Cybersecurity Blog


Windows Autopilot Overview

Oct 21, 2019 10:35:07 AM

When you bring on a new hire, does your IT team spend time configuring that person's computer, and does the new hire then have to spend the next 7 days setting up their accounts and apps? Isn't this onboarding process frustrating? Welcome to Windows Autopilot.

Windows Autopilot was introduced as a way to facilitate zero-touch, self-service deployments in enterprises and large educational organizations, but it can now also be used by small and mid-size businesses. It changes the way we deploy Windows devices. Traditionally, organizations purchase hundreds to thousands of new devices every year, ship them to IT, wipe them clean, and re-image them with a custom corporate image. While this image may include many common corporate applications, it usually does not include the user's personal data or specific business applications, and the process is very time-consuming for both IT and the new hires.

New devices unboxed by the new hires are dynamically configured in the background while the user watches the enrollment status page.

[Image: Windows Autopilot enrollment status page]

All configurations and data can flow down to the device out-of-the box with Intune and can be secured and configured without IT interaction. After a few minutes, or sometimes a few hours depending on how large your download is, the device is ready for productive use, including: 

  • The appropriate OEM-optimized Windows license (usually Windows 10 Pro, but can be stepped up to Windows 10 Enterprise without any difficulty if that's what you want the user to use) 
  • The latest Windows 10 feature update (Intune will automatically recognize the new license and update and push all newly enabled features)
  • Custom software load (e.g., productivity apps such as Office; however, it is important to know that Autopilot/Intune will only push down Universal Windows Platform and MSI applications.) 
  • Any personal settings, configurations, and security settings 
  • Any user data 

This leads to an improved user experience as well as time savings for IT, who no longer have to wipe a clean installation of Windows and replace it with a custom legacy image. In addition, the upcoming hybrid join with Active Directory allows you to include more users, e.g., for a Windows 7 to 10 migration.

This is achieved by joining the device into the Azure Active Directory, enrolling it into Intune, and letting Intune push the configuration down (Microsoft's Modern IT Vision) or in a hybrid scenario that includes traditional desktop management tools (the Microsoft Configuration Manager and Active Directory). 

Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs of deploying, managing, and retiring devices by reducing the amount of time IT needs to spend on these processes and the amount of infrastructure they need to maintain, while ensuring ease of use for all types of end users. Beyond the initial setup, everything is fully automated.

Windows Autopilot allows you to:

  • Automatically join devices to Azure Active Directory (Azure AD) 
  • Auto-enroll devices into MDM services, such as Microsoft Intune (Requires an Azure AD Premium subscription) 
  • Restrict the Administrator account creation (Autopilot is the only way to have the first person who logs into Windows enter as a standard user.) 
  • Create and auto-assign devices to configuration groups based on a device's profile 
  • Customize OOBE content/branding specific to the organization
  • Enable the complete configuration of the device using Microsoft Intune 

Windows Autopilot Requirements

Software Requirements

  • Windows 10 version 1703 (semi-annual channel) or higher is required.
  • The following editions are supported:
      • Windows 10 Pro
      • Windows 10 Pro Education
      • Windows 10 Pro for Workstations
      • Windows 10 Enterprise
      • Windows 10 Education
      • Windows 10 Enterprise 2019 LTSC
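The post lists what Autopilot should produce on a device (Azure AD join, MDM enrollment, a standard first user) and which Windows builds and editions it supports. The following script, an added example that is not part of the original post, verifies those outcomes on a freshly provisioned device. It assumes it is run from a non-elevated PowerShell session on the device itself; the build number 15063 is the Windows 10 1703 build, and the registry path and dsregcmd output format are the standard Windows ones.

```powershell
# Added example: post-Autopilot verification of the prerequisites and results the post describes.
# Run as the signed-in user, non-elevated, on the provisioned device.

$SupportedEditions = @(
    'Windows 10 Pro', 'Windows 10 Pro Education', 'Windows 10 Pro for Workstations',
    'Windows 10 Enterprise', 'Windows 10 Education', 'Windows 10 Enterprise 2019 LTSC'
)
$MinBuild = 15063   # Windows 10 version 1703 (the minimum the post names)

$results = [ordered]@{}

# 1. Edition and build. The CIM caption reads e.g. "Microsoft Windows 10 Enterprise LTSC",
#    so a prefix match is used rather than an exact one.
$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$edition = $os.Caption -replace '^Microsoft ', ''
$build   = [int]$os.BuildNumber
$results['Supported edition']      = [bool]($SupportedEditions | Where-Object { $edition -like "$_*" })
$results['Build >= 15063 (1703)']  = $build -ge $MinBuild

# 2. Azure AD join state, read from dsregcmd's status report ("AzureAdJoined : YES").
$dsreg = dsregcmd /status
$results['Azure AD joined'] = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet)

# 3. MDM enrollment: every MDM enrollment leaves a key under HKLM\SOFTWARE\Microsoft\Enrollments
#    carrying the management service URL.
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.DiscoveryServiceFullURL }
$results['MDM enrolled'] = ($enrollments | Measure-Object).Count -gt 0

# 4. The first user should be a standard user. Membership of the local Administrators group
#    (well-known SID S-1-5-32-544) is read directly instead of inspecting the current token,
#    because UAC filters the admin group out of a non-elevated token and would hide it.
$userSid   = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.SID.Value }
$results['Signed-in user is standard user'] = $adminSids -notcontains $userSid

# Report: any FAIL means the device did not come out of Autopilot in the expected state.
$results.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```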

Licensing requirements

Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: 

To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required: 

Configuration Requirements

Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios. 

  • Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see Enable Windows 10 automatic enrollment for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services. 
  • Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See Quickstart: Add company branding to your sign-in page in Azure AD for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties). 
  • Enable Windows Subscription Activation if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise. 

Specific scenarios will then have additional requirements. Generally, there are two specific tasks: 

Common Autopilot Scenarios:

Written by Catalin Alaci

Implementation Engineer