Windows AutoPilot: Let’s get started

**DISCLOSURE: While I am contracted to Microsoft Corporation, I am not an employee. The articles that I write are not meant to represent the company, nor are they meant to represent me as an employee or spokesman for the company. As has always been the case, all articles on this website represent me and nobody else.

**NOTE: All of the command line entries in this article are performed in PowerShell. To differentiate between the PowerShell cmdlets and Command Line Interpreter commands, the PowerShell cmdlets are in blue, and the Commands are in black.

In 2007 I started teaching Windows Desktop Deployment, and I have had a hand in it ever since. There have been so many changes in the past fourteen years, but since the introduction of the .wim file with Windows Vista, there has been no quantum shift in desktop deployment like this one.

First, let’s define it. Windows Autopilot is a feature that allows you to do zero-touch deployment (ZTD) of workstations from the cloud. Before you get too excited, that phrase is a bit of a stretch: it is zero-touch for the IT staff and light-touch for the end user. When I used to discuss ZTD from Configuration Manager, I described how, using Wake-on-LAN (WOL), my deployment server could turn on your computer, install (or upgrade) the operating system and all of the applications, and have it ready for the end user without anyone ever touching it.

With Autopilot we cannot quite do that. For one thing, doing that to computers connected to the internal corporate network is easy, but reaching out and searching for a network interface with a particular MAC address on every network in the world would be… challenging at best.

So let’s look at what Autopilot does do:

Unless you are building PCs from scratch (once quite popular, but something large corporations seldom do), your PC came with Windows on it. If you bought it as a corporate device, it came with Windows 10 Pro. (**Note: Autopilot requires Windows 10 Pro, Enterprise or Education; a personal device that shipped with Windows 10 Home cannot be deployed this way.) Great… your end user turns on the computer and is asked 1) what language they speak, and 2) to connect to the Internet.

One of the first things every Windows computer does when it connects to the Internet for the first time is call out to Microsoft to check whether it is a registered Autopilot device; that is, whether its hardware hash has been registered to your company so that it should be managed accordingly. If it is not a corporate device, the user continues on their merry way. But if it is… then magical things start to happen.

Autopilot might start by upgrading the Windows 10 SKU from Windows 10 Pro to Windows 10 Enterprise. It will probably join your computer to Azure Active Directory. If your organization is still using a Hybrid Azure AD Joined (HAADJ) model, it will also join the PC to the Active Directory domain. Of course, that means that Group Policy Objects will start applying… but even if your company is strictly an Azure AD organization, Intune Configuration Profiles will be applied, configuring all manner of settings.

Autopilot can be configured to deploy applications to the PC… and not only Modern Apps from the Windows Store (or Windows Store for Business), but also Win32 apps that the IT department packaged.

All of this can happen in one of several ways:

  1. The user logs on right away and, while they work, the policies are applied and the applications are deployed, each becoming available as it finishes installing;
  2. The user cannot start using the computer until all of the policies and applications have finished deploying; or
  3. A hybrid of both, where the mandatory apps and policies finish first and the user can start working… while the magic continues in the background.

Which of these you get is controlled by the Enrollment Status Page (ESP) settings in Intune, which decide whether device use is blocked until everything, only the required apps, or nothing has finished installing.

But how does it know??

That is a great question, and I thank you for asking it. Intune (part of Microsoft Endpoint Manager) knows because your hardware vendor uploaded the hardware hash for the device into Intune for you. If they did not, then they sent you a list of those hashes, and you imported them into Intune. If they did not provide you a list, then you can still get the hashes yourself. Here’s how:

1) Open a Windows PowerShell console as Administrator on the device. (The hash comes from a WMI namespace that only administrators can read, so a non-elevated console will fail.)

2) Type the following: Install-Script -Name Get-WindowsAutoPilotInfo

This will download and install the script from the PowerShell Gallery. There will be several questions for which you will be required to provide answers: Yes, add the Scripts folder to your PATH. Yes, allow PowerShellGet to install and import the NuGet provider. Yes, you are sure you want to install the script from ‘PSGallery’.

3) Navigate to an empty directory where you can write a file (I’ll use c:\HID).

4) Type Get-WindowsAutoPilotInfo.ps1 -OutputFile c:\HID\hardwarehash.csv
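To see what the script is doing on your behalf (and to troubleshoot an empty or failed collection), here is an added example, not the article’s own steps and not the Get-WindowsAutoPilotInfo script itself, that performs the same three CIM queries by hand and writes a CSV with the header the Autopilot import expects. It assumes the c:\HID output path used above and an elevated console; the column names are the ones the portal requires.

```powershell
# Added example: collect the Autopilot hardware hash of the local machine
# without the gallery script, using the same WMI/CIM sources it reads.
# Run from an elevated PowerShell. If unsigned scripts are blocked, allow
# them for this session only first:
#   Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned

$OutputFile = 'C:\HID\hardwarehash.csv'   # path from the article

# 1. Serial number, read from the SMBIOS table via Win32_BIOS.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# 2. OEM (OA3x) product key from the firmware, if the OEM injected one.
#    This is frequently empty, hence the blank middle column in the
#    article's sample CSV.
$productKey = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey

# 3. The hardware hash itself, exposed by the MDM bridge WMI provider.
#    This namespace is only readable by administrators.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash = $devDetail.DeviceHardwareData

if ([string]::IsNullOrEmpty($hash)) {
    throw 'No hardware hash returned. Run this from an elevated PowerShell on the device itself.'
}

# Sanity check before shipping the file: the hash is a base64 blob, so a
# value that does not decode means something went wrong upstream.
try {
    $null = [Convert]::FromBase64String($hash)
} catch {
    Write-Warning 'DeviceHardwareData is not valid base64; the import will most likely fail.'
}

# Build the row with exactly the header names Intune expects.
$row = [pscustomobject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = $productKey
    'Hardware Hash'        = $hash
}

# ConvertTo-Csv quotes every field; the portal wants the unquoted form that
# the official script produces, so strip the quotes and write plain ASCII.
New-Item -ItemType Directory -Path (Split-Path $OutputFile) -Force | Out-Null
$row | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $OutputFile -Encoding ascii

"Wrote hash for serial $serial ($($hash.Length) characters) to $OutputFile"
```

If Win32_BIOS reports a placeholder serial such as “To be filled by O.E.M.”, the import will still succeed but the device will be hard to find in the portal later; in that case fix the serial with the OEM before registering rather than after.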

The reply will look like this:

(screenshot of the script’s console output)

Once you’ve got that hash file, you can look into it to see what it looks like… but it won’t be pretty. Here is the hash for my demo machine (with two characters changed so that you don’t try to take over my device):

Device Serial Number,Windows Product ID,Hardware Hash

8941-1366-6215-3505-2679-5528-51,,T0EUAgEAHAAAAAoAigNhSgAACgDEA2FK6782KOwCC…with a bunch more As.

So we have the file, but what do we do with it? Simple… Follow these steps to import your hash file into Autopilot:

  1. In your Microsoft Endpoint Manager portal, click Devices. In the Devices | Overview navigation bar, click Enroll devices.
  2. In the Enroll devices | Windows enrollment screen, click Devices.
  3. In the Windows Autopilot devices screen, click Import in the top menu.
  4. In the Add Windows Autopilot devices sidebar, navigate to your file.
  5. Verify that the formatting results show a green checkmark, and then click Import.

It will take a couple of minutes for the device to import, but when it does, you will see it listed.

So that is how we register a single device for Autopilot. If you have devices that are already domain joined, you can collect their hashes remotely from a single machine. The script accepts computer names from the pipeline (it binds the DNSHostName property that Get-ADComputer emits) and opens a CIM session to each one, so WinRM must be reachable on the targets and the credential you supply must be a local administrator on them. Run this in a PowerShell: Administrator console:

Install-Script -Name Get-WindowsAutoPilotInfo

Get-ADComputer -Filter * | Get-WindowsAutoPilotInfo.ps1 -OutputFile c:\HID\AllComputers.csv -Credential (Get-Credential Domainname\<accountname>)

As you can see, you do not have to do this one computer at a time. You can import dozens or hundreds of hashes in a single CSV file (the portal accepts up to 500 rows per file)… but that might be for another article.
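A one-liner over the whole domain falls over on the first powered-off PC and produces one file that may exceed the 500-row import limit. The following is an added example, not from the original post, of bulk collection that skips unreachable hosts, records why each one failed, and splits the result into import-sized files. It assumes Get-WindowsAutoPilotInfo has been installed with Install-Script, the ActiveDirectory RSAT module is present, WinRM is enabled on the targets, and the supplied account is a local administrator on them; the OU, paths and the 500-row limit are assumptions you should adjust to your environment.

```powershell
# Added example: bulk hardware-hash collection with per-host error handling,
# then splitting into CSV files small enough for the Autopilot import.

$Credential = Get-Credential -Message 'Account with local admin rights on the target PCs'
$SearchBase = 'OU=Workstations,DC=corp,DC=example'   # assumption: your workstation OU
$WorkDir    = 'C:\HID'
$Combined   = Join-Path $WorkDir 'AllComputers.csv'
$MaxRows    = 500                                    # per-file limit of the Intune import

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Remove-Item $Combined -ErrorAction SilentlyContinue

$failed  = @()
$targets = Get-ADComputer -Filter * -SearchBase $SearchBase |
    Select-Object -ExpandProperty DNSHostName

foreach ($name in $targets) {
    # A dead host would otherwise stall the run until the CIM session times
    # out, so probe WinRM first and skip it if nothing is listening.
    if (-not (Test-WSMan -ComputerName $name -ErrorAction SilentlyContinue)) {
        $failed += [pscustomobject]@{ Computer = $name; Reason = 'WinRM unreachable' }
        continue
    }
    try {
        # -Append lets the script add this host to the existing file instead
        # of overwriting it; -ErrorAction Stop turns its errors into catchable ones.
        Get-WindowsAutoPilotInfo.ps1 -Name $name -Credential $Credential `
            -OutputFile $Combined -Append -ErrorAction Stop
    } catch {
        $failed += [pscustomobject]@{ Computer = $name; Reason = $_.Exception.Message }
    }
}

# Split the combined file into chunks the portal will accept, repeating the
# header in each and stripping the quotes that ConvertTo-Csv adds.
if (Test-Path $Combined) {
    $rows  = @(Import-Csv $Combined)
    $chunk = 0
    for ($i = 0; $i -lt $rows.Count; $i += $MaxRows) {
        $chunk++
        $last = [Math]::Min($i + $MaxRows, $rows.Count) - 1
        $rows[$i..$last] | ConvertTo-Csv -NoTypeInformation |
            ForEach-Object { $_ -replace '"', '' } |
            Out-File (Join-Path $WorkDir "import-$chunk.csv") -Encoding ascii
    }
    "Collected $($rows.Count) hash(es) into $chunk import file(s) in $WorkDir"
}

# Keep the failure list: these are the machines you still have to visit.
$failed | Export-Csv (Join-Path $WorkDir 'failed.csv') -NoTypeInformation
"$($failed.Count) host(s) skipped or failed; see failed.csv"
```

The failed.csv list is worth keeping for the next run: a host that is unreachable today is usually a laptop that is off the network, not a broken one, so rerun the loop against that list rather than the whole OU.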

So we now know how to import devices into Autopilot. In the next few days, I will write up some of what you can do with it, and show you how to create Deployment Profiles to help customize the Windows Autopilot provisioning experience.

**Thanks to my colleague Leslie Falor for her help and suggestions with this article!
