Enrolling a Windows device
We now have everything in place and can enroll our first Windows device into Intune using Autopilot. This recipe will run through the different options for adding the hardware hash into Autopilot and then provisioning a new machine.
Getting ready
For this recipe, you will need a Windows machine capable of running Windows 11. This can be a virtual machine (VM), which is what we will be using, but it must have a Trusted Platform Module (TPM) enabled to pass the prerequisites for Windows 11. The machine will be wiped during the process, so please ensure there is no data on it.
To add devices, you will also need the Get-WindowsAutoPilotInfo PowerShell script: https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo.
Once you have a machine ready, follow the steps to build it.
How to do it…
The first thing we need to do is add the device to the Autopilot service. We have a few options available for this.
Requesting from your hardware vendor
You can speak to your hardware supplier and ask them to add your devices to your tenant (you will need to provide them with the appropriate permissions).
JSON injection within the operating system
Another option is to inject the JSON directly into an ISO with which to build devices (known as offline enrollment). To do this, follow these steps:
- Install and import the WindowsAutopilotIntune module:
Install-Module WindowsAutopilotIntune
Import-Module WindowsAutopilotIntune
- Then, run the following command to output the JSON (watch for the encoding – it is important):
Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Set-Content -Encoding Ascii "c:\temp\AutopilotConfigurationFile.json"
- Then, you need to add this JSON file to your build image in the c:\windows\provisioning\autopilot\ path.
You can also use a tool such as OSD Cloud to do this for you: https://www.osdcloud.com/.
If you go down the offline route, you will also need to amend the dynamic rule on your Autopilot devices to the following:
(device.devicePhysicalIDs -any (_ -contains "[ZTDid]")) -or (device.enrollmentProfileName -eq "PROFILENAME")
Here, PROFILENAME is from your JSON export.
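The encoding warning in the steps above can be checked before the file goes into the build image. This is an added example, not code from the book or from the WindowsAutopilotIntune module; Test-AutopilotJsonFile, the temporary file names, and the sample JSON are constructed for illustration.

```powershell
# Added example. Test-AutopilotJsonFile is a hypothetical helper, not a module cmdlet.
function Test-AutopilotJsonFile {
    param([Parameter(Mandatory)][string]$Path)

    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $problems = @()

    if ($bytes.Length -eq 0) { $problems += 'file is empty' }

    # A byte-order mark means the file was not written as plain ASCII.
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems += 'UTF-8 byte-order mark present'
    }
    elseif ($bytes.Length -ge 2 -and (($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) -or
                                     ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF))) {
        $problems += 'UTF-16 byte-order mark present'
    }

    # Plain ASCII has no NUL bytes and nothing above 0x7F.
    $nonAscii = @($bytes | Where-Object { $_ -eq 0 -or $_ -gt 0x7F })
    if ($nonAscii.Count -gt 0) { $problems += "$($nonAscii.Count) NUL or non-ASCII bytes" }

    # Only parse once the bytes are known to be clean ASCII.
    $keys = @()
    if ($problems.Count -eq 0) {
        try {
            $json = [System.Text.Encoding]::ASCII.GetString($bytes) | ConvertFrom-Json -ErrorAction Stop
            $keys = @($json.PSObject.Properties.Name)
        }
        catch { $problems += 'content does not parse as JSON' }
    }

    [pscustomobject]@{ Path = $Path; Valid = ($problems.Count -eq 0); Problems = $problems; Keys = $keys }
}

# Constructed stand-in for a profile export, written twice with different encodings.
$sample = '{"SampleKey":"constructed value, not a real profile export"}'
$good   = Join-Path ([System.IO.Path]::GetTempPath()) 'AutopilotSample.ascii.json'
$bad    = Join-Path ([System.IO.Path]::GetTempPath()) 'AutopilotSample.utf16.json'
$sample | Set-Content -Encoding Ascii   -Path $good
$sample | Set-Content -Encoding Unicode -Path $bad

# Compare the two results: the Unicode copy is flagged, the Ascii copy is not.
Test-AutopilotJsonFile -Path $good | Format-List
Test-AutopilotJsonFile -Path $bad  | Format-List
```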
This covers using JSON injection to provision your devices. Now, we can look at further options.
CSV import
For existing devices, you can grab the hardware hash from the machines, export it to a CSV file, and then import that into Autopilot:
- On your devices, run this command:
Get-WindowsAutoPilotInfo.ps1 -OutputFile c:\mydevice.csv
- Once you have your CSV, navigate to Devices, then Enrollment. Select Windows and then click on Devices.
- Click on Import.
- Select your CSV and click Import.
This covers exporting a CSV from your device and importing it directly into the console as a further provisioning option.
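Before importing, a CSV collected from several machines can be checked for damaged or duplicated rows. This is an added example, not code from the book or from the Get-WindowsAutoPilotInfo script; Test-AutopilotCsv is a hypothetical helper, the sample rows are constructed, and the column names are assumed to match what Get-WindowsAutoPilotInfo writes.

```powershell
# Added example. Test-AutopilotCsv is a hypothetical helper.
function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)

    # Column names assumed to match the CSV written by Get-WindowsAutoPilotInfo.
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows     = @(Import-Csv -Path $Path)
    $issues   = @()

    if ($rows.Count -eq 0) { $issues += 'no device rows found' }
    else {
        $columns = $rows[0].PSObject.Properties.Name
        foreach ($name in $required) {
            if ($columns -notcontains $name) { $issues += "missing column '$name'" }
        }
    }

    if ($issues.Count -eq 0) {
        $line = 1   # line 1 is the header row
        foreach ($row in $rows) {
            $line++
            $serial = $row.'Device Serial Number'
            $hash   = $row.'Hardware Hash'
            if ([string]::IsNullOrWhiteSpace($serial)) { $issues += "line ${line}: empty serial number" }
            if ([string]::IsNullOrWhiteSpace($hash))   { $issues += "line ${line}: empty hardware hash" }
            else {
                # The hash is a Base64 blob; truncation or copy/paste damage breaks decoding.
                try   { $null = [Convert]::FromBase64String($hash) }
                catch { $issues += "line ${line}: hardware hash is not valid Base64" }
            }
        }
        # The same serial listed twice usually means two exports were merged carelessly.
        $dupes = $rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1
        foreach ($d in $dupes) { $issues += "serial '$($d.Name)' appears $($d.Count) times" }
    }

    [pscustomobject]@{ Path = $Path; Devices = $rows.Count; Ready = ($issues.Count -eq 0); Issues = $issues }
}

# Constructed sample: one duplicated serial and one damaged hash (not real device data).
$csv = Join-Path ([System.IO.Path]::GetTempPath()) 'mydevice-sample.csv'
@(
    'Device Serial Number,Windows Product ID,Hardware Hash'
    'SAMPLE-0001,,Q29uc3RydWN0ZWQgc2FtcGxlIGhhc2g='
    'SAMPLE-0001,,Q29uc3RydWN0ZWQgc2FtcGxlIGhhc2g='
    'SAMPLE-0002,,not*base64'
) | Set-Content -Encoding Ascii -Path $csv
(Test-AutopilotCsv -Path $csv).Issues
```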
Online enrollment
The other option is to skip the CSV output and import directly on the device. This can be on a current machine or during OOBE:
- Launch an elevated Command Prompt (Shift + F10 during OOBE).
- Set the script execution policy:
Set-ExecutionPolicy Unrestricted
- Install the script:
Install-script get-windowsautopilotinfo
- Run the script with the -online parameter:
get-windowsautopilotinfo.ps1 -online
It will install some additional modules before prompting for credentials. Enter them into the standard Microsoft Online sign-in screen and click Next.
- Consent to the permissions (you will need appropriate permissions within Azure/Entra to configure application registrations) and click Accept.
The script will now grab and import your device details:
Figure 4.10 – Enrollment complete
After enrolling our devices into the tenant, let us learn how to build the Windows operating system and configure it.
Building the device
This recipe will run through how we can build the devices we have enrolled into Autopilot using our configured ESP and settings:
- In the portal, you should see your device under Devices | Enroll Devices | Devices with the profile set to Assigned.
We can now continue with the build.
- If you ran the previous command during OOBE, within the PowerShell window, type the following:
C:\windows\system32\sysprep\sysprep.exe
Keep the default values and click OK:
Figure 4.11 – System preparation
If you enrolled with another method, you need to rebuild the device from a Windows ISO.
- Your machine should detect that it has been enrolled in Autopilot and take you to a Microsoft 365 login screen. Enter your user details and click Next. Enter your password and click Sign in.
You may briefly see a screen that says Please wait while we set up your device.
At this point, the ESP we configured earlier will run:
Figure 4.12 – ESP screen
- Once completed, as we have previously configured Windows Hello, you will be prompted to configure it. Click OK.
After completion, you will be sent to the desktop, where you will see that your previous OneDrive policy has worked and that the app has automatically signed in:
Figure 4.13 – Windows 11 start screen
Congratulations – you have configured and enrolled your first Windows device into Intune and Autopilot!
There’s more…
As mentioned earlier, a device can also be pre-provisioned, which pre-installs any device-targeted apps as well as applies any policies at the device level. This can be useful for quicker deployments where some larger apps are required, or for users on lower bandwidth connections.
It is worth remembering that if you pre-provision a device and an application is updated, it will update itself when the user logs in, so keep an eye on how long devices are left before being deployed.
Important note
This requires TPM attestation, so it cannot be tested on a virtual machine.
Follow these steps to pre-provision a device:
- To pre-provision a machine, after adding it to Autopilot, on the login screen, press the Windows key five times; this will take you to the following screen. Click Pre-provision with Windows Autopilot and then Next:
Figure 4.14 – The pre-provision menu
The device will check for updates.
- When you are presented with the following screen, click Next:
Figure 4.15 – Pre-provision check
You will now see the same ESP screen as before.
- Once you have done this, click Reseal:
Figure 4.16 – Reseal
With that, we have enrolled our first device into Autopilot and also learned how to use pre-provisioning to pre-configure devices for our users.