biggest capabilities is that you can ship a Windows 10 device directly to an end user and, as soon as it is powered on, it shows the user a customised login screen during OOBE requesting their credentials. Once they authenticate successfully, the device is joined to Azure AD, automatically enrolled into Workspace ONE, and all of the user’s apps and configurations are installed automatically.
There are a few steps to getting this configured, and the obvious assumption here is that you have already integrated Microsoft Azure AD with VMware Workspace ONE. I won’t be going into detail about how to integrate Workspace ONE UEM and Azure AD to enable the general OOBE capabilities, as this is already well documented. Below I will cover the steps and requirements to configure Autopilot and how to assign Autopilot profiles to a device to get the best outcome for your end users.
- The devices need access to the internet.
- The devices need to have Windows 10 Professional, Enterprise or Education – version 1703 or later.
- Azure AD Premium P1 or P2.
- Azure AD integrated with Workspace ONE UEM or other MDM (boo).
- Users must have permission to join devices to Azure AD
- Check this in your Azure Portal at Azure Active Directory -> Devices -> Device Settings and allow everyone, no-one or a specific group. You can also configure adding other administrator accounts to device during Azure AD join here as well.
- Install the Get-WindowsAutoPilotInfo script by opening a PowerShell session as an administrator.
- Run the install command Install-Script -Name Get-WindowsAutoPilotInfo
- If we look at the .ps1 file from the gallery site above we can see the parameters we need to output to a file. Because we’re only running this against the local VM we don’t need any more parameters. The script can also be run remotely using Group Policy or WMI. To get the current device info:
Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\temp\win10vm.csv
- We now have a file we can upload to the Microsoft 365 Portal.
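The collection steps above, as an added example (not the post’s own script): install Get-WindowsAutoPilotInfo once, collect the hardware hash for several devices into one CSV via the script’s -Name parameter, and sanity-check the file before uploading it. The computer names and output path are placeholders, and the column names are taken from the script’s documented CSV output.

```powershell
#Requires -RunAsAdministrator
# Added example: gather Autopilot hardware hashes for several devices and
# validate the CSV before it is uploaded to the Microsoft 365 portal.
# Assumes PSGallery access and WMI/WinRM admin access to the remote devices.

$ComputerNames = @('WIN10-VM01', 'WIN10-VM02')      # placeholder names
$OutputFile    = 'C:\temp\autopilot-devices.csv'    # placeholder path

# Install the gallery script only if it is not already present.
if (-not (Get-InstalledScript -Name Get-WindowsAutoPilotInfo -ErrorAction SilentlyContinue)) {
    Install-Script -Name Get-WindowsAutoPilotInfo -Force
}

New-Item -ItemType Directory -Path (Split-Path $OutputFile) -Force | Out-Null

# -Name takes one or more computer names; the script reads the hash over WMI.
Get-WindowsAutoPilotInfo.ps1 -Name $ComputerNames -OutputFile $OutputFile

# Validate before upload: the portal expects these columns, rejects rows with
# an empty hash, and a duplicate serial usually means a VM was captured twice.
$rows     = @(Import-Csv -Path $OutputFile)
$required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$present  = $rows[0].PSObject.Properties.Name
$missing  = $required | Where-Object { $_ -notin $present }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

$empty = $rows | Where-Object { [string]::IsNullOrWhiteSpace($_.'Hardware Hash') }
if ($empty) { throw "Empty hardware hash for: $($empty.'Device Serial Number' -join ', ')" }

$dupes = $rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate serial number(s): $($dupes.Name -join ', ')" }

Write-Host "$($rows.Count) device(s) ready for upload in $OutputFile"
```

Running the script against remote names needs the same elevated rights the post describes for the local VM; the checks are there so a bad row is caught on your side rather than as a failed import in the portal.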
- In the same devices area, select Autopilot Deployment and Create New Profile
- Select the settings you want in the Profile:
- Skip privacy settings accepts the default settings on behalf of the users.
- Disabling local admin will not create any local admins on the device. Be careful as in my testing if my enrolled user wasn’t an admin I ended up with a device I had no permissions on!
- Skip EULA also accepts on the end user’s behalf.
- Select Create and you now have an Autopilot profile.
- The last thing we need to do is assign this Autopilot profile to one of your devices in the Console. Select your device in the list and then in the Autopilot Deployment dropdown apply your newly created profile.
This is as simple as opening a Command Prompt (as an administrator) and running sysprep using the commands:
- Skipping multiple steps that require end-user interaction.
- Microsoft Autopilot enforcing Azure AD join (notice there’s no option for a user to choose whether it’s a Work or School device?).
- Customised Sign-In experience with company information.
- Automated Enrollment into Workspace ONE UEM.
- Workspace ONE UEM enforcing Windows Hello.
- Workspace ONE UEM deploying multiple user and device profiles (Windows 10 Configuration Service Providers) to remotely configure and manage the device.
- Workspace ONE UEM automatically deploying and configuring Native Win32 Apps and Microsoft Store Apps over-the-air.