Autopilot

Introduction

Windows Autopilot is a cloud-based offering from Microsoft that automates the setup of new Windows 10/11 devices to prepare them for production use. The devices do not need to be reinstalled, because Windows Autopilot uses the image already on them. Relution supports automatic enrollment via Windows Autopilot, so Windows 10/11 devices can be quickly and easily inventoried in Relution by this path.

Requirements for using Windows Autopilot

Windows Autopilot can be used with Windows 10/11 Professional, Enterprise or Education from version 1709 onwards. An Azure instance with an Azure Active Directory (AAD) and an Azure AD Premium P2 subscription is required. For the setup in Azure, the user must have the Global Administrator role. An internet connection must be available when the Windows 10/11 devices are started for the first time.

License Requirements →

How it works when starting up Windows 10/11 devices

When the Out Of The Box Experience (OOBE) of a Windows 10/11 device starts and a network connection exists, the system automatically detects that it should be configured via Windows Autopilot. The device submits its ID to Microsoft and checks whether it has been registered in Autopilot for an Azure AD environment. The user must then sign in on the Microsoft login page with their credentials. The sign-in enrolls the device in Relution and creates a user account for the Azure AD user on the device.

Benefits of Windows Autopilot

The goal of Windows Autopilot is to avoid the cumbersome task of individually loading new Windows 10/11 devices with an internally created image. Instead, the devices should transform themselves into pre-configured devices as independently as possible. This minimizes the effort required for image creation and reduces the time required for physical registration and provisioning of the devices. Azure only needs to be set up once for this, and auto-enrollment works until the validity date defined for the secret client key expires (see below).

Linking Azure AD and Relution

In the Relution portal, under Settings > Organization > Azure Active Directory, you will find instructions to help you set up and link Azure AD and Relution.

AutoPilot01

Adding the MDM application

First, create a new MDM application in Azure and complete it with the details from the Relution guide.

AutoPilot02

Add the domain of the corresponding Relution server in Azure AD under Custom domain names. Verification may take some time to complete. For more information, see the Microsoft documentation.

Microsoft Documentation →

AutoPilot03

Under Mobility (MDM and MAM), the desired MDM application is then added and activated:

AutoPilot04

  1. Select the tile On-Premises MDM Application at the bottom right.
  2. Assign a name.
  3. Click on Add.

AutoPilot05

Now the new MDM application is configured with the information from the Relution guide from step:

  1. Select All for MDM user scope (all users can perform Autopilot enrollment).
  2. Enter the URL of the MDM Terms of Use from Relution:
     https://serverurl/api/v1/devices/windows/termsOfUse
  3. In MDM discovery URL, enter the server URL from Relution.
  4. Click on Save.

AutoPilot06

Making the MDM application settings

After the new MDM application is created, the on-premises MDM application settings can be made in Azure. Here, the following details must be copied from Azure into step 2 of the Relution guide:

  1. Application (client) ID.
  2. Directory (tenant) ID.
  3. Value of the secret client key.

AutoPilot07

Now, in the on-premises MDM application settings in Azure, click Application ID URI to edit.

AutoPilot08

Then, enter the corresponding server URL in the following view for Application ID URI.

AutoPilot09

Next, add a Secret Client Key (Client Secret) under Certificates & Secrets:

  1. Click on New client secret in the Client secrets tab.
  2. In the Add a client secret dialogue box, enter a description and the validity period.
  3. Click Add.

AutoPilot10

After that, the list in the Client secrets tab shows the new entry.
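Because auto-enrollment stops working once the client secret expires, it is worth checking the expiry dates of the secrets on this app registration regularly. The following is an added example, not code from Relution or Microsoft: it works on the `passwordCredentials` array that Microsoft Graph returns for an application object (`GET /v1.0/applications/{id}`), and the sample object below is constructed to have that shape, with placeholder key IDs and dates.

```python
"""Flag client secrets on an app registration that are expired or about to expire.

Added example. Input has the shape of a Microsoft Graph application object;
only `passwordCredentials[].endDateTime`, `keyId` and `displayName` are used.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample resembling a Graph application object; not real data.
SAMPLE_APP = {
    "displayName": "Relution MDM (example)",
    "passwordCredentials": [
        {"displayName": "relution-2023",
         "keyId": "00000000-0000-0000-0000-000000000001",
         "endDateTime": "2024-01-15T00:00:00Z"},
        {"displayName": "relution-2024",
         "keyId": "00000000-0000-0000-0000-000000000002",
         "endDateTime": "2025-03-01T00:00:00.1234567Z"},
    ],
}


def parse_graph_time(value: str) -> datetime:
    """Parse Graph's UTC timestamps, which may carry seven fractional digits."""
    value = value.rstrip("Z")
    if "." in value:
        main, frac = value.split(".", 1)
        value = f"{main}.{frac[:6].ljust(6, '0')}"  # fromisoformat accepts up to 6
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def secret_status(app: dict, now: datetime, warn_days: int = 30) -> list:
    """Return one status record per secret: expired, expiring (within warn_days) or ok."""
    results = []
    for cred in app.get("passwordCredentials", []):
        remaining = parse_graph_time(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            state = "expired"
        elif remaining <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        results.append({
            "keyId": cred["keyId"],
            "displayName": cred.get("displayName"),
            "state": state,
            "days_left": remaining.days,
        })
    return results


def enrollment_at_risk(app: dict, now: datetime, warn_days: int = 30) -> bool:
    """True when no secret on the registration is valid beyond the warning window."""
    return not any(r["state"] == "ok" for r in secret_status(app, now, warn_days))


if __name__ == "__main__":
    today = datetime.now(timezone.utc)
    for rec in secret_status(SAMPLE_APP, today):
        print(f"{rec['displayName']:<16} {rec['state']:<9} {rec['days_left']:>5} days")
    print("auto-enrollment at risk:", enrollment_at_risk(SAMPLE_APP, today))
```

Azure displays the secret value only once, at creation, so the check can only tell you when to rotate; rotating means creating a new secret in Azure and entering the new value in the Relution guide before the old one expires.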

Configuring API permissions

In step 3 of the Relution instructions, the API permissions are now configured:

AutoPilot11

The following settings need to be made in Azure:

  1. Under API Permissions > Configured Permissions, click Add Permission.
  2. Select Microsoft Graph under Microsoft APIs in the Request API Permissions dialogue box.

AutoPilot12

  3. In the next step, select the tile Application permissions.

AutoPilot13

  4. Select User.Read.All under User.

AutoPilot14

  5. Select Group.ReadWrite.All under Group.

AutoPilot15

  6. Select Device.ReadWrite.All under Device and confirm the selection with Add permissions.

AutoPilot16

For the newly added API permissions, an exclamation mark is initially displayed as the status. An administrator has to grant consent here once so that the application actually receives the Microsoft Graph permissions. Afterwards, the status shows a green check mark for Granted and the permissions are in effect.

AutoPilot17

Defining the redirection URI

Step 4 of the Relution guide configures the redirection URI in Azure:

AutoPilot18

  1. Under Authentication, click Add a platform.
  2. In the Configure platforms dialogue box, select the tile Web.

AutoPilot19

  3. In the next step, under Web, enter the server URL as the redirect URI.
  4. Uncheck the ID tokens checkbox.
  5. Click on Save.

AutoPilot20

Review the Azure default settings and complete the setup

Under Devices > Device Settings, the following items must be configured:

  • All users are allowed to join devices to Azure AD.
  • All users are allowed to register their devices with Azure AD.
  • Note the maximum number of devices per user; enrollment fails once a user has reached it.

AutoPilot21

This completes the setup in Azure.

Selecting the Relution service options and completing the setup

In the Relution instructions, in step 5, you can still optionally choose whether Azure AD users and Azure AD groups should be synchronized with Relution:

AutoPilot22

Clicking Save completes the setup and linking of Azure AD in Relution.

Adding Windows 10/11 devices to Microsoft Store for Business and Azure AD

An account is required to use the Microsoft Store for Business.

New devices can be procured and registered through a partner. Via this route, the devices are automatically deposited in the Microsoft Store for Business and in Azure AD and do not have to be manually entered themselves.

Devices that have already been put into operation can also be added manually. This requires a CSV file that is created on the devices via a PowerShell script. The CSV file is then uploaded via Add Devices, and the added devices have to be reset.
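A malformed CSV is the usual reason a manual upload fails, so it pays to validate the file before uploading it. The following is an added example and not a Relution or Microsoft tool: it assumes the column layout written by Microsoft's Get-WindowsAutoPilotInfo script (Device Serial Number, Windows Product ID, Hardware Hash) and treats only the serial number and the hardware hash as mandatory, which is an assumption of this check. The sample rows are constructed; the hash values are short placeholders, not real hardware hashes.

```python
"""Sanity-check an Autopilot device CSV before uploading it.

Added example. Checks the header, that every row has a unique serial number,
and that every hardware hash is well-formed base64. The sample is constructed.
"""
import base64
import binascii
import csv
import io

REQUIRED_COLUMNS = ["Device Serial Number", "Windows Product ID", "Hardware Hash"]

# Constructed sample: row 3 has no product ID, row 4 repeats a serial number,
# row 5 carries a hash that is not base64. Hashes are placeholders only.
SAMPLE_CSV = """Device Serial Number,Windows Product ID,Hardware Hash
SN-0001,00000-00000-00000-AAAAA,QUJDREVGR0hJSktMTU5PUA==
SN-0002,,U2FtcGxlSGFyZHdhcmVIYXNoVmFsdWU=
SN-0001,00000-00000-00000-CCCCC,bm90LWJhc2U2NA==
SN-0003,00000-00000-00000-DDDDD,this is not base64!!
"""


def validate_autopilot_csv(text: str) -> dict:
    """Return {"ok", "rows", "errors", "warnings"}; errors/warnings are (line, message)."""
    reader = csv.reader(io.StringIO(text))
    errors, warnings = [], []
    try:
        header = [h.strip() for h in next(reader)]
    except StopIteration:
        return {"ok": False, "rows": 0, "errors": [(1, "empty file")], "warnings": []}
    # Extra columns (e.g. a group tag) may follow, but the first three are fixed.
    if header[:3] != REQUIRED_COLUMNS:
        errors.append((1, f"unexpected header {header!r}, expected {REQUIRED_COLUMNS}"))
        return {"ok": False, "rows": 0, "errors": errors, "warnings": warnings}

    seen_serials = set()
    rows = 0
    for line_no, row in enumerate(reader, start=2):
        if not row or all(not cell.strip() for cell in row):
            continue  # tolerate trailing blank lines
        rows += 1
        if len(row) < 3:
            errors.append((line_no, "fewer than three columns"))
            continue
        serial, product_id, hw_hash = (cell.strip() for cell in row[:3])
        if not serial:
            errors.append((line_no, "missing serial number"))
        elif serial in seen_serials:
            errors.append((line_no, f"duplicate serial number {serial}"))
        seen_serials.add(serial)
        if not product_id:
            warnings.append((line_no, "missing Windows Product ID"))
        if not hw_hash:
            errors.append((line_no, "missing hardware hash"))
        else:
            try:
                base64.b64decode(hw_hash, validate=True)
            except binascii.Error:
                errors.append((line_no, "hardware hash is not valid base64"))
    return {"ok": not errors, "rows": rows, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = validate_autopilot_csv(SAMPLE_CSV)
    print(f"{result['rows']} device rows, ok={result['ok']}")
    for line_no, msg in result["errors"]:
        print(f"  line {line_no}: ERROR {msg}")
    for line_no, msg in result["warnings"]:
        print(f"  line {line_no}: warning {msg}")
```

The hardware hash identifies the device to Autopilot, so the CSV should be handled like other device identity data and discarded once the devices have been imported.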

The devices will then appear in the device list and must be associated with a configured profile.

Preparation of the Out Of The Box Experience (OOBE) at Microsoft

In the Microsoft Store for Business, profiles can now be applied to added devices.

  1. Under Settings and tab Distribute, click Add Management Tool and select the MDM application by name.
  2. Click Enable (if not already enabled).

AutoPilot23

Then select Create new profile under Devices > Autopilot deployment.

AutoPilot24

Now specify the following for the new Autopilot deployment profile:

  1. Assign a name.
  2. Skip privacy settings is optional.
  3. Disable creation of local administrator account on the device is optional (if the checkbox is selected, a standard user account will be created, otherwise an administrator account).
  4. Skip Microsoft software license terms is optional.
  5. Confirm the entries with Create.

AutoPilot25

The created profiles can now be applied to devices.

AutoPilot26

Synchronize stored Windows 10/11 devices in Relution

Under Devices > Auto Enrollment, the Windows 10/11 devices are added to Relution via the Synchronize button. The devices must not yet be enrolled at this point.

AutoPilot27

Automatic enrollment of Windows 10/11 devices in Relution

After resetting the devices or during initial startup, the network connection is established in the OOBE. Once this is done, the devices communicate with Azure and download the Autopilot profile.

The login screen for the Microsoft account then appears. After the user enters their credentials, communication with Relution takes place: the Terms of Use endpoint is called first, and then enrollment in Relution follows.

If the users are enrolled in Relution and there are auto-enrollments for the devices, the enrollments are performed. Then the Windows 10/11 devices appear in the device inventory of the corresponding Relution organization and can be further configured via Windows policy configurations and actions.