Microsoft has added a new way of preparing Windows devices for modern managed PCs via Intune. The new name is “Windows Autopilot device preparation”.
Microsoft article: https://learn.microsoft.com/en-us/autopilot/device-preparation/overview

What is going to happen during the installation:

During the out-of-box experience (OOBE), a user authenticates with their corporate credentials. If there’s a Windows Autopilot device preparation policy assigned to the user signing in, then that policy is delivered to the device. It then determines the configuration that needs to be applied to the device based on the settings configured in the policy. After that, device setup continues in the following order:

  1. The device joins Microsoft Entra ID and enrolls in Intune.
  2. The Intune management extension installs.
  3. When the device is joined to Microsoft Entra ID during the first step, the user is automatically added to the local Administrators group on the device. If the user account is configured as a standard user, the setting is enforced by removing the user from the Administrators group.
  4. The deployment syncs with the mobile device management (MDM) service such as Intune and checks if line-of-business (LOB) and Microsoft 365 applications are selected in the Windows Autopilot device preparation policy. It also syncs all MDM policy at this time, but application of the policy isn’t tracked during the deployment.
  5. If there are LOB and Microsoft 365 applications selected in the policy, then they’re installed. If a LOB or Microsoft 365 application fails to install, then the deployment fails at this point.
  6. The deployment checks if PowerShell scripts are selected in the Windows Autopilot device preparation policy. If there are PowerShell scripts selected in the policy, then they run. If a PowerShell script fails, then the deployment fails at this point.
  7. The deployment checks if Win32 and Microsoft Store applications are selected in the Windows Autopilot device preparation policy. If there are Win32 and Microsoft Store applications selected in the policy, then they’re installed. If a Win32 or Microsoft Store application fails to install, then the deployment fails at this point.
  8. If all steps succeed, the Required setup complete page is displayed for the user.
  9. Once the Required setup complete page is dismissed, the user is automatically signed in and the desktop is displayed.
  10. At this point, another sync is triggered and all other configurations are delivered to the device. Additional configurations might include:
    • Applications and PowerShell scripts that were assigned to the device group specified in the Windows Autopilot device preparation policy but weren’t explicitly selected in the policy.
    • Any additional MDM policy.
    • User-based configurations.

Prerequisites:
Windows 11 Requirements:
Windows 11, version 22H2 with KB5035942 or later.
Windows 11, version 23H2 with KB5035942 or later.

Device shouldn’t be registered or added as a Windows Autopilot device – if the device is registered or added as Windows Autopilot device, the Windows Autopilot profile takes precedence over the Windows Autopilot device preparation policy.

Make sure that you don’t block enrollment of personal devices. If you do, you will see an error and the enrollment will not start.
If you are using “Corporate device identifiers”, it is fine that personal devices are blocked.

Set up Windows automatic Intune enrollment
(These settings might already be set up if you have used Autopilot before)

Sign in to the Azure portal
Open Microsoft Entra ID
Click Overview -> Manage -> Mobility (MDM and WP)
Click Microsoft Intune
Choose Some or All -> Click Save

Allow users to join devices to Microsoft Entra ID
(These settings might already be set up if you have used Autopilot before)

Sign in to the Azure portal
Open Microsoft Entra ID
Click Overview -> Manage -> Devices
Open Overview -> Device settings
Choose Some or All -> Click Save

Create a device group

Sign into the Microsoft Intune admin center
Click Groups -> New Group
1. Group type: Security
2. Enter a name
3. Click No owners selected
Add the user Intune Provisioning Client
* If the user doesn’t exist, you have to create it. See the section below.
Click Create

*Adding the Intune Provisioning Client service principal

Open PowerShell as administrator and run Install-Module AzureAD
Run Connect-AzureAD
Enter your email

(The account has to be a Microsoft Entra ID administrator with permissions to add service principals)
Enter your password
Run New-AzureADServicePrincipal -AppId f1346770-5b25-470b-88bd-d5744ab7952c
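The same steps as one script, added here as an example and not part of the original post. It looks the service principal up before creating it, because New-AzureADServicePrincipal fails if it already exists in the tenant. The AppId is the one given above; the AzureAD module is the one the post uses.

```powershell
# Added example (not the post's own commands): add the Intune Provisioning Client
# service principal only if it is missing. Uses the AzureAD module from the post.
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module -Name AzureAD -Scope CurrentUser -Force
}
Import-Module AzureAD
Connect-AzureAD   # sign in with an account allowed to add service principals

# AppId of the Intune Provisioning Client, as given in the post.
$AppId = 'f1346770-5b25-470b-88bd-d5744ab7952c'

# Creating it twice fails, so look it up first (OData filter on appId).
$Existing = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if ($Existing) {
    Write-Output "Service principal already exists: $($Existing.DisplayName) ($($Existing.ObjectId))"
} else {
    $New = New-AzureADServicePrincipal -AppId $AppId
    Write-Output "Created service principal: $($New.DisplayName) ($($New.ObjectId))"
}
```

After it exists, the object shows up in the group member picker under the name Intune Provisioning Client, which is what the device group step above needs.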

Create a user group

Click Groups -> New Group
1. Group type: Security
2. Enter a name
3. Click Create

Assign applications and PowerShell scripts to device group

During the out-of-box experience (OOBE), before the end user is signed in for the first time, Windows Autopilot device preparation allows deployment of up to:

  • 10 managed applications
  • 10 PowerShell scripts
Add Application
Click Apps -> Windows
Select the app that you want to install
Click Properties -> Edit Assignments
Under Required click Add group
Choose the device group that you created earlier in the blog post. In my example it is: Windows Autopilot device preparation device
Click Review + save
Click Save
Do this for all the applications that you want to install during the enrollment
Add PowerShell script
Click Devices -> Scripts and remediations
Click Platform scripts
Click Properties
Click Add groups
Choose the device group that you created earlier in the blog post. In my example it is: Windows Autopilot device preparation device
Click Review + save
Click Save
Do this for all the scripts that you want to run during the enrollment

Create Windows Autopilot device preparation policy

Sign into the Microsoft Intune admin center
Click Devices -> Windows
Open Enrollments -> Devices Preparation policies
Click Create
Click Next
Enter a Name -> Click Next
Search for the device group that you created earlier in the post.

Click Next
Add the settings that you want -> Click Next

Click Next
Search for the user group that you created earlier in the post.

Click Next
Click Save

Windows corporate identifier

To prevent the enrollment of personal Windows devices, you can lock enrollment to company devices with Windows corporate identifiers. Create a .csv file that contains “MANUFACTURER, MODEL, SERIAL NO” like this:

Microsoft,surface 5,01234567890123
Lenovo,thinkpad t14,02234567890123

and save it as a .csv file.
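The identifiers have to match what the device itself reports, so the safest way to build the file is to read the values from WMI rather than typing them from a label. This script is an added example, not part of the post: run it on each device (or adapt it to read from an inventory), and it appends one row in the format shown above. The output path and the placeholder-value check are this example's own choices.

```powershell
# Added example (not from the post): collect manufacturer, model and serial number
# as the device reports them and append a "Manufacturer,Model,Serial" CSV row.
$CsvPath = 'C:\Temp\corporate-identifiers.csv'   # assumed output location

$System = Get-CimInstance -ClassName Win32_ComputerSystem
$Bios   = Get-CimInstance -ClassName Win32_BIOS

$Manufacturer = ([string]$System.Manufacturer).Trim()
$Model        = ([string]$System.Model).Trim()
$Serial       = ([string]$Bios.SerialNumber).Trim()

# Empty or placeholder values (common on VMs and some OEM images) can never match
# at enrollment time, and a comma would break the three-field row, so refuse them.
foreach ($Value in @($Manufacturer, $Model, $Serial)) {
    if ([string]::IsNullOrWhiteSpace($Value) -or
        $Value -match 'To be filled|Default string' -or
        $Value.Contains(',')) {
        throw "Device reports an unusable identifier value: '$Value'"
    }
}

# One device per line, no header row, exactly as in the sample above.
$Row = '{0},{1},{2}' -f $Manufacturer, $Model, $Serial

# Skip duplicates so the same device is not listed twice in the upload.
if ((Test-Path $CsvPath) -and (Select-String -Path $CsvPath -SimpleMatch -Pattern $Row -Quiet)) {
    Write-Output "Already listed: $Row"
} else {
    Add-Content -Path $CsvPath -Value $Row
    Write-Output "Added: $Row"
}
```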

Sign into the Microsoft Intune admin center
Click Devices -> Enrollment
Click Corporate device identifiers -> Add -> Upload CSV file
Choose Manufacturer, model and serial number (Windows only) -> Click the upload button and choose the .csv file that you created earlier -> Click Add
Click Devices -> Windows
Choose Enrollment -> Device platform restriction
Under Windows restrictions -> Click All users
Click Properties -> Edit
Block Personally owned under Windows (MDM) -> Click Review + save
Click Save
If a user tries to enroll a device that is not approved, they will get an error.

Customize setting during OOBE

When you enroll a device with Windows Autopilot device preparation, the user will see some of the standard Windows options, compared to the old way of enrolling an Autopilot device.
You can see what options the user will see below.

I hope that Microsoft will give us Intune admins options to control that in the future. But for now, that is the way it is.

You are able to take control of some of the configuration with settings and PowerShell scripts.

Computer Name

When you enroll a device via “Windows Autopilot device preparation”, the user has the option to enter a computer name. If you have decided to go with a special naming standard like “PC-SERIALNO”, then you have to customize the enrollment process with a PowerShell script (at the time of writing this blog; it could be different in the future). Michael Niehaus has a script in this blog post. I have modified it a bit to only use the serial number, and because I use a lot of virtual PCs for testing, I have also added a check that there is a serial number in WMI. If not, then I add a serial number.
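An example of such a rename script, added here and not the script linked below: it builds PC-<SERIAL> from the BIOS serial number in WMI, generates a marked fallback serial when a VM reports none, and handles the two things that commonly break this approach, characters that are not valid in a computer name and the 15-character name limit. It assumes it runs as SYSTEM as an Intune platform script during device preparation; the prefix and fallback format are this example's choices.

```powershell
# Added example (not the post's rename-pc script): name the device PC-<SERIAL>
# from WMI during OOBE, with a fallback serial for VMs that report none.
$Prefix = 'PC-'
$Serial = ([string](Get-CimInstance -ClassName Win32_BIOS).SerialNumber).Trim()

# Virtual machines often report an empty or placeholder serial number.
if ([string]::IsNullOrWhiteSpace($Serial) -or $Serial -match 'To be filled|Default string|Not Specified') {
    # Constructed fallback: "VM" plus 8 random digits/uppercase letters, so it is recognisable.
    $Serial = 'VM' + (-join ((48..57) + (65..90) | Get-Random -Count 8 | ForEach-Object { [char]$_ }))
}

# Keep only characters that are valid in a computer name.
$Serial = ($Serial -replace '[^A-Za-z0-9-]', '').ToUpper()

# Windows limits computer names to 15 characters; keep the tail of the serial,
# which is usually the more unique part.
$MaxSerialLength = 15 - $Prefix.Length
if ($Serial.Length -gt $MaxSerialLength) {
    $Serial = $Serial.Substring($Serial.Length - $MaxSerialLength)
}

$NewName = "$Prefix$Serial"
if ($env:COMPUTERNAME -ieq $NewName) {
    Write-Output "Computer is already named $NewName; nothing to do."
    exit 0
}

Write-Output "Renaming $($env:COMPUTERNAME) to $NewName"
Rename-Computer -NewName $NewName -Force
# The new name applies at the next reboot, which device preparation performs
# before the user reaches the desktop, so no restart is forced here.
exit 0
```

A non-zero exit code would mark the script as failed and, per step 6 of the deployment order above, fail the whole deployment, which is why the script exits 0 on the "already named" path.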

Download the rename-pc PowerShell script: https://github.com/chamtl/rolig-dk/blob/main/rename-pc.ps1
Sign into the Microsoft Intune admin center
Open Devices -> Windows
Click Scripts and remediations
Click Add
Enter a Name -> Click Next
Upload the script that you have downloaded above -> Modify the settings -> Click Next
Click Add groups -> Add the Windows Autopilot device preparation device group. -> Click Next
Click Add
To assign the script to the deployment:

Click Enrollment
Choose Device preparation policies
Click on the profile that we created earlier in this post.
Click Edit under the settings
Click Add
Add the script Rename Pc during OOBE -> Click Save
Click Next
Click Save

Setting

Sign into the Microsoft Intune admin center
Click Tenant administration -> Connectors and tokens
Click Windows data -> turn on Windows data
Click Devices -> Windows
Click Configuration -> Create -> New Policy
Choose Windows 10 and later -> Settings catalog -> Click Create
Enter Name and Description -> Click Next
Add these settings -> Click Next
Click Next
Add the Windows Autopilot device preparation device group -> Click Next
Click Create

That’s it for now.


By Claus