Steps for Deploying White Glove (Pre-Provisioned) User-Driven Autopilot
- Set up a Windows user-driven Autopilot deployment profile for White Glove (scenario: a company with three departments)
- Import the hardware hash (device ID) into Intune
- Create 3 dynamic device groups in Intune
- Servicedesk pre-provisions the White Glove Autopilot device
- Hand the device to the end user
Set Up Windows User-Driven Autopilot Deployment for White Glove
When carrying out a White Glove user-driven Autopilot deployment, make sure that Allow Pre-Provisioned Deployment is set to Yes in the deployment profile; without it the technician flow described later will not be offered at OOBE.
The setup should look like this:
- Within the Microsoft Endpoint Manager, click Devices>>>Windows>>>Windows Enrollment>>>Deployment Profiles>>>Create Profile, click the drop-down arrow and select Windows PC.
- Name (Whiteclove Hybrid Joined Autopilot Profile); Description (This device will be joined to AD and Azure AD.); Convert All Targeted Devices to Autopilot (Yes)>>>click Next.
- Deployment Mode (User-Driven); Join to Azure AD As (Hybrid Azure AD Joined); Skip AD Connectivity Check (Preview) (No); Microsoft Software License Terms (Hide); Privacy Settings (Hide); Hide Change Account Options (Hide); User Account Type (Standard); Allow Pre-Provisioned Deployment (Yes); Language (Region) (Operating System Default); Automatically Configure Keyboard (Yes); Apply Device Name Template (No); assign the profile to the desired dynamic group(s) and click Review + Create.
- Note: For an Azure AD joined setup, change Join to Azure AD As to Azure AD Joined; the Domain Join configuration profile mentioned below is then not needed.
Import Hardware Hash / Device ID into Intune
Device IDs (hardware hashes) for new devices can be imported into Intune by two parties: the OEM or hardware vendor, and the Intune administrator. For convenience, some companies let the OEM or vendor upload device IDs on their behalf once the vendor has registered with Microsoft and the organization has approved it.
Before running the PowerShell script to capture the hardware hash, make sure the device has not been connected to the Internet; otherwise it may store a blank device ID. If the captured Hardware Hash field turns out blank, open Command Prompt as administrator and return the device to the Out-Of-Box Experience (OOBE) with:
C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe
Note: According to Microsoft, Sysprep itself has no run limit. The related Windows activation rearm counter (shown by slmgr /dlv as "Remaining Windows rearm count") starts at 1001 on Windows 8 and later, so a Windows 10 or 11 device can be generalized many times.
1. Intune administrators can run these PowerShell commands as administrator to capture the hardware hash from a single device (the $env:Path line makes the freshly installed script callable in the current session):
PS C:\Windows\system32> New-Item -Type Directory -Path "C:\HWID"
PS C:\Windows\system32> Set-Location -Path "C:\HWID"
PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo
PS C:\HWID> Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv
Add -GroupTag HR (or IT, Finance) to write the department's Group Tag column into the CSV at capture time.
2. When the device is reset and sitting at the OOBE sign-in page, press Shift+F10 to open a Command Prompt and run the following to upload the hardware hash directly into Intune (the -Online switch installs the modules it needs and prompts for sign-in with an Intune administrator account; -GroupTag and -AssignedUser can be added to tag and assign the device in the same step):
C:\Windows\system32> PowerShell.exe -ExecutionPolicy Bypass
PS C:\Windows\system32> Install-Script -Name Get-WindowsAutopilotInfo -Force
PS C:\Windows\system32> Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
PS C:\Windows\system32> Get-WindowsAutopilotInfo -Online
3. To obtain device IDs for many devices at once through SCCM:
Make sure Community Hub is enabled and the Console Extension for WebView2 has been installed in SCCM. To verify or enable Community Hub, navigate to SCCM>>>Administration>>>Updates and Servicing>>>Features>>>right-click Community Hub and click Turn On. To install the WebView2 console extension, navigate to SCCM>>>Administration>>>Updates and Servicing>>>Console Extensions>>>right-click WebView2 Extension and click Install.
Once both are in place, navigate to SCCM>>>Assets and Compliance>>>Device Collections, identify the device collection you want to obtain the device IDs from, right-click it and select Start CMPivot.
In the CMPivot window, click the Query tab and then the Community Hub icon at the far right (next to the Favorites star). In the search box that appears, search for the Get Autopilot CSV Info script, select it and click Run Query to produce a CSV file of hardware hash values for the devices in that collection.
Once the CSV file with the hardware hash values has been obtained, upload it so that the devices are registered with the Windows Autopilot service (each registration also creates an Azure AD device object). Two methods are available: Intune or Microsoft Store for Business (MSfB).
a. Intune method: navigate to Microsoft Endpoint Manager>>>Devices>>>Windows>>>Windows Enrollment>>>Devices>>>click Import, select the CSV file with the hardware hash values and click Import. According to Microsoft, an import can take up to 15 minutes to process, and large bulk imports can take longer.
b. Microsoft Store for Business method: navigate to Microsoft Store for Business / Microsoft Store for Education>>>Manage>>>Devices>>>Add Devices, select the CSV file with the hardware hashes and click Import. Once the devices have been registered there, click Add and search for the desired dynamic or assigned (static) Windows Autopilot group to add the devices to. Microsoft recommends doing device uploads in the Intune portal.
Note: According to Microsoft, Microsoft Store for Business / Microsoft Store for Education will be retired in the first quarter of 2023, with Windows Package Manager taking over app distribution, so device registration should be done in Intune.
To create separate dynamic device groups for the three departments, three customizable properties are available: Group Tag (the Group Tag column in the CSV; stored on the Azure AD device object as the OrderID physical ID, which is why dynamic group rules reference [OrderID]), Purchase Order ID (normally populated by the OEM or reseller at registration) and Device Category. Device Category is not shown under Microsoft Endpoint Manager>>>Devices>>>Windows>>>Windows Enrollment>>>Devices; it only becomes visible once the device has enrolled. Group Tag and Purchase Order ID are columns in that Devices view, and Group Tag is the one that can be edited freely there, so it is the best property to base dynamic groups on. The CSV file should look like this (Windows Product ID may be left empty; the hash values are truncated here):
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag
1234-1234-1234-1234-1234-1234-12,,T0GqAwEAHAAAAAoAAQDuQgA….,HR
1234-4123-1234-1234-1234-1234-12,,T0GqAwEAHQgAAAAAAoAAQDu….,HR
1234-ABCD-1234-1234-1234-1234-12,,AAAAAAoAAQDuT0GqAwEAHQg….,IT
1234-4123-DFGH-1234-1234-1234-12,,wEAHQgAAAAT0GqAAAoAAQDu….,IT
1234-4123-1234-IJKL-1234-1234-12,,qAwEAHT0GQgAAAAAAoAAQDu….,Finance
1234-WXYZ-1234-1234-1234-1234-12,,T0GqAwEAAAAAAoAAHQgAQDu….,Finance
The format above will fail if imported into Intune, for reasons I am not sure of. Once the CSV content has been finalized, instead of typing comma-separated values by hand, create a new Excel sheet, place the headers and their values in cells, and save it as a CSV (Comma delimited) file; that version imports into Intune without error messages. When the devices have been imported, navigate to Microsoft Endpoint Manager>>>Devices>>>Windows>>>Windows Enrollment>>>Devices, select an imported device and assign it to the desired user; make sure to add the "Friendly name" for each assigned user, since it is presented during the Autopilot enrollment.
Note: Once a device is imported into Intune, it is registered and a device object is created in Azure AD. During the hybrid Azure AD join Autopilot process, a second device object is created, so two objects with the same device name but different Join Types (Azure AD Registered and Hybrid Azure AD Joined) exist; this is by design according to Microsoft. The Hybrid Azure AD Joined object is the one that Intune keeps updating; the Azure AD Registered object is no longer updated once the duplicate has been created.
Note: For hybrid Azure AD joined Autopilot, anything you type into the Device Name field for the device is not permanent; after the reboot the device uses the name prefix plus random characters defined in the Domain Join configuration profile.
Note: If you want to use Group Policies (GPOs) that apply to department-specific Organizational Units (OUs), create them as sub-OUs under the OU where Intune places devices once they have enrolled, for example OU=Intune,OU=Windows,OU=Laptops,OU=Computers,OU=SkoaNow,DC=Local. The Intune OU must be synced to Azure AD with Azure AD Connect. For the three departments in this scenario, create three computer OUs under it (required for hybrid environments only).
Note: In an enterprise environment, to keep things convenient, the OEM or hardware vendor can upload the devices into Intune without Group Tag information. Once the devices are in Intune, the Intune administrator navigates to Microsoft Endpoint Manager>>>Devices>>>Windows>>>Windows Enrollment>>>Devices and assigns each device to the desired user and the desired Group Tag (department) so that the device lands in the correct dynamic group.
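As an added check that is not part of the original article, the following PowerShell validates an Autopilot CSV before it is imported. It encodes the documented header (Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User; the last two columns optional) and flags things worth ruling out when an import is rejected: a header that does not match exactly (an Order ID column instead of Group Tag), a UTF-8 byte-order mark in front of the header, smart quotes or an ellipsis pasted from a document, blank or truncated hashes, duplicate serials, and tags that no dynamic group rule matches. The allowed tags, the temp-file paths and the sample rows are constructed for the example; the "hash" is placeholder bytes, not a real hardware hash.

```powershell
# Added example, not from the original article. Checks an Autopilot CSV before import.
# Assumptions: the allowed Group Tags are the three departments in this scenario;
# the files under $env:TEMP and their rows are constructed for the demo.

$ValidHeaders = @(
    'Device Serial Number,Windows Product ID,Hardware Hash',
    'Device Serial Number,Windows Product ID,Hardware Hash,Group Tag',
    'Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User'
)
$AllowedTags = 'HR', 'IT', 'Finance'   # must match the dynamic group rules exactly

function Test-AutopilotCsv {
    param([Parameter(Mandatory)] [string] $Path)

    $problems = [System.Collections.Generic.List[string]]::new()

    # Excel "CSV UTF-8" writes a byte-order mark; "CSV (Comma delimited)" does not.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems.Add('File starts with a UTF-8 BOM; re-save it without one.')
    }

    $lines = @([System.IO.File]::ReadAllLines($Path) | Where-Object { $_.Trim() })
    if ($lines.Count -lt 2) { $problems.Add('No data rows.'); return $problems }

    $header = $lines[0].Trim()
    if ($header -notin $ValidHeaders) {
        $problems.Add("Header '$header' is not the documented header (the column is 'Group Tag', not 'Order ID').")
    }
    $columns = $header.Split(',').Count
    $seen = @{}

    for ($i = 1; $i -lt $lines.Count; $i++) {
        $n = $i + 1
        $row = $lines[$i]
        if ($row -match '[^\x00-\x7F]') {
            $problems.Add("Line ${n}: non-ASCII characters (smart quotes or an ellipsis pasted from a document).")
            continue
        }
        $f = @($row.Split(',') | ForEach-Object { $_.Trim() })
        if ($f.Count -ne $columns) { $problems.Add("Line ${n}: $($f.Count) fields but the header has $columns."); continue }

        $serial = $f[0]; $hash = $f[2]
        if (-not $serial)                   { $problems.Add("Line ${n}: empty serial number.") }
        elseif ($seen.ContainsKey($serial)) { $problems.Add("Line ${n}: duplicate serial '$serial'.") }
        else                                { $seen[$serial] = $true }

        if (-not $hash) {
            $problems.Add("Line ${n}: empty hardware hash; re-capture after sysprep /generalize /oobe.")
        } else {
            try   { $null = [Convert]::FromBase64String($hash) }
            catch { $problems.Add("Line ${n}: hardware hash is not valid Base64 (edited or truncated?).") }
            # Heuristic only: genuine hashes are several thousand characters long.
            if ($hash.Length -lt 1000) { $problems.Add("Line ${n}: hash is only $($hash.Length) chars; looks truncated.") }
        }

        if ($columns -ge 4 -and $f[3] -and $f[3] -notin $AllowedTags) {
            $problems.Add("Line ${n}: Group Tag '$($f[3])' matches none of the dynamic group rules.")
        }
    }
    return $problems
}

# --- Demo with constructed files; the "hash" is placeholder bytes, not a real device ---
$fakeHash = [Convert]::ToBase64String([byte[]](1..1500 | ForEach-Object { $_ % 256 }))
$ell      = [char]0x2026
$bad      = Join-Path $env:TEMP 'autopilot-bad.csv'
$good     = Join-Path $env:TEMP 'autopilot-good.csv'

# Mirrors the first attempt above: old column name and a cut-off hash ending in an ellipsis.
@"
Device Serial Number,Windows Product ID,Hardware Hash,Order ID
1234-1234-1234-1234-1234-1234-12,,T0GqAwEAHAAAAAoAAQDuQgA$ell.,HR
"@ | Set-Content -Path $bad -Encoding UTF8

@"
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User
1234-1234-1234-1234-1234-1234-12,,$fakeHash,HR,john.doe@skoanowtechnologies.com
1234-ABCD-1234-1234-1234-1234-12,,$fakeHash,IT,
"@ | Set-Content -Path $good -Encoding Ascii

foreach ($file in $bad, $good) {
    $issues = @(Test-AutopilotCsv -Path $file)
    if ($issues.Count -eq 0) { Write-Host "$file : OK, safe to import" }
    else { Write-Host "$file :"; $issues | ForEach-Object { Write-Host "  - $_" } }
}
```

Run it against the real export before clicking Import; an empty result means the file at least matches the documented shape. Note that Excel's CSV UTF-8 option writes a byte-order mark while the plain CSV (Comma delimited) option does not, which is worth knowing when choosing how to save the sheet.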
Create 3 Dynamic Device Groups
Create one dynamic device group per department: HR, IT and Finance.
- Within the Microsoft Endpoint Manager, click Groups>>>New Group.
- Group Type (Security); Group Name (HR); Group Description (This group is for HR devices); Membership Type (Dynamic device).
- Under Dynamic device members, click Add dynamic query, open the rule syntax editor (Edit) and enter (device.devicePhysicalIds -any (_ -eq "[OrderID]:HR")), then Save and Create.
- Do the same for IT: (device.devicePhysicalIds -any (_ -eq "[OrderID]:IT")) and Finance: (device.devicePhysicalIds -any (_ -eq "[OrderID]:Finance")). The value after [OrderID]: must match the Group Tag exactly.
- Assign the Autopilot deployment profile and the Domain Join configuration profile to all three dynamic device groups, and assign the department-specific policies and configuration profiles to the matching group only.
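The same three groups can be created from PowerShell, which also makes it easy to stamp a Group Tag on devices the OEM uploaded without one (the enterprise note above). The script below is an added example, not code from the original article; it assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph), an administrator account, the beta deviceManagement/windowsAutopilotDeviceIdentities endpoint and its updateDeviceProperties action. The group names, department list, serial number and user are made up for the example.

```powershell
# Added example, not from the original article. Creates the department dynamic device
# groups with the same rule used in the portal, then tags an Autopilot device so the
# rule picks it up. Requires: Install-Module Microsoft.Graph; admin sign-in.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementServiceConfig.ReadWrite.All'

$Departments = 'HR', 'IT', 'Finance'

foreach ($dept in $Departments) {
    # The Group Tag is stored on the Azure AD device object as the OrderID physical ID,
    # so the rule matches "[OrderID]:<tag>" exactly, as in the portal.
    $rule = "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$dept`"))"
    $name = "Autopilot-$dept"                       # assumed naming convention

    if (Get-MgGroup -Filter "displayName eq '$name'") {
        Write-Host "$name already exists, skipping"
        continue
    }

    $group = New-MgGroup -DisplayName $name `
        -Description "Autopilot devices for the $dept department" `
        -MailEnabled:$false -MailNickname $name.ToLower() `
        -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
    Write-Host "Created $name ($($group.Id)) with rule $rule"
}

# Set the Group Tag (and optionally the assigned user plus the friendly name shown at
# OOBE) on a device that is already registered with Autopilot. Returns the device id.
function Set-AutopilotGroupTag {
    param(
        [Parameter(Mandatory)] [string] $SerialNumber,
        [Parameter(Mandatory)] [ValidateSet('HR', 'IT', 'Finance')] [string] $GroupTag,
        [string] $UserPrincipalName,
        [string] $FriendlyName
    )

    $base = 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities'
    $uri  = $base + '?$filter=' + "contains(serialNumber,'$SerialNumber')"
    $result = Invoke-MgGraphRequest -Method GET -Uri $uri
    $device = $result.value | Where-Object { $_.serialNumber -eq $SerialNumber }
    if (-not $device) { throw "No Autopilot device with serial '$SerialNumber' is registered." }

    $body = @{ groupTag = $GroupTag }
    if ($UserPrincipalName) {
        $body.userPrincipalName   = $UserPrincipalName
        $body.addressableUserName = $FriendlyName      # the "Friendly name" presented during OOBE
    }

    $null = Invoke-MgGraphRequest -Method POST -Uri "$base/$($device.id)/updateDeviceProperties" -Body $body
    return $device.id
}

# Sample call; serial number and user are made up for the example.
Set-AutopilotGroupTag -SerialNumber '1234-1234-1234-1234-1234-1234-12' -GroupTag 'HR' `
    -UserPrincipalName 'john.doe@skoanowtechnologies.com' -FriendlyName 'John Doe'
```

Dynamic membership is evaluated asynchronously, so allow a few minutes after tagging before checking the group with Get-MgGroupMember -GroupId <id>; the profile and Domain Join configuration assignments then follow the group membership exactly as with groups created in the portal.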
Servicedesk Pre-Provisions the White Glove Autopilot Device
- For hybrid Azure AD join Autopilot pre-provisioning to work, the Servicedesk technician must connect the device to the corporate LAN with an Ethernet cable.
- At the first OOBE screen, press the Windows key five (5) times to bring up the What would you like to do? screen; select Windows Autopilot Provisioning and click Continue.
- Clicking Continue opens the Windows Autopilot Configuration screen, which shows the organization domain name (skoanowtechnologies.com), the assigned Deployment Profile (Whiteclove Hybrid Joined Autopilot Profile) and the Assigned User (John.Doe@skoanowtechnologies.com). The screen also includes a QR code that can be scanned to retrieve device information for asset management. Click Provision to begin the pre-provisioning process.
- If pre-provisioning succeeds, the Windows Autopilot Configuration screen is shown with a green background and displays Organization, Deployment Profile, Assigned User and Elapsed Time. Only device-targeted apps, certificates and policies are applied at this stage; user-targeted items are applied after the user signs in. Click Reseal to complete the pre-provisioning and make the device ready for the user to log in and finish the process. Clicking Reseal shuts the computer down.
- If pre-provisioning fails, the Windows Autopilot Configuration screen is shown with a red background. Troubleshoot the issue, then repeat the pre-provisioning process until it succeeds.
Hand the Device to the End User
Once pre-provisioning has completed successfully, the device can be given to the user to log in and complete the enrollment.
- When the end user receives the pre-provisioned device, direct them to connect it to the company LAN with an Ethernet cable; for hybrid Azure AD joined Autopilot the device must be able to reach a domain controller so that the user's credentials can be authenticated against Active Directory.
- The user turns on the device, which displays the Is This the Right Keyboard Layout? screen; make sure US (or the desired layout) is selected and click Yes.
- On the Want to Add a Second Keyboard Layout? screen, click Skip to start configuring the selected preferences.
- When configuration completes, the end user is brought to the Welcome page, which reads something like "Hi John! Welcome to SkoaNow Technologies". In the Password field the user enters their Active Directory password; this creates the local profile and completes the setup, ending on the All Set! screen.
- Once logged in, the user should see in Apps & features (Programs and Features) that all applications assigned to the dynamic device groups have already been installed. Applications, configuration profiles and policies assigned to dynamic user groups start to apply in the background once the user is logged in.
- The user is all set to start using the computer!