
Planning an Intune Autopilot Deployment


8 min read
Published on Feb 7, 2023

Imaging, deploying, and delivering devices to new employees is an age-old chore for IT departments, made more complex by today’s distributed workforces. When planning an Intune Autopilot deployment, there are several factors to consider. Microsoft Autopilot’s zero-touch, automated hardware deployment system is designed to work seamlessly alongside Microsoft Intune. Together, they should let the IT team simplify device deployment and support a detailed management strategy for all of the organization’s hardware.

A successful Intune Autopilot deployment essentially involves connecting these two products. When Autopilot is used with new hardware purchases, devices can be registered in Intune directly. With Autopilot, end users should be able to unbox a new device, sign in with their Microsoft account, and have a fully set-up device. Autopilot therefore streamlines the enrollment of devices in Intune: you can get a new device to end users with no OS image or application packages to build or maintain, without giving up management of every stage of a Windows device’s lifecycle.

If you are to take full advantage of this collection of technologies to set up and pre-configure new devices for immediate productive use, you are going to need a solid plan. In this article, we dive into the different considerations as you plan an Intune Autopilot deployment. At the end, we highlight some of the challenges you are likely to encounter on the way to a successful deployment.


Licensing Requirements for Intune Autopilot Deployment

Right out of the gate, it is important to point out that Autopilot comes as part of Azure AD Premium P1, so it does not need to be licensed separately. Still, since the plan is to use Intune, you will also need an Intune user license. There is usually some confusion about choosing the right Microsoft licensing, so here are a few options to consider.

Microsoft 365 Business Premium

If you are managing devices at a business with fewer than 300 desktop or laptop users, Microsoft 365 Business Premium is the right license for an Intune Autopilot deployment. While limited in scalability, this license is feature-rich and includes Azure AD Premium P1, Intune, and Microsoft Defender for Business, among others.

Microsoft 365 Enterprise E3

If the organization has more than 300 users, Microsoft 365 Enterprise E3 is the best license. While you might be required to couple it with Microsoft 365 E5, the standard offering comes with everything you need for a successful Intune Autopilot deployment.

Azure AD Premium P1 and Microsoft Intune

Finally, if you are working with a tight budget, it is still possible to leverage Microsoft Intune Autopilot by getting just the Azure Active Directory Premium P1 and Microsoft Intune licenses. These give you just enough device management and security to support both auto-enrollment and MDM.

Networking Requirements

Windows Autopilot relies on many internet-based services, and access to them is essential for Autopilot to function. When planning an Intune Autopilot deployment, you therefore need to plan for the following conditions.

For starters, ensure DNS name resolution for internet DNS names. Further, allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP).

If internet access is more restrictive, or authentication is required before internet access is granted, additional configuration will be needed.

Once a network connection is established, the device should be able to contact the Windows Autopilot Deployment Service.
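A pre-flight check for the three network conditions above (internet DNS resolution, TCP 80/443, and UDP 123 for NTP), run from an existing Windows machine on the network the new devices will use. This is an added example, not code from the original article; the host list is an assumption (the two dds.microsoft.com names are the Windows Autopilot Deployment Service endpoints from Microsoft's published list), so extend it from your own firewall and proxy documentation.

```powershell
# Added example, not from the original article: pre-flight check of the
# networking prerequisites (internet DNS, TCP 80/443, UDP 123) from a Windows box.
# Assumption: the host list below is mine; ztd.dds.microsoft.com and
# cs.dds.microsoft.com are the Autopilot Deployment Service names from
# Microsoft's endpoint list. Extend it from your firewall/proxy documentation.

$hosts = @(
    'ztd.dds.microsoft.com',      # Autopilot Deployment Service
    'cs.dds.microsoft.com',       # Autopilot Deployment Service
    'login.microsoftonline.com'   # Azure AD sign-in during OOBE
)

function Test-NtpUdp {
    # Test-NetConnection only covers TCP, so send a minimal SNTP client request
    # (LI=0, VN=3, Mode=3 => first byte 0x1B) and wait for a 48-byte reply.
    param([string]$Server = 'time.windows.com', [int]$TimeoutMs = 3000)
    $packet = New-Object byte[] 48
    $packet[0] = 0x1B
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Server, 123)
        $null = $udp.Send($packet, $packet.Length)
        $remote = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
        return ($reply.Length -ge 48)
    } catch { return $false } finally { $udp.Close() }
}

$results = foreach ($h in $hosts) {
    # 1. Internet DNS name resolution
    $dnsOk = $false
    try { $null = Resolve-DnsName -Name $h -ErrorAction Stop; $dnsOk = $true } catch {}
    # 2. TCP reachability on 80 (HTTP) and 443 (HTTPS)
    $tcp = @{}
    foreach ($port in 80, 443) {
        $tcp[$port] = (Test-NetConnection -ComputerName $h -Port $port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]@{ Host = $h; DnsResolves = $dnsOk; Tcp80 = $tcp[80]; Tcp443 = $tcp[443] }
}
# 3. UDP/123 time sync: a wrong clock breaks TLS and Azure AD token validation
$ntpOk = Test-NtpUdp

$results | Format-Table -AutoSize
"NTP (UDP/123) to time.windows.com: $ntpOk"
if (-not $ntpOk -or ($results | Where-Object { -not ($_.DnsResolves -and $_.Tcp443) })) {
    Write-Warning 'One or more Autopilot network prerequisites failed on this network.'
}
```

Run it behind the same proxy or firewall rules the OOBE devices will see; a sign-in that needs prior authentication shows up here as a failed TCP 443 test before any device is shipped.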

Having discussed the prerequisites, it’s now time to walk through the basic Autopilot deployment process to inform your Intune Autopilot deployment planning.

Specifically, there are four main steps to successful Intune Autopilot deployment. These include:

  • Registering the Devices
  • Assigning a Deployment Profile
  • Assigning Settings and Applications
  • Deploying to Devices

Registering Devices to Windows Autopilot


Registering your devices involves collecting unique hardware information from each device. This hardware hash is then uploaded to the Microsoft Endpoint Manager admin center, in this case the Intune portal.

For new hardware purchases, the vendor can upload this hardware information on behalf of the organization through the Microsoft Partner Portal. Alternatively, the vendor can provide the organization with a CSV file listing the devices and their required hardware information, which the organization then uploads to its Intune portal.

For existing devices, you will need tools such as Configuration Manager or a live agent on the device to collect this data in CSV format and upload it to your Intune portal.
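For the existing-device case, the script below reads the hardware hash from a Windows 10/11 machine and appends it to a CSV in the layout the Intune portal imports (Device Serial Number, Windows Product ID, Hardware Hash). It is an added example rather than code from the article; the output path is an assumption, the Windows Product ID column is assumed optional and left blank, and Microsoft's own Get-WindowsAutopilotInfo script from the PowerShell Gallery does the same job.

```powershell
# Added example, not from the original article: collect the Autopilot hardware
# hash from an existing Windows 10/11 device into the CSV layout the Intune
# portal imports. Run in an elevated PowerShell session.
# Assumptions: the output path is mine; the Windows Product ID column is
# treated as optional and left blank.
param([string]$OutputFile = "$env:TEMP\AutopilotHWID.csv")

function Get-AutopilotHashRow {
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    # The hash is exposed by the MDM bridge WMI provider as DeviceHardwareData.
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
        -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail) {
        throw 'Hardware hash unavailable: run elevated on a Windows 10/11 device.'
    }
    $hash = $devDetail.DeviceHardwareData
    # Sanity check before it reaches the portal: the hash is a base64 blob of a few KB.
    $bytes = [Convert]::FromBase64String($hash)
    if ($bytes.Length -lt 1024) {
        throw "Hash too short ($($bytes.Length) bytes); device data may be incomplete."
    }
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $hash
    }
}

$row = Get-AutopilotHashRow
# -Append lets several machines feed one import file; the header is written once.
$row | Export-Csv -Path $OutputFile -NoTypeInformation -Append
Write-Host "Serial $($row.'Device Serial Number') written to $OutputFile"
```

Treat the resulting CSV as sensitive: whoever holds a hardware hash can register that device into a tenant, so move the file to the Intune portal over a controlled channel and delete local copies afterwards.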

Assigning an Intune Autopilot Deployment Profile

Now that the device is registered, the next step to plan for is assigning a deployment profile.

To start with, keep in mind that the deployment profile simply tells the device how to behave during Autopilot. Typically, the main choice is which deployment mode to use. The first option is user-driven mode. In this mode, the out-of-box experience (OOBE) prompts the user to sign in with their Azure AD credentials, and the device is then configured for that specific account. This is the most common deployment mode in Autopilot and is almost always used for normal end-user devices.

The second deployment mode is self-deploying. In this mode, there is no need for the user to sign in. Instead, the device automatically runs through the out-of-box experience and configures itself based on the settings and applications assigned to the device object. This mode is ideal for shared devices.

Assigning Settings and Applications

Right off the bat, note that assigning settings and applications is not strictly required for a successful Autopilot deployment. Still, you will probably need to configure some settings and applications on the devices in question.

So what kinds of settings are available for configuration in Intune?

Most of the settings you configure in Intune are applied through configuration profiles, which let you change a wide range of settings on the device. It is not far-fetched to think of a configuration profile as similar to a Group Policy Object in an on-premises environment.

Examples of what you can do with configuration profiles include changing the operating system version with an upgrade, managing OneDrive settings, or performing certificate enrollment.

In addition to the standard configuration profiles, Intune also has a section devoted to Windows updates. Configure those settings so that you control how and when devices receive both monthly quality updates and semi-annual feature updates.

Endpoint Security in Intune

Intune also has a section for configuring endpoint security settings. This lets you manage Windows Defender, disk encryption, and Windows Defender Firewall.

After creating the device settings, it is time to create the applications users need. Start with the applications the majority of end users will need. This is much the same as a traditional Windows deployment: in Intune you create the same base apps, such as Microsoft Office, web browsers, and other core business applications.

Note that Intune supports Win32 apps, so the majority of your apps can be deployed using scripts in much the same way you would deploy them with Configuration Manager.

Deploying to Devices

The next step is deploying the settings, policies, and applications to the devices. Assignments in Intune are handled using Azure Active Directory groups. If you are familiar with Configuration Manager, think of assignments and Azure AD groups in Intune as similar to collections and deployments.

Ahead of time, consider whether new groups need to be created to which you can assign objects. Keep in mind that your environment is likely to contain hundreds or even thousands of Azure AD groups, so make sure you have a consistent naming scheme in place.

Common Challenges with Intune Autopilot Deployments

Engineers and end users often report challenges with Intune Autopilot deployments. Fortunately, these can often be resolved with configuration changes. Some of the challenges experienced include:

Device Profile Failing to Auto-login

Both Windows 10 and Windows 11 users report issues logging into their kiosk device profiles. What often happens is that after Autopilot completes provisioning, the device remains on the sign-in screen prompting for credentials. To resolve this, you will need the kiosk user credentials at hand, as you will be prompted to enter them manually.

Autopilot Profile Not Applied After Reimaging to an Older OS Version

If you enroll a device that has Windows update KB5017380 (Windows 10) or KB5017383 (Windows 11) installed and then reimage it to an older OS version, the Autopilot profile typically will not be applied. You will typically see a "fix pending" message on the screen of the Autopilot device.

Need Assistance with your Intune Autopilot Deployment?

Agile IT can support Intune Autopilot deployments across companies of any size and complexity with a focus on security, compliance, and productivity. To find out how you can best prepare, request a no-obligation consultation with a cloud advisor today.
