
How to get Windows Devices Business-Ready with Windows Autopilot and SureMDM

Windows Autopilot provides a new approach to IT Pros with options to pre-register Windows devices with an organization, pre-configure them and make them business-ready within minutes of unboxing.

The only intervention required from the user is to connect to a network and verify their credentials; the device then automatically configures its settings, applies policies, installs apps and auto-enrolls into SureMDM.

Purpose

The purpose of this knowledge article is to help the admin set up Windows Autopilot to simplify and expedite the deployment and configuration of Windows devices in an organization.

To set up SureMDM and apply the desired profile through Windows Autopilot, the following five procedures are involved:

i. Create a default profile on SureMDM so that it is applied as soon as the user powers on the device.

ii. Set up the SureMDM configuration settings in the Azure AD console.

iii. Set up the Windows Enrollment settings on SureMDM.

iv. Upload device IDs and configure the Autopilot deployment profile.

v. Assign users to the device.

Configure a default profile for Windows devices.

To configure a default profile for Windows devices, follow these steps:

1. Login to SureMDM Web Console.

2. On SureMDM Home, click Profiles > Windows > Add.

3. Select the desired profile, configure it and save it.

4. Once saved, go to the Profiles screen, select the profile and click Set As Default.

Set up SureMDM configuration settings in the Azure AD console.

  1. Login to the Azure AD portal.
  2. Click Azure Active Directory > Mobility (MDM and MAM).
  3. Click Microsoft Intune > set ‘MDM User scope’ to ‘None’ (this ensures all Autopilot devices are managed via SureMDM).
  4. Click Microsoft Intune Enrollment > set ‘MDM User scope’ to ‘None’ (this app may or may not be visible in certain Azure environments).
  5. Click Add application > search for ‘SureMDM by 42Gears’ > Review Permissions and Create (if the application cannot be added, check the RBAC role assigned to your Azure account).
  6. Select the newly created application and enter the following details:

Customer ID is the SureMDM Account ID and Tenant ID is the Microsoft Entra Tenant ID (formerly known as the Azure Tenant ID).

Set up Windows Enrollment settings on SureMDM.

  1. Login to the SureMDM Web Console.
  2. Go to Settings > Account Settings > Windows Management > Windows Enrollment.
  3. Under Microsoft Windows Store for Business, update the Tenant ID from the Azure portal. To find the Tenant ID, log in to the Azure AD portal and click Properties > copy Tenant ID.
  4. In the Application ID field, enter 98a7653a-3678-4c69-a0a3-c09ab5d65bdd (this is the default value unless a custom app is used in your Azure tenant).
  5. In the Application Secret field, enter

    ef+yonPXlHkjpE9q9wa19EuczcaxPaUGiDa8TZ9RKwA6+jESISZdPlr29KZg55lSFzp9m2SAwikQvm3Rl8VfTolw+QDHsv5qtCNwH7pBvN8GH4ibiJQoHkQcyKNYYGFb

    (this is the default value unless a custom app is used in your Azure tenant).
  6. Click Apply.

Upload device IDs and configure the Autopilot deployment profile

When a new batch of devices is purchased, the hardware vendor sends the IT admin a list of device IDs. Uploading this list to the Azure AD portal registers the devices to the organization and claims ownership of them.

To upload the device IDs, follow these steps:

  1. Log into Azure AD portal.
  2. Go to Devices > Windows > Windows Enrollment > Devices > Import.

Note: The .csv file must contain the following columns, in this order:

<Serial Number>, <Windows Product ID>, <Hardware Hash>, (optional <Group Tag>)
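For devices that are already in hand (a pilot unit, or a batch the vendor did not pre-register), the same .csv can be produced on the device itself. The script below is an added example, not 42Gears' or Microsoft's code: it reads the serial number and the hardware hash from the same WMI sources Microsoft's Get-WindowsAutopilotInfo script uses, and writes them in the header layout the Autopilot import expects. The output path and the group tag are placeholders chosen for this example; run it in an elevated PowerShell session on the target device.

```powershell
# Added example (not part of the 42Gears article): build an Autopilot import CSV
# for the local Windows device. Requires an elevated session; the hardware hash
# is only readable through the MDM bridge WMI provider as Administrator.
param(
    [string]$OutputFile = 'C:\Temp\AutopilotDevice.csv',   # placeholder path
    [string]$GroupTag   = 'SureMDM'                         # optional; '' to omit
)

# Serial number as reported by the firmware.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# Hardware hash from the MDM bridge provider (root/cimv2/mdm/dmmap).
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail -or [string]::IsNullOrEmpty($devDetail.DeviceHardwareData)) {
    throw 'Could not read the hardware hash; run as Administrator on the target device.'
}
$hash = $devDetail.DeviceHardwareData

# The Windows Product ID column is no longer required by the import; leave it empty.
$product = ''

# Header row used by the Autopilot import (same layout as Get-WindowsAutopilotInfo).
$header = 'Device Serial Number,Windows Product ID,Hardware Hash,Group Tag'
$row    = '{0},{1},{2},{3}' -f $serial, $product, $hash, $GroupTag

# Write without a BOM so the importer parses the first header column correctly.
New-Item -ItemType Directory -Path (Split-Path $OutputFile) -Force | Out-Null
Set-Content -Path $OutputFile -Value @($header, $row) -Encoding ASCII

# Sanity check before uploading: a real hardware hash is a base64 string of
# several thousand characters; a short value means the provider returned junk.
if ($hash.Length -lt 1000) {
    Write-Warning "Hardware hash looks truncated ($($hash.Length) characters)."
}
Write-Host "Wrote $OutputFile for serial $serial (hash length $($hash.Length))."
```

Treat the resulting file as sensitive: the hardware hash is what lets a tenant claim the device, so it should not be left on shared drives or in ticket attachments after the import.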

The IT admin can then use the Manage option in the Store for Business portal to create an Autopilot deployment profile and assign it to the devices. The profile specifies whether features such as OEM registration, privacy settings or the local admin account are enabled or skipped during the out-of-box setup after the device is powered on.

To deploy an Autopilot profile, follow these steps:

  1. Log into Azure AD portal.
  2. Click Devices > Windows > Windows Enrollment > Deployment Profiles.
  3. Select the created profile > Assignments > Select groups to include > Select the group and click Select.

Note: To create a group, on the Azure AD home page click Groups > New Group > set Group Type to Security > give the group a name and description > set Membership Type to Dynamic Device > under Advanced rule for the dynamic query add (device.devicePhysicalIDs -any (_ -contains "[ZTDID]")) and click Add query. Once done, the group is created and all Autopilot devices are added to it automatically.

Please refer to this article for more details on creating groups and customizing it.
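The same dynamic device group can be created from a script, which is useful when the tenant is set up repeatedly (test tenants, multiple customers). The block below is an added example using the Microsoft Graph PowerShell SDK, not code from 42Gears; the display name, description and mail nickname are placeholders. The membership rule is the one quoted in the note above.

```powershell
# Added example (not part of the 42Gears article): create the dynamic device
# group that the Autopilot deployment profile is assigned to, via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell module and a signed-in account that can
# create groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Same rule as in the portal note: every Autopilot-registered device carries a
# "[ZTDID]:..." entry in devicePhysicalIds.
$rule = '(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))'

$group = New-MgGroup -DisplayName 'Autopilot Devices' `                 # placeholder name
    -Description 'All devices registered with Windows Autopilot' `
    -MailEnabled:$false -MailNickname 'autopilotdevices' `              # placeholder nickname
    -SecurityEnabled -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Membership is evaluated asynchronously, so check the rule and its processing
# state rather than expecting members straight away. If the state is not 'On',
# the group will stay empty no matter how many devices are imported.
Get-MgGroup -GroupId $group.Id `
    -Property 'Id,DisplayName,MembershipRule,MembershipRuleProcessingState' |
    Select-Object Id, DisplayName, MembershipRule, MembershipRuleProcessingState

# Once processing has run, list the devices the rule picked up.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

Assign the Autopilot deployment profile to the group returned in $group.Id (Devices > Windows > Windows Enrollment > Deployment Profiles > Assignments, as in the steps above).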

Assign users to devices.

When the IT admin assigns an existing user to an uploaded device ID, the user's User ID is pre-populated when the new Windows device is unboxed and powered on; the user only has to enter the password to continue into the customized setup process.

To assign a user, follow these steps:

  1. Log into Azure AD portal.
  2. Click Devices > Windows > Windows Enrollment > Devices > Select the device > Assign User.
  3. Under the Select User section, select the user.
  4. Click Select.

Note: This step requires that an Intune license is assigned to the user before the user is assigned to an Autopilot device. The step is optional: assigning a licensed user to a specific Autopilot device only pre-populates the UPN and sets a custom greeting name.

Once done, a standard enterprise-defined setup process gets initiated and the device becomes business-ready within minutes of the registered Windows device being unboxed and powered on.

Deploying SureMDM Agent for Dual Enrollment.

Devices enrolled through Autopilot via SureMDM are, by default, EMM-enrolled devices.

To use the full SureMDM feature set, Dual Enrollment (EMM enrollment plus the SureMDM agent) is recommended.

The following steps deploy the SureMDM agent to EMM-enrolled devices without user intervention:

1. Login to SureMDM Web Console

2. Go to Settings > Account Settings > Customize Settings > Customize SureMDM Agent/SureLock > Windows

3. Click Edit Settings, paste the basic XML below (contact 42Gears support for the additional keys that are available) and click Done.

<NixSettings>
    <EnableNix>true</EnableNix>
    <ServerPath>Enter ServerPath here</ServerPath>
    <Password />
    <DeviceEntityStatus>PREAPPROVED</DeviceEntityStatus>
    <DeviceID />
    <CustomerID>Enter AccountID here</CustomerID>
    <NewIDType />
    <NameType>MachineName</NameType>
    <IDType>SYSTEMID</IDType>
    <EnableMailbox>true</EnableMailbox>
    <IsApproved>true</IsApproved>
</NixSettings>

4. Click on Generate and then Download the .exe of SureMDM Agent.

5. Convert the .exe downloaded in step 4 to an .msi using a packaging tool of your choice, then proceed to the next step.

Note: Only .msi deployment is supported on EMM-enrolled devices, so the .exe must be wrapped as an .msi. Make sure the install switch /verysilent is passed to the SureMDM Agent .exe when building the .msi, so the install runs without prompts.

6. Upload the .msi file to SureMDM console.

  • SureMDM console > App Store > Windows > Add New App > Select MSI File.
  • Provide the URL where the SureMDM Agent .msi is hosted > click Add.
  • Update App Title, Category and Description > Click save.

7. In the SureMDM console, go to Profiles > Windows > Application Policy > Add > Windows App Store > choose the SureMDM Agent uploaded in the previous step > Add.

8. Name the policy and save it. Deploy it to the group of EMM-enrolled devices.

Once done, the EMM-enrolled devices are dual-enrolled without any user intervention and support all SureMDM capabilities.
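After the Application Policy has run, it is worth confirming on a device that both halves of the dual enrollment are present before rolling the policy out to the whole group. The script below is an added example and not 42Gears' tooling. The MDM (EMM) enrollment is read from the registry keys Windows writes for every OMA-DM enrollment, which is documented Windows behaviour; the agent check looks for an installed product whose name contains "SureMDM" or "Nix", which is an assumption about how the agent registers itself in Programs and Features and may need adjusting to the actual product name on your build.

```powershell
# Added example (not part of the 42Gears article): verify on an endpoint that it
# is both EMM-enrolled and has the SureMDM agent MSI installed.

function Get-MdmEnrollment {
    # Each OMA-DM enrollment gets a GUID subkey here; entries without a
    # ProviderID are bookkeeping keys, not enrollments.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID } |
        Select-Object @{ n = 'EnrollmentId'; e = { $_.PSChildName } },
                      ProviderID, UPN, EnrollmentType, EnrollmentState
}

function Get-SureMdmAgentInstall {
    # Installed products, 64-bit and 32-bit views.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'SureMDM|Nix' } |   # assumption: agent product name
        Select-Object DisplayName, DisplayVersion, InstallDate
}

$mdm   = @(Get-MdmEnrollment)
$agent = @(Get-SureMdmAgentInstall)

'MDM (EMM) enrollments:'
$mdm | Format-Table -AutoSize
'SureMDM agent packages:'
$agent | Format-Table -AutoSize

if ($mdm.Count -gt 0 -and $agent.Count -gt 0) {
    'Dual enrollment looks complete.'
}
elseif ($mdm.Count -gt 0) {
    'EMM enrolled, but the agent MSI is not installed yet; check the Application Policy deployment status in the SureMDM console.'
}
else {
    'No MDM enrollment found on this device.'
}
```

If the agent is missing on every device while the policy shows as deployed, the usual cause is the .msi wrapper launching the .exe without /verysilent, so the install waits on a dialog nobody can see.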

To learn more about 42Gears UEM features for Windows devices, click here.

Updated on October 2023