Windows Autopilot and Pre-Provisioned deployment

Windows Autopilot offers several deployment scenarios, including pre-provisioning. This addresses use cases such as:

  • Preparing a workstation via Windows Autopilot before shipping it to a low-bandwidth site, for example.
  • Providing the end user with a ready-to-use experience by relieving them of sometimes tedious provisioning tasks.

In the following, I will detail all the prerequisites as well as the steps to pre-provision a workstation with Microsoft Intune and Windows Autopilot.

Prerequisites

Device:

  • Microsoft Intune tenant with MDM authority "Set to Intune"
    • Windows Autopilot user-driven AAD or HAAD join devices
  • Windows 10 1903 and above (Enterprise, Pro and Education)
  • Physical devices with a TPM 2.0 that supports device attestation (check your hardware compatibility)
    • Virtual machines are not supported

Network:

  • Wired Ethernet connection
  • The TPM attestation validation process requires access to the URLs below:
    • *.microsoftaik.azure.net
    • Intel: https://ekop.intel.com/ekcertservice
    • Qualcomm: https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
    • AMD: https://ftpm.amd.com/pki/aia
(For more information, see the Microsoft Learn article "Windows Autopilot networking requirements".)
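The checks below are an added example, not part of the original post: a PowerShell readiness script that verifies the device and network prerequisites listed above (TPM 2.0 with an endorsement key certificate, Windows 10 1903 or later, a physical machine, a wired link, and TCP reachability of the vendor attestation hosts). The host names are taken from the URL list above; the wildcard *.microsoftaik.azure.net cannot be probed as a single host and is reported for manual checking. The virtual-machine detection is a simple model-string heuristic (an assumption, not an official test).

```powershell
# Added example: Autopilot pre-provisioning readiness check.
# Run in an elevated PowerShell session on the candidate device.

function Test-AutopilotTpm {
    # TPM attestation needs a TPM 2.0 and an endorsement key (EK) certificate.
    $tpm    = Get-Tpm
    $wmiTpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec version.
    $specVersion = (("$($wmiTpm.SpecVersion)" -split ',')[0]).Trim()
    $ek = Get-TpmEndorsementKeyInfo
    [pscustomobject]@{
        TpmPresent  = $tpm.TpmPresent
        TpmReady    = $tpm.TpmReady
        SpecVersion = $specVersion
        IsTpm20     = ($specVersion -eq '2.0')
        EkPresent   = $ek.IsPresent
        EkCertCount = @($ek.ManufacturerCertificates).Count
    }
}

function Test-AutopilotOs {
    # Windows 10 1903 is build 18362; pre-provisioning needs that build or newer.
    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    [pscustomobject]@{
        Caption        = $os.Caption
        Build          = [int]$os.BuildNumber
        BuildSupported = ([int]$os.BuildNumber -ge 18362)
        # Heuristic (assumption): hypervisors usually expose "Virtual" in the model string.
        LooksVirtual   = ($cs.Model -match 'Virtual')
    }
}

function Test-WiredConnection {
    # Pre-provisioning expects a wired link; '802.3' is the Ethernet media type.
    $wired = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.PhysicalMediaType -eq '802.3' }
    [pscustomobject]@{
        WiredAdapterUp = [bool]$wired
        Adapters       = (@($wired) | ForEach-Object Name) -join ', '
    }
}

function Test-AutopilotAttestationEndpoints {
    # Hosts from the URL list in the post. Only TCP/443 reachability is tested;
    # the HTTP behaviour of these endpoints is not documented here.
    $endpoints = @(
        @{ Vendor = 'Intel';    HostName = 'ekop.intel.com' }
        @{ Vendor = 'Qualcomm'; HostName = 'ekcert.spserv.microsoft.com' }
        @{ Vendor = 'AMD';      HostName = 'ftpm.amd.com' }
    )
    foreach ($e in $endpoints) {
        $r = Test-NetConnection -ComputerName $e.HostName -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Vendor = $e.Vendor; HostName = $e.HostName; Reachable = $r.TcpTestSucceeded }
    }
    # Wildcard entry: no single host to probe, so flag it for a manual/proxy-rule check.
    [pscustomobject]@{ Vendor = 'Microsoft AIK'; HostName = '*.microsoftaik.azure.net'; Reachable = 'manual check (wildcard)' }
}

function Get-AutopilotReadinessSummary {
    $tpm = Test-AutopilotTpm
    $os  = Test-AutopilotOs
    $net = Test-WiredConnection
    $eps = Test-AutopilotAttestationEndpoints
    $vendorHostsOk = -not ($eps | Where-Object { $_.Reachable -eq $false })
    [pscustomobject]@{
        Tpm20WithEkCert  = ($tpm.IsTpm20 -and $tpm.EkPresent -and $tpm.EkCertCount -gt 0)
        OsSupported      = ($os.BuildSupported -and -not $os.LooksVirtual)
        WiredLink        = $net.WiredAdapterUp
        VendorHostsOk    = $vendorHostsOk
        Ready            = ($tpm.IsTpm20 -and $tpm.EkPresent -and $os.BuildSupported -and
                            -not $os.LooksVirtual -and $net.WiredAdapterUp -and $vendorHostsOk)
    }
}

# Detail tables first, then the one-line verdict.
Test-AutopilotTpm | Format-List
Test-AutopilotOs | Format-List
Test-WiredConnection | Format-List
Test-AutopilotAttestationEndpoints | Format-Table -AutoSize
Get-AutopilotReadinessSummary | Format-List
```

Run it before the device leaves the build room: a missing EK certificate or a blocked vendor host is the kind of failure that otherwise only surfaces during the TPM attestation step of pre-provisioning, when the device is already at a remote site.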

It is also possible to use the computer's Wi-Fi (WLAN) connection for provisioning. To do this, you must:

  • Open a PowerShell prompt: Shift+F10
  • Enter this command line: Start ms-availablenetworks:
  • Select your WLAN network, enter your credentials and connect

Pre-provisioning configuration

  • Go to endpoint.microsoft.com
  • Select Devices / Enroll devices / Windows Enrollment / Deployment Profiles
  • Open an existing profile
  • Enable the pre-provisioned deployment option and click Review + Save

Technical flow

The next step is to prepare the user's computer before shipping it. Below are the details of the actions to be carried out:
  • Import the HWID file into Microsoft Intune
  • Apply the deployment profile that allows pre-provisioning to the device. As soon as the profile shows as Assigned, start the device

  • On the first page of OOBE, press the Windows key 5 times on the keyboard to display the menu used to launch pre-provisioning. Select Pre-Provision with Windows Autopilot and click Next

  • Check your pre-provisioning information and click Next

  • Your computer is provisioned by the Windows Autopilot service

  • After this action, your device is set up; click Reseal
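For the "Import HWID file" step, the following is an added example (not code from the original post) that harvests this device's hardware hash with the PowerShell Gallery script Get-WindowsAutopilotInfo and sanity-checks the resulting CSV before it is uploaded to Intune. It assumes the PowerShell Gallery is reachable from the device; the output path and the group tag value are placeholders to replace with your own.

```powershell
# Added example: harvest the Autopilot hardware hash and validate the CSV.
# Run in an elevated PowerShell session on the device being pre-provisioned.

$OutputFile = Join-Path $env:TEMP 'AutopilotHWID.csv'   # placeholder path
$GroupTag   = 'PREPROV-PLACEHOLDER'                      # placeholder group tag, not from the post

function Get-AutopilotInfoScriptPath {
    # Install the Gallery script on first use and return its full path, so the
    # call below works even if the current session's PATH was not refreshed.
    $installed = Get-InstalledScript -Name Get-WindowsAutopilotInfo -ErrorAction SilentlyContinue
    if (-not $installed) {
        Install-Script -Name Get-WindowsAutopilotInfo -Force -Scope CurrentUser
        $installed = Get-InstalledScript -Name Get-WindowsAutopilotInfo
    }
    Join-Path $installed.InstalledLocation 'Get-WindowsAutopilotInfo.ps1'
}

function Test-AutopilotHwidCsv {
    param([Parameter(Mandatory)][string]$Path)
    # Intune requires these three columns; Group Tag is optional.
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $problems = @()
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Rows = 0; Valid = $false; Problems = @("file not found") }
    }
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) {
        return [pscustomobject]@{ Path = $Path; Rows = 0; Valid = $false; Problems = @("CSV has no data rows") }
    }
    $headers = $rows[0].PSObject.Properties.Name
    $missing = $required | Where-Object { $_ -notin $headers }
    if ($missing) { $problems += "missing columns: $($missing -join ', ')" }
    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) { $problems += "row with empty serial number" }
        if ([string]::IsNullOrWhiteSpace($row.'Hardware Hash')) { $problems += "empty hardware hash for serial '$serial'" }
    }
    [pscustomobject]@{
        Path     = $Path
        Rows     = $rows.Count
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# 1. Export the hardware hash of this device (with a group tag) to the CSV file.
$scriptPath = Get-AutopilotInfoScriptPath
& $scriptPath -OutputFile $OutputFile -GroupTag $GroupTag

# 2. Validate the file before uploading it under Devices / Enroll devices / Windows Autopilot devices.
$result = Test-AutopilotHwidCsv -Path $OutputFile
$result | Format-List
if (-not $result.Valid) { Write-Warning "Fix the problems above before importing $OutputFile into Intune." }
```

Validating the CSV locally avoids a silent import failure in the portal: a row without a hardware hash is rejected by Intune, and the device would then never receive the pre-provisioning profile.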

User flow

Once the pre-provisioning steps have been completed by the IT department, the user receives the computer and only has to perform the following steps:
  • Start the computer
  • Connect the computer to the Internet
  • Enter your Azure AD username and password

  • Windows Autopilot starts step 3 of the ESP (Enrollment Status Page). This step applies the configuration, application and security elements related to the user.
    • Steps 1 and 2 appear in green because they have already been completed during pre-provisioning

Once the account preparation step is complete, the user can use their computer.

