Configure Windows Auto Pilot | User Driven Mode

Captions
Hi guys, hope you're all doing well. Welcome back to our channel. In this video we are going to talk about the process that needs to be followed to configure Windows Autopilot, and the method that we are going to talk about will be user-driven mode. Now, if you're watching the series from the beginning, in the last video we discussed the theoretical part related to Windows Autopilot and how exactly it works, whereas the core agenda of this video will be knowing what the prerequisites required for Windows Autopilot are, how to configure Windows Autopilot settings from the endpoint manager portal, what the purpose behind creating different Windows Autopilot profiles is, and how to manually onboard machines to Windows Autopilot. As I've said before, the method that we are going to cover will be Windows Autopilot user-driven mode. In a nutshell, there are five different methods which are available, but this video is scoped for Windows Autopilot user-driven mode.

Now, this is something which I stated in our last video: step number one from the Windows Autopilot user experience perspective would always be getting the machine joined to Azure Active Directory. It doesn't matter which mode you choose, the machine will get registered to Azure Active Directory, so you have to make sure that the users for which you are scoping the Windows Autopilot experience are allowed to get the machine joined to Azure Active Directory. Now the question comes: what exactly needs to be done in that case? For that you should log on to portal.azure.com, then go to Azure Active Directory, click on Devices and then click on Device settings, and make sure the users for which you have scoped the Windows Autopilot experience have the permission to join devices to Azure Active Directory. This is the first prerequisite that you have to keep in mind.

The second one is that since the device is getting Azure AD joined, and if you have enabled automatic enrollment, the devices will get onboarded to Intune. So make sure that for all the device compliance policies or device configuration policies, or any feature that is moreover related to Intune for which you have created different policies, the respective user is in scope. What do I mean by this? Let's say I have a GPO created that should exist on a machine which is getting Windows Autopilot enrolled or Windows Autopilot onboarded. Then I have to make sure, before the user tries to sign in on that particular device, that the GPO policy is in scope for that particular user. These are certain prerequisites which you have to keep in mind, and they are extremely helpful because the moment the user lands on the base or the home screen of the machine, they will have all the policies in place.

Now there is one more thing which is very important from an endpoint protection perspective, and that is you should get Intune linked with MD ATP if by any chance you have both the services enabled in your tenant. The question comes: how to do that? For that you have to go to securitycenter.windows.com or your MD ATP portal, then go to Settings, then go to Advanced features, and make sure that this particular switch is turned on. This actually integrates Intune with MD ATP. This is just step number one which you have to do for Intune and MD ATP integration. Apart from this there are different configurations, and there are n number of settings that can be customized.

Now the next step is to get the devices onboarded for the Windows Autopilot experience. There are two ways of getting this process done. The first one will be done by your OEM providers. What do I mean by this? This is the article that I'm going to share in the description section, and I would recommend each one of you to go through this article because it has most of the details that you will find helpful. In a nutshell, your partner or your OEM provider can get the machine onboarded: the hardware ID or the hash value of some of the details which are required for a machine to be known by a specific instance of endpoint.microsoft.com is something that can be pushed by an OEM provider. So this article lists all those methods. As well, do check out this list, which says participant device resellers and participant device manufacturers. These are basically the OEM providers which are supported for this particular feature.

But let's say that this is the process that you can do for all the machines that you are going to procure in future. The question comes: what should you do for those machines which already exist in your enterprise? For that I'm going to show you a manual method wherein you can get a CSV file created, then you can upload that file to endpoint.microsoft.com, and then you can reset a specific PC so that next time that machine gets booted the user should get the Windows Autopilot experience.

So in a nutshell, let me create a use case or a scenario for this. Let's say I'm an IT admin and I got a machine shipped, and the respective details are still not onboarded to endpoint.microsoft.com, which is the endpoint manager portal. The question comes: what should I do to get that machine onboarded to Intune? This is my Windows 10 PC on which I'm going to run certain commands. Now, the list of commands that I have copied here is the same commands which are listed in this particular article. That's why I'm saying make sure you read this article, because it has most of the details in terms of what kind of information is captured and what the purpose behind capturing a specific set of information is.

So there is a specific script required, and as you can see this is that particular command. I'm going to copy this command and I'm going to run it here. It'll take a couple of seconds; once it is completed I'll resume the video. So now the installation of the script is completed, and as you can see I got three different prompts which I had to approve. Now, once this command is completed, which says Install-Script -Name Get-WindowsAutoPilotInfo, make sure that there is no restriction in terms of execution policy, because this is something which requires admin access, and that's the reason why you can follow this process as admin, and that's exactly what I have done.

Now, if you pay attention to the next two commands which are listed here, it's basically saying that you have to set a location and name that folder HWID, and then just run this particular script and get the output in the file named AutopilotHWID.csv. So I'll come back to my PowerShell and I will run this particular command, and as you can see all the details are now captured.

Now the next step is to get this file uploaded to endpoint.microsoft.com, which is the endpoint manager portal. But before I do that, let's just see whether there is any file created with the same name or not. As you can see, a new folder is created over here, and this is the file which I have to upload. So I'll copy this file and I'll now open my browser, where I'm going to upload this particular file. This is my browser where I have signed in with my global admin credential to endpoint.microsoft.com. Now I'm going to click on Devices, then I'm going to click on Windows, now I'm going to click on Windows enrollment, and then I'll click on Devices. As you can see, I'm getting this message here which says "Manage Windows Autopilot devices". Now I'll click on this and I'll get my CSV uploaded over here. As of now these are two different CSVs which I have uploaded for different machines, but all you have to do is import the CSV which you have captured by running those commands, so that the endpoint manager portal, or to make it more relatable, the endpoint manager instance of your tenant, is aware of that particular device.

Now, once this particular information is uploaded to the endpoint manager portal, all you have to do is go back to this particular machine, click on Start and then just type "reset". What you can do is just reset this PC. Make sure you select the option to erase everything and get everything removed from this particular device, so that the out-of-the-box experience profile also gets reset on this particular device. Now the question comes: once this particular machine is reset, everything is gone from this particular machine, in fact the out-of-the-box experience profile is also reset. Next time the machine gets restarted, in that particular scenario, the user will experience something like this. This is something which I have shown you in my previous video as well, but the fact is that to get from a factory-state device to this particular stage, wherein the user is now getting the custom branding of Concepts Work, there are a lot more settings which you have to do on the portal itself.

So let's come back to the portal once and see what all configuration has to be done and how we should create profiles. At this particular stage we have just onboarded the hardware details of a specific machine. Now the next step is to go ahead and create a profile. In order to create a profile you have to click on this option which says Deployment profiles and then click on Create profile. You can name it, let's say, Windows Autopilot, and then I'm going to click on Next. Now, as you can see, this particular console is actually giving you the option to customize everything which is moreover related to the out-of-the-box experience. The first option that I'm getting is deployment mode, which says user-driven or self-deploying. As I've said, the scope of this video is user-driven mode, so I'll keep the first option selected. The next option is "Join to Azure AD as": you can choose whether it is Azure AD joined or hybrid Azure AD joined. Now, there is a lot more configuration that has to be done for hybrid Azure AD joined, and this is something which will be covered in a different video altogether. For this particular video keep it as Azure AD joined.

Now the next thing is whether you want the users to accept Microsoft license terms or not. The next one is moreover related to the privacy settings. Then you have account options, and then this is the most important option that you should go ahead and configure, and that is what kind of privilege you want the users to have on that particular device. In my case I have mentioned that with whichever account a Windows Autopilot device is getting provisioned, make sure the user gets the standard permission; he or she should not get administrator privilege on that particular machine. Now this is a very specific feature which is moreover related to Windows Autopilot, and again there will be a different video for this. As of now this branding or the option name is being changed from white glove to pre-provisioning. It's there in the documentation; I'm not sure why it has not been updated here, but don't worry, there will be a separate video altogether for Windows Autopilot pre-provisioning. For the current method you can just keep it as No. Then you have language and region selection, and then you have the option which is automatically configure keyboard; you can set it to Yes. Then whether you want a device name template to be applied or not. Now, if I say Yes, I can actually choose a combination of randomly generated numbers or the serial key of the device itself, and if you read this text you'll come to know how exactly it is done. I'm not going to enable this for my instance, so I'll click on No and then I'll click on Next.

Now, as you can see, you are getting the option of defining the scope. If you want, you can get the machines onboarded first, get them added to a specific group, and then choose that particular group here. In my case, since this is a lab environment, I already have a profile created and that has been scoped to all the devices. So now, from this particular console, if you click on Next, that's all: you'll get a summary of the profile that you have created, and the moment you click on Create the respective profile will be created. For my tenant, or for this particular demo, I have already created a profile and the settings are almost the same as whichever we have discussed: it's user-driven, Azure AD joined, and here when it comes to the name I'm saying give it a name something like cowork and then the serial number of that particular device. This is the small change that I have done, and this is the same process that you can also do if you want the device name to be moreover related to the serial number itself.

So now, once these two steps are completed, the next one is the enrollment status page, which is the most important setting. But before I go ahead and show you what all options can be customized, I would just like to give you a brief overview of what the enrollment status page is. Once the user is logged in with the appropriate username and password, and in the meanwhile everything is getting configured, what kind of message should be shown to the user? That means customization in terms of the information that has to be displayed to a specific user is something that you will customize for the enrollment status page. So I'll close this, and I'll close this as well, and then I'll click on this option which is Enrollment Status Page. Now, apart from configuring automatic enrollment, deployment profiles and devices, even if you do not configure this option it will default to the profile which comes out of the box, the default profile itself which exists over here. But if you want you can customize this as well, so I thought of just showing you guys all the settings which exist here which can be customized.

As you can see, the purpose of the enrollment status page is already mentioned over here, which says the enrollment status page will appear during the initial device setup or during the first user sign-in. Now the question comes: what all can be customized? Let's say the provisioning or the onboarding gets started, but for some reason you have deployed multiple applications, or the kind of configuration that you have sent to the device during the first enrollment is going to take more than 60 minutes. In that kind of scenario, what should the user experience be? Whether there should be a custom message shown to the user or not, whether the users are allowed to collect logs about the installation errors or not, or whether you should block device use until all the profiles or apps are configured or installed as expected. You can also review all these options which are listed over here. This is something which will help you to customize the enrollment status page and the overall experience of the user itself while the device is getting enrolled or onboarded to Windows Autopilot.

So these are all the settings that you have to do from a configuration perspective. The next step is to go ahead and sign in to the respective device altogether. Now, as you can see, I am getting the custom branding which I have enabled for my particular tenant, and now all I have to do is sign in with one of my users. For my directory, all of my users are scoped to get the machine Azure AD registered or joined, as well as all the Intune policies being common for all the users. So at this particular stage, the moment I click on Next this machine will get Azure AD joined. It's asking for my password again, and once the device is Azure AD joined, the next step is that by default this device will get onboarded to Intune, because I have Intune automatic enrollment enabled as well. This is a time-consuming process that will take a couple of minutes, so I'll just pause this video and we'll resume once it is done. Okay, so it's completed now. As you can see, this particular page that I'm getting as of now is the enrollment status page, wherein all the configuration, all the deployments, all the restrictions are getting applied to this particular device, and once everything is completed I will be landed on the home screen of this particular machine.

So this was all about knowing how Windows Autopilot works. Let's talk about a quick recap of what all we have discussed. The first step is to make sure that all the device settings are in place: users are allowed to access or register or join Azure AD devices. The next step is to make sure that you have allowed automatic enrollment, and that is something which can be checked from here itself, whether the users are scoped for automatic enrollment or not, or whether the MDM part is enabled for users or not. As you can see, it's set to All for my particular directory. Then make sure that you have onboarded the device, that means capturing the hardware hash and getting it uploaded here. Now, this method is moreover referred to the devices, or you can use this method for those devices, which already exist in your environment. That means, in layman's terms, you can actually have a script created so that it can go ahead and capture this detail from all the devices, and then you can just manually upload that particular CSV to this particular section altogether. Then all you have to make sure is that you have a deployment profile created that should reach that particular device. From the configuration which is moreover related to configuration and compliance, you have to make sure the user which has been scoped for Windows Autopilot exists or is scoped in all the policies. Just to give you an example, let's say you created certain policies: all you have to make sure is that the user who is trying to sign in is in scope for this particular policy. In my case, as you can see, for all the policies that I have created, all of my users are in scope, so while the machine is getting onboarded to Intune, all the settings and all the policies are also getting applied. And lastly, this is something which I've shown before as well: make sure you have the integration done between MD ATP and Intune so that you can enable all the settings which are moreover related to endpoint protection. I will be sharing an article in the description section as well, with which you can refer to the process that needs to be followed to onboard a machine to MD ATP through Intune.

So this was all about knowing how exactly the user-driven method works in Windows Autopilot. Let's talk about a quick summary of what all we have discussed in this particular video. We have discussed the prerequisites, how to configure Windows Autopilot, how to create Windows Autopilot profiles, and how to onboard machines manually to endpoint.microsoft.com, which is the endpoint manager portal. Now, practically it's not possible to cover each and every method, but in our next video I'm going to talk about all the key aspects that you have to keep in mind and the other methods which we have to cover. Thank you so much, thanks for spending your time on this particular video. If you think that this channel is helping you to learn anything new, please feel free to share this video with your technical community. Thank you so much, thanks for your time, bye.
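The manual hardware-hash capture described in the captions, written out as an added example; it is not taken from the video or its channel. The install and capture commands are the standard Get-WindowsAutopilotInfo ones, while the `C:\HWID` drive root and the `Test-AutopilotCsv` helper are assumptions made here to check the file before it is imported into the portal.

```powershell
# Added example: capture this device's Autopilot hardware hash and check the CSV
# before importing it into the endpoint manager portal. Run in an elevated session.
$ErrorActionPreference = 'Stop'
$hwidDir = 'C:\HWID'                          # assumed drive root; folder name from the video
$csvPath = Join-Path $hwidDir 'AutopilotHWID.csv'

# PowerShell Gallery needs TLS 1.2, which older Windows 10 builds do not default to.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

New-Item -ItemType Directory -Path $hwidDir -Force | Out-Null
Set-Location -Path $hwidDir

# Process scope only: the machine-wide execution policy stays as it was.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# Install-Script asks for confirmation (for example NuGet provider, untrusted repository).
$env:Path += ';C:\Program Files\WindowsPowerShell\Scripts'
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile $csvPath

# Hypothetical helper: confirm the CSV has the columns the script writes
# and that every row carries a serial number and a decodable hardware hash.
function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)

    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No device rows in $Path" }

    $columns = $rows[0].PSObject.Properties.Name
    foreach ($name in $required) {
        if ($columns -notcontains $name) { throw "Missing column '$name' in $Path" }
    }

    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) { throw 'Row without a serial number' }
        try   { $hash = [Convert]::FromBase64String($row.'Hardware Hash') }
        catch { throw "Hardware hash for $serial is not valid Base64" }
        if ($hash.Length -eq 0) { throw "Hardware hash for $serial is empty" }
    }
    return $rows.Count
}

$count = Test-AutopilotCsv -Path $csvPath
Write-Host "$count device(s) ready for import from $csvPath"
```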
Info
Channel: Concepts Work
Views: 11,708
Keywords: Microsoft Endpoint manager, Windows Auto Pilot, Microsoft Intune, Microsoft Intune MDM, Windows
Id: Tix41ktI-wQ
Length: 21min 24sec (1284 seconds)
Published: Sun Oct 11 2020