How to accelerate your Intune deployment
In today’s hybrid world, employees and students need to collaborate, work from anywhere, and securely access and connect to important school or work resources. Consequently, IT admins are challenged with managing the multitude of different devices that can access these resources, as they need to protect the organisation’s data, manage end-user access, and support users from wherever they work.
Here at AspiraCloud, we recommend Microsoft Intune to address these challenges. Microsoft Intune is a cloud-based unified endpoint management platform that empowers IT to manage, assess, and protect apps and devices. But what if you have hundreds of devices?
In his latest blog, Matt Dunkin, COO here at AspiraCloud, introduces us to Windows Autopilot, another powerful solution that supports rapid Intune deployment. He also shares a useful Intune script that you can apply to set up new devices and get your team up to speed as efficiently as possible.
Read on:
When joining devices to Microsoft Intune, we have tried and tested various approaches. More recently, we needed to add 150 Windows devices to Intune. We have found that the easiest and most future-proof way is to add these devices to Windows Autopilot.
What is Windows Autopilot?
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use.
How to add your devices to Windows Autopilot
The fastest method to add your devices to Windows Autopilot is to boot from a Windows 11 USB stick, reinstall Windows, connect to the internet through a wired or wireless connection and then press Shift+F10 for a command prompt. From here, we run a batch file which calls PowerShell and runs the commands we need to Autopilot the devices.
The batch file simply contains:
- PowerShell.exe -ExecutionPolicy ByPass -Command ./AutoPilot.ps1
To automate as much as possible, we authenticate to Microsoft Intune using an Enterprise Application, so this must be created first. There are plenty of examples of this already out there. We work for different customers, so we set the tenant ID, app ID and secret as variables at the beginning of the script.
When we work with schools, we typically standardise them on four main profiles: Student Shared, Student 1to1, Staff Shared and Staff 1to1. We also use group tags to set the profile, with dynamic groups on those tags for assigning policies and apps.
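The dynamic groups mentioned above can be created once per tenant rather than by hand. The following is an added example, not code from the original post: it creates one dynamic security group per group tag using the Microsoft Graph PowerShell SDK, matching the `[OrderID]:<tag>` value that Autopilot writes into each device's physical IDs. The group display names and mail nicknames are assumptions, and the script assumes Connect-MgGraph has already succeeded with an identity allowed to create groups.

```powershell
# Added example (not from the original post): create one dynamic Entra ID group per Autopilot group tag.
# Assumes Microsoft.Graph.Groups is installed and Connect-MgGraph has already been run
# with an identity that is allowed to create groups (Group.ReadWrite.All for app-only access).
Import-Module Microsoft.Graph.Groups

# The four standard profiles; the tag names must match what is passed to Get-WindowsAutopilotInfo -GroupTag.
$groupTags = @("Pupil-1to1", "Staff-1to1", "Pupil-Shared", "Staff-Shared")

foreach ($tag in $groupTags) {
    # Display name convention is an assumption; adjust to your own naming standard.
    $displayName = "Autopilot - $tag"

    # Autopilot records the group tag in devicePhysicalIds as [OrderID]:<tag>; the rule matches it exactly.
    $rule = "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$tag`"))"

    # Skip tags that already have a group so the script is safe to re-run.
    $existing = Get-MgGroup -Filter "displayName eq '$displayName'"
    if ($existing) {
        Write-Host "Group '$displayName' already exists, skipping"
        continue
    }

    New-MgGroup -DisplayName $displayName `
        -MailEnabled:$false `
        -MailNickname ("autopilot-" + $tag.ToLower()) `
        -SecurityEnabled:$true `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $rule `
        -MembershipRuleProcessingState "On" | Out-Null

    Write-Host "Created dynamic group '$displayName' with rule $rule"
}
```

Because membership is evaluated from the group tag itself, a device re-registered with a different tag moves between profiles automatically, which is what makes the tag-based approach easier to maintain than assigning devices to static groups.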
However, one of our education customers wanted to be able to distinguish between different departments and rooms, so we extended the script to add devices to Entra ID groups. When running the script, it now prompts for the device type, followed by the room/department selection.
The group membership change requires its own connection to Entra ID but leverages the same Enterprise Application.
The full PowerShell script is:
# Tenant and Enterprise Application details; replace the placeholders with your own values.
$tenantID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$appid    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$secret   = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Prompt for the device type (the Autopilot group tag) and any room/department groups.
$groupTag = @("Pupil-1to1","Staff-1to1","Pupil-Shared","Staff-Shared") | Out-GridView -Title "Select a Device Type" -OutputMode Single
$groups = @("Device Group – Room 123","Device Group – Room 125","Dev","Device Group – English","Device Group – Maths","Device Group – SEN") | Out-GridView -Title "Select Groups" -OutputMode Multiple
# Build a client-secret credential for the app-only Graph connection.
$secretPass = ConvertTo-SecureString -String $secret -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $appid, $secretPass
# Install the Autopilot registration script and the Graph modules used for the device and group lookups.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo -Force
Install-Module Microsoft.Graph.Identity.DirectoryManagement -Force
Install-Module Microsoft.Graph.Groups -Force
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -TenantId $tenantID -ClientSecretCredential $cred
# Register the device with Autopilot, apply the group tag and wait for the profile assignment.
Set-Location "C:\Program Files\WindowsPowerShell\Scripts"
.\Get-WindowsAutopilotInfo.ps1 -Online -TenantId $tenantID -AppId $appid -AppSecret $secret -GroupTag $groupTag -Assign:$true
# Registration creates an Entra ID device whose display name is the serial number; add it to the selected groups.
if ($groups.Count -gt 0) {
    $serialNumber = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $device = Get-MgDevice -Filter "DisplayName eq '$($serialNumber)'"
    $groups | ForEach-Object {
        $group = Get-MgGroup -Filter "DisplayName eq '$($_)'"
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device.Id
    }
}
# Give the assignment time to settle before the device reboots into the Autopilot OOBE.
Start-Sleep -Seconds 300
Restart-Computer -Force
This PowerShell script can be run on a device at any point before resetting or reinstalling Windows, as well as during the install. It is possible to log in to Windows as an admin, run the script and simply reset Windows, then let Autopilot lead the device through the out-of-box experience (OOBE). This always takes longer than simply diving straight into a reinstall.
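The group-membership step in the script above assumes that the Entra ID device object already exists and that every selected group name resolves to exactly one group; if either lookup returns nothing, New-MgGroupMember is called with an empty ID and the device silently ends up in no group. The following is an added example, not the author's code, of a more defensive version of that step. It assumes Connect-MgGraph has already succeeded with the same client-secret credential, and the sample $groups values are constructed for illustration; the permission names checked are the Graph application permissions the lookups and writes need.

```powershell
# Added example (not from the original post): a defensive version of the group-membership step.
# Assumes Connect-MgGraph has already succeeded with the app's client-secret credential and that
# Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Groups are installed.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Groups

# Constructed sample selection; in the real script this comes from Out-GridView.
$groups = @("Device Group – Room 123", "Device Group – Maths")

# Fail early if the app has not been granted the permissions the rest of the step relies on.
$required = @("Device.Read.All", "GroupMember.ReadWrite.All")
$granted  = (Get-MgContext).Scopes
$missing  = $required | Where-Object { $granted -notcontains $_ }
if ($missing) { throw "App is missing Graph permissions: $($missing -join ', ')" }

# The Entra ID device object appears shortly after Autopilot registration, so poll for it
# with a bounded wait instead of assuming it exists straight away.
$serialNumber = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$device = $null
for ($attempt = 1; $attempt -le 12 -and -not $device; $attempt++) {
    $device = Get-MgDevice -Filter "displayName eq '$serialNumber'"
    if (-not $device) { Start-Sleep -Seconds 10 }
}
if (-not $device) { throw "No Entra ID device named '$serialNumber' found after waiting" }
if (@($device).Count -gt 1) { throw "Multiple devices named '$serialNumber'; refusing to guess" }

foreach ($name in $groups) {
    $group = Get-MgGroup -Filter "displayName eq '$name'"
    if (-not $group) { Write-Warning "Group '$name' not found, skipping"; continue }
    if (@($group).Count -gt 1) { Write-Warning "Group name '$name' is ambiguous, skipping"; continue }

    # Only add the member if it is not already present, then read the membership back to confirm the write.
    $already = Get-MgGroupMember -GroupId $group.Id -All | Where-Object { $_.Id -eq $device.Id }
    if (-not $already) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device.Id
    }
    $confirmed = Get-MgGroupMember -GroupId $group.Id -All | Where-Object { $_.Id -eq $device.Id }
    if ($confirmed) { Write-Host "'$serialNumber' is a member of '$name'" }
    else { Write-Warning "Membership of '$name' could not be confirmed for '$serialNumber'" }
}
```

The read-back check matters on a technician workflow like this one: the device is rebooted immediately afterwards, so a membership that failed to apply would otherwise only be noticed when the wrong policies and apps arrive during OOBE.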
Note of caution:
Reinstalling Windows on devices which were shipped with Windows Home will revert them to Windows Home if they were previously upgraded using a MAK key or otherwise. The workaround is to either do a reset instead or be prepared with a MAK key for your organisation. Sometimes the first indication is when the OOBE asks for the computer name instead of a login. Shift+F10 and running “SLUI 3” helps in this situation. Windows Home does not support Intune join.
It’s not uncommon for us to travel with Wi-Fi drivers for certain brands of laptops which don’t ship with the drivers built into Windows. It is possible to install these drivers from the USB stick using the same Shift+F10 method.
Autopiloting your device management
To summarise, we use this script to minimise human interaction with the devices during a Windows Autopilot join and Windows 11 upgrade. Next time, the devices can even be reset remotely.
To complete the devices and pre-install apps, we use a “build” account to log in to Windows and leave the device to configure itself.
We are endpoint device management experts. If you would like to discuss your endpoint management challenges or need support with planning or deploying Intune or Autopilot in your organisation, simply get in touch.