This is the third part of the series on building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps, such as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!
Windows management
As I stated in the previous part, Windows management is enabled by default. However, there is one thing you will need to enable, which is Automatic Enrollment. This requires an Azure AD Premium license, which is included in the EMS and M365 Dev setup.
To enable this, select Devices in the left side menu. Then navigate to Windows, then Windows Enrollment. Select the “Automatic Enrollment” option.
Make sure to set the “MDM user scope” to All, then click Save. You can leave everything else set to default.
That’s about it! We are now ready to start setting things up for your lab!
Guided scenarios
As I said, we will take some shortcuts in this tutorial to get you going, therefore we will use the Guided Scenarios found on the landing page of Microsoft Intune (just click Home in the left side menu).
Click start under “Deploy Windows 10 and later in cloud configuration” and the wizard for setting up a basic Windows Autopilot configuration will kick-off.
On the first screen, read through the information and then click Next.
On the Basics tab, leave “Apply device name template” set to default, but add a Resource Name Prefix such as Win10 to help you visually identify that this is for Windows. Then click Next.
On the Apps tab, leave everything at default; this will install Microsoft Teams and Microsoft Edge, but not the full M365 Apps suite (this can be added later on if needed). Click Next.
Since we already created a device group, select “Choose an existing group” and add the device group you created earlier. Click Next.
On the last page you will be able to review your settings under “Configurations to be made”. When you are happy with your options, select “Deploy” and wait for the process to finish.
You have now taken a real shortcut to get going with basic settings for your Windows devices.
You can of course build further on this, but as part of this tutorial we will leave it at this.
Preparing a Windows device
So the next step is to prepare your Windows device for Windows Autopilot. The easiest way to do this is to export the Hardware ID using PowerShell. Don’t be alarmed, you don’t need to be a code monkey or script kiddie to run this; it is just three lines that you need.
Depending on what state your device is in, you can run this either from an elevated PowerShell prompt in a Windows session which is up and running, or during the OOBE setup. In my example down below, I will run this from a Virtual Machine in Hyper-V during the OOBE setup. To create a Windows 10 VM in Hyper-V, you can follow this guide from Microsoft.
If you are using Hyper-V, make sure to enable the TPM feature in Settings on the virtual machine. We will need this for BitLocker.
Once you reach the start of the OOBE, stop at selecting language.
Press SHIFT and F10 (you might need FN as well depending on your keyboard) to launch a command prompt. Then type powershell and hit enter to start PowerShell.
Next, we will run three lines of PowerShell commands. You can find more information about it on Microsoft Docs.
Install-Script -name Get-WindowsAutopilotInfo -Force
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Get-WindowsAutoPilotInfo -Online
Run the lines in the PowerShell window. You can copy-paste by going to Clipboard > Type Clipboard text in the Hyper-V session.
You will be asked to press Y for yes a few times during the process to install the script.
When you have run the “Get-WindowsAutoPilotInfo -Online” line, it will install a few modules and then you will be asked to sign in using your Microsoft account. Use the account you have signed into Intune with (it has the required access as Global Admin, but a user with the Intune Admin role will be sufficient in the long run).
When you run this the first time you will be asked to give consent for the script to use your account; scroll down and press Accept.
Once you have accepted, the process of gathering the Hardware ID will start automatically, but don’t close the session until it has finished. This will take up to a few minutes. Once you can confirm that the script has finished successfully, turn off the computer, or reset Windows if you are doing this from an already up and running Windows client (you will lose all data).
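The same three steps, as an added example that is not part of the original post, with a TPM check up front (the lab needs a TPM for BitLocker) and the Hardware ID written to a CSV file instead of uploaded with -Online, so you can inspect it before importing it under Devices > Windows > Windows Enrollment > Devices. It assumes an elevated PowerShell (or the OOBE prompt) with internet access; the CSV path is my own choice.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session or the SHIFT+F10 prompt during OOBE, with PSGallery reachable.

# 1. Confirm a TPM is present and ready; Autopilot enrollment works without it,
#    but the BitLocker part of the lab will not.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    Write-Warning "TPM is not present or not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))."
}

# 2. Allow locally-run scripts for this process only (not machine-wide),
#    then install the Microsoft script from the PowerShell Gallery.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
Install-Script -Name Get-WindowsAutoPilotInfo -Force

# 3. Export the hash to a CSV instead of uploading it straight away.
#    The file path is an assumption; pick any writable location.
$csv = Join-Path $env:SystemDrive 'AutopilotHWID.csv'
Get-WindowsAutoPilotInfo -OutputFile $csv

# 4. Sanity-check the export before importing it into Intune: every row must
#    carry a serial number and a non-empty hardware hash.
$rows = Import-Csv -Path $csv
if (-not $rows) { throw "No rows were written to $csv" }
foreach ($row in $rows) {
    if ([string]::IsNullOrWhiteSpace($row.'Hardware Hash')) {
        throw "Empty hardware hash for serial '$($row.'Device Serial Number')'"
    }
    Write-Host ("Serial {0}: hash length {1} characters" -f
        $row.'Device Serial Number', $row.'Hardware Hash'.Length)
}
Write-Host "Hardware ID exported to $csv; import it in Intune or re-run with -Online."
```

Treat the CSV as sensitive: the hardware hash is what ties the device to your tenant, so delete the file once it has been imported.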
Head back over to Microsoft Intune to confirm that the computer was successfully imported by navigating to Devices > Windows > Windows Enrollment and selecting Devices.
This is the section where all your imported Windows Autopilot devices will be listed, and you can see if a Deployment profile has been assigned to the device.
Once the Deployment profile has been assigned to the device, you will see that the Profile status is set to “Assigned”. This usually takes about 10-15 minutes and you can’t do more than just wait. If you click on the machine you can see some more information, such as what profile is assigned.
Enroll your device
Now only the fun part is left. Enroll your device!
Simply start your computer or virtual machine again and follow the on-screen instructions. Once you have selected language, keyboard locale and network (if it is a physical device) you will end up on a screen saying “Welcome to [your company name]” and you will be asked to sign in.
Sign in using the account we created earlier and just follow the flow. If this is the first time you sign in with this user, you will be asked to set up MFA and change the password.
The enrollment typically takes between 20-30 minutes depending on how many applications are being assigned. You can follow the progress on the screen and expand each section to track it.
At one point in the process, you will be asked to sign in again; this is to set the user affinity and configure the “Account setup” phase.
Ending notes
We have now successfully set up an extremely basic Windows configuration that you can play around with. If you go to Devices > Windows > Windows Devices you will see all your enrolled devices and information about them. You can also perform remote actions on them, which I encourage you to try!
Since this is an isolated lab environment, try stuff out. You can’t really break anything, and in the worst-case scenario you will have to re-install the Windows client.
Play around. Have fun.
In the next part we will dig into iOS management!