Up close and personal with Windows AutoPilot

Lots of exciting new technologies and solutions are coming out of Redmond these days. One of these new technologies is Windows AutoPilot and it may revolutionize how devices are set up and deployed. To learn more about AutoPilot I decided to get up close and personal with someone who knows a lot about this new technology. What follows is my recent interview with Gerry Hampson, senior consultant with the Ergo Group, one of the most successful IT services companies in Ireland. Gerry speaks to us from his base in Dublin, Ireland.

MITCH: We’re talking today with Gerry Hampson, who has co-authored a book on System Center Configuration Manager and was first awarded MVP for Enterprise Mobility in 2015 for his community work. Gerry, thank you for taking some time out for us from your busy schedule. I’m really interested in this new feature called Windows AutoPilot that Microsoft describes as “a collection of technologies used to set up and preconfigure new devices, getting them ready for productive use,” but that definition sounds like it was created by someone in Microsoft’s marketing department. Can you put it into words that an IT pro can actually understand?

Windows autopilot

GERRY: Happy to speak with you, Mitch, and delighted to get a chance to talk about this super-cool technology. Yes, the official Microsoft description seems very marketing-focused. Windows AutoPilot can be described as the Microsoft equivalent of Apple’s Device Enrollment Program (DEP), for those of you familiar with managing Apple devices in the corporate world. The idea is that a user can take delivery of their new Windows 10 device straight from the vendor and the device will pretty much provision itself in a matter of minutes without the user having to complete many of the annoying setup screens that we associate with the Windows Out of Box Experience.

MITCH: What’s the need-case here? Why should a customer be interested in Windows AutoPilot as opposed to other ways of preparing new devices for users?

GERRY: Traditional Windows deployment involves taking delivery of devices from the vendor and reimaging them with the corporate image using tools like System Center Configuration Manager or Microsoft Deployment Toolkit. There is a strong argument to suggest that this is a waste of valuable resources. The device already has a fully functional operating system, so why does it have to be re-imaged? With the advances in Windows 10, provisioning is becoming a practical alternative to traditional OSD. AutoPilot will play an important role in that scenario.

MITCH: What sort of businesses or organizations could benefit most from using Windows AutoPilot?

GERRY: The organizations that will benefit most are those that have already bought into the concept of modern management. Traditional management typically leverages technologies such as Active Directory, Group Policy, and SCCM to provide deep manageability and security. Modern management is a more simplified approach using cloud-based solutions like Microsoft Enterprise Mobility + Security (EMS), which includes Azure AD Premium and Intune. It’s complemented by cloud services like Azure Information Protection, Office 365, and Microsoft Store for Business. Windows 10 offers the flexibility to exist in both scenarios and can also be deployed in a mixed environment.

Modern management is useful when you don’t particularly care too much about the device. It’s all about the data and access to corporate resources. For remote users who primarily use Office 365, the modern management scenario is ideal. Access to corporate resources is managed and controlled by Azure AD and Intune conditional access, and data is protected by Azure Information Protection policies. Devices can still be managed to a high standard using Windows 10 Configuration Service Providers (CSPs), although these are a subset of what can be managed using traditional group policy objects (GPOs).

MITCH: Are there any customers who would probably not find much use for a solution like AutoPilot?

GERRY: Customers who have no appetite to avail themselves of cloud services aren’t really suitable for AutoPilot or the wider modern management story. These customers typically utilize an Active Directory infrastructure, Group Policy, and SCCM and wish for all resources to be strictly on premises.

Microsoft is developing processes to assist customers who currently don’t utilize any cloud services but are interested in a shift to modern management. Co-management is a new concept that allows Windows 10 devices to be managed by Intune MDM and the SCCM agent at the same time. It will provide a mechanism for organizations to migrate workloads to modern management in a controlled phased manner.

MITCH: Can you describe at a very high level how AutoPilot works and how you use it?

GERRY: Firstly, there are some prerequisites:

  • Devices must be pre-installed with Windows 10, version 1703 or later.
  • Devices must have access to the Internet.
  • Azure AD Premium P1 or P2 licenses.
  • Microsoft Intune or other MDM services to manage your devices.
  • Azure AD configured for Intune autoenrollment. (Note that Windows Autopilot is not supported on Intune hybrid at this time, although it “may” work.)

Then the high-level steps to deliver Windows AutoPilot are as follows:

  • Hardware ID. This step involves harvesting hardware information from your Windows 10 devices and uploading this information to your tenant in advance. This hardware information includes the device serial number, the Windows Product ID and the hardware hash in CSV format. At the moment this is quite a manual process. However, from early 2018 the main vendors will provide this information for you.
  • Add devices to tenant. Upload the CSV file generated in the previous step to add the device to the tenant. We must do this in the Microsoft Store for Business (even though we can create AutoPilot deployment profiles in the Intune portal, we cannot add devices at this time. If we want to use Intune profiles we must add devices to the MSfB and sync to Intune).
  • Create and assign AutoPilot deployment profile (in MSfB or Intune). The deployment profile contains setting such as “skip privacy settings,” “skip EULA,” and “disable local admin account creation.”
  • Windows 10 configuration via CSP (optional). Configure Windows 10 settings and deploy to the AutoPilot devices.
  • Software deployment (optional). Add corporate applications to Intune and deploy to devices.
  • User turns on device and signs in. As soon as the device is online, even before the user enters their Azure AD credentials, Windows AutoPilot deployment service recognizes that the device belongs to your organization and delivers a personalized and customized setup experience based on the profile assigned to the device. All the user must do is:
  1. Select a language.
  2. Connect to a network (WiFi perhaps) to get Internet access.
  3. Enter their corporate credentials.

Many of the steps that require a user to make a decision do not appear, such as choosing between a personal and work device and privacy settings.

When the user signs in, the device is joined to Azure AD and enrolled in Intune. Corporate policies, settings, and apps will then be pushed to the device. You can even upgrade from W10 Professional to Enterprise during the process. The IT admin doesn’t have to physically touch the device during the process.

MITCH: In your own experience with AutoPilot has it ever failed to work as expected? Is it as robust a solution would like to have us believe or is it still shaky in some aspects?

GERRY: It is a very robust solution, Mitch, and it has always worked for me. I had a couple of frustrating problems during testing, but they turned out to be a combination of my lack of understanding and gaps in the official documentation.

First, the user ended up being a local administrator on the devices, contrary to my deployment profile. This led me to believe that the profile was not being applied correctly. However, I was using an Azure AD global administrator account to test. It seems that a global admin account will always become local administrator on the device. Regular users will not become local administrators.

Second, all the AutoPilot documentation and videos that I’d seen showed a customized sign-in screen like the one in the screenshot below. However, in my testing, I didn’t get that screen. I only saw the standard Microsoft screen, so I incorrectly assumed that my deployment profile was not being applied. I since learned that the customization was not an AutoPilot feature and that the customization came from an independent configuration of branding in the Azure Portal.

windows autopilot

MITCH: In today’s Age of the Cloud it seems that Microsoft, like other software vendors, is constantly improving and evolving their products and services. What do you still see lacking in Windows AutoPilot that you’d like to see Microsoft add to it in terms of functionality?

GERRY: Currently, the AutoPilot process allows you to join the devices to Azure AD and automatically enroll with Intune (or another MDM solution). I’d like to see this extended to include traditional management and allow the user to join an Active Directory domain during OOBE.

MITCH: What’s the best way for someone to learn more about AutoPilot and how to use it?

GERRY: The official Microsoft documentation is a good starting point. Also, many MVPs, including myself, have blogged about their experiences in configuring and testing AutoPilot. Everything that I’ve read so far has been positive.

MITCH: Any other insights you’d like to add for us concerning AutoPilot?

GERRY: Co-management is one of the most important and exciting announcements from Redmond in recent years and it is now a reality in SCCM. It will allow organizations to migrate workloads to modern management using a phased approach. Much development is expected in co-management and AutoPilot and I’m looking forward to seeing how the two technologies will be integrated to provide the best possible user experience

MITCH: Gerry, thanks again for sharing your time and expertise with us.

GERRY: You’re welcome, Mitch. I really enjoyed our little chat.

3 thoughts on “Up close and personal with Windows AutoPilot”

  1. So no integration with on-premise AD yet? It looks great, but there should be a solution which does not rely on Azure. Maybe Dynamic Provisioning is still the way to for those companies who want some of these benefits, but with integration into legacy on-premise management services.

  2. 6 months later on than the date on this article and it’s still an absolute pain to use. Importing a csv all looks OK, but the devices don’t always appear in AAD. When they do it can take hours. Same with deleting anything in AAD/Intune; I’ve left it overnight deleting one machine from. ONE machine…this is hardly Enterprise ready. And still no hybrid on-prem/AAD? Reminds me of that Blackadder sketch “Here’s a purse of money’s…which I’m not going to give you”. I’ll check back in 2019.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top