Microsoft Autopilot powered with Workspace ONE UEM

 



Summary

When you think of Autopilot most think of Microsoft and their MDM, InTune. However, Workspace ONE is a great MDM platform and here is yet another reason why.

Autopilot can be used with Windows devices and in conjunction with OOBE or Out-of-the-Box-Experience. The main benefit from this is being able to drop-ship devices to end users directly and save time for admins. Additionally, you are able to join devices to Entra ID or AD On premise directly, Auto-enroll into an Workspace ONE or another MDM, create & assign devices to configurations groups based on a device's profile, and customize the OOBE content for your organization.


With changes to Workspace ONE and Entra ID recently, some menu items are in new locations. Below is a step by step guide on configuring Autopilot to work with Workspace ONE.


Please note that you will need to integrate directory services with UEM and/or Access in some manor to have users authenticate properly. We will not cover that in this guide as it is documented.

Pre-Requirements

  • Connection to the Internet
  • Workspace ONE UEM Admin Account
  • Microsoft Entra AD Premium P1 or P2 or Premium trial subscription for automatic MDM enrollment and custom company branding
    • Licensing requirements can be found in more detail here
  • Microsoft Entra AD Admin Account to configure integration with Workspace ONE UEM
  • Admin Access to the InTune admin center
  • Entra ID & Workspace ONE must be integrated

Branding

  1. Start by setting up your company branding. This part of the work is optional but will be a configuration item most organizations will want to customize.
  2. Navigate to https://entra.microsoft.com, under Identity -> User Experience you will find Company Branding.
  3. Edit your sign-in experience based on your criteria.

Device Registration

Next steps are registering those devices inside the Windows Autopilot portal that resides in the InTune admin center. You can work with re-sellers or OEMs to have purchased devices added into your Autopilot portal automatically. This process can be done manually as well and I will show you how below.

  1. Start by logging into the computer you want to add to Autopilot and then run powershell as an admin
  2. You can run the following commands to get the serial number & hardware hash:
  • Install-Script -Name Get-WindowsAutoPilotInfo
  • Note - Ensure you can run scripts on your machines. To do so look into setting the execution policy
  • Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\temp\Winautopilot.csv
3. The step above will provide an output file that can be uploaded into the Autopilot portal inside of Intune. Below is an example of where to upload that file.

4. The portal lets you know if the csv is formatted properly.



AutoPilot Profile

Now we have our devices appearing in the device list and will now be ready to go through the AutoPilot functions. Before we continue, lets ensure we have a profile created & edited to fit your needs. There is a default profile you can use or create your own, for this example I used the default profile.


1. Start with the basics and edit your profile name , description, and if you want to convert all the targeted devices to autopilot.
2. Edit the Out-of-box Experience (OOBE) to your current needs:
  • Deployment Mode - Deployment mode controls if a user needs to provide credentials in order to provision the device. User-Driven: Devices are associated with the user enrolling the device and user credentials are required to provision the device. Self-Deploying (preview): Devices are not associated with the user enrolling the device and user credentials are not required to provision the device
  • Join to Microsoft Entra ID - Microsoft Entra joined: Cloud-only without an on-premises Windows Server Active Directory
  • Microsoft Software License Terms - Specify whether to show the EULA to users
  • Privacy Settings - Specify whether to show privacy settings to users
  • Hide change account options - Options to change account and start over with a different account appear, respectively, during initial device setup on the company sign-in page, and on the domain error page. To hide these options, you must configure company branding in Microsoft Entra ID (requires Windows 10, 1809 or later, or Windows 11.)
  • User account type - Specify whether users are administrators or standard users on the device.  Note that this setting does not apply to Global Administrator or Company Administrator accounts. These accounts cannot be standard users because they have access to all administrative features in Microsoft Entra ID.
  • Allow pre-provisioned deployment - Enable pressing Windows key 5 times to run OOBE without user authentication to enroll device and provision all system-context apps and settings. User-context apps and settings will be delivered when the user signs in.
  • Language (Region) - Specify the language and region that will be used
  • Automatically configure keyboard - If true, skip the keyboard selection page if Language is set
  • Apple device name template - Create a naming template to add names to your devices during enrollment.
3. Lastly, be sure to assign groups and exclude groups. You can have multiple profiles to serve multiple needs in your environment.

Workspace ONE UEM & Entra ID Integration

This is where the use case determines how you integrate. There are several ways to have your users authenticate to Workspace ONE. For this example we will integrate with UEM.

  1. Logging into Workspace ONE, navigate to Groups & Settings > All Settings > System > Enterprise Integration
  2. Open Directory Services and scroll down to the Advanced Options
  3. Enable "Use Azure AD for Identity Services"
  4. Copy/ Save/ Open a new tab and travel to Entra ID as we will need to enter these into the Mobility App
  5. Open the Entra ID admin portal - Navigate to Identity > Settings > Mobility or you can search for Mobility (MDM and WIP) at the top
  7. Choose Add Application
  8. Select AirWatch by VMware then select Review and create

  9. After choosing the permission review you will be redirected and required to sign in with your admin account for Entra ID.
  10. Review and Accept.
  11. Next you will need to match the URLs from Workspace ONE UEM we located earlier.
  12. Please be sure to match up your URLs correctly, I have seen this misconfigured from time to time. Additionally, I have scoped my configuration to all users as I do not intend to use another 3rd Party MDM at this time.  

At this time it is ready to give this a go and show off the power of Autopilot. 


Below is a video of the Autopilot function with Workspace ONE. Please understand there are some menu items that can be altered or removed completely. For this demo you will see a first time set up for the end user. Here is what you are seeing:

  1. Selecting a Country
  2. Selecting a keyboard
  3. Adding a 2nd keyboard
  4. Checking for updates
  5. Acceptance of the license agreement
  6. Sign into your Entra ID account
  7. Privacy settings are next (location and ads)
  8. Windows will check for updates at this time
  9. Windows Hello will require set up at this time
    1. This can be blocked at the registry level in the OS
    2. Workspace ONE also has profiles to remove this feature after enrollment
  10. If you do not have Microsoft Authenticator configured for the account, this will be required at this time also
  11. Once finished you will be brought to the desktop with Workspace ONE installed and enrolled
    1. If you are using different authentication methods your experience may vary
  12. This is where you can show your onboarding experience to see apps installing.





Comments

Post a Comment