This article will describe how to set up multiple Hybrid Join Autopilot profiles.
- Customer coming from ConfigMgr device management & application deployment
- Migrated to Hybrid Joined Intune MDM managed devices
- They have a device naming policy for different branches in the organisation
- All the prerequisites for Autopilot Hybrid join are met (https://docs.microsoft.com/en-us/intune/enrollment/windows-autopilot-hybrid)
- Deploying a Windows Autopilot hybrid-join user-driven profile for every device naming convention
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that’s easy and simple. You can find more info on Windows Autopilot here: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot
1. Creating dynamic groups to populate the different Windows Autopilot profiles
We have four different device naming conventions: LTLOK-, PCLOK-, LTZB- and PCZB-. Later in this guide, when we upload the hardware hashes to the Windows Autopilot service, we’ll set a Group Tag on each upload. That way our four dynamic groups are populated automatically.
This is how the dynamic groups are made up:
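As an added example (not part of the original post), the four groups can be created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Groups module is installed and uses the standard Autopilot Group Tag membership rule, in which the tag appears as `[OrderID]:<tag>` in `devicePhysicalIds`; the description text and mail nickname are constructed values.

```powershell
# Added example: create one dynamic device group per naming convention.
# Assumes the Microsoft.Graph.Groups module and consent for Group.ReadWrite.All.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Group Tags used in this article, one per device naming convention.
$tags = 'LTLOK', 'PCLOK', 'LTZB', 'PCZB'

foreach ($tag in $tags) {
    $name = "M365_Autopilot_$tag"

    # Autopilot exposes the Group Tag as "[OrderID]:<tag>" in devicePhysicalIds,
    # so each group only matches devices uploaded with exactly that tag.
    $rule = "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$tag`"))"

    # Do not create a duplicate if the group already exists.
    if (Get-MgGroup -Filter "displayName eq '$name'") {
        Write-Host "Group $name already exists, skipping."
        continue
    }

    New-MgGroup -DisplayName $name `
        -Description "Autopilot devices with Group Tag $tag (constructed description)" `
        -MailEnabled:$false `
        -MailNickname $name `
        -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
}
```

Because each rule matches one exact tag, a device uploaded with a mistyped or missing Group Tag joins none of the groups and receives none of the profiles assigned below.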
2. Creating domain join profiles
Next, we’ll create 4 different domain join profiles. Each profile also carries the naming convention for its devices.
This is how the domain join profiles will look:
The W10 – Domain Join Profile LTLOK will get assigned to the dynamic group M365_Autopilot_LTLOK. Every device we upload with the Group Tag LTLOK will automatically land in that dynamic group and get the right domain join profile assigned.
The W10 – Domain Join Profile LTZB will get assigned to the dynamic group M365_Autopilot_LTZB. Every device we upload with the Group Tag LTZB will automatically land in that dynamic group and get the right domain join profile assigned.
The W10 – Domain Join Profile PCLOK will get assigned to the dynamic group M365_Autopilot_PCLOK. Every device we upload with the Group Tag PCLOK will automatically land in that dynamic group and get the right domain join profile assigned.
The W10 – Domain Join Profile PCZB will get assigned to the dynamic group M365_Autopilot_PCZB. Every device we upload with the Group Tag PCZB will automatically land in that dynamic group and get the right domain join profile assigned.
3. Creating hybrid join skip user status page profile
There are still some issues with the user status page in Hybrid Joined Windows Autopilot profiles. You can work around that with the following configuration profile:
OMA-URI: ‘./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage’
Data type: Boolean
We’ll assign this profile to all our dynamic groups. We want this profile to get applied to every hybrid join device.
4. Creating the Windows Autopilot profiles
Of course we’ll also need 4 different Windows Autopilot profiles, one for each naming convention. We’ll also assign these 4 profiles to our 4 dynamic groups from step 1.
This is how each of the profiles looks:
5. Enrolling new devices
Now I’ll explain the enrollment process for new devices. You can either work together with your vendor and ask them to upload your Windows Autopilot device hashes into the Windows Autopilot service (with the correct Group Tag for the devices), or do it yourself. Most of the time your vendor will charge a cost for this service. To do it yourself, you can use Nickolaj Andersen’s PowerShell script: Upload-WindowsAutopilotDeviceInfo.
This process is explained step by step in my previous blog post (Single App Kiosk with Windows Autopilot). But I’ll go over it again briefly.
We’ll boot the machine (Windows v1809 or greater). Once we’ve chosen the language and keyboard layout, we’ll press F10 to open a command prompt. In that command prompt, we’ll open PowerShell. The first thing to do is set the execution policy for this session (Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted). Next, download the script from Nickolaj Andersen (Install-Script -Name Upload-WindowsAutopilotDeviceInfo). This will ask you a few things; make sure you choose ‘Yes’ or ‘Yes for All’. The last thing to do is run the script with the following syntax: ‘Upload-WindowsAutopilotDeviceInfo.ps1 -TenantName "switchtomodern.be" -GroupTag "LTZB" -Verbose’.
In the GroupTag parameter you choose which naming convention you want for the device you are enrolling.
To explain this method further: the device hash will get uploaded to the Windows Autopilot service with the corresponding GroupTag you provided. After 15 – 30 mins the device will land in the dynamic group we created in step 1. Once it is in the dynamic group, it will get a) the correct configuration profiles assigned and b) the correct Windows Autopilot deployment profile assigned.
Then you only have to wait for the right profile to be assigned in the Windows Autopilot Devices blade.
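As an added check (not part of the original post), the registered devices can be audited for Group Tags that fall outside the four conventions, since such devices never reach a dynamic group and never receive a profile. It assumes the Microsoft.Graph.DeviceManagement.Enrollment module is installed and that read-only consent for DeviceManagementServiceConfig.Read.All is available.

```powershell
# Added example: audit the Group Tags of registered Autopilot devices.
# Assumes the Microsoft.Graph.DeviceManagement.Enrollment module.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

# The only Group Tags that map to a dynamic group in this article.
$allowedTags = 'LTLOK', 'PCLOK', 'LTZB', 'PCZB'

# Retrieve every device registered in the Windows Autopilot service.
$devices = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All

# Summary: how many devices carry each tag (an empty name means no tag).
$devices |
    Group-Object -Property GroupTag |
    Sort-Object -Property Name |
    Format-Table -Property Name, Count -AutoSize

# Devices with a missing or mistyped tag match none of the dynamic group
# rules, so they get no domain join or Autopilot profile from this setup.
$unmatched = $devices | Where-Object { $_.GroupTag -notin $allowedTags }

if ($unmatched) {
    Write-Warning "$(@($unmatched).Count) device(s) have a Group Tag outside the allowed set:"
    $unmatched |
        Select-Object -Property SerialNumber, GroupTag, EnrollmentState |
        Format-Table -AutoSize
}
else {
    Write-Host 'All registered devices carry one of the expected Group Tags.'
}
```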