In this blog post we will see how to perform Autopilot for Windows 11 devices. It is applicable to any new device that is only Azure AD joined. When we talk about Windows 11, there are certain pre-requisites that we need to complete first.
Since I will be using Hyper-V, I have to complete these pre-reqs manually; if you have a new physical device, you may not need to do this. A quick check is enough.
Windows 11 Pre-requisites
1. The number of virtual processors should be at least 2. I am using 4 for my Hyper-V VM.
2. Memory should be at least 4 GB. I am using around 8 GB.
3. Your device should have the TPM enabled. This is very important for Windows 11 devices.
Once all of the above pre-reqs are set, prepare your Windows 11 Hyper-V VM.
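The three pre-requisites above can be set and read back from the Hyper-V host in one pass. This is an added example, not part of the original walkthrough; the VM name is a placeholder, and the VM is assumed to be Generation 2 and powered off.

```powershell
# Added example: run in an elevated PowerShell session on the Hyper-V host.
$VMName = 'Win11-Autopilot'   # hypothetical VM name, replace with your own

$vm = Get-VM -Name $VMName -ErrorAction Stop
if ($vm.Generation -ne 2) { throw "$VMName is Generation $($vm.Generation); a virtual TPM needs Generation 2." }
if ($vm.State -ne 'Off')  { throw "Shut down $VMName before changing CPU, memory or TPM settings." }

# Values used in this post: 4 virtual processors and 8 GB of memory.
Set-VMProcessor -VMName $VMName -Count 4
Set-VMMemory    -VMName $VMName -StartupBytes 8GB

# Enabling the virtual TPM requires a key protector; skip this if the TPM is already enabled.
if (-not (Get-VMSecurity -VMName $VMName).TpmEnabled) {
    Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
    Enable-VMTPM       -VMName $VMName
}

# Read the settings back and compare them with the three minimums listed above.
$cpu = (Get-VMProcessor -VMName $VMName).Count
$mem = (Get-VMMemory    -VMName $VMName).Startup
$tpm = (Get-VMSecurity  -VMName $VMName).TpmEnabled

$report = [pscustomobject]@{
    VM           = $VMName
    Processors   = $cpu
    MemoryGB     = [math]::Round($mem / 1GB, 1)
    TpmEnabled   = $tpm
    MeetsMinimum = ($cpu -ge 2) -and ($mem -ge 4GB) -and $tpm
}
$report | Format-List

if (-not $report.MeetsMinimum) {
    Write-Warning "$VMName does not meet the Windows 11 minimums yet."
}
```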
But before moving on to setting up Windows 11 for Autopilot, let's also make sure we have all the pre-reqs set for Windows Autopilot.
Pre-requisites for Windows Autopilot.
1. In the Intune portal, go to Devices > Windows > Windows Enrollment > Automatic Enrollment and make sure everything is set properly, like below:
2. Next, move on to Devices > Windows > Windows Enrollment > Windows Autopilot Deployment Program > Deployment Profiles. Make sure you have an Autopilot Deployment profile created. I have a very simple one created like below:
3. Create a Dynamic group to which you want all your apps, policies and configurations for Autopilot devices to be deployed. I have created one with the ZTD ID. You can create one to suit your own requirements, for example with the Group tag that was used when importing devices with the Hardware Hash.
The query I am using for the group is:
(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))
NOTE: Here we will be importing hardware hash online without csv so I am just trying to keep things simple.
4. The next one is optional, but I would like to go with it: create one default Enrollment Status Page. Go to Devices > Windows > Windows Enrollment > Enrollment Status Page.
I have very simple settings for test purposes; you might want proper standard settings in your Production environment.
5. Have a user with the Intune Administrator role who will upload the Hardware Hash, and also assign an Intune E3/E5 license to the user who will enroll the device in Intune.
Apart from the above settings, if you have any particular security apps, baselines or configuration profiles such as BitLocker, you may want to deploy them to the Windows Autopilot group we created earlier. With that, I think we are all set and ready to prepare our Windows 11 Hyper-V VM.
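The dynamic group from step 3 can also be created with Microsoft Graph PowerShell, which keeps the membership rule in a script that can be reviewed. This is an added example, not part of the original walkthrough; the group name, mail nickname and group tag are placeholders, and the Microsoft.Graph.Groups module is assumed to be installed.

```powershell
# Added example: requires the Microsoft.Graph.Groups module and an account allowed to create groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$GroupName = 'Autopilot Devices'   # hypothetical display name
$GroupTag  = ''                    # hypothetical; set a tag to scope the group to tagged devices only

if ($GroupTag) {
    # Narrower rule: only Autopilot devices imported with this group tag.
    $rule = "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$GroupTag`"))"
} else {
    # Rule used in this post: every device registered with Autopilot.
    $rule = '(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))'
}

# Do not create a second group with the same name; report the existing rule instead.
$existing = Get-MgGroup -Filter "displayName eq '$GroupName'" -Property Id, DisplayName, MembershipRule
if ($existing) {
    Write-Warning "Group '$GroupName' already exists with rule: $($existing.MembershipRule)"
    $group = $existing
} else {
    $params = @{
        DisplayName                   = $GroupName
        MailNickname                  = 'autopilot-devices'   # hypothetical, required by the API
        MailEnabled                   = $false
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $rule
        MembershipRuleProcessingState = 'On'
    }
    $group = New-MgGroup @params
}

# Dynamic membership is evaluated in the background, so this list can be empty at first.
Get-MgGroupMember -GroupId $group.Id -All | Select-Object Id
```

Everything assigned to this group reaches every device the rule matches, so the rule text is worth reviewing like any other policy scope.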
In this blog I am skipping all the basic steps that you need to go through to create a Hyper-V VM. I feel we are all aware of these, and even if you are not, you just need to follow the instructions.
Make sure you have a proper internet connection and that the above pre-requisites are all set.
When we boot up and start the Hyper-V VM, it goes through the basic steps of setting up Windows, and we wait until the below step completes.
Registering the Windows 11 to Autopilot Service
Once the Windows installation is completed, it takes some time to set up and then we have the OOBE screen in front of us.
When we have this screen, press Shift+F10 (Shift + Fn + F10) on Hyper-V to bring up the command prompt.
From the command prompt, we will enter PowerShell, where we will execute the commands to import the Hardware Hash to Intune.
The commands to run here, one by one, are as follows. The execution policy changes they make apply only to this PowerShell session:
PowerShell.exe -ExecutionPolicy Bypass
Install-Script -name Get-WindowsAutopilotInfo -Force
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Get-WindowsAutopilotInfo -Online
Once you have entered the above commands, it will ask for your Intune Administrator ID. Enter it to register the device to the Autopilot service.
After you enter your credentials, you can see that your company logo appears in the password entry dialog box. Enter your password here.
Then, if your organisation has enabled MFA, approve the sign-in using the Authenticator app.
Then let's wait for the import to proceed and complete.
When it is completed, you will find the below screen in your PowerShell. Note the serial number of the device here:
Let's cross-verify it within the Intune console: go to Endpoint Manager Devices > Windows > Windows Enrollment > Windows Autopilot Deployment Program > Windows Autopilot Devices.
We can see that the device is now successfully registered to Windows Autopilot. Let's now proceed with the OOBE and End-User Experience.
Windows 11 OOBE and End-User Experience
We will have to close the command prompt now and proceed with OOBE. Type Exit and hit Enter until you exit the command prompt screen.
Select your country and press Yes.
Select your keyboard and then press Yes.
Windows will start checking for updates.
Enter the credentials of the user to whom you have assigned the Intune license.
On the password entry dialog page you see your organisation logo, proving that you are on the right track.
Once the above steps are done and you have clicked on Sign in, the device will start to configure.
You will see the Enrollment Status Page like below:
Once these settings are completed, you will notice a small green tick below each,
and then you will be presented with the next screen for Privacy settings. Click on Next and then Accept to move ahead.
Windows will check for any updates again and then move ahead.
That’s it, the Autopilot process is complete now. You will be presented with a Welcome message, and then some time will be taken to complete the basic setup for your login.
Since I have this Configuration Profile deployed for Interactive Logon Screen message for User, I was able to see this message before login.
Then I tried to login using my company credentials.
Note: After this I noticed that the ESP page reappeared and it was waiting for a few things to be completed. What I did to fix it was change this simple setting under ESP; it is set to Yes by default:
When I changed the above settings to No, Desktop was presented to me:
Now we need to verify a few things. Let's go to Settings and check the Work and School account as well as the device serial number.
Looks all good, let's find the device in Intune now.
That proves that we have successfully completed the Windows 11 Autopilot.
Now, what happens if something goes sideways and you need to troubleshoot?
If you see something like the above screen, you need to expand it and see where exactly the Autopilot process failed. There could be different reasons. Things will become clearer when you click and check the MDM diagnostics log.
You also get a link to export these logs, which will be helpful to find out where exactly the failure occurred. Unfortunately, I don’t have the screenshot from my end for these, but I think that’s a pretty easy process.
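The same diagnostics can be collected from the Shift+F10 prompt used earlier, which helps when the export link on the status page is not reachable. This is an added example, not part of the original walkthrough; the output folder is a placeholder, and the tool and event log names are the standard Windows ones.

```powershell
# Added example: run in PowerShell from the Shift+F10 prompt on the device that failed.
$OutDir = 'C:\Temp\AutopilotDiag'   # hypothetical output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Export the Autopilot and TPM diagnostic areas into a single cab file.
$cab = Join-Path $OutDir "$env:COMPUTERNAME-autopilot.cab"
& mdmdiagnosticstool.exe -area 'Autopilot;TPM' -cab $cab

# Pull recent critical, error and warning events from the Autopilot and MDM enrollment logs.
$logs = @(
    'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot',
    'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
)
$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3 } `
                 -MaxEvents 25 -ErrorAction SilentlyContinue
}

# Keep only the first line of each message so the failing step is easy to spot.
$summary = $events | Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, LevelDisplayName, LogName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }

$summary | Format-Table -AutoSize -Wrap
$summary | Export-Csv -Path (Join-Path $OutDir 'autopilot-events.csv') -NoTypeInformation

Write-Host "Diagnostics written to $OutDir"
```

The cab file contains device identifiers and enrollment details, so store and share it like any other sensitive support data.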
Ok, so that’s all from my end this time. I Will Be Back…😎with some new content and new things. Cheers🍻
This was very helpful and time saving...worked perfectly. Thank you.