Uploaded by Mohamed Laïchour


Windows Autopilot
Thursday, March 26, 2020
2:33 PM
- Adding devices to Windows Autopilot
○ Before using autopilot, devices must be registred with the service
 OEM registration
□ Device is registred by the manufacturer before being delivered to the
organization. In order to do so, permissions must be granted by the Azure AD
global administrator of the organization
□ Process
a) OEM emails link to their customer.
b) Customer with global administrator privileges in Microsoft Store for
Business (MSfB) clicks the link once they receive it from the OEM
c) Customer selects the Yes checkbox, followed by the Accept button
 Reseller
□ Resellers can register devices as long as they are part of the CSP program
□ Same process as OEM registration applies
○ Automatic registration of existing devices
 Devices enrolled in MDM can be automatically registred with autopilot
 In the existing devices scenario, pre-registration will not be required
○ Manual registration
 Hardware ID must be captured and uploaded to autopilot service
 Since it requires booting into windows 10, it is used only for testing
○ Collecting hardware IDs
 Sccm
□ Hardware IDs can be retrieved using a report
 Hardware general -> Windows Autopilot Device Information
 Export the report to a csv file
□ Csv header should contain serial number, Windows product ID, hardware hash,
group tag, and assigned user
 Powershell
□ a PowerShell script called Get-WindowsAutoPilotInfo.ps1 has been published to
the PowerShell Gallery website.
□ To install the script from powershell, run
md c:\\HWID
Set-Location c:\\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
□ The script can be run remotely as long as wmi traffic is allowed
□ Devices should not connect to internet before capturing ID, otherwise a blank
profile will be applied and will require restarting into oobe
○ Uploading hardware IDs
 Can be uploaded with different means
 With an API, doesn't support profile assignment
□ Intune (recommended)
a) In the Microsoft Endpoint Manager admin center, choose Devices >
Windows > Windows enrollment > Devices (under Windows Autopilot
Deployment Program > Import.
b) Under Add Windows Autopilot devices, browse to a CSV file listing the
devices that you want to add.
c) Choose Import
Modern Desktop Administrator Page 1
c) Choose Import
d) After import is complete, choose Devices > Windows > Windows
enrollment > Devices (under Windows Autopilot Deployment Program >
□ Partner center (for csp)
a) Select Customers from the Partner Center menu and then select the
customer whose devices you want to manage.
b) On the customer's detail page, select Devices.
c) Under Apply profiles to devices select Add devices.
d) Enter a name for the device list and then select Browse to upload the
customer's list (in .csv file format) to Partner Center.
e) Upload the .csv file and then select Save.
□ Microsoft 365 Business & Office 365 Admin. (for smb)
a) Go to the admin center at https://admin.microsoft.com.
b) On the left navigation pane, choose Devices > AutoPilot.
c) On the AutoPilot page, click or tap Start guide.
d) On the Upload .csv file with list of devices page, browse to a location
where you have the prepared .CSV file
e) On the Assign a profile page, you can either pick an existing profile or
create a new one.
f) Choose Next.
g) Choose Close.
□ Microsoft Store for Business. (if already used for apps and settings)
a) Sign in to Microsoft Store for Business or Microsoft Store for Education.
b) Click Manage, and then click Devices.
c) Click Add devices, navigate to the *.csv file and select it.
d) Type a name for a new Autopilot deployment group, or choose one from
the list, and then click Add.
- Creating profiles
○ Intune
In the Microsoft Endpoint Manager admin center,
choose Devices > Windows > Windows enrollment > Deployment Profiles > Create
□ Basics
 Name
 Description
 Convert all targeted devices to autopilot yes/no (All corporate owned,
non-Autopilot devices in assigned groups will register with the Autopilot
deployment service.)
□ Out-of-box experience
 Deployment mode user-driven/self-deploying
 Join azure AD as (choose azure ad joined)
 EULA show/hide
 Privacy settings show/hide
 Hide change account options show/hide
 User account type administrator/standard
 Allow white glove oobe yes/no
 Apply device name template yes/no
 Language (region) -> only available on self-deployment mode
Automatically configure keyboard -> only available on self-deployment
Modern Desktop Administrator Page 2
 Automatically configure keyboard -> only available on self-deployment
□ Scope tags: optional, used for RBAC in intune
□ Assignments
 Assign to : choose "selected groups"
 Add groups to include and exclude
□ Review + create : click create
○ Profile settings
 Skip Cortana, OneDrive and OEM registration setup pages
 Automatically setup for work or school
 Sign in experience with company branding
 Skip privacy settings
 Disable local admin account creation on the device (user settings up device will be a
local admin)
 Skip End User License Agreement (EULA)
 Disable Windows consumer features (MS store apps)
- Troubleshooting
○ Troubleshooting Autopilot Device Import
 Clicking Import after selecting CSV does nothing, '400' error appears in network trace
with error body "Cannot convert the literal '[DEVICEHASH]' to the expected type
□ This error points to the device hash being incorrectly formatted.
□ Test the hash with powershell:
 [System.Text.Encoding]::ascii.getstring( [System.Convert]::FromBase64Stri
□ How to correct the hash:
Does decoding the hash fail?
Yes: Are the last two characters "="?
Yes: Replace both "=" with a single "A" character, then try again
No: Add another "=" character at the end, then try again
No: That hash is valid
○ Troubleshooting Autopilot OOBE issues
 Use event viewer for Windows 10 version 1803 and above
□ For versions earlier to 1903: Application and Services Logs –> Microsoft –>
Windows –> Provisioning-Diagnostics-Provider –> AutoPilot
□ For version 1903 and above: Application and Services Logs –> Microsoft –>
Windows –> ModernDeployment-Diagnostics-Provider –> AutoPilot
 Check profile settings for version 1709 and above
□ Available in registry: HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics
 ETW tracing can be used to capture detailed information from Autopilot and related
○ Troubleshooting Azure AD Join issues
 Users must be allowed to join devices
 A user may reach maximum number of devices to join
 Device object should not be deleted. In case it is deleted, device hash has to be
deleted and re-imported
 Error code 801C0003 will typically be reported on an error page titled "Something
went wrong"
○ Troubleshooting Intune enrollment issues
 Error code 80180018 will typically be reported on an error page titled "Something
went wrong"
 If Autopilot Reset fails immediately with an error "Ran into trouble. Please sign in with
an administrator account to see why and reset manually,"
Modern Desktop Administrator Page 3
an administrator account to see why and reset manually,"
○ Profile download
 If device hash has not been registered or profile hasn't been created, a blank profile
will be applied
 To remove a blank profile
□ On version 1803 or earlier, enter oobe by running sysprep /generalize /oobe
□ On version 1809 and later, you can retrieve a new profile by rebooting the PC
 If you need to reboot a computer during OOBE:
□ Press Shift-F10 to open a command prompt.
Enter shutdown /r /t 0 to restart immediately, or shutdown /s /t 0 to shutdown
Modern Desktop Administrator Page 4