Microsoft has added a new way of preparing Windows devices for modern management via Intune. The new name is "Windows Autopilot device preparation".
Microsoft article: https://learn.microsoft.com/en-us/autopilot/device-preparation/overview
What happens during the deployment:
During the out-of-box experience (OOBE), a user authenticates with their corporate credentials. If there’s a Windows Autopilot device preparation policy assigned to the user signing in, then that policy is delivered to the device. It then determines the configuration that needs to be applied to the device based on the settings configured in the policy. After that, device setup continues in the following order:
- The device joins Microsoft Entra ID and enrolls in Intune.
- The Intune management extension installs.
- When the device is joined to Microsoft Entra ID during the first step, the user is automatically added to the local Administrators group on the device. If the user account is configured as a standard user, the setting is enforced by removing the user out of the Administrators group.
- The deployment syncs with the mobile device management (MDM) service such as Intune and checks if line-of-business (LOB) and Microsoft 365 applications are selected in the Windows Autopilot device preparation policy. It also syncs all MDM policy at this time, but application of the policy isn’t tracked during the deployment.
- If there are LOB and Microsoft 365 applications selected in the policy, then they’re installed. If a LOB or Microsoft 365 application fails to install, then the deployment fails at this point.
- The deployment checks if PowerShell scripts are selected in the Windows Autopilot device preparation policy. If there are PowerShell scripts selected in the policy, then they run. If a PowerShell script fails, then the deployment fails at this point.
- The deployment checks if Win32 and Microsoft Store applications are selected in the Windows Autopilot device preparation policy. If there are Win32 and Microsoft Store applications selected in the policy, then they’re installed. If a Win32 or Microsoft Store application fails to install, then the deployment fails at this point.
- If all steps succeed, the Required setup complete page is displayed for the user.
- Once the Required setup complete page is dismissed, the user is automatically signed in and the desktop is displayed.
- At this point, another sync is triggered and all other configuration is delivered to the device. Additional configuration might include:
  - Applications and PowerShell scripts that were assigned to the device group specified in the Windows Autopilot device preparation policy but weren't explicitly selected in the policy.
  - Any additional MDM policy.
  - User-based configuration.
Prerequisites:
Windows 11 Requirements:
Windows 11, version 22H2 with KB5035942 or later.
Windows 11, version 23H2 with KB5035942 or later.
The device must not be registered or added as a Windows Autopilot device. If it is, the Windows Autopilot profile takes precedence over the Windows Autopilot device preparation policy, so remove the registration first.
Make sure that you don't block enrollment of personally owned Windows devices. If you do, enrollment fails with an error before it starts.
If you are using corporate device identifiers, it is fine to block personal devices, because a device whose identifier is on the list is treated as corporate.
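Because an existing Autopilot registration silently wins over the device preparation policy, it is worth checking the serial number before you wipe a machine. The script below is an added example (not from the original post) that queries the Autopilot device identities with the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph.DeviceManagement.Enrollment module is installed and that the signed-in admin can read the Autopilot service configuration. The OData filter form is the one the Graph API documents for this resource.

```powershell
# Added example (not part of the original post): is this serial already registered as a
# Windows Autopilot device? If yes, the device preparation policy will not be used.
# Assumes Microsoft.Graph.DeviceManagement.Enrollment is installed.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

function Test-AutopilotRegistration {
    param([Parameter(Mandatory)][string]$SerialNumber)

    # contains() is the filter form the Autopilot device identity API accepts;
    # the exact-match comparison below guards against partial matches.
    $devices = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity `
        -Filter "contains(serialNumber,'$SerialNumber')" -All

    foreach ($d in $devices) {
        if ($d.SerialNumber -eq $SerialNumber) {
            return [pscustomobject]@{
                SerialNumber = $d.SerialNumber
                Registered   = $true
                Id           = $d.Id
                Model        = $d.Model
            }
        }
    }
    return [pscustomobject]@{ SerialNumber = $SerialNumber; Registered = $false; Id = $null; Model = $null }
}

# Serial of the machine the script runs on; pass another serial from your hardware list instead if needed.
$serial = ([string](Get-CimInstance Win32_BIOS).SerialNumber).Trim()
$result = Test-AutopilotRegistration -SerialNumber $serial

if ($result.Registered) {
    Write-Warning "$serial is registered as Autopilot device $($result.Id) ($($result.Model)). Delete it under Devices -> Windows -> Windows Autopilot devices before using device preparation."
} else {
    Write-Host "$serial is not registered as an Autopilot device; the device preparation policy will apply."
}
```

Run this from an admin workstation; the `$serial` line is only a convenience for testing on the box itself.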
Set up Windows automatic Intune enrollment
(These settings might already be in place if you have used Autopilot before.)
1. Sign in to the Azure portal.
2. Open Microsoft Entra ID.
3. Click Overview -> Manage -> Mobility (MDM and WIP).
4. Click Microsoft Intune.
5. Set the MDM user scope to Some or All -> Click Save.
Allow users to join devices to Microsoft Entra ID
(These settings might already be in place if you have used Autopilot before.)
1. Sign in to the Azure portal.
2. Open Microsoft Entra ID.
3. Click Overview -> Manage -> Devices.
4. Open Device settings.
5. Set "Users may join devices to Microsoft Entra ID" to Some or All -> Click Save.
Create a device group
1. Sign in to the Microsoft Intune admin center.
2. Click Groups -> New Group.
3. Group type: Security. Enter a name. Click No owners selected.
4. Add Intune Provisioning Client as the owner. It is a service principal, not a user; if it doesn't exist in your tenant, create it as described in the section below.
5. Click Create.
*Adding the Intune Provisioning Client service principal
(The AzureAD module used here is deprecated in favour of Microsoft Graph PowerShell, but these steps are what the post used.)
1. Open PowerShell as administrator and run Install-Module AzureAD.
2. Run Connect-AzureAD.
3. Enter your email (the account has to be a Microsoft Entra ID administrator with permission to add service principals).
4. Enter your password.
5. Run New-AzureADServicePrincipal -AppId f1346770-5b25-470b-88bd-d5744ab7952c
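The same two steps (service principal and device group with that service principal as owner) done with the Microsoft Graph PowerShell SDK, which is what replaces the AzureAD module. This is an added example, not code from the post; it assumes the Microsoft.Graph.Applications and Microsoft.Graph.Groups modules are installed and uses the group name from the post's example. It is safe to re-run: nothing is created twice.

```powershell
# Added example (not part of the original post): create the Intune Provisioning Client
# service principal if it is missing, then create the device group and make that
# service principal its owner. Assumes Microsoft.Graph.Applications and
# Microsoft.Graph.Groups are installed.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Group.ReadWrite.All' -NoWelcome

# First-party Intune Provisioning Client (same AppId as in the post).
$appId = 'f1346770-5b25-470b-88bd-d5744ab7952c'

$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) {
    $sp = New-MgServicePrincipal -AppId $appId
    Write-Host "Created service principal '$($sp.DisplayName)' ($($sp.Id))"
} else {
    Write-Host "Service principal already present: '$($sp.DisplayName)' ($($sp.Id))"
}

# Device group: an assigned security group (not dynamic, not mail-enabled). The provisioning
# client adds devices to it during deployment, which is why it has to be the owner.
$groupName = 'Windows Autopilot device preparation device'   # name taken from the post's example
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailEnabled:$false `
        -MailNickname ('wadp-' + (Get-Random)) -SecurityEnabled
    Write-Host "Created group '$groupName' ($($group.Id))"
}

$owners = Get-MgGroupOwner -GroupId $group.Id -All
if ($owners.Id -notcontains $sp.Id) {
    New-MgGroupOwnerByRef -GroupId $group.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)"
    }
    Write-Host "Added Intune Provisioning Client as owner"
}

# Verify: the owner listed here must be the Intune Provisioning Client.
Get-MgGroupOwner -GroupId $group.Id |
    Select-Object Id, @{ n = 'DisplayName'; e = { $_.AdditionalProperties['displayName'] } }
```

If the final listing shows a user account instead of the service principal, the device preparation policy will refuse the group when you select it.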
Create a user group
1. Click Groups -> New Group.
2. Group type: Security. Enter a name. Click Create.
Assign applications and PowerShell scripts to device group
During the out-of-box experience (OOBE), before the end user signs in for the first time, Windows Autopilot device preparation can deploy up to:
- 10 managed applications
- 10 PowerShell scripts
Add an application:
1. Click Apps -> Windows.
2. Select the app that you want to install.
3. Click Properties -> Edit Assignments.
4. Under Required, click Add group.
5. Choose the device group that you created earlier in the blog post. In my example it is: Windows Autopilot device preparation device.
6. Click Review + save.
7. Click Save.
Do this for every application that you want to install during the enrollment.
Add a PowerShell script:
1. Click Devices -> Scripts and remediations.
2. Click Platform scripts and select the script.
3. Click Properties.
4. Click Add groups.
5. Choose the device group that you created earlier in the blog post. In my example it is: Windows Autopilot device preparation device.
6. Click Review + save.
7. Click Save.
Do this for every script that you want to run during the enrollment.
Create Windows Autopilot device preparation policy
1. Sign in to the Microsoft Intune admin center.
2. Click Devices -> Windows.
3. Open Enrollment -> Device preparation policies.
4. Click Create.
5. Click Next.
6. Enter a Name -> Click Next.
7. Search for the device group that you created earlier in the post (the one owned by the Intune Provisioning Client). Click Next.
8. Add the settings that you want, and select the applications and scripts to run during OOBE -> Click Next.
9. Click Next.
10. Search for the user group that you created earlier in the post. Click Next.
11. Click Save.
Windows corporate identifier
To prevent the enrollment of personal Windows devices, you can lock enrollment to company devices with Windows corporate identifiers. Create a .csv file with one device per line in the order Manufacturer,Model,Serial number, with no header row, like this:
Microsoft,surface 5,01234567890123
Lenovo,thinkpad t14,02234567890123
and save it as a .csv file.
1. Sign in to the Microsoft Intune admin center.
2. Click Devices -> Enrollment.
3. Click Corporate device identifiers -> Add -> Upload CSV file.
4. Choose Manufacturer, model and serial number (Windows only) -> Click the upload button and choose the .csv file that you created earlier -> Click Add.
5. Click Devices -> Windows.
6. Choose Enrollment -> Device platform restriction.
7. Under Windows restrictions, click All users.
8. Click Properties -> Edit.
9. Set Personally owned under Windows (MDM) to Block -> Click Review + save.
10. Click Save.
If a user tries to enroll a device that is not on the list, they get an error.
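The identifier only matches when manufacturer, model and serial number are spelled exactly the way the device reports them, so typing the CSV by hand is where this usually breaks. The script below is an added example (not from the post) that reads the three values from WMI on a device and emits them in the same header-less three-column layout as the CSV above; the placeholder-serial list and the remote computer names are assumptions for illustration.

```powershell
# Added example (not part of the original post): build corporate identifier rows from
# what the device itself reports, so the upload matches. Run locally, or against
# reachable machines with -ComputerName (WinRM/CIM access assumed).
function Get-CorporateIdentifierRow {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $cimParams = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $cimParams.ComputerName = $ComputerName }

    $cs   = Get-CimInstance Win32_ComputerSystem @cimParams
    $bios = Get-CimInstance Win32_BIOS @cimParams

    # Trim: a trailing space in any column means the identifier never matches.
    $manufacturer = ([string]$cs.Manufacturer).Trim()
    $model        = ([string]$cs.Model).Trim()
    $serial       = ([string]$bios.SerialNumber).Trim()

    # Placeholder serials (VMs, some OEM boards) cannot identify a device; refuse them
    # instead of uploading a row that would match every such machine. List is an assumption.
    $placeholders = @('', 'To Be Filled By O.E.M.', 'Default string', 'System Serial Number', 'None')
    if ($placeholders -contains $serial) {
        throw "Device '$ComputerName' reports no usable serial number ('$serial')."
    }

    # Rows are built by hand: Export-Csv would add a header line and quotes.
    foreach ($v in @($manufacturer, $model, $serial)) {
        if ($v -match ',') { throw "Value '$v' contains a comma and would break the CSV." }
    }
    return "$manufacturer,$model,$serial"
}

# Current device, appended to the upload file (no header row).
Get-CorporateIdentifierRow | Add-Content -Path .\corporate-identifiers.csv

# Several devices at once (hypothetical names; needs remote CIM access).
# 'PC01', 'PC02' | ForEach-Object { Get-CorporateIdentifierRow -ComputerName $_ } |
#     Add-Content -Path .\corporate-identifiers.csv
```

Compare the output with what you typed by hand: for the Surface in the example, WMI reports the manufacturer as "Microsoft Corporation", not "Microsoft", and that difference alone is enough for the enrollment to be refused as personal.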
Customize settings during OOBE
When you enroll a device with Windows Autopilot device preparation, the user sees some of the standard Windows OOBE pages that were hidden with the old way of enrolling an Autopilot device.
[Screenshot: the OOBE pages the user sees]
I hope that Microsoft will give us Intune admins options to control that in the future. But for now, that is the way it is.
You can take control of some of this with settings catalog policies and PowerShell scripts.
Computer Name
When you enroll a device via "Windows Autopilot device preparation", the user has the option to enter a computer name. If you have decided on a naming standard such as "PC-SERIALNO", you have to customize the enrollment process with a PowerShell script (at the time of writing; this could change in the future). Michael Niehaus has a script in this blog post. I have modified it a bit to only use the serial number, and because I use a lot of virtual PCs for testing, I have also added a check that there is a serial number in WMI. If not, then I add a serial number.
1. Download the rename-pc PowerShell script: https://github.com/chamtl/rolig-dk/blob/main/rename-pc.ps1
2. Sign in to the Microsoft Intune admin center.
3. Open Devices -> Windows.
4. Click Scripts and remediations.
5. Click Add.
6. Enter a Name -> Click Next.
7. Upload the script that you downloaded above -> Modify the settings -> Click Next.
8. Click Add groups -> Add the Windows Autopilot device preparation device group -> Click Next.
9. Click Add.
To assign the script to the deployment:
1. Click Enrollment.
2. Choose Device preparation policies.
3. Click the policy that we created earlier in this post.
4. Click Edit under the settings.
5. Click Add.
6. Add the script Rename Pc during OOBE -> Click Save.
7. Click Next.
8. Click Save.
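For readers who want to see what such a rename script has to handle, here is an added example written for this page; it is not the script linked above and not Michael Niehaus's code. It builds PC-<serial>, falls back to a random suffix when WMI has no usable serial (the VM case the post mentions; the placeholder list and the fallback are my assumptions), trims the name to the 15-character NetBIOS limit, and renames without rebooting because OOBE is still running. The log path under the Intune Management Extension folder is a convention, not a requirement.

```powershell
# Added example (not the script linked in the post): rename the device to PC-<serial>
# while Windows Autopilot device preparation is running. Runs as a platform script in the
# SYSTEM context. $Prefix and the log path are assumptions; change them to taste.
$Prefix  = 'PC-'
$LogFile = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\RenamePc.log"

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Add-Content -Path $LogFile
}

$serial = ([string](Get-CimInstance Win32_BIOS).SerialNumber).Trim()

# VMs and some OEM boards report no serial or a placeholder. Generate a unique suffix
# rather than failing, because a failing script fails the whole deployment.
$placeholders = @('', 'To Be Filled By O.E.M.', 'Default string', 'System Serial Number', 'None')
if ($placeholders -contains $serial) {
    $chars  = '0123456789ABCDEFGHJKLMNPQRSTUVWXYZ'   # no I/O, easy to read on a label
    $serial = -join (1..10 | ForEach-Object { $chars[(Get-Random -Maximum $chars.Length)] })
    Write-Log "No usable serial in WMI; using generated value $serial"
}

# Computer names: max 15 characters, letters, digits and hyphen only. Keep the end of
# the serial, which is the part that differs between devices of the same batch.
$cleanSerial = ($serial -replace '[^A-Za-z0-9]', '').ToUpper()
$maxLen = 15 - $Prefix.Length
if ($cleanSerial.Length -gt $maxLen) {
    $cleanSerial = $cleanSerial.Substring($cleanSerial.Length - $maxLen)
}
$newName = "$Prefix$cleanSerial"

if ($env:COMPUTERNAME -ieq $newName) {
    Write-Log "Name is already $newName, nothing to do"
    exit 0
}

try {
    # No -Restart: the deployment is still in OOBE. The new name takes effect at the
    # next reboot, and Entra ID/Intune pick it up on the following sync.
    Rename-Computer -NewName $newName -Force -ErrorAction Stop
    Write-Log "Renamed $env:COMPUTERNAME -> $newName (effective after reboot)"
    exit 0
}
catch {
    Write-Log "Rename failed: $($_.Exception.Message)"
    exit 1
}
```

Upload it as a platform script, assign it to the device group, and select it in the device preparation policy exactly as in the steps above; exit code 1 is what makes the deployment report the failure instead of silently finishing with the wrong name.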
Settings
1. Sign in to the Microsoft Intune admin center.
2. Click Tenant administration -> Connectors and tokens.
3. Click Windows data -> turn on Windows data.
4. Click Devices -> Windows.
5. Click Configuration -> Create -> New Policy.
6. Choose Windows 10 and later -> Settings catalog -> Click Create.
7. Enter a Name and Description -> Click Next.
8. Add the settings that you want to apply -> Click Next.
9. Click Next.
10. Add the Windows Autopilot device preparation device group -> Click Next.
11. Click Create.
That's it for now.