Automate enrollment of Windows 10 and Windows 11 devices using Windows Autopilot
Though MDM provides various bulk enrollment methods, it is still a cumbersome task for administrators or device users to manually activate each device before it can be used. Windows Autopilot lets you configure the initial (out-of-box) device setup and skip all or some of its steps, effectively making it the Windows equivalent of the Apple Device Enrollment Program.
In the on-premises Windows Autopilot configuration, the end user can add a domain in the Appid Uri field only if that domain is verified in the Azure environment. Refer here to know more.
Prerequisites
- Windows Azure Enrollment must be configured.
- Windows endpoints to be managed must be running Windows 10 version 1703 (Creators Update) or later, or Windows 11.
Steps for configuring Windows Autopilot
- Step #1: Create an AutoPilot profile
- Step #2: Obtain device details for AutoPilot deployment
- Step #3: Upload device details and associate profile
- Step #3.1(Optional): Branding the device activation screen
- Step #4: Assign users to enrolled devices
Step #1: Create an AutoPilot profile
The first step is to create an AutoPilot profile, which will later be associated with the devices. To create the profile, follow the steps given below:
- Go to this link and log in if needed. Alternatively, go to Microsoft Store for Business, click Manage on the top menu and select Devices. Click AutoPilot deployment and select Create new profile.
- Provide a name for the profile. The following settings are enforced by default and cannot be changed in the profile:
- Skip Cortana, OneDrive and OEM registration setup
- Skip Work or school setup
- Sign-in experience with company brand
Step #2: Obtain device details
You need to obtain the device details that are uploaded in Step #3. Resellers usually supply this data with the hardware; if you want to collect it yourself, proceed as explained below:
- Download the zip file given here on a Windows machine and extract its contents.
- Open Command Prompt as an Administrator in the extracted folder and run the following script, supplying values for the parameters described in the table below. The script can obtain device details only from machines that are in the same domain as the machine it runs on.

| Parameter | Description |
|---|---|
| common-username | The user name of the IT administrator account that exists on all of the target machines. |
| password | The password of that IT administrator account. |
| machineName1,machineName2,... | Comma-separated names of the machines you want to manage using MDM. |
| outputFileName | Name of the file in which the device/machine details are to be saved. |

powershell -ExecutionPolicy bypass .\Get-DeviceDetails.ps1 -username <common-username> -password <password> -hostNameList <machineName1,machineName2,...> -outputFile <outputFileName>

Note that the password is passed in clear text on the command line, so it is visible in process listings and is recorded in the shell history; run the script from a dedicated administrative session and clear the history afterwards.
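The following script is an added example of how the device details for Step #2 can be collected with PowerShell remoting; it is not the vendor's Get-DeviceDetails.ps1 and does not reproduce its internals. It assumes WinRM is enabled on the target machines, that the supplied account is a local administrator on each of them, and that the host names resolve from the machine running it. The script name, parameter names and the CSV column names (Device Serial Number, Windows Product ID, Hardware Hash) are assumptions; the hardware hash is read from the MDM_DevDetail_Ext01 CIM class, and the credential is prompted for rather than taken on the command line.

```powershell
# Added example, not the MDM vendor's Get-DeviceDetails.ps1: collect Windows Autopilot
# device details (serial number and hardware hash) from a list of domain-joined machines
# over PowerShell remoting and write them to a CSV.
# Assumptions: WinRM is enabled on the targets, the supplied account is a local
# administrator on each of them, and the host names resolve from this machine.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string[]] $HostNameList,
    [Parameter(Mandatory)] [string]   $OutputFile
)

# Prompt for the credential instead of accepting a -password argument, which would be
# visible in process listings and recorded in the shell history.
$cred = Get-Credential -Message 'Administrator account present on all target machines'

# Runs on each target. MDM_DevDetail_Ext01.DeviceHardwareData is the hardware hash
# that Autopilot registration expects; the Windows Product ID column is optional.
$collect = {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $dev  = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
                -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    [pscustomobject]@{
        'Device Serial Number' = $bios.SerialNumber
        'Windows Product ID'   = ''
        'Hardware Hash'        = $dev.DeviceHardwareData
    }
}

$rows = foreach ($hostName in $HostNameList) {
    try {
        Invoke-Command -ComputerName $hostName -Credential $cred -ScriptBlock $collect -ErrorAction Stop |
            Select-Object 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    }
    catch {
        # Unreachable or unauthorised hosts are reported and skipped, not silently dropped.
        Write-Warning "Skipping ${hostName}: $($_.Exception.Message)"
    }
}

if (-not $rows) { throw 'No device details were collected; nothing written.' }

# The Autopilot device-list CSV does not accept quoted fields, so the quotes that
# ConvertTo-Csv adds are stripped. Serial numbers and base64 hashes contain no commas.
$rows | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Set-Content -Path $OutputFile -Encoding ASCII

Write-Host "Wrote $(@($rows).Count) device record(s) to $OutputFile"
```

Save it as, for example, Get-AutopilotDeviceDetails.ps1 (a hypothetical name) and run `powershell -ExecutionPolicy Bypass .\Get-AutopilotDeviceDetails.ps1 -HostNameList pc01,pc02 -OutputFile devices.csv`; the resulting file is the device list uploaded in Step #3.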
Step #3: Upload device details
The next step is to upload the device details and associate the profile created in Step #1. To do that, follow the steps given below:
- Click the Add devices link and upload the CSV file containing the device details obtained in Step #2.
- Once uploaded, you are prompted to name the uploaded device list before proceeding with device addition. You can verify that the devices have been added by clicking Refresh my list.
- After the devices are added, you can associate the profile with all of the devices or only selected devices using the checkbox(es) provided.
- After selecting the devices, click the AutoPilot deployment link and select the profile created.
- On successful association, the profile name is listed under the Profile column.
Step #3.1 (Optional): Branding the device activation screen
In addition to skipping the initial setup screens, you can optionally personalize the device activation screens to display the organization name and/or logo. To do that, follow the steps given below:
- Go to this link and log in if needed. Alternatively, go to the Azure portal, click Azure Active Directory and select Company Branding. Click Configure, as shown in the image below.
- Configure details such as the organization logo and the background color of the sign-in screen, then click Save. You can also configure the sign-in screen for additional languages by clicking the New Language option shown when Company Branding is selected.
- You can also display the organization name on the sign-in screen. To do that, go to this link, or navigate to Azure Active Directory and select Properties. Enter the organization name under Name so that it is displayed on the sign-in screen, then click Save.
Step #4: Assign Users
Devices can either be enrolled by the users themselves, or enrolled by the administrator and then assigned to the corresponding user. In either case you must assign users to the enrolled devices to complete enrollment. You can also add the devices to multiple groups to automate the distribution of apps, profiles and documents to them. To do that, follow the steps given below:
- On the MDM server, click Enrollment on the top menu and select Windows Azure Enrollment (AutoPilot) from the left pane.
- All devices enrolled via Azure enrollment that have not yet been assigned users are listed here.
- You can assign users device by device by clicking the Assign User option under Action. If the users enrolled the device themselves, select Same User for the Assign to option; if it was enrolled by the administrator, select New User. You can also assign users in bulk by clicking the Assign Users button above the table and uploading a CSV file that follows the specification given here.
Sample CSV Format
- The fields Serial Number, User Name, Email Address and Group Name are mandatory; all other fields are optional. Ensure that the specified group name has already been created on the MDM server. If a value is not provided for an optional field, its default value is used.
- The default values for the optional fields are:
Domain Name -- MDM
Owned By -- Corporate
- If multiple groups are specified, the group names must be separated with a slash (/).
- The first line of the CSV is the column header; the columns can be in any order.
- A blank column value is left empty between its commas.
- If a column value contains a comma, it must be enclosed in double quotes.
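The script below is an added example, not the MDM vendor's code, that builds a user-assignment CSV following the rules listed above: mandatory fields are checked, multiple groups are joined with a slash, optional columns are left blank so the server defaults apply, and values containing a comma are quoted. The serial numbers, user names, addresses and group names are constructed sample data, and the output file name is an assumption; the group names are assumed to already exist on the MDM server.

```powershell
# Added example (not from the MDM vendor): build the bulk user-assignment CSV
# according to the rules on this page. All device, user and group values below are
# constructed sample data; the groups are assumed to exist on the MDM server already.
$assignments = @(
    @{ Serial = 'ABC123'; User = 'jdoe';     Email = 'jdoe@example.com';   Groups = @('Sales', 'Laptops') }
    @{ Serial = 'DEF456'; User = 'asmith';   Email = 'asmith@example.com'; Groups = @('Finance'); Domain = 'CORP'; OwnedBy = 'Corporate' }
    @{ Serial = 'GHI789'; User = 'Lee, Kim'; Email = 'klee@example.com';   Groups = @('Field') }   # value containing a comma
)

# Quote a field only when it contains a comma or a quote, doubling embedded quotes (RFC 4180).
function ConvertTo-CsvField {
    param([AllowEmptyString()][string] $Value)
    if ($Value -match '[,"]') { return '"' + ($Value -replace '"', '""') + '"' }
    return $Value
}

function New-AssignmentLine {
    param([hashtable] $A)
    # Serial Number, User Name, Email Address and Group Name are mandatory.
    foreach ($k in 'Serial', 'User', 'Email', 'Groups') {
        if (-not $A[$k]) { throw "Missing mandatory field '$k' for serial '$($A.Serial)'" }
    }
    # Optional columns stay blank unless a value was supplied, so the server applies
    # its defaults (Domain Name = MDM, Owned By = Corporate).
    $fields = @(
        $A.Serial,
        $A.User,
        $A.Email,
        ($A.Groups -join '/'),      # multiple groups are separated by a slash
        [string]$A.Domain,
        [string]$A.OwnedBy
    )
    return ($fields | ForEach-Object { ConvertTo-CsvField $_ }) -join ','
}

# The first line is the column header; column order is not significant to the server.
$header = 'Serial Number,User Name,Email Address,Group Name,Domain Name,Owned By'
$lines  = @($header) + ($assignments | ForEach-Object { New-AssignmentLine $_ })
$lines | Set-Content -Path .\assign-users.csv -Encoding UTF8
$lines   # echo the generated rows for review before uploading
```

With the sample data, the second row carries explicit Domain Name and Owned By values, the first and third leave both blank (two trailing commas, so the defaults apply), the first row joins its two groups as Sales/Laptops, and the third row's user name is emitted as "Lee, Kim" because it contains a comma.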
Click here to learn more about the ports required for managing mobile devices.
What happens on the device?
During device activation, the user configures Wi-Fi, region and keyboard settings, after which the device shows the following screen:
The device then restarts and the user is prompted for Azure AD credentials. Once signed in, the device is enrolled with MDM, after which users are assigned to the enrolled devices as explained in Step #4.