What is Windows Autopilot
Windows Autopilot is a collection of technologies for setting up and pre-configuring new Windows devices so they are ready for productive use as soon as the user signs in. It can provision both Windows PCs and HoloLens 2 devices.
Prerequisites
The following are requirements for running the Windows Autopilot Device Testing Lab in Azure.
- Valid Azure subscription (Pay-as-you-go, Visual Studio Enterprise, CSP etc.)
- M365 tenant with a valid Intune license to use the Windows Autopilot functionality
- Azure subscription Owner or Contributor access
- M365 tenant Global Administrator access (the Intune Administrator role is enough for the Intune steps in this lab; Global Administrator is only needed to grant consents)
Azure Requirements
- The host operating system (the Azure VM) must be Windows Server 2016 or later
- Deploy a Dv3 or Ev3 series (or later) Windows Server VM in Azure; these sizes support nested virtualization
- The Azure host VM should have enough CPU and memory to run the guest VMs alongside the host
Creating Azure VM
Open https://portal.azure.com/ and search for Virtual Machines.
On the Virtual machines page (Home > Virtual Machines), click Create to create a virtual machine.
The VM creation page contains multiple tabs, and each tab contains a couple of sections.
- First, select the subscription where the virtual machine should live.
- Next, select a resource group or create a new one.
- Provide a name for the virtual machine.
- Select the region where the virtual machine should be deployed.
- Availability options: select No infrastructure redundancy required, because this is not a critical server.
- Security type: select Standard. The vTPM our guest VM needs is provided by Hyper-V on this host, not by the Azure security type, and Standard is the type to use for a nested Hyper-V host.
- Select a Windows VM image; here the Windows Server 2022 Datacenter Azure Edition image is used.
- Select the machine size; here D8s_v3 is used.
- Since multiple guest VMs will run on the Azure host, a Premium SSD disk is recommended. We are therefore using Premium SSD; the rest of the settings on the Disks tab can stay at their defaults.
Click Next.
- Now add the virtual network and subnet where the VM will reside.
- You can create a virtual network by clicking Create new or proceed with the current selection; in our case we are proceeding with the current selection.
- Delete public IP and NIC when VM is deleted is an optional selection.
- Before leaving the Networking tab, restrict the inbound RDP (TCP 3389) rule to your own public IP address instead of Any, or plan to connect through Azure Bastion. A VM with RDP open to the whole internet is scanned and brute-forced continuously.
The rest of the settings can be left at their defaults.
Deployment progress is shown on screen.
- Once the VM is ready, access it with an RDP client as described below.
- Copy the public IP address from the VM overview page.
- Open the RDP client and paste the public IP, or click the Connect button on the VM overview page.
Enter the credentials and click Connect; you are now logged in to the VM.
Install Hyper-V Role:
Once logged in, install the Hyper-V role using the Server Manager console.
Open Server Manager and click Add roles and features.
Click Next.
For Installation Type, select Role-based or feature-based installation.
Select the server and click Next.
Select the Hyper-V role.
Click Add Features so that all the features required by the Hyper-V role are installed.
Click Next, keep all remaining settings at their defaults, and proceed with the installation of the Hyper-V role. The server reboots at the end of the installation.
After the Hyper-V installation reboot, RDP into the Azure VM again and open PowerShell as an administrator. First install the DHCP Server role, which will hand out IP addresses to the guest VMs on the internal NAT network (no reboot is needed for this role):
Install-WindowsFeature -Name DHCP -IncludeManagementTools
Then run the commands below to configure the Hyper-V network:
$switchName = "InternalNAT"
New-VMSwitch -Name $switchName -SwitchType Internal
New-NetNat -Name $switchName -InternalIPInterfaceAddressPrefix "192.168.0.0/24"
$ifIndex = (Get-NetAdapter -Name "vEthernet ($switchName)").ifIndex
New-NetIPAddress -IPAddress 192.168.0.1 -InterfaceIndex $ifIndex -PrefixLength 24
The commands above create a Hyper-V internal switch, a NAT rule for 192.168.0.0/24 and the gateway address on the host side of that switch. Make sure all commands ran without errors before continuing.
Now create the DHCP scope for the NAT network and set its gateway and DNS options. The address range below is a lab choice; any range inside 192.168.0.0/24 that excludes the gateway 192.168.0.1 works:
Add-DhcpServerv4Scope -Name $switchName -StartRange 192.168.0.10 -EndRange 192.168.0.254 -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -Router 192.168.0.1 -DnsServer 168.63.129.16
Restart-Service dhcpserver
The commands above create the DHCP scope for the Hyper-V NAT network, assign the gateway and the DNS server for that scope (168.63.129.16 is the Azure-provided DNS resolver, reachable from the host), and restart the DHCP service so the new scope is active.
Create VM in Azure Host VM
Open Hyper-V Manager, choose New > Virtual Machine, and on the Before You Begin page of the New Virtual Machine Wizard click Next.
On the Specify Name and Location page, type the new virtual machine's name in the Name box. In this example, the VM name is Windows 11.
If you need to change the location for the new VM, check Store the virtual machine in a different location, then browse or enter the path in the Location box. If the folder path you specify does not exist, the wizard will create it.
On the Specify Generation page, select Generation 2. Generation 2 supports only 64-bit guest operating systems and uses UEFI-based firmware, which is what Secure Boot and the virtual TPM require; Windows 11 setup needs both, and the vTPM is used later by Windows Hello in this lab.
On the Assign Memory page, specify how much memory to assign the VM.
On the Configure Networking page, select the network adapter you would like to attach to this VM.
Next, on the Connect Virtual Hard Disk page, you have the option to:
- Create a virtual hard disk – This option creates a new virtual hard disk (VHD) and lets you customize the name, location, and size. The new VHD will be empty, and you will have to install an operating system afterwards.
- Use an existing virtual hard disk – This option lets you choose an existing VHD (if you have one) that you want to be attached to the VM instead of creating a new one.
- Attach a virtual hard disk later – Choose this option if you want to skip this step and continue creating the VM without a VHD. You can still create a new or attach an existing VHD after you’ve created the VM.
Finally, on the Completing the New Virtual Machine Wizard page, review the new VM’s settings and click Finish
Now, with the VM still turned off, open the settings of the VM we created and change the vCPU count.
Here we are adding 3 vCPUs. Under Security, also make sure Enable Secure Boot and Enable Trusted Platform Module are checked, since Windows 11 setup requires both and the Autopilot sign-in later in this lab uses the vTPM.
Start the VM and install Windows 11 from the ISO. Once the OS installation is completed, we will do the Autopilot provisioning on this test VM.
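The same guest can be created without clicking through the wizard. The script below is an added example, not code from the original article: it creates the Generation 2 VM on the Hyper-V host with 3 vCPUs, Secure Boot and a virtual TPM, attaches it to the InternalNAT switch from the networking step and boots it from an installation ISO. The VM name, storage path, memory sizes and ISO path are assumptions for this lab.

```powershell
# Added example (not from the original article): create the Windows 11 lab guest
# with Hyper-V PowerShell, equivalent to the wizard and settings steps above.
# Run in an elevated PowerShell on the Azure Hyper-V host.
$vmName  = 'Windows 11'            # assumed, matches the name used in the wizard
$vmPath  = 'C:\HyperV'             # assumed storage location for config and VHDX
$isoPath = 'C:\ISO\Win11.iso'      # assumed: Windows 11 ISO already copied to the host
$switch  = 'InternalNAT'           # the internal switch created in the networking step

# Generation 2 is required for UEFI, Secure Boot and the virtual TPM
New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 4GB `
       -NewVHDPath (Join-Path $vmPath "$vmName.vhdx") -NewVHDSizeBytes 80GB `
       -Path $vmPath -SwitchName $switch | Out-Null

# 3 vCPUs as in the settings step; dynamic memory so several guests fit on the host.
# Automatic checkpoints are disabled: a checkpoint taken before Autopilot enrolment
# and restored afterwards would leave a stale device identity in the tenant.
Set-VM -Name $vmName -ProcessorCount 3 -DynamicMemory `
       -MemoryMinimumBytes 2GB -MemoryMaximumBytes 8GB `
       -AutomaticCheckpointsEnabled $false

# Secure Boot with the Windows template (Windows 11 setup refuses to run without it)
Set-VMFirmware -VMName $vmName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'

# The vTPM state is encrypted with a key protector; on a standalone host a local
# key protector is sufficient. Enable-VMTPM fails without one.
Set-VMKeyProtector -VMName $vmName -NewLocalKeyProtector
Enable-VMTPM -VMName $vmName

# Attach the ISO and make it the first boot device
Add-VMDvdDrive -VMName $vmName -Path $isoPath
$dvd = Get-VMDvdDrive -VMName $vmName
Set-VMFirmware -VMName $vmName -FirstBootDevice $dvd

Start-VM -Name $vmName

# Quick confirmation of the settings that matter for this lab
Get-VM -Name $vmName | Select-Object Name, State, Generation, ProcessorCount
Get-VMFirmware -VMName $vmName | Select-Object SecureBoot, SecureBootTemplate
Get-VMSecurity -VMName $vmName | Select-Object TpmEnabled
```

The final three commands should report State Running, Generation 2, ProcessorCount 3, SecureBoot On and TpmEnabled True; if TpmEnabled is False, the key protector step did not run on this host.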
Creating Windows Autopilot Dynamic Device Group
Now let's create a device group and assign the Windows Autopilot deployment profile to that group.
- Open https://Intune.microsoft.com
- Select Groups, then New group.
- In New Group, configure the following properties: Group type: select Security.
- Group name and Group description: enter a name and description for your group.
- Microsoft Entra roles can be assigned to the group: select No, Microsoft Entra roles aren't assigned to this group.
- Membership type: choose how devices become members of this group. Select Dynamic Device.
Dynamic device members: select Add dynamic query > Add expression.
Create rules using Autopilot device attributes. Autopilot devices that meet these rules are automatically added to the group.
When creating expressions:
To create a group that includes all of your Autopilot devices, enter:
(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))
If you want the group to contain only devices imported with a particular Group Tag (for example to keep lab VMs apart from production hardware), use the tag instead of the ZTDid marker:
(device.devicePhysicalIds -any (_ -eq "[OrderID]:AutopilotLab"))
Save your expressions. Select Create.
Create Windows Autopilot deployment profiles.
Open https://Intune.microsoft.com and choose Devices > Windows > Windows enrollment > Deployment Profiles > Create Profile > Windows PC.
On the Basics page, type a Name and an optional Description.
To ensure that all devices in the assigned groups are automatically registered to Autopilot, set Convert all targeted devices to Autopilot to Yes.
Corporate-owned devices in the assigned groups that are not already registered with Autopilot will be registered with the Autopilot deployment service. Personally owned devices are not registered.
Allow 48 hours for the registration process to complete. If a device is unenrolled and reset, Autopilot will re-enroll it.
Note that Convert all targeted devices to Autopilot does not change existing Microsoft Entra hybrid joined devices in the assigned group(s) into Microsoft Entra joined devices. The setting only registers the devices in the assigned group(s) with the Autopilot service.
Select Next.
On the Out-of-box experience (OOBE) page, for Deployment mode, choose one of these two options:
User-driven: Devices with this profile are associated with the user enrolling the device. User credentials are required to enroll the device.
Self-deploying: Devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to enroll the device. When a device has no user associated with it, user-based compliance policies don't apply to it. When self-deploying mode is used, only compliance policies targeting the device are applied.
Configure the following options:
Microsoft Software License Terms: Choose whether or not to show the EULA to users.
Privacy settings: Choose whether or not to show privacy settings to users.
Language (Region): Choose the language to use for the device. This option is available in all deployment modes.
Automatically configure keyboard: If a Language (Region) is selected, choose Yes to skip the keyboard selection page. This option is available in all deployment modes.
Note: Language and keyboard settings require Ethernet connectivity. Wi-Fi connectivity isn't supported, because the user would have to choose a language, locale and keyboard before being able to make that Wi-Fi connection.
Apply device name template (requires Microsoft Entra join type): Choose Yes to create a template used to name the device during enrollment. In our case we use LAB-PC%RAND:3%, which produces names such as LAB-PC123 (the template must stay within the 15-character limit).
Select Next and select the Autopilot LAB Device Dynamic group which we created earlier.
Review the Settings and Select Create.
Importing LAB VM Device Hash to Windows Autopilot
In our case Windows 11 is already installed on the device and it is sitting at the OOBE screen.
While OOBE is running, press Shift+F10 to open a command prompt and upload the hardware hash with the following commands, in this order (the TLS line must run inside PowerShell, after it has been started):
PowerShell.exe -ExecutionPolicy Bypass
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Script -Name Get-WindowsAutopilotInfo -Force
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Get-WindowsAutopilotInfo -Online
You're prompted to sign in. An account with the Intune Administrator role is sufficient, or you can use a Global Admin account as well. The first time the script is used in a tenant it asks for consent to the Microsoft Graph permissions it needs, which requires an account allowed to grant that consent.
Once authentication is successful, the device hash is uploaded to Intune.
After you confirm the details of the uploaded device hash, run a sync in the Intune portal: select Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program) > Sync. Wait until the device appears in the device list with Profile status showing Assigned; only then does restarting the device make OOBE run through the Windows Autopilot provisioning process. Rebooting before the profile is assigned simply produces a normal OOBE.
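The online upload above needs an admin sign-in from inside the guest's OOBE. When that is not possible, or when several lab VMs should be imported together with a Group Tag, the hash can be written to a CSV and uploaded from the Intune portal instead (Devices > Windows > Windows enrollment > Devices > Import). The script below is an added example, not code from the original article; the output path and Group Tag value are assumptions, and the CSV column names are the ones Get-WindowsAutopilotInfo itself writes.

```powershell
# Added example (not from the original article): export the hardware hash to a CSV
# with a Group Tag, and check the file before uploading it through the Intune portal.
# Run from the Shift+F10 command prompt during OOBE, after "PowerShell.exe -ExecutionPolicy Bypass".
$outFile  = 'D:\AutopilotHashes\LabVMs.csv'   # assumed: D: is a removable drive attached to the VM
$groupTag = 'AutopilotLab'                    # assumed tag; match it in the dynamic group rule

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
if (-not (Get-InstalledScript -Name Get-WindowsAutopilotInfo -ErrorAction SilentlyContinue)) {
    Install-Script -Name Get-WindowsAutopilotInfo -Force
}
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null

# -Append lets every lab VM add its own row to one file; the portal accepts a multi-row import
Get-WindowsAutopilotInfo -OutputFile $outFile -GroupTag $groupTag -Append

# Sanity check before upload: the portal rejects files that do not carry these columns
$rows     = Import-Csv -Path $outFile
$required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash', 'Group Tag'
$missing  = $required | Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
if ($missing) { throw "CSV is missing columns: $($missing -join ', ')" }

# Hyper-V guests get a serial from the host; a blank one means the hash will not import
$rows | Where-Object { -not $_.'Device Serial Number' } |
    ForEach-Object { Write-Warning "Row with empty serial number found; remove it before upload" }

$rows | Select-Object 'Device Serial Number', 'Group Tag',
    @{ n = 'HashLength'; e = { $_.'Hardware Hash'.Length } }
```

The hardware hash is a long base64 string (several thousand characters); a very short HashLength means the collection ran without the required WMI access. Treat the CSV as sensitive: whoever can import it can register those devices into the tenant.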
Optionally, we assign a user account to this device in the Autopilot devices list.
Ready to go! After the reboot, the lab VM shows the Autopilot sign-in page branded for our tenant.
We enter the user account password and choose Sign in. Windows Autopilot now applies the profile. Because we enabled the virtual TPM for this device, we are also asked to complete the Windows Hello setup; we configure the PIN option, since biometrics are not supported in VMs.
All set, we are now successfully logged in to our lab VM.
Finally, confirm that the device name template was applied as expected (the computer name should look like LAB-PC followed by three digits).
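Rather than checking the computer name by eye, the state of the provisioned guest can be verified in one go. The function below is an added example, not part of the original article: it checks the name against the LAB-PC%RAND:3% template, reads the Entra join and MDM enrollment state from dsregcmd, confirms the vTPM is visible to the guest, and reads the Autopilot profile that was cached during OOBE. The registry path used for the cached profile is the one the Autopilot diagnostics tooling reads and is an assumption here; the check is skipped gracefully if it is absent.

```powershell
# Added example (not from the original article): post-provisioning checks to run
# inside the lab guest after the first sign-in, in an elevated PowerShell.
function Test-AutopilotLabDevice {
    param(
        # Matches the device name template LAB-PC%RAND:3% used in the deployment profile
        [string]$NamePattern = '^LAB-PC\d{3}$'
    )

    $results = [ordered]@{}

    # 1. Device name produced by the template
    $results.ComputerName        = $env:COMPUTERNAME
    $results.NameMatchesTemplate = $env:COMPUTERNAME -match $NamePattern

    # 2. Join state: dsregcmd is the authoritative view of the Entra join and MDM enrollment.
    #    -match on the output array returns the matching lines; an empty result casts to $false.
    $dsreg = dsregcmd /status
    $results.AzureAdJoined = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
    $results.MdmEnrolled   = [bool]($dsreg -match 'MdmUrl\s*:\s*https://')

    # 3. vTPM visible to the guest (Windows Hello for Business keys are bound to it)
    $tpm = Get-Tpm
    $results.TpmPresentAndReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # 4. Autopilot profile cached during OOBE (assumed registry path used by Autopilot diagnostics)
    $apKey = 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
    $ap = Get-ItemProperty -Path $apKey -ErrorAction SilentlyContinue
    $results.ProfileTenantDomain = $ap.CloudAssignedTenantDomain
    $results.ProfileCached       = $null -ne $ap.CloudAssignedTenantDomain

    $results.AllChecksPassed = $results.NameMatchesTemplate -and $results.AzureAdJoined -and
                               $results.MdmEnrolled -and $results.TpmPresentAndReady

    [pscustomobject]$results
}

Test-AutopilotLabDevice
```

A device that shows AzureAdJoined True but NameMatchesTemplate False was typically joined through a normal OOBE before the profile was assigned; delete it from Entra and Intune, reset the VM and rerun the sync before booting again.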
Conclusion:
To test Windows Autopilot without physical hardware, consider using an Azure VM with Nested Virtualization to create a lab environment and test all the capabilities of Windows Autopilot and Intune.