Windows Autopilot user-driven mode
Applies to: Windows 10, version 1809 or later
Windows Autopilot user-driven mode lets you configure new Windows 10 devices to automatically transform them from their factory state to a ready-to-use state. This process doesn't require that IT personnel touch the device.
The process is simple so that anyone can complete it. Devices can be shipped or distributed to the end user directly with simple instructions:
- Unbox the device, plug it in, and turn it on.
- Choose a language (only required when multiple languages are installed), locale, and keyboard.
- Connect it to a wireless or wired network with internet access. If using wireless, the user must establish the Wi-Fi link.
- Specify your e-mail address and password for your organization account.
The rest of the process is automated, as the device:
- Joins the organization.
- Enrolls in Intune (or another MDM service)
- Is configured as defined by the organization.
Any additional prompts during the Out-of-Box Experience (OOBE) can be suppressed; see Configuring Autopilot Profiles for options that are available.
Windows Autopilot user-driven mode supports Azure Active Directory and Hybrid Azure Active Directory joined devices. For more information about these two join options, see What is a device identity.
The process flow completed during the user-driven process are as follows:
- After connecting to a network, the device downloads a Windows Autopilot profile. The profile defines the settings used for the device. For example, define the prompts suppressed during OOBE.
- Windows 10 checks for critical OOBE updates. If updates are available, they're automatically installed (rebooting if necessary).
- The user is prompted for Azure Active Directory credentials. This customized user experience shows the Azure AD tenant name, logo, and sign-in text.
- The device joins Azure Active Directory or Active Directory, depending on the Windows Autopilot profile settings.
- The device enrolls in Intune (or other configured MDM services). Depending on your organizational needs, this enrollment occurs:
- during the Azure Active Directory join process using MDM auto-enrollment
- or before the Active Directory join process.
- If configured, the enrollment status page (ESP) will be displayed.
- After the device configuration tasks complete, the user is signed into Windows 10 using the credentials they previously provided. (If the device reboots during the device ESP process, the user must reenter their credentials as these details aren't persisted across reboots.)
- After sign-in, the enrollment status page displays for user-targeted configuration tasks.
If any issues are found during this process, see the Windows Autopilot Troubleshooting documentation.
For more information on the available join options, see the following sections:
- Azure Active Directory join is available if devices don't need to be joined to an on-prem Active Directory domain.
- Hybrid Azure Active Directory join is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain.
User-driven mode for Azure Active Directory join
To complete a user-driven deployment using Windows Autopilot, follow these preparation steps:
- Make sure that the users who will be performing user-driven mode deployments can join devices to Azure Active Directory. For more information, see Configure device settings in the Azure Active Directory documentation.
- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and doesn't need to be selected.
- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.
For each device that will be deployed using user-driven deployment, these additional steps are needed:
- Make sure that the device has been added to Windows Autopilot. Adding a device to Windows Autopilot can be done in two ways:
- Automatically by an OEM or partner at the time the device is purchased
- Manual harvesting as described in Adding devices to Windows Autopilot.
- Ensure an Autopilot profile has been assigned to the device:
- If using Intune and Azure Active Directory dynamic device groups, this assignment can be done automatically.
- If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
- If using other methods (for example, Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.
User-driven mode for hybrid Azure Active Directory join
Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment, you can join devices to your on-premises domain. To join the devices, you must configure Autopilot devices to be hybrid-joined to Azure Active Directory (Azure AD).
To perform a user-driven hybrid Azure AD joined deployment using Windows Autopilot:
- The device must be running Windows 10, version 1809 or later.
- A Windows Autopilot profile for user-driven mode must be created and
- Hybrid Azure AD joined must be specified as the selected option under Join to Azure AD as in the Autopilot profile.
- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
- If using Intune, create and assign a Domain Join profile. A Domain Join configuration profile includes on-premises Active Directory domain information
- The device must have access to an Active Directory domain controller. It must be connected to the organization's network. It must be able to resolve the DNS records for the AD domain and the AD domain controller. It must be able to communicate with the domain controller to authenticate the user.
- The device must be able to access the Internet, following the documented Windows Autopilot network requirements.
- The Intune Connector for Active Directory must be installed.
- Note: The Intune Connector will perform an on-prem AD join. Therefore, users don't need on-prem AD-join permission. This assumes the Connector is configured to perform this action on the user's behalf.
- If using Proxy, WPAD Proxy settings option must be enabled and configured.
Azure AD device join: The hybrid Azure AD join process uses the system context to perform device Azure AD join. It's not affected by user-based Azure AD join permission settings. All users can join devices to Azure AD by default.
User-driven mode for hybrid Azure Active Directory join with VPN support
Devices joined to Active Directory require connectivity to an Active Directory domain controller for many activities. These activities include user sign-in (validating the user's credentials) and Group Policy application. As a result, the Windows Autopilot user-driven Hybrid Azure AD Join process would validate that the device is able to contact an Active Directory domain controller by pinging that domain controller.
With the addition of VPN support for this scenario, you can configure the Hybrid Azure AD Join process to skip the connectivity check. This doesn't eliminate the need for communicating with an Active Directory domain controller. Instead, to allow connection to the organization's network, Intune delivers the needed VPN configuration before the user attempts to sign in to Windows.
The following additional requirements apply for Hybrid Azure AD Join with VPN support:
- A supported version of Windows 10:
- Windows 10 1903 + December 10 Cumulative update (KB4530684, OS build 18362.535) or higher
- Windows 10 1909 + December 10 Cumulative update (KB4530684, OS build 18363.535) or higher
- Windows 10 2004 or later
- Enable the new “Skip domain connectivity check” toggle in the Hybrid Azure AD Join Autopilot profile.
- A VPN configuration that:
- can be deployed with Intune and lets the user manually establish a VPN connection from the Windows logon screen, or
- one that automatically establishes a VPN connection as needed.
The specific VPN configuration required depends on the VPN software and authentication being used. For third-party (non-Microsoft) VPN solutions, this typically would involve deploying a Win32 app (containing the VPN client software itself and any specific connection information, for example: VPN endpoint host names) via Intune Management Extensions. Consult your VPN provider's documentation for configuration details specific to that provider.
The VPN requirements aren't specific to Windows Autopilot. For example, if you have already implemented a VPN configuration to enable remote password resets, where a user needs to log on to Windows with a new password when not on the organization's network, that same configuration can be used with Windows Autopilot. Once the user has signed in to cache their credentials, subsequent log-on attempts don't need connectivity since the cached credentials can be used.
In cases where certificate authentication is required by the VPN software, the needed machine certificate should also be deployed via Intune. This deployment can be done using the Intune certificate enrollment capabilities, targeting the certificate profiles to the device.
User certificates aren't supported because they can't be deployed until the user logs in. Also, because they aren't installed until after the user signs in, non-Microsoft UWP VPN plug-ins delivered from the Windows Store aren't supported.
Before you attempt a hybrid Azure AD Join using VPN, it's important to confirm that a user-driven Hybrid Azure AD Join process can be performed on the organization's network. This confirmation simplifies troubleshooting by making sure the core process works before adding the additional VPN configuration required.
Next, validate that the VPN configuration (Win32 app, certs, and any other requirements) can be deployed using Intune to an existing device that has already been hybrid Azure AD joined. For example, some VPN clients create a per-machine VPN connection as part of the installation process. So, you can validate the configuration using steps like these:
- From PowerShell, verify that at least one per-machine VPN connection has been created using the "Get-VpnConnection -AllUserConnection" command.
- Attempt to manually start the VPN connection using the command: RASDIAL.EXE "ConnectionName"
- Log out and verify that the "VPN connection" icon can be seen on the Windows logon page.
- Move the device off the corporate network and try to establish the connection using the icon on the Windows logon page. Sign into an account that doesn't have cached credentials.
For VPN configurations that automatically connect, the validation steps may be different.
Always On VPN can be used for this scenario. For more information, see the Deploy Always On VPN documentation. Note that Intune can't yet deploy the needed per-machine VPN profile.
To validate the process, ensure the needed Windows 10 cumulative update has been installed on Windows 10 1903 or Windows 10 1909. You can manually install the update during OOBE by first downloading the latest cumulative from https://catalog.update.microsoft.com. Follow these steps:
- Press Shift-F10 to open a command prompt.
- Insert a USB key containing the downloaded update.
- Install the update using the command (substituting the real file name): WUSA.EXE
- Reboot the computer using the command: shutdown.exe /r /t 0
Or, you can start Windows Update to install the latest updates:
- Press Shift-F10 to open a command prompt.
- Run the command "start ms-settings:"
- Navigate to the "Update & Security" node and check for updates.
- Reboot after the updates are installed.