This article provides an overview of Microsoft Intune and Windows Autopilot for modern device deployment.

Introduction

Deploying new Windows devices to an organization has traditionally been a time-consuming and labor-intensive process. IT administrators often spend hours setting up each machine, installing necessary software, and configuring settings. Microsoft Windows Autopilot, in conjunction with Microsoft Intune, revolutionizes this process by enabling a cloud-first, zero-touch deployment experience.

This powerful combination allows organizations to ship devices directly to end-users, who can then complete the setup with minimal IT intervention. This document explores the core concepts, benefits, and integration strategies of using Intune with Windows Autopilot.

What is Windows Autopilot?

Windows Autopilot is a collection of technologies used to set up new Windows devices in an enterprise environment. It simplifies the deployment and management of Windows devices by automating the setup process. Instead of IT manually configuring each device, Autopilot leverages cloud-based services to deliver a personalized device experience right out of the box.

Key characteristics include:

  • Zero-Touch Deployment: Devices arrive ready for users to power on and connect to the internet.
  • Cloud-Managed: Configuration and policy deployment are managed through cloud services like Intune.
  • User-Centric: End-users can complete the setup process using their organizational credentials.
  • Windows as a Service: Fits seamlessly into the modern Windows lifecycle.

Benefits of Autopilot

Adopting Windows Autopilot offers significant advantages for IT departments and end-users alike:

  • Reduced IT Overhead: Dramatically cuts down on the time and resources required for device setup and imaging.
  • Faster Deployment: New devices can be provisioned and ready for use in a fraction of the time.
  • Improved User Experience: End-users receive a personalized, out-of-the-box experience without IT involvement for initial setup.
  • Enhanced Security: Devices can be immediately enrolled in security policies and compliance checks, reducing the window of vulnerability.
  • Scalability: Easily scales to deploy hundreds or thousands of devices without a proportional increase in IT effort.
  • Simplified Device Refresh: Autopilot Reset and other features make refreshing devices much more efficient.

Integrating Autopilot with Intune

Microsoft Intune, a cloud-based service for mobile device management (MDM) and mobile application management (MAM), is the primary management platform for Windows Autopilot deployments. Intune plays a crucial role in defining the deployment profiles, policies, and applications that will be applied to devices during the Autopilot setup.

The integration allows you to:

  • Assign Autopilot Deployment Profiles: Control the user experience during setup, such as whether to show or hide privacy settings, require specific authentication methods, or enroll in Kiosk mode.
  • Deploy Configuration Policies: Apply security settings, Wi-Fi profiles, VPN configurations, and other device configurations.
  • Deploy Applications: Automatically install essential line-of-business and Microsoft Store apps.
  • Enforce Compliance Policies: Ensure devices meet organizational security standards before being fully provisioned.

Prerequisites for Integration:

  • An active Microsoft Intune subscription.
  • Windows 10 version 1703 or later installed on devices.
  • Internet connectivity for devices.
  • Devices registered with Windows Autopilot.

Key Autopilot Deployment Modes

Windows Autopilot supports several deployment scenarios, each tailored to different organizational needs. These modes are configured within Intune.

User-Driven Autopilot

This is the most common scenario. The end-user receives the device, powers it on, connects to a network, and signs in with their Azure AD credentials. Autopilot then takes over to configure the device according to the assigned profile.

User Experience: Similar to a traditional setup but with cloud-driven configuration.

Autopilot Reset

Allows IT to quickly reset and redeploy devices that are already in use, returning them to a known, corporate state. This is ideal for device refreshes or when preparing a device for a new user.

User Experience: The device is reset and configured with the original profile.

Pre-Provisioned Autopilot

This mode lets IT prepare devices before they are shipped to end-users. A technician or IT staff member performs the device-specific part of the setup and configuration; the remaining user-specific part then completes automatically once the end-user signs in. This is useful for devices that require pre-installed applications or specific configurations before reaching the user.

User Experience: The device is almost fully configured, requiring only the end-user to sign in.

Autopilot Self-Deploying Mode

This is the most automated mode, designed for dedicated devices (e.g., digital signage, shared kiosks). The device boots up, connects to the network, and automatically enrolls and configures itself without any user interaction.

User Experience: Zero user interaction required. The device appears with the assigned profile applied.

Intune Configuration Steps

Setting up Windows Autopilot with Intune involves several key steps:

  1. Register Devices: Obtain hardware hashes from devices and upload them to the Windows Autopilot deployment service. This can be done by the OEM, reseller, or manually.
  2. Create an Autopilot Deployment Profile: In the Intune portal, create a profile that defines the user experience, privacy settings, device name, enrollment type, and other configurations.
  3. Assign the Profile: Assign the created Autopilot deployment profile to user groups or device groups.
  4. Configure Enrollment Status Page (ESP): The ESP provides visibility into the device provisioning process. Configure it to show or hide app and policy installation status, and define actions if installation fails.
  5. Create Configuration and Compliance Policies: Define settings, security configurations, and compliance rules that will be enforced on enrolled devices.
  6. Deploy Applications: Select and assign applications that should be installed during the Autopilot provisioning.
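The registration step above starts with collecting each device's hardware hash. The following PowerShell is an added example (not code from the original article or from Microsoft's own Get-WindowsAutoPilotInfo script) that reads the hash from the local device, writes it in the CSV layout the Intune Autopilot import expects, and checks the file before upload. It assumes an elevated PowerShell session on the target device; the output path and group tag are placeholders.

```powershell
# Added example: collect the local device's Autopilot hardware hash and write the
# import CSV. Assumptions: run as administrator on the device; $outputFile and
# $groupTag are placeholders to replace with your own values.

$outputFile = "C:\Temp\AutopilotHash.csv"   # placeholder path
$groupTag   = "NewHires"                    # placeholder group tag (optional column)

# The MDM bridge exposes the hardware hash through this CIM class (needs elevation).
$devDetail = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" `
    -ClassName "MDM_DevDetail_Ext01" `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$hash   = $devDetail.DeviceHardwareData

# "Windows Product ID" is optional for the import; leave it empty rather than guessing.
$row = [PSCustomObject]@{
    "Device Serial Number" = $serial
    "Windows Product ID"   = ""
    "Hardware Hash"        = $hash
    "Group Tag"            = $groupTag
}
# The import expects the exact header names above and no surrounding quotes,
# so strip the quotes that ConvertTo-Csv adds.
$row | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $outputFile -Encoding ascii

# Pre-upload checks: an empty serial, a duplicate serial, or a hash that is not
# valid base64 will make the Intune import reject the file.
function Test-AutopilotCsv {
    param([string]$Path)
    $rows = Import-Csv -Path $Path
    if (-not $rows) { return $false }
    $seen = @{}
    foreach ($r in $rows) {
        $s = $r."Device Serial Number"
        if ([string]::IsNullOrWhiteSpace($s) -or $seen.ContainsKey($s)) { return $false }
        $seen[$s] = $true
        try { [void][Convert]::FromBase64String($r."Hardware Hash") } catch { return $false }
    }
    return $true
}

Test-AutopilotCsv -Path $outputFile
```

Treat the resulting CSV as sensitive: it is what registers the device into your tenant, so store it with the same care as other enrollment credentials and delete it after the upload.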

A visual representation of the Autopilot flow:

[Figure: Windows Autopilot Deployment Flow Diagram, illustrating device registration, profile assignment, user sign-in, and Intune policy application.]

Device Enrollment Manager (DEM) Role

For scenarios where more than 50 devices need to be enrolled per user (which is the default limit for Azure AD user enrollment), the Device Enrollment Manager (DEM) role can be utilized. A DEM account can enroll an unlimited number of devices. This account is assigned to a user in Azure AD, and that user then logs into the device during the Autopilot provisioning process to enroll it.

Considerations for DEM:

  • DEM accounts are typically service accounts and should be secured appropriately.
  • They should not be assigned any specific user licenses beyond what's needed for enrollment.
  • This role is often used in conjunction with the Pre-Provisioned Autopilot mode for mass device preparation.

Real-World Scenario

Imagine a company, "Innovate Solutions," onboarding 100 new employees. Instead of IT spending days imaging and configuring laptops, they do the following:

  1. Device Procurement: Innovate Solutions orders laptops from a vendor that supports Windows Autopilot.
  2. Hardware Hash Collection: The vendor or Innovate Solutions' IT team collects the hardware hashes of each laptop.
  3. Autopilot Registration: These hashes are uploaded to the Windows Autopilot service.
  4. Intune Configuration: IT creates an Autopilot Deployment Profile in Intune that specifies:
    • The device name format.
    • To hide privacy settings.
    • To automatically join the device to Azure AD (Azure AD Joined).
    • To skip the local admin password page.
  5. Profile Assignment: The profile is assigned to the "New Hires" Azure AD group.
  6. App & Policy Deployment: Essential apps (e.g., Microsoft 365, Slack) and security policies are configured in Intune and assigned to the "New Hires" group.
  7. Device Shipment: Laptops are shipped directly to the new employees' homes.
  8. End-User Experience: Upon receiving the laptop, the new employee powers it on, connects to Wi-Fi, and signs in with their company credentials. The device automatically enrolls in Intune, applies all policies, and installs necessary applications, ready for productive work within minutes.

This process transforms what was once a significant IT burden into a seamless experience for both IT and the end-user.

Conclusion

Microsoft Intune and Windows Autopilot represent a powerful partnership for modern device management. By embracing this cloud-native approach, organizations can achieve significant efficiencies in device deployment, reduce IT workload, and provide an exceptional user experience. The ability to deliver a pre-configured, secure, and personalized device experience straight out of the box is a game-changer for businesses of all sizes.

As Windows continues to evolve with a "Windows as a Service" model, Autopilot and Intune are fundamental to leveraging these advancements effectively, ensuring that devices are always up-to-date, secure, and ready for the demands of today's workforce.