add a device to the Autopilot services within this guide. Independent of your portal, the major task is to upload the hardware hash and link the target device with the Autopilot service, so we need to obtain the hardware hash by executing a PowerShell script. Within the next chapter, we will collect the Hardware ID (also known as hardware hash) from an already used device and upload it either via Intune or via the Store for Business. If you want to collect and upload the Hardware ID from a device during the OOBE (with Intune in place), please review the video below. Otherwise, please proceed with Get Hardware ID.

Use Shift+F10 to start the Command Prompt

Get Hardware ID 
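As an added example (not Matrix42's script and not Microsoft's Get-WindowsAutoPilotInfo), the following PowerShell collects the hardware hash of the local device and writes the CSV in the column layout expected by the Intune and Store for Business import steps below. It assumes an elevated session (or the OOBE command prompt opened with Shift+F10) and an assumed output path of C:\HWID\AutoPilotHWID.csv.

```powershell
# Added example: collect the Autopilot hardware hash of the local device and
# append it to a CSV that Intune / the Store for Business can import.
# Run elevated; the output path below is an assumption, change it as needed.
param(
    [string]$OutputFile = "C:\HWID\AutoPilotHWID.csv"
)

# The hardware hash is exposed by the MDM bridge WMI provider through the
# DevDetail CSP: class MDM_DevDetail_Ext01, property DeviceHardwareData.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"

if (-not $devDetail -or [string]::IsNullOrWhiteSpace($devDetail.DeviceHardwareData)) {
    throw "Hardware hash not available. Run this in an elevated PowerShell on Windows 10/11."
}

$hash   = $devDetail.DeviceHardwareData
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# Sanity checks before writing: the hash is a base64 blob and the serial must
# not be empty, otherwise the portal import fails or registers a wrong device.
try {
    [void][Convert]::FromBase64String($hash)
} catch {
    throw "DeviceHardwareData is not valid base64; refusing to write a broken row."
}
if ([string]::IsNullOrWhiteSpace($serial)) {
    throw "BIOS serial number is empty; the Autopilot import requires it."
}

# Column order is fixed by the import. The Windows Product ID column is
# optional and left empty here.
$header = 'Device Serial Number,Windows Product ID,Hardware Hash'
$line   = '{0},{1},{2}' -f $serial.Trim(), '', $hash

$dir = Split-Path -Parent $OutputFile
if ($dir -and -not (Test-Path $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}

# Write the header only once so several devices can be collected into a single
# file (for example from a USB stick during OOBE) and uploaded together.
if (-not (Test-Path $OutputFile)) {
    Set-Content -Path $OutputFile -Value $header -Encoding ASCII
}
Add-Content -Path $OutputFile -Value $line -Encoding ASCII

Write-Host "Hardware hash for serial '$serial' appended to $OutputFile"
```

Before uploading, open the file once and confirm it has exactly the three columns and one row per device; a stray extra column or a quoted, wrapped hash is the usual cause of a rejected import.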

Upload in Intune

  • Login to https://endpoint.microsoft.com/
  • Navigate to Devices and select Enroll devices
  • In the Windows enrollment section, select Devices
  • Click Import and select the *.csv file and press upload

Upload via Unified Endpoint Management

Upload in Windows Store for Business

As we have now successfully retrieved the Hardware ID and uploaded it to Windows Autopilot, we give the cloud service some time to sync. Meanwhile, we will proceed with customizing the experience for users during the Autopilot setup. By customizing the Terms of Use that are presented to users during the enrollment through the out-of-the-box experience, you ensure a streamlined and company-branded process for your users. But first, we want to give you an additional note about device icons in Azure Active Directory.

Review Devices in Azure Active Directory

You can navigate after uploading devices to Windows Autopilot to your Azure Active Directory > Devices > All Devices. Autopilot devices will be displayed with a different icon. When you hover over the icon, you will see the Autopilot Device information. Please note that recently uploaded devices may be indicated by their serial numbers. The device name might change after the device was enrolled the first time to Azure Active Directory, e.g., via Autopilot.

Customize Terms of Use

When you have added your MDM and MAM application into your Azure Active Directory, you might remember the MDM terms of use URL. This URL contains the Terms of Use that your users will see when they are in the OOBE after entering their credentials. After entering the credentials, they are required to accept a shown Terms of Use page which is by default filled with a Matrix42 branded experience. Starting with Silverback 22.0, you can customize the Terms of Use. You can replace the default Title, the default description and the Matrix42 logo to your customized ones as shown in the following screenshot: 

Configuration

  • Login as Administrator to your Silverback Management Console
  • Navigate to the Admin tab
  • Select Azure Active Directory
  • Navigate to Terms & Conditions
  • Customize your Terms & Conditions and press Save

[Screenshot: Terms & Conditions customization under Admin > Azure Active Directory in the Silverback Management Console]

User Experience

After customizing your Terms of Use, you can press the Preview for dark theme or the Preview for light theme.  A new browser tab will open and will demonstrate the look & feel for your users during the enrollment process. As of today, the white theme will be shown for Azure Active Directory Joins, when the device will be joined after the out-of-the-box experience and the dark theme during enrollments through the out-of-the-box-experience. Themes are currently not related to Windows 10 or Windows 11, but this might change in the future.

[Screenshots, standard vs. customized, for each theme / experience: Dark Theme for Windows 10 OOBE; Dark Theme for Windows 11 OOBE; Customized White Theme for Windows 10 and Windows 11 Azure Active Directory join]

After customizing your Terms of Use and reviewing the User Experience, you might want to try your Autopilot enrollment, but first we need to configure additional settings that apply during the out-of-the-box experience. These options are quite similar to the Device Enrollment Program for Apple devices, and you might already be familiar with the profile creation for Apple devices.

Profile Creation for Setup Wizard

As highlighted in the previous chapter, we are now going to configure the out-of-the-box experience for users during the Autopilot setup. For this, we need to create a profile with several OOBE settings and assign this profile to your uploaded devices. We still have the option to perform the profile creation in Intune, in our Unified User Experience, or in the Store for Business, but please be aware that the Intune Portal offers more options than the Store for Business and probably than the previously mentioned Microsoft 365 Admin Center. Within the Unified Experience, the values for deployment options are set by default according to the features supported by Silverback.

If you have access to Intune and the Store for Business, you might recognize several particularities: 

  • Profile creation in Intune offers more options than in Windows Store for Business
  • Created profiles in Intune will be shown in Microsoft Store for Business
  • Created profiles in Windows Store for Business will not be shown in Intune
  • Profile creation in Intune and assignment through the Store for Business is possible
  • If you create a profile in the Windows Store for Business, some default settings will be applied to the profile, that are only configurable in Intune. 

Before starting with the Profile creation, you can review the effect of several options in the End User Experience Screens section.

Profile Creation with Intune

  • Login to https://endpoint.microsoft.com/
  • Navigate to Devices and select Enroll devices
  • In the Windows enrollment section, select Deployment Profiles
  • Select Create Profile and select Windows PC
  • Enter as Name, e.g. Autopilot Standard Profile
  • Press Next
  • Configure the following options (setting, supported options, description):
    • Deployment Method (User-driven): User-driven must be set as the deployment method, as this means that user credentials are required to enroll the device.
    • Join to Azure AD as (Azure AD Joined): Specify how devices join Active Directory (AD) in your organization. As the Hybrid Azure AD joined feature is not supported for 3rd party vendors, ensure to select Azure AD Joined.
    • Microsoft Software License Terms (Show / Hide): Beginning with Windows 10 Version 1709, you can decide to skip the EULA page presented during the OOBE process. Please refer to Windows Autopilot EULA dismissal below for important information to consider about hiding the Microsoft Software License Terms.
    • Privacy Settings (Show / Hide): This optional setting configures whether to ask about privacy settings during the out-of-the-box experience.
    • Hide change account options (Show / Hide): When users are at the Welcome Screen where they should enter their credentials, a button is shown or hidden that lets the user proceed with the change account option.
    • User Account Type (Administrator / Standard): Here you can configure whether the user setting up the device should have administrative access once the enrollment process is complete.
    • Allow pre-provisioned deployment (No): As this feature is not supported for 3rd party vendors, you are required to set this setting to No. Here you could otherwise enable the feature previously named White Glove, when you meet the physical requirements and beginning with Windows 10 1903.
    • Language (Region) (User Select / Define Language): This option lets you define the language to use for the device and is supported beginning with Windows 10 2004. Please be aware that language settings require an Ethernet connection so that the Autopilot profile containing these settings can be downloaded and processed early on. With Wi-Fi connections, the user is required to choose a language, locale, and keyboard.
    • Automatically configure keyboard (No / Yes): If a language is selected, you can enable this option to skip the keyboard selection page. Like the Language (Region) setting, this option requires an Ethernet connection, too.
    • Apply device name template (No / Yes): With Windows 10 Version 1809 or later, you can configure a template to name a device during enrollments. The names must be 15 characters or less, and can contain letters, numbers, and hyphens. You can use the %SERIAL% macro to add, e.g., the serial number, or the %RAND:x% macro to add a random string of digits. E.g., the following template adds a two-digit number at the end:
SUEM-SSZ-CL0%RAND:2%

Profile Creation with Unified Endpoint Management

With Unified Endpoint Management, you can create, modify, and delete Windows Autopilot Profiles. Please note that the creation and assignment of Autopilot profiles in Intune and Windows Store for Business is performed in two separate operations. With Unified Endpoint Management, the assignment is already done directly during the profile creation, so feel free to familiarize yourself with the next chapter Profile Assignments already at this point.

Profile Creation with Windows Store for Business 

  • Login to https://businessstore.microsoft.com/
  • Select Manage and navigate to Devices
  • Click AutoPilot deployment
  • Click Create new profile
  • Configure your Profile
    • Enter as name e.g. AutoPilot
    • Enable Skip privacy settings (optional)
    • Enable Disable local admin creation on the device (optional)
    • Enable Skip End user License Agreement (EULA) (optional)
  • Click Create
Setting, options and description:

  • Skip End User License Agreement (EULA) (On / Off): Beginning with Windows 10 Version 1709, you can decide to skip the EULA page presented during the OOBE process. Please refer to Windows Autopilot EULA dismissal below for important information to consider about hiding the Microsoft Software License Terms.
  • Skip Privacy settings (On / Off): This optional setting configures whether to ask about privacy settings during the out-of-the-box experience.
  • Disable local admin account creation on the device (On / Off): Here you can configure whether the user setting up the device should have administrator access once the enrollment process is complete.

When you create a profile with the Windows Store for Business and compare the available options with Intune, you will notice that you have fewer options in the Windows Store for Business than in Intune. So, when you create a profile in Windows Store for Business, the following additional settings will be applied by default with the following values:

Option and default setting:

  • Deployment Method: User-driven
  • Join to Azure AD: Azure AD Joined
  • Hide change account options: Show
  • Allow pre-provisioned deployment: No
  • Language (Region): User Select
  • Automatically configure keyboard: No
  • Apply device name template: No

End User Experience Screens

With the profile creation, you decide how the user experience will look after powering on the device for the first time. To give you an overview of the effects of the settings, this section shows the screens that users might or might not see.

[Screenshots per OS (Windows 10, Windows 11) for the following screens: Microsoft Software License Terms; Hide change account options; Automatically Configure Keyboard (language and keyboard pages); and, for Windows 10/11, Administrator Account vs. Standard Account]

Profile Assignments

The next step before we can try enrollments is assigning profiles. Again, there are some differences in the options provided within Intune, our Unified User Experience, and the Windows Store for Business. As Intune allows you to assign profiles to device groups, you can configure a dynamic or static device group in Azure Active Directory containing Autopilot devices and assign the profiles to these device groups. Since the Windows Autopilot integration in our Unified User Experience uses API calls to Microsoft Graph or Intune, assigning profiles to groups is the way to go there as well. For this purpose, we have built a quick option into Unified Endpoint Management that can be used to create the dynamic group(s) very easily. With the Windows Store for Business, on the other hand, you can assign profiles to groups or directly to devices. When uploading devices via the Windows Store for Business, you can select which group the device belongs to, and when you add the device to a group, a profile can be assigned to the group. You can review the YouTube video Using AutoPilot in Microsoft Store for Business upfront to get familiar with the things explained in the following sections about assigning profiles with Windows Store for Business.

Create a dynamic group in Intune 

As Intune only provides the assign feature via Groups, you can decide if you want to create a dynamic membership or a static membership group for assigning profiles. To create a dynamic membership, you can complete the following steps:

  • Login to your Azure Portal and select Azure Active Directory
  • Select Groups and click New group
  • Enter a Group Name, e.g. Autopilot Dynamic Membership
  • Enter a Group description
  • Select as Membership Type Dynamic Device
  • Click Add dynamic query
  • Under Rule Syntax, click Edit
  • Add the following rule:
(device.devicePhysicalIDs -any _ -contains "[ZTDId]")

Create a dynamic group with Unified Endpoint Management

As mentioned already in the chapter introduction, the Windows Autopilot integration in our Unified User Experience uses API calls to Microsoft Graph or Intune, which means that the mechanism of assigning profiles to groups is also the way to go. For this purpose, we have built in a quick option in the Unified Endpoint Management that can be used to create the dynamic group(s) very easily: 

Create a static group in Intune

Next to dynamic groups, you can create a static group in Azure Active Directory and assign the profile to this static group. To create a static group, perform the following and add afterwards each device that should receive the profile for this group: 

  • Login to your Azure Tenant and select Azure Active Directory
  • Select Groups and click New group
  • Enter a Group Name, e.g. Autopilot Profile 1
  • Enter a Group description
  • Select as Membership Type assigned
  • Click Members
  • Search for your device(s) and select the target device(s)
  • Press Select
  • Press Create
  • Wait a couple of moments and press refresh to review your created group
  • Proceed with Assign Profile to Group in Intune

Assign Profile to Group in Intune 

  • Start at the Windows Autopilot deployment profiles overview
  • Select your Profile
  • Click Properties
  • Under Assignments, click edit
  • Press Add under Included Groups
  • Select your previously created group and confirm with Select
  • Press Review + save
  • Confirm with Save
  • After some time, new devices should appear under the Assigned devices section

[Screenshot: Assigned devices section of the Windows Autopilot deployment profile in Intune]

Assign Profile to Group with Unified Endpoint Management

If you create a Windows Autopilot profile via the Unified User Experience or via Unified Endpoint Management, the part of assigning the profile to groups is already integrated in the simplified profile creation wizard. 

Manually Assign a profile to a device with Store for Business

  • Login to https://businessstore.microsoft.com/
  • Select Manage and navigate to Devices
  • Ensure you are in the All devices Tab
  • Select the desired devices and press AutoPilot deployment
  • Select your desired target profile 
  • Wait for the We updated the profile on your device(s) notification

[Screenshot: AutoPilot deployment profile assignment for selected devices in the Store for Business]

Assign a profile to a group with Store for Business

  • Switch in the Windows Store for Business to the Groups Tab
  • Select your target group(s)
  • Press AutoPilot deployment
  • Select your desired target profile 
  • Wait for the We updated the profile on your device(s) notification

[Screenshot: AutoPilot deployment profile assignment for a group in the Store for Business]

Enrollment

After you have configured everything that is needed for Windows Autopilot, you can factory wipe a device or start your Autopilot devices for the first time and enjoy the Windows Autopilot experience with Matrix42 Silverback. The following video shows the enrollment experience for Windows 11 with a basic Autopilot profile in combination with Matrix42 Unified Endpoint Management Version 21.0 Update 2.


Additional Features

The following sections describe some useful settings and options that enrich and modify the Autopilot experience with Silverback.

Autopilot Reset

The Autopilot Reset functionality supports two scenarios in general. One scenario is the Local reset, which can be started, for example, by an IT administrator who has physical access to the device and administrative permissions on the device. A Remote reset can be executed from Silverback by any administrator.

Remote Reset

Remote Autopilot reset is an action introduced with Silverback 22.0. The Autopilot Reset works like a PC Reset, similar to the other Wipe operations that Silverback supports for Windows 10 and Windows 11 devices, except that the Autopilot reset keeps the device enrolled in Azure Active Directory and in Silverback. In addition, the Autopilot reset performs the following actions:

  • Removes personal files, apps, and settings.
  • Reapplies a device's original settings.
  • Sets the region, language, and keyboard to the original values.

The Windows Autopilot Reset process automatically keeps information from the existing device:

  • Wi-Fi connection details.
  • Provisioning packages previously applied to the device.
  • A provisioning package present on a USB drive when the reset process is started.
  • Azure Active Directory device membership and Silverback enrollment information.

When a Remote Reset is executed, the current user receives a short notification that the Autopilot Reset is scheduled in 45 minutes. 10 minutes before the Autopilot reset is initiated, users receive the final notification.

[Screenshots: First Notification and Final Notification shown to the user before the Autopilot Reset]

During the execution of the Autopilot reset, you can review the status of the operation in the device overview. Overall, the following status values are available:

  • Complete
  • Reset has been scheduled
  • Reset is scheduled and waiting for a reboot

If errors appear during the Autopilot reset, a second line of information will be shown with an Error info: 

  • Failed during CSP Execute
  • Failed: power requirements not met.
  • Failed: reset internals failed during reset attempt.

The Remote Autopilot reset can be helpful in break-and-fix scenarios, as the device remains under management and will reinstall distributed applications after the current or next user signs in to a fresh setup of Windows 10 or Windows 11. Please be aware that when an Autopilot reset is executed on a device, the primary user of the device will be removed, and the next user who signs in will be set as the primary user in Azure Active Directory. As per the current design, Silverback keeps the device enrolled with the initial owner of the device who performed the enrollment. Due to the vendor design of the Autopilot Reset feature, the Terms & Conditions must not be accepted again by the next user who logs in.

[Screenshots: Successful Autopilot Reset status and the User Login Screen after the reset]

In our test labs we experienced that for Windows 11 21H2 the "You're about to sign up" notification does not appear, and after the Autopilot reset the next user is presented with the password prompt for defaultuser0. By pressing Other Users, the next user is able to sign in, and defaultuser0 is signed out. This behavior might change in future Windows 11 releases.

Local Reset

If you want to execute a local Autopilot reset, you need to enable the option first, as it is disabled by default. To do so, ensure that the Local Windows Autopilot Reset option (formerly known as Disable the Visibility of the Credentials for Autopilot Reset) in the Credential Providers group of the Restriction profile is set to enabled and applied. It configures the Credential Provider CSP and allows the Autopilot reset option to be displayed on the lock screen.

[Screenshot: Local Windows Autopilot Reset option in the Credential Providers group of the Restriction profile]

After applying the restriction, perform the following:

  • Lock the device screen
  • Perform the key stroke shown in the following screenshot:
  • [Screenshot: key stroke for the local Autopilot reset on the lock screen]

You should now see a login screen with "Sign-in to proceed with Windows Autopilot reset". Sign in with admin account credentials and the local Autopilot reset is triggered. If you have a provisioning package prepared, ensure the USB drive is plugged in before triggering the local Autopilot Reset. As this local reset option does not inform Silverback about the Reset operation, Profiles and Applications won't be automatically reapplied on the device after the Reset process is finished. To reapply the profiles and apps, you need to edit, remove or assign a Tag to the device. After the next synchronization process, Silverback will install all profiles and apps again on the device.

In our test labs we regularly faced the information that Autopilot Reset ran into trouble when performing the key stroke at the lock screen. Anyway, after logging in with administrative credentials, the Autopilot Reset was executed successfully. For further information, please refer to the official Troubleshooting information about Windows Autopilot Reset here: Troubleshooting


Require Network In OOBE

The Require Network in OOBE option is available with Silverback 22.0 as a new restriction and is a typical deployment program option. It helps to actively force a user to perform a device enrollment. As an example, for the Device Enrollment Program the comparable option is the Force Enrollment setting, which most likely achieves the same result in a different way. During the out-of-the-box experience of Windows 10 and Windows 11 devices, users might circumvent the Autopilot enrollment by simply providing no internet connection. In this case, Windows 10 and Windows 11 devices have the I don't have internet option available by default, and if the user presses this button, they are able to create a local account on the machine and use the device without being managed. The background here is that devices, regardless of the deployment program they belong to, require a network connection to receive a profile from the cloud service, and it is as simple as that: no internet connection means no cloud service.

To prevent this situation, you can configure with Silverback the new Require Network in OOBE restriction, which correlates to a UEFI variable that is set to require a network connection and a change in Windows 10 1809 that checks this variable. As compared in the following screenshots, the I don't have internet option will be shown or hidden during the out-of-the-box experience, but you need to be aware that the device must have been enrolled to Silverback at least once to apply this restriction. So, at the first out-of-the-box experience of the device, this option will be available. After the Autopilot setup, you can apply this restriction, and during the next OOBE this option will be hidden and kept hidden for all subsequent OOBE scenarios. That is how the TenantLockdown CSP is designed, and this feature is mostly intended for users who accidentally reset their device.

First OOBE with the I don't have internet option. After applying the restriction and a factory wipe, the option will be hidden. (screenshots)

Please note that users might have a second option to perform a local account creation and circumvent the Autopilot enrollment. If you have read the complete article, you might remember the Hide change account options setting in the Autopilot profile. If the Autopilot profile is set to show the account options, users could press the Account options button on the sign-in page and create a local account on the device, so to fully avoid local account creation on devices, you must set this option to hide.

Enable Agility Post Enrollment

Autopilot agility is a recently introduced feature that allows updates and bug fixes to the OOBE experience. Microsoft started rolling out this feature to Windows 10 1909 and 2004/20H2 with the August 2021 cumulative update, and it is not yet available for Windows 11. From the documentation's point of view, there are currently conflicting statements as to whether the updates occur before or after the device enrollment, and they may result in an additional reboot and authentication prompt for the user. In our test lab we were able to set the Enable Agility Post Enrollment restriction to yes and the configuration was applied on the device.

Windows Autopilot configuration displays the applied restriction (screenshot)
In the MDM Diagnostic Report the Enable Agility Post Enrollment is set to 1 (screenshot)

Assign a user to a device

You might have heard about a feature that makes the experience for users even more powerful by predefining the username at the sign-in page for Windows Autopilot devices. The assign a user to a device during Windows setup feature was introduced by Microsoft in 2018 and has been deprecated in the meantime. Please refer to the following Updates to the Windows Autopilot sign-in and deployment experience article by the Intune support team for the background of the deprecation.

Additional Notes

  • You can use this article to Troubleshoot Azure Active Directory join issues 
  • Use this article to Troubleshoot Autopilot OOBE issues via Event Viewer or Registry
  • You can utilize the dsregcmd /status command in a Command Prompt or Windows Terminal to understand the state of devices in Azure Active Directory (Azure AD). The cmd utility must be run as a domain user account
  • If you receive a Something went wrong message, you can try again or try to find the correlated error message. There are plenty of articles about OOBE issues, such as the following with an example OOBEAADV10 error message
  • In most of our cases, after receiving a Something went wrong message, either a device reboot or a second attempt brought success. In case you are using Virtual Machines with snapshots, some issues might appear, so ensure to restart your machines after resetting and having an issue during the OOBE.
  • Be careful when predefining languages with the Autopilot Profile. It might be that the OOBE will fail with an indication that the language is wrong
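As an added example (not part of this article or the Silverback product), the following PowerShell snippet parses the "Key : Value" rows that dsregcmd /status prints and summarises the Azure AD join and MDM enrollment state; the sample output and the tenant/MDM values are constructed, and the field names used are the ones dsregcmd reports in its Device State and Tenant Details sections.

```powershell
# Added example: turn "dsregcmd /status" output into a state summary.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value" rows; section headers, rulers and
        # multi-word labels (e.g. "Device Name") are skipped by this pattern.
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-AutopilotDeviceState {
    param([Parameter(Mandatory)][hashtable]$State)
    [pscustomobject]@{
        AzureAdJoined = ($State['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($State['DomainJoined']  -eq 'YES')
        # An empty MdmUrl means the device is Azure AD joined but not MDM enrolled,
        # which is the state you see when an OOBE enrollment did not complete.
        MdmEnrolled   = -not [string]::IsNullOrWhiteSpace($State['MdmUrl'])
        TenantName    = $State['TenantName']
    }
}

# Constructed, abridged sample; on a real device use: $lines = dsregcmd /status
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : AUTOPILOT-TEST01

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Example Tenant
                    MdmUrl : https://mdm.example.invalid/MDM/Manage
'@ -split "`r?`n"

$parsed = ConvertFrom-DsregStatus -Lines $sample
Get-AutopilotDeviceState -State $parsed | Format-List
```

On a device where an Autopilot enrollment failed, compare AzureAdJoined and MdmEnrolled in this summary with the expected state before retrying the OOBE.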