Autopilot

Introduction

Windows Autopilot is a cloud-based offering from Microsoft that automates the setup of new Windows 10/11 devices to prepare them for production use. The Windows 10/11 devices do not need to be reinstalled, Windows Autopilot uses the existing image on the devices. Relution supports automatic enrollment via Windows Autopilot and so Windows 10/11 devices can be quickly and easily inventoried in Relution via this path.

Requirements for using Windows Autopilot

Currently only possible using your own Relution server

Windows Autopilot can be used with Windows 10/11-Professional, -Enterprise or -Education from version 1709. An Azure instance with an Azure Active Directory (AAD) and Azure AD Premium P2 subscription is required. For setup in Azure, user must have the Global Administrator role. An internet connection must be available when the Windows 10/11 devices go live.

License Requirements →

How it works when starting up Windows 10/11 devices

When starting the Out Of The Box Experience (OOBE) of the Windows 10/11 devices, if there is an existing network connection, the system automatically detects that it should be configured via Windows Autopilot. The devices submit their ID to Microsoft and check if it has been registered in Autopilot for an Azure AD environment. Then, the user must log in to the Microsoft login page with their credentials. The sign-in will enroll them in Relution and create a user account for the Azure AD user on the devices.

Benefits of Windows Autopilot

The goal of Windows Autopilot is to avoid the cumbersome task of individually loading new Windows 10/11 devices with an internally created image. Instead, the devices should transform themselves into pre-configured devices as independently as possible. This minimizes the effort required for image creation and reduces the time required for physical registration and provisioning of the devices. Azure only needs to be set up once for this, and auto-enrollment works until the defined validity date of the secret client key expires (see below). s

Linking Azure AD and Relution

In the Relution portal, under Settings > Organization > Azure Active Directory, you will find instructions to help you set up and link Azure AD and Relution.

Relution portal Settings showing Azure Active Directory setup guide and linking instructions

Adding the MDM application

First, create a new MDM application in Azure and complete it with the details from the Relution guide.

Azure portal showing new On-Premises MDM application creation for Windows Autopilot enrollment

Add the domain of the corresponding Relution server in Azure AD under names of custom domains. This may take some time to complete. For more information, see the Microsoft documentation.

Microsoft Documentation →

Azure AD custom domain name configuration page for adding Relution server domain

Under Mobility (MDM and MAM), the desired MDM application is then added and activated:

Azure AD Mobility MDM and MAM section showing On-Premises MDM Application tile to add

  1. Select the tile On-Premises MDM Application at the bottom right.
  2. Assign a name.
  3. Click on Add.

Azure MDM application configuration showing MDM User Area and Terms of Use URL fields

Now the new MDM application is configured with the information of the Relution guide from step:

  1. Select All for MDM User Area (all user can perform Autopilot enrollment).
  2. Enter the URL to the MDM Terms of Use from Relution:
https://serverurl/api/v1/devices/windows/termsOfUse

Microsoft will request this URL before each enrollment, no web page will be accessed

  1. Enter the MDM discovery URL:
https://serverurl
  1. Click on Save.

Azure MDM application settings with All users scope and MDM discovery URL configured

Making the MDM application settings

After the new MDM application is created, the on-premises MDM application settings can be made in Azure. Here, it is mandatory that the following details are transferred from Azure to the Relution guide in step 2:

  1. Application ID (Client).
  2. Directory ID (client).
  3. Value of the `secret client key.

Azure On-Premises MDM application settings showing Application ID, Directory ID and secret client key

Now, in the on-premises MDM application settings in Azure, click Application ID URI to edit.

Azure MDM application overview page with Application ID URI edit link highlighted

Then, enter the corresponding server URL in the following view for Application ID URI.

Azure Application ID URI input field for entering Relution server URL

Next, add a Secret Client Key (Client Secret) under Certificates & Secrets:

  1. Click on New secret client key in tab Secret client keys.
  2. In the dialogue box, Add secret client key enter a description and the validity.
  3. Click Add.

When the validity period expires, there is no longer a connection and Relution cannot communicate with Azure. In this case, a new secret client key must be created for the application in Azure and re-transmitted to Relution.

Azure Certificates and Secrets tab showing new secret client key dialog with description and validity fields

After that, the listing under tab secret client keys will show the new entry.

The associated Value is only displayed once now and it is mandatory to copy and transfer it to Relution.

Configuring API permissions

In step 3 of the Relution instructions, the API permissions are now configured:

Relution portal step 3 showing Azure API permissions configuration required for Autopilot

New permissions may need to be added here later, if new features are added by Microsoft for Windows Autopilot in the future.

The following settings need to be made in Azure:

  1. Under API Permissions > Configured Permissions, click Add Permission.
  2. Select Microsoft Graph under Microsoft APIs in the Request API Permissions dialogue box.

Azure Request API Permissions dialog showing Microsoft Graph selected under Microsoft APIs

  1. In the next step, select the tile Application permissions.

Azure Microsoft Graph permissions type selection with Application permissions tile highlighted

  1. Select User.Read.All for User.

Azure API permissions User section with User.Read.All application permission selected

  1. Select Group.Read.All for `Group.

Azure API permissions Group section with Group.Read.All application permission selected

  1. Select Device.ReadWrite.All for Device and confirm the selection with Add Permissions !

Azure API permissions Device section with Device.ReadWrite.All application permission selected

For the newly added API permissions, an exclamation mark is initially displayed as status. Administrators have to agree here once, so that Microsoft Graph finally receives the permissions. Afterwards, the status is displayed with a green check mark for Granted and the permissions are granted.

Azure configured API permissions showing granted status with green checkmarks for all permissions

Defining the redirection URI

Step 4 of the Relution guide configures the redirection URI in Azure:

Relution portal step 4 showing redirect URI configuration instructions for Azure Authentication

  1. Under Authentication, click Add Platform.
  2. In the Configure Platform dialogue box, the tile Web should be selected.

Azure Configure Platform dialog with Web platform tile selected for redirect URI setup

  1. In the next step, under Web, one should enter the server URL at Add redirection URI.
  2. Uncheck the ID tokens checkbox.
  3. Click on Save.

Azure Web platform redirect URI field with Relution server URL entered and ID tokens unchecked

Review the Azure default settings and complete the setup

Under Devices > Device Settings, the following items must be configured:

  • All users are allowed to mount devices in Azure AD.
  • All users are allowed to register their devices to Azure AD.
  • Maximum number of devices per user should be respected.

Azure Device Settings showing all users allowed to join devices and register to Azure AD

This completes the setup in Azure.

Selecting the Relution service options and completing the setup

In the Relution instructions, in step 5, you can still optionally choose whether Azure AD users and Azure AD groups should be synchronized with Relution:

Relution Autopilot setup step 5 showing Azure AD user and group sync options before saving

Clicking Save completes the setup and linking of Azure AD in Relution.

Adding Windows 10/11 devices

These steps replace the steps previously required in the Microsoft Store for Business.

New devices can be procured and registered via a partner. In this way, the devices are automatically stored in the Intune portal and in Azure AD and do not have to be entered manually.

Already enrolled devices can be added manually to the Entra Portal. You will need a CSV-file for this, which can be created with a Powershell-Script. After that, the file needs to be uploaded to the Intune Portal. https://intune.microsoft.com

The file can be created with this Powershell-Script:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory -Path "C:\HWID"
Set-Location -Path "C:\HWID"
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv

Powershell needs to be executed as administrator.

In the Azure Portal you have to switch to Devices > Search for Enrollment and select it > Scroll down on the right window > select Devices. Hit the Import button and upload the file.

Preparation of the Out Of The Box Experience (OOBE) at Microsoft

A profile must now be created.

To do this, switch back to the function finder. Click on Devices on the left > Enter ‘Registration’ in the search > Scroll all the way down on the right > Click on ‘Deployment profiles’.

  1. Click Create profile.
  2. Select Windows PC.
  3. Enter a name.
  4. Click Next.
  5. Click Next.
  6. Select Add groups or Add all devices.
  7. Click Next.
  8. Click Create.

The devices are now connected to the profile.

Synchronize stored Windows 10/11 devices in Relution

Under Devices > Auto Enrollment, the Windows 10/11 devices are added to Relution via the Synchronize button. The devices must not be enrolled at this time.

Only when Windows 10/11 device appear in the overview, an automatic enrollment via Windows Autopilot can be performed.

Automatic enrollment of Windows 10/11 devices in Relution

After resetting the devices or during initial startup, the network connection is established in the OOBE. Once this is done, the devices communicate with Azure and download the Autopilot profile.

The log in screen for the Microsoft account then appears. After users enter their credentials, communication with Relution takes place. The Terms of Use endpoint is called first, and then enrollment in Relution takes place.

If the users are enrolled in Relution and there are auto-enrollments for the devices, the enrollments are performed. Then the Windows 10/11 devices appear in the device inventory of the corresponding Relution organization and can be further configured via Windows policy configurations and actions.

Please do not delete the account on the device with which the device was registered.