Deploying Windows 10 with Intune Auto MDM Enrollment


Part 1:
Introduction
OK, so the brief is simple, in true “Challenge Anneka” fashion (without the pink jumpsuit and any lycra!)...
"Wouldn't it be great if a user receives a new laptop, they start it up and it is automatically configured in front of their eyes, with all their applications installed and email set up…”
N.B. This blog pre-supposes that you already have an Azure implementation and have licences for Microsoft Intune

Now in days of yore the first response of any decent IT tecchie (is it tecchie or techy?) would be to say “ok so we need an image”...

Apparently though the world has moved on, and Microsoft’s ethos is now that, since most new machines come with a preinstalled image of sorts, it is frankly daft to overwrite that with another one when all you really need to do is a bit of configuration and install some applications.
Software installation doesn’t really take that long anymore; it’s really the configuration and registration of these products that takes the time.

One of the big frustrations I have in this regard is that software vendors don’t approach things in the same way. You have products like Microsoft Office 365 which require a login to their cloud, with a licence assigned to that login. You have Adobe Acrobat, where for one version of the software the user needs an Adobe ID and password (which bear no relation to anything else, for example Active Directory) and for another version a licence key is all that is needed, and various other vendors do things in various other ways. Wouldn’t it be great if you could pull all this information together upfront and deploy it in a package, and better yet from "the cloud"?

Enter Microsoft Autopilot...
I’m not 100% sure what Microsoft’s final ambition is with their Autopilot technology, but what they say is basically what the brief of this project was: the “Challenge Anneka” statement at the top of the page!

So I’ve dug out my pink lycra, jumped in my beach buggy, let’s see where this takes us…..

Deploying Machines Using Autopilot

So according to Microsoft all of this is possible with Autopilot and an MDM like Intune, or its SME standalone equivalent, Windows Configuration Designer. It is also possible to link this to other MDM systems, but that hasn't been tested in this blog.

As with all things Microsoft related there are many combinations of ways of utilising their technology, and one way doesn’t preclude the use of another, which is great as it affords you the most flexibility.

For the purposes of this blog we will be walking through and using Autopilot with Intune, Microsoft’s cloud-based MDM solution.

Autopilot seems to have been designed for large computer vendors, who can harvest the information required to identify a device, disable a few things like the licence agreement and then pass the device off to Intune or another MDM to do the rest. It’s of course possible for IT techs to do this too, which is lucky, since that’s what I’m doing!

There are almost certainly plans to do more with Autopilot, as detailed in several publications, and Microsoft’s approach to its cloud-based product line in particular seems to be more evolutionary than you might find, understandably, with its non-cloud products.

This is great news for Microsoft as it means it can get its technology out much quicker, if at first limited, and then add enhancements as they become ready. Some might say it's been doing this for years with its operating systems, but that's a cheap shot and not one that'll get any air time in this blog!
It also allows the customer, us IT techs, to have a hand in the development process by having access to insider programs and the like.

New functionality for Autopilot is certainly on the cards; for example, http://www.poweronplatforms.com/windows-autopilot-new-era/ lists a few tantalising if vague areas of improvement / development.

“Support for traditional AD joining of devices
Assign a device to specific user for much friendlier and personal experience
Specify the computer (or host) name of Autopilot devices
Apply Multifactor Authentication for increased security and better identifying the end user
Fully automated device setup, aimed at frontline and kiosk devices”

So it’s far from a done deal when it comes to Autopilot; I think we can safely assume there will be some exciting developments ahead.

Currently though I have to admit the offering is a little underwhelming, with the “options” split into two groups.
The default non-options, which are already disabled (and can't be enabled), specify that:
  • The Cortana, OneDrive and any OEM registration pages of Windows Setup are skipped,
  • The machine is automatically set up with a workplace connection (well, when I say automatically, it prompts the user for it),
  • Some company branding can be used (though I've not actually got to the bottom of what that means).
The actual configurable options (and when I say configurable I mean you can turn them on or off) are:
  • Skip the privacy settings page,
  • Disable the creation of a local admin account,
  • Skip the EULA page of Windows Setup.
Once this minimal set of options is configured, Autopilot simply hands the machine off to the pre-configured MDM solution, which in our case is Intune.
The Rub
The rub with Autopilot is that in order to use it you have to harvest some information from the machine(s) you want to Autopilot: specifically, a serial number, which can usually be obtained from the outside of the box or printed on the device itself, but also a product ID and a hardware hash.
The latter two can’t be obtained unless you’re in a Windows operating system, as they come from running a couple of PowerShell commands, which means you have to set up the device you want to set up, gather the information and then reset the machine, which, forgive me, IS BONKERS!

What would be great would be some way of getting the information without having to set the machine up first. Luckily there is!

Obtaining Device Information with PowerShell using "Audit Mode"
You can get to this mode by first booting as normal and then, once you get to a setup screen, pressing Ctrl+Shift+F3. The machine will then reboot into audit (sysprep) mode.

From here you can run the following from an elevated PowerShell prompt;

Set-ExecutionPolicy Unrestricted
Save-Script -Name Get-WindowsAutoPilotInfo -Path <path>
Install-Script -Name Get-WindowsAutoPilotInfo
<path>\Get-WindowsAutoPilotInfo.ps1 -ComputerName <<computername>> -OutputFile <path>\MyComputer.csv -Append

Once you’ve harvested the information you end up with a CSV file in the following format;

Device Serial Number,Windows Product ID,Hardware Hash

<<device serial>>,<<windows product ID>>,<<Hardware Hash>>

Alternatively the Get-WindowsAutoPilotInfo.ps1 script could be saved to a USB stick using the first two commands above.
Then all you need is a self-elevating PowerShell script to gather all the information for you and output the CSV file to the stick, making it truly portable... Here's mine;
# Self-elevate the script if required
if (-Not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
    # Build 6000 and later (Vista onwards) support elevating through the UAC "Runas" verb
    if ([int](Get-CimInstance -Class Win32_OperatingSystem | Select-Object -ExpandProperty BuildNumber) -ge 6000) {
        # Re-launch this same script elevated, passing any arguments through, then exit the unelevated copy
        $CommandLine = "-File `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments
        Start-Process -FilePath PowerShell.exe -Verb Runas -ArgumentList $CommandLine
        Exit
    }
}
# Relax the execution policy so the downloaded script can run (this is machine-wide; -Scope Process would limit it to this session)
Set-ExecutionPolicy Unrestricted
# Install the harvesting script from the PowerShell Gallery (-Force skips the confirmation prompts)
Install-Script -Name Get-WindowsAutoPilotInfo -Force
# Harvest this machine's serial, product ID and hardware hash and append them to the CSV on the stick (E: here)
e:\Get-WindowsAutoPilotInfo.ps1 -ComputerName $env:COMPUTERNAME -OutputFile e:\Autopilotinfo.csv -Append
You do need to have copied the WindowsPowerShell folder from Windows\System32 to the stick too.
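Before the CSV goes anywhere near the Store for Business it is worth checking it, especially when several machines have been appended to the same file from a stick: a header that doesn't match the expected one gets the upload rejected, and running the script twice on one machine leaves a duplicate serial. The following is an added example (my own, not part of the Get-WindowsAutoPilotInfo script or anything from Microsoft) that validates the file against the format shown above; the function name Test-AutopilotCsv, the sample path and the sample rows are all constructed for illustration.

```powershell
# Added example: validate a harvested Autopilot CSV before uploading it.
# Test-AutopilotCsv is a name chosen for this example, not a built-in or Gallery cmdlet.
function Test-AutopilotCsv {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    $expectedHeader = 'Device Serial Number,Windows Product ID,Hardware Hash'

    # The first line must be exactly the header the Store for Business expects
    $lines = Get-Content -Path $Path
    if (-not $lines -or $lines[0].Trim() -ne $expectedHeader) {
        throw "Unexpected header in ${Path}; expected: $expectedHeader"
    }

    $rows     = @(Import-Csv -Path $Path)
    $problems = @()
    $seen     = @{}      # serial number -> line it was first seen on
    $line     = 1        # line 1 is the header

    foreach ($row in $rows) {
        $line++
        $serial = $row.'Device Serial Number'.Trim()
        $hash   = $row.'Hardware Hash'.Trim()

        # Serial must be present and unique (appending twice from one machine duplicates it)
        if (-not $serial) {
            $problems += "line $($line): empty serial number"
        } elseif ($seen.ContainsKey($serial)) {
            $problems += "line $($line): duplicate serial $serial (first seen on line $($seen[$serial]))"
        } else {
            $seen[$serial] = $line
        }

        # Hardware hash must be present and must be valid base64, which is how the script emits it
        if (-not $hash) {
            $problems += "line $($line): empty hardware hash"
        } elseif ($hash -notmatch '^[A-Za-z0-9+/]+={0,2}$') {
            $problems += "line $($line): hardware hash contains characters that are not base64"
        } else {
            try { [void][Convert]::FromBase64String($hash) }
            catch { $problems += "line $($line): hardware hash does not decode as base64" }
        }
    }

    [pscustomobject]@{ Path = $Path; Devices = $rows.Count; Problems = $problems }
}

# Constructed sample for a dry run; a real hardware hash is several kilobytes of base64.
# Row 2 duplicates row 1's serial and row 3 has an empty serial and a non-base64 hash.
$sample = Join-Path $env:TEMP 'autopilot-sample.csv'
@'
Device Serial Number,Windows Product ID,Hardware Hash
SN0001,00330-00000-00000-AA000,VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZQ==
SN0001,00330-00000-00000-AA000,VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZQ==
,00330-00000-00000-AA000,not-base64!
'@ | Set-Content -Path $sample

$result = Test-AutopilotCsv -Path $sample
$result.Problems | ForEach-Object { Write-Warning $_ }
if ($result.Problems.Count -eq 0) {
    "OK: $($result.Devices) device(s) ready to upload from $($result.Path)"
} else {
    "Fix the $($result.Problems.Count) problem(s) above before uploading $($result.Path)"
}
```

Point it at the real file on the stick (e.g. Test-AutopilotCsv -Path e:\Autopilotinfo.csv) once the dry run looks right; the function only reads the file, so it is safe to run against the live CSV. The Windows Product ID column is deliberately not checked, as the Store accepts it in more than one form.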
Uploading Autopilot device information to Windows Store for Business
I'm assuming of course that you already have a Windows Store for Business / Education account.
Once you've got your CSV file with all your devices in it, you then upload it to your Windows Store for Business.
To do this navigate a web browser to https://businessstore.microsoft.com/en-gb/store
From the home page click on the Manage option, select Devices from the left hand side, then click 'Add Devices'. From here select the CSV file you created and, if the format is correct, your machines are added to the Devices list.

In order for anything to work, though, you have to create an Autopilot deployment profile and assign it to each / all the machines in the list, but to be honest there aren’t a whole lot of options in here anyway, as discussed previously.
Creating an Autopilot Profile
To create a profile, you simply click the Autopilot deployment option and select 'Create New Profile' from the drop-down. Give the profile a name and then click Create (you can turn off the optional items if you like).


Once that’s done you then have to assign it to the devices.
To do this put a tick / check in the box next to each machine you want to assign the profile to, then click the Autopilot deployment option and this time click the "Apply <<profile name>>" option.
That's basically it! Now the devices can be rebooted from Audit mode using the Sysprep dialog box and Windows Setup can then proceed. The user is prompted for some initial keyboard and language information and then prompted for their Microsoft / workplace username and password. Once that is entered, Autopilot identifies and authenticates the device, joins it to Azure AD and enrols it in Intune, where the configuration and app deployment magic can happen.
