The Ultimate Guide to Intune Autopilot - How to use Windows Autopilot with Microsoft Intune
ฝัง
- เผยแพร่เมื่อ 23 ก.ค. 2024
- Have you checked my other channel? / @deanellerbymvp :-)
Use this link for an exclusive youtube discount on the full course:
www.udemy.com/course/learn-in...
Autopilot allows an organisation to take new or existing devices, join them to Azure AD and enroll them into Microsoft Intune (Microsoft Endpoint Manager) without any IT interaction at all!
The Cloud Management Community is YOUR community for Cloud Management, Mobile Device Management and Microsoft Endpoint Manager. Join the discussion on Twitter (@the_cmcommunity) and subscribe to be notified when we go LIVE.
Dean Ellerby is a Microsoft Enterprise Mobility MVP, Certified Trainer, Organiser at CloudManagement.Community, Contributor at Petri.com, Pluralsight Author and a Senior Cloud Security Architect. He's on Twitter @dean_ellerby. Any views or opinions expressed here are his own.
0:00 A look at the portal
1:00 Deployment Profiles
7:00 Group creation
12:25 What's the issue? Importing a device
24:20 Company Branding
25:46 Test out Autopilot - วิทยาศาสตร์และเทคโนโลยี
This is REALLY well put together... Kudos and thanks!
Way better than they teach in University. I just finish taking MD-101 course at my local university. I was taught to do couple of labs which had very long process to setup Windows Autopilot by importing .csv file manually and wasn’t taught about using dynamic device group expression to automate things.
Thanks.
Thanks Danial ! Appreciate the feedback.
Absolutely fantastic tutorial. Yours was the best out of them all.
2 years later and this video still holds up!!! I caught my issue the first few minutes in but decided to stay and verify everything else was set and wow! Great video my man, thank you!!
Thank you! Funny you should mention that - I released the updated version this week!
th-cam.com/video/uZ2CG5w92Ao/w-d-xo.htmlsi=2q-2oHMJhKoSQ_pE
@@theCMC dang! That is a coincidence! I will be reviewing that in the AM when I’m working on my new tenet’s Autopilot setup before I roll it out for the first test drive! Cheers mate!
best explained tutorial out there, thank you good sir!
21:30 - Just a tip: You can actually shut down the computer by writing shutdown -s -t 0 in the command prompt, rather than writing exit twice and then turn it off rather aggressively with the power button (Unfortunately there's no power off button in the OOBE interface). the -s switch tells the command to shutdown (-r would've rebooted the computer instead), and the -t 0 switch tells the computer to do it right away, ie 0 seconds from now.
This is a phenomenal tutorail!!! keep up the good work
Thank you ! 🙏
Thank you! This is a GREAT tutorial! Kudos! No fluff just meat n potatoes.
I really like your videos explained in a very good simple way all can undestand.
Thanks 🙏
Thanks for the video. Very informative.
Perfect video.
I'll just add that retailers should in theory have a list of computers you bought from them in a csv file so that you can load them into endpoint manager.
They will have a list of Serial Numbers, but not Hardware Hashs.
Only the CSP or OEM partner can upload devices wit just the Serial Number.
End user Organisations must use the Hardware Hash csv
Very well explained. Thanks, Dean. Quick question though. Do I need to collect the hardware hash for the machines that I want to Intune? as the hardware ID of each device is different though it's the same brand. In that case, how can I enrol 10 devices at once?
Great video Dean! I have a question, how can i deploy software and applications through auto pilot? is this possible to do with the admin rights?
This is a great tutorial very helpful and informative thank uu
Truly a great video
Great video!
Thank you very much!
Great video! very helpful and informative
Thanks! /Dean
SHIFT(HOLD) + fn(HOLD) + F10 .you're welcome guys
Good evening! I followed this turotial and it is awesome, i am unable to trigger the OOBE for Autopilot. the device is in the Autopilot List, but im unable to do the pre made OOBe.
Great video. I got Autopilot up and rolling successfully. Is there a way during autopilot to remove the bloatware in Windows 11 such as TikTok and Disney+ ?
First of all, thanks Dean, this is very informative and I love the way you speak and explain things - Make it so much easier to understand. Your videos are of the highest quality!
I am however a bit confused about the part where we have to obtain the unique hardware ID by running a few Powershell commands. I assumed, being user-driven and Autopilot, there wouldn't be a manual process involved? Also who will do this part? The end-user? I can't possible imagine majority of end-users doing that part. And if it's IT who has to do it, how will we remote into the target device?
Thanks! You are right; it doesn’t make sense to have to touch each machine!
I made a video explaining why most videos do it this way, and how you should do it in the real world!
Windows Autopilot with Microsoft Intune in the real world
th-cam.com/video/X2S0I84fTcU/w-d-xo.html
Really good. many thanks
Great tutorial! Thanks!
Glad you enjoyed it!
Thanks for the help and the wealth of information! thankful...
Thanks ! You're welcome 😀
If you manually set the hostname before you run the script will it store that hostname you gave it? I want to set all my devices with the asset tag they are assigned.
@4:55 - can we rename the device after the deployment to something like (first letter of username, plus user last name (up to 14 char) ?
Thanks for the video.
Thanks Dean, so useful! Just want to add a couple of things. Windows Home although MS say its supported under InTune/Autopilot, I've had to upgrade Win11 machines to Pro before they allow a user to onboard and allow Work accounts to login. Also when importing the hardware hash with the -online switch, the (global) admin, needs an InTune license to allow this.
Thanks Gareth! I wasn’t aware of the Home edition thing.
For the Intune license requirement, is that still the case even when the tenant admin has switched the tenant to not require an Intune license for admin tasks?
@@theCMC yep that's enabled to "not require", but I still had to allocate myself a license (possibly more for AAD Premium L1 than Intune?) to complete the PS script. It wasn't for a gotcha, just in case others have a similar setup to me. Some of us have live in M365 Bus Std & Bus Premium and E3/E5 is just a dream!
Thanks Gareth,
I guess it’s for AADP1 then. Interesting! Thanks for the tip.
/Dean
Yes indeed, if Home edition is on your hardware. You must kick off this to upgrade to Pro: Changepk.exe /ProductKey VK7JG-NPHTM-C97JM-9MPGT-3V66T
Thx very much for the Guide. Just wondering how to achieve the procedure with a lot of apps (msi &win32 )? Got always an error when it comes to the last step of the installtion User Account
How about existing windows 10 devices that are already in azure ad but not in intune or autopilot, how do we pull those into autopilot? You should make a video on that. I appreciate it
You mentioned about getting devices sent straight from suppliers to the end users (All our staff work from home). How do their devices get enrolled?
Also, the non-technical user will have to boot it up to get it on their Wifi.
cheers for this BUT you said "it is not for a prod but for lab only" so what is the prod's most officiant way of enrolling devices. Also, there are no links for the "resources section"? And it is fine for ONE-only devices. We have 10 -20 newly purchases devices per week, how do you do that :)
My Context: We are launching a private school and would like to utilize AP for a 30 device lab and rapid provisioning as we hire on more teachers/faculty.
@9:45 you mention the string ZTDId as the string to add the device to the dynamic group. That value seems too broad for the different departments at our aforementioned school...I was thinking of using device name?
as of May 15, 2023 - the "Allow White Glove OOBE" is now "Allow pre-provisioned deployment."
@2:57 - one is enable a manual feature, the other to enable an automatic feature.
- this new feature:
- if you enable it but do not do the actions to make it run, what should the outcome be (would it be as if you never enable it)?
Quick question. When I perform the enrollment, it is successful but the device does not show up under Intune Devices. However, it does show up under Entra Devices, but "Enabled" is set to "No". I must have missed something during original setup. is there a way I can change it to where enrolled devices are automatically enabled?
Great video, do you need to configure the MDM user scope under automatic enrolment for this to work?
Yes. Automatic Enrollment is required and takes place as the user. /Dean
Is there anyway to automate this via MDT, like using task sequence for the HardwareHash Export and uploading it straight to Autopilot with a Task Sequence Powershell script? ending on the "Let set up things for your work or school"
Many thanks
thanks for your video! In a situation where a company has a reseller ship laptops directly to end users, it sounds like there's no great way to utilize autopilot unless the reseller is willing to connect the device to the internet and pull the autopilot information to send it back to the mothership. They would have to do so or ther end user/engineer on site would, is that right?
You're welcome!
In fact there is a method for that - the reseller model is perfect for Autopilot. Take a look at this video (it's a little old, but the message is still the same!)
th-cam.com/video/X2S0I84fTcU/w-d-xo.html
Really very good instruct! is Teams default App in this VM or there is one App policy for teams in place and it covers all Windows Devices?
Teams default in Windows 11
Thanks a big help❤❤❤
Hi Dean,
I have a question here. If the Windows device is brand new out of box, from where does it fetch the script ? What i mean is i tried on a test machine with Windows 10 and i get error that my system is not configured with default installation path yet. How and Where will my system search for the script when i try to run it ?
I have one small problem: The apps that I deployed don't get installed after I sign in my test user. I also don't see the Setting up for work or school screen. In the intune managment center I can only see the new device in the Autopilot Group that I created. The apps are set to be installed on all devices or to all users depending on the needed priviliges. Anything I need to do to have that device show up in the management center?
Excellent Video
Thank you very much!
Awesome video, thank you!
What about a new laptop that only has Wifi? Does Windows give the user the opportunity to connect to their local Wifi connection?
Yes - if the internet is not present at the OOBE, the user is prompted to set their input locale and connect to Wifi. The input locale is required to ensure the user can type the required wifi password accurately.
I'm trying to find the video you have done where you create the timmy tester account and have added apps to MEM. Can you share which video they are in please?
That's actually part of the full course; here's a discount link:
www.udemy.com/course/learn-intune/?couponCode=TH-cam
Any tips on how to deal with pre-existing laptops, which have a local user account on it but i want them to be intune managed?
Hello! We have devices that are getting added to AutoPilot from a Dell purchase. I have two enrollment profiles created. if I want half of the devices to receive one enrollment profile and the other half to receive the profile, how would I define this information within the dynamic group to assign to each auto pilot profile? Thanks for the help!
One way (the usual way) is to ask Dell to provide a Group Tag for each device when they add to Autopilot for you.
There are other ways…
Hi, can you show us what software do you use to capture the iOS screen in the virtual box? Thanks.
Sure. I use Reflector 4.
www.airsquirrels.com/reflector/
can the device also hybrid join by deploying autopilot?
27:32 - I've seen an issue directly after entering the password during autopilot enrollment where our virtual machine doesn't proceed to the "Setting up for work or school"-page.. Instead it reverts to the regular log on screen asking me to sign in again, but when I do that it says that I need rights to sign into remote desktop services. Rahul (Another MVP) posted a blog post about this but his solution using account protection profiles doesn't seem to apply during autopilot enrollment. Any ideas how to get around this? Thanks! =)
Can you briefly comment on how you setup MFA with the authenticator then an additional step of WHFB? Is it two conditional access policies? Love the channel btw!
Hey Michael! Sorry for the delay. I didn't do anything clever here. I expect I have set the checkbox to require MFA for Azure AD Join, which caused the request for MFA.
I also set the default to require WHfB during initial login.
When following along with this video I get an error message: failed to create group Autopilot device. Dynamic membership rule validation error: Not enough operands found for operator. I'm not sure what happened, I followed your example
Hey Dean, when the user receives the laptop, are they first asked to connect to a wifi network I assume? How does that work.
Hey Samad,
If the laptop has a LAN cable connected, and can access the internet, the initial “Connect to a network” WiFi page is skipped.
If not, the user is asked to connect to their WiFi network at the first prompt.
Great video! How would you then recommend the hardware hash to Autopilot when there are a lot of devices? The online or manual options are great for lab environments.
Hi Patrick, I think this video gives better guidance on how this should be done in production. It may not answer your specific question, but take a look and let me know !
Windows Autopilot with Microsoft Intune in the real world
th-cam.com/video/X2S0I84fTcU/w-d-xo.html
@@theCMC Thank you. Will have a look!
@@theCMC Did have a look on it. But it unfortunately doesn't show how you should do it in bulk. For instance I want to ship the new device directly to the user. How do I export/import this?
Great video! When managing multiple businesses under the one tenant would you recommend multiple Autopilot Device Groups or still just the single group?
I guess I am also try to understand if there is even any benefit to having multiple Autopilot profiles or just one profile that references one group just so that Autopilot basically does it’s thing then you would target every thing else based on otherwise defined device or user groups. For example I might use the same group I use for Autopilot to deploy Office Apps because 100% of our devices will need office apps.
@@MorganDaly Unless there's a setting within the Autopilot profile that would differ between organisations or groups, I don't see a reason to have multiple.
I have learned so much from this video, thank you very much. I do have a question, I have to prevision 450 laptops, do I need to run the powershell script that you described on all 450 laptops? If yes that means I have to touch all 450?
Thanks
MW
That depends.
If they are new (and at the OOBE) and your OEM like Dell, Lenovo etc, or your Reseller did not load them into Autopilot for you (see th-cam.com/video/X2S0I84fTcU/w-d-xo.html )
Then yes, you need to run that command (or a command like it) on all devices. At that stage it may be easier to use the CSV collection method on each device, rather than logging in to each with -online
If the devices are managed via ConfigMgr or Intune - then it’s a different answer. Let me know here or on Twitter @dean_ellerby
I am a retired Army pilot turned geek. Our church will have 900-1000 students in school next year. Because I must come off as a geek, the church has asked me if I would be willing to take on the task. For free mind you.
Our laptops showed up with no indication of already being provisioned.
We do have Intune/Azure AD/Office 365 for the users.
My thought was to use Autopilot to load as much as possible before a student touches it.
Office, Email, Winzip, and Antivirus.
In your demo you logged onto the internet rather than saving as a csv file, at what point did you connect the pc to wifi?
Any words of wisdom would be greatly appreciated.
Thanks
Mike
@@mwinn2009 retailers should in theory have a list of computers you bought from them in a csv file so that you can load them into endpoint manager.
Try asking them
Not sure why I keep getting this 'Add-AutopilotImportedDevice' is not recognized as the name of a cmdlet,
Hey Dean. First of all, thank you for your detailed explanation on this and on other videos. I have a question related to the expression that you used at the 9:40 of the video. It's not working for me. Do you know if Microsoft did some change on the expression? Thank you!
Sorry for the delay - yes, they removed the -Contains option. It's now -StartsWith
@@DeanEllerbyMVP Thanks for responding and for attention. I was able to use -StartsWith. This expression is more comprehensive, it took all tenant computers, not only for the news. Thank you!
Hey Great Video Dean - you mention some resources related to the device strings. Is there a link to that somewhere?
same question here
@@timberkraij4343 I think this video is part of his Udemy course, which does have a "Resources" folder, so whilst you get it for free on YT you won't get the resources he mentions.
@@kevinjackson5191 already figured it out and it's running smoothly across my customers, still thanks for the heads up
Hey, at 22:02 you said that it's not the ideal way to use Autopilot for device enrollment. Can you show us what is the ideal way to use this? Thanks.
First - 100,000 points for adding the timestamp for me!
Second - apologies, this clip is from my Udemy course which gives more detail in a previous/surrounding lecture.
By "not ideal" I mean that this doesn't scale. It is meant for small-scale and lab work.
I made a video which describes how Autopilot is often used in "the real world", perhaps that will add context?
Here it is: th-cam.com/video/X2S0I84fTcU/w-d-xo.html
What's the difference between Execution Policy Bypass and Execution Policy Unrestricted?
Thank you very much!
If we turn on () this autopilot device without internet, what will happen ?
It depends. If the device has never been switched on with internet connectivity, then it will begin the account creation process as if it is not an AP device. It will ask you for internet access during the process.
If it has been previously connected, it will probably have downloaded the profile already and begin the AP process, which will require internet access :-)
Thanks!@@theCMC
Hello. Thank again for the video. After signing in I am not seeing the “Setting up for work or school” screen where app are being installed etc. Do you know what this might be the case?
I believe there is an ongoing issue with the Enrolment Status Page being shown, especially when the ESP is being targetted dynamically to a group.
All good. I found it. You have to configure it in devices and enrolment settings.
Thanks for the reply. I have enabled it so hopefully that issue is not a thing anymore. Now if you could do a video about removing the crap from a PC with Intune that would probably be the most popular :) Love your work. Thanks.
Not seeing the effect of user assignment. For example it not saying “Hello Morgan” and simply asking for my password.
Problem:
1. I deploy LAPS and it works fine.
2. Try to deploy Autopilot using a VM
in my LAPS policy i did not config an Administrator username.
in my Autopilot policy i set the user as a standard user, i deployed 3 apps:
a) Microsoft Store app (new) 7zip 22
b) Microsoft Store app (new) Foxit PDF reader
c) Microsoft 365 Apps (win 10 and later)
I used a testuser1 account with a M365 business pre lic.
7zip & Foxit did not get deployed.
everything else seems to be working fine until I try to remove "OneDrive for Business"
it ask for admin credentials, so i lookup the password for the administrator in Azure, but that password did not work.
(then i remember, I just install windows & then login with an azure ad user, i have not created any local user)
I then check computer-management->users, all 5 users are disabled.
Administrator, DefaultAccount, defaultuser0, Guest, WDAGUtilityAccount
Q1: So, LAPS does not auto enable the local Administrator account?
Q2: How does one enable the local Admin account without the Azure Global Admin?
Q3: Why did the Store Apps not deployed?
Hey Dean,
do you have an explanation why in one tenant the email address of the assigned used is pre-filled, so I only need to fill in the password, but in another I need to fill in the email and password?
Only the password is much easier for the user and also you know which laptop is which.
Also I notice since today that we don't receive the consent on behalf of'your organization anymore.
Hope to hear from you!
That’s interesting! I thought the feature to pre-assign a user had been temporarily disabled. Perhaps it’s been disabled for new tenants only? Is the tenant that pre-fills the email address an older tenant?
UPDATE!
It seems this feature is being re-instated, so it may just take a few days to appear on the other tenant. See here:
support.microsoft.com/en-us/topic/july-26-2022-kb5015878-os-builds-19042-1865-19043-1865-and-19044-1865-preview-549f5551-fcc5-4fee-8811-c5df12e04d40
Do you plan on making a video on Hybrid deployment? For devices which an organization's IT receives the device prior to the user?
Do you mean autopilot where the device joins AD + Azure AD ?
Hello, When our users sign into their devices they do not get the useful UI that appears 27:43 and instead immediately dumps them straight onto the desktop with no apps / policies applied etc. how do you get this to appear before the PC lets the end user start using the machine?
I've found the option, it's called "Enrollment Status Page" on the same screen as where "Deployment profiles" is when selecting "Enroll devices" in Microsoft Intune admin center.
Sorry - didn’t see your original question. Yes - that’s an ESP.
Im a bit confused here. If a device is shipped to the customer directly. How can we go through that powershell info gathering for each device?
Exactly! You cannot, and should not try. Take a look at this video which explains it in real world terms
Windows Autopilot with Microsoft Intune in the real world
th-cam.com/video/X2S0I84fTcU/w-d-xo.html
@@theCMC I did but it's still about virtual machines and running the powershell script from the command. (which in my case doesnt seem to support powershell). So I added the VM now by importing the generated CSV file and it says it's successfully (i can see the device) but then I assign the device to my created profile and... nothing happens ^^
Does your course go through a Hybrid setup?
The Udemy course? No. The Udemy course is focused on Cloud Only devices.
I created a Hybrid playlist on the channel that might be helpful instead!
th-cam.com/play/PLPf4hn8koDW49ESNDQaAktu44HcZCHfb7.html
Awesome video
i'm having an issue though with my VMs, when i run install-script get-windowsautopilotinfo the first install page is ok but the 2nd fails
The first “page”?
@@theCMC Yeah sorry looking at too much PS today brain cooked.
I get prompted twice after the Install-Script command, first about trusting the repository which is fine, then i get a NuGet prompt and no matter what i do it fails so i never really get the save the Get-WindowsAutoPilotInfo script, what's what im trying to fix atm in my test lab
@@WilliamButtel interesting.
@@WilliamButtel check this for answers later :-) twitter.com/the_cmcommunity/status/1515326966311923712?s=21&t=l-5hV1HfPgqe8KRK5lMbEQ
Check TLS and SSL / internet connection.
www.alitajran.com/unable-to-install-nuget-provider-for-powershell/
Would be quite useful if the video's creator comments were updated to show the URLs for the various screens in contemporary places - it's just not matching to the Azure layout in mid-2024.
Agreed - the interface is now quite different. The concepts are the same, however.
I can't update a video, only recreate - we're waiting for some expected updates to Autopilot to be released before we create the new version :-)
Is there a linux autopilot deployment ?
Our company is discussing intune projects and we need all domain joined devices to be intune managed with autopilot enabled, all new devices will be joined in Azure AD. Could you please suggest an enrollment method for on-premises domain join devices (300 devices)?
Sure. If you update the ADMX for Windows 10, you’ll have a policy that will allow automated enrolment. Simples.
@@theCMC yes but this is HAAD Join right ? , Can we unbind the device from domain and add this to AAD join without wipe ?
Thanks
Aha, no. There is no supported way to do that. I think I made a video of a possible way… I’ll take a look
Found it. Domain Join to Cloud Only (AADJ) Migration without Wipe and Load!!
th-cam.com/video/ByKFxF7PlPQ/w-d-xo.html
@deanellerby, I wanted to reach out and ask you directly but I couldn't find your contact information. My question is: is there any further content you have on Windows Autopilot? Like a deeper dive in the set up and configuration. I've already completed Mastering Window Autopilot with Intune but I need more info. Would you ever be willing to schedule a zoom meeting or chat outside youtube to discuss my inquiries?
Hey -
You can reach out to me on LinkedIn www.linkedin.com/in/deanellerby/ preferably, or Twitter @dean_ellerby
:-)
What is the proper way to scale up in an organization?
This:
Windows Autopilot with Microsoft Intune in the real world
th-cam.com/video/X2S0I84fTcU/w-d-xo.html
How long does it take for the device to deploy to the autopilot devices normally?
Between 20 mins and 45 mins depending on the number of apps. It can be more, though.
@@theCMC cool thank you, just to be clear im referring to the power shell command to connect to the tenant when it says ‘waiting for 1 to 1 to be imported’
Oh, I see. Less than a minute to be imported, and then up to an hour to appear in the dynamic groups.
Oh, I see. Less than a minute to be imported, and then up to an hour to appear in the dynamic groups.
@@theCMC I am getting a 640 storage error when I try it on any device?
So I've been using your option to register devices to Autopilot in our company (with -Online option) but you say it's not ideal, but don't talk about any other options? Is that in another video?
It depends on the state of the devices. If they are Hyrbid AD joined or managed by ConfigMgr, then it would be possible to convert them to Autopilot devices without collecting the hash.
If they are new devices, it would be best to have the vendor or distributor register the devices on your behalf.
@@theCMC no my issue is that devices are Azure AD joined only and issued to users already. I’ve been using PS script to get a hash and import on devices that I’ve got access to. But there are lot of devices out that I can’t physically put my hands on (we’re international company) of users that barely come to the office. And even if I’ve got access I can’t asked user to log out from a domain and log back in to register them to MDM. Yes, I can ask them to add device to MDM only but then they can also take it off which is not ideal. It would be nice if MS came with the option for Azure AD devices already in use to add them to Intune without users intervention. :)
@@tomex if the devices are already Azure AD joined, you do not need to capture the Autopilot Hardware Hash info - it’s simply a case of targeting these devices via a group and ensuring “Convert all target devices to autopilot” is set.
You do still need to get the devices to reset and go through the Out of Box Experience / Autopilot process, but atleast you don’t need to physically touch the device or run that command at all.
@@theCMC Thanks Dean for your reply. Yes, portal is set up to convert all devices to autopilot when joined through OOBE. So you're right, I might be doing the same job twice by collecting HW Hash (just to be on the safe side). I've found a script where you can initiate enrolment by modifying a registry and run task scheduler to run it. In this case you might not need to reset device, but just need to check that I can push settings via Intune afterwards.
Azure. 🛑 saying Azzzzzur’e. It’s not French. I love your videos though 🙏🏽
:-) It's blue, though, right?
very basic, no TS
@9:31 - (device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))
I see you use the common "d" in ZTDID, would that also work?
Did I mentioned I REALLY DISLIKE WINDOWS?!?!?!? I REALY DO... WATCHING THIS VIDEO REMINDEDED WHY I USE APPLE PRODUCTS..
When signing in to the tenant, what level of access does the account need? Does it have to be a Global Admin account?
Global Admin is required, unfortunately…!
@@theCMC the first time, yes (to accept the permissions). Then, for other laptops, the rest of the IT staff needs to be global admin, or fewer permissions are sufficient?