How to get Windows 10 Devices Business-Ready with Windows AutoPilot and SureMDM?

KB ID: 42G2007359
Updated: June 2021

Windows Autopilot gives IT Pros a new approach: they can pre-register Windows 10 devices with an organization, pre-configure them and make them business-ready within minutes of unboxing.

The only intervention required from the user is to connect to a network and verify their credentials. This starts the automated configuration of device settings, application of policies, installation of apps and auto-enrollment of the device into SureMDM.

To set up SureMDM and apply a desired profile using Windows AutoPilot, the following four things need to be done:

– Create a default profile on SureMDM so that it can be applied as soon as the user powers on the device.

– Configure Azure AD and SureMDM.

– Upload device IDs and configure AutoPilot deployment profile.

– Assign a user to the device.

Configure a default profile for Windows 10 devices

To configure a default profile for Windows 10 devices, follow the steps below:

1. Log in to SureMDM Web Console.

2. On SureMDM Home, click Profiles > Windows > Add.

3. Under the Work Profile section, select the desired profile, configure it and save it.

4. Once saved, go to the Profile screen, select the profile and click Set As Default.

Configure Azure AD and SureMDM

To configure Azure AD and SureMDM, follow the steps mentioned below:

1. Log in to the Azure AD portal.

2. Click Azure Active Directory.

3. Click Properties and copy the Directory ID.

4. Log in to SureMDM Web Console.

5. Go to Settings > Account Settings > Device Enrollment Rules.

6. Under Microsoft Windows Store for Business, in the Tenant ID field, paste the Directory ID copied in Step 3 and click Validate.

The Tenant ID pasted here will be validated.

7. Navigate to the Azure portal.

8. Click Azure Active Directory > Mobility (MDM and MAM).

9. Click Add application > On-Premises MDM application.

10. Enter an application name and click Add.

The newly created application will be added in the Mobility (MDM and MAM) section.

11. Select the newly created application and enter the following details:

  • MDM User scope: All
  • MDM terms of use URL: https://xxxxxx.com/Windows/View/TermsOfUse.aspx
  • MDM discovery URL: https://xxxxxx.com/EnrollmentServer/discovery.svc

12. Click SureMDM Application Settings Properties.

13. Enter console URL (https://XXXXX.42gears.com) in App ID URI, copy Application ID and click Save.

Note: Make sure that Multi-Tenanted option is set to No.

14. Click Keys. Enter the Key Description, select a Duration and click Save. Copy the Key generated.

Note: Copy the generated Key now. Once this window is closed, the key cannot be fetched again.

15. Navigate to Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.

16. Enter the below details in the required fields and click Save.

17. Go to SureMDM Web Console > Settings > Account Settings > Device Enrollment Rules > Oauth Azure AD.

18. In the Application ID field, paste the Application ID copied in Step 13.

19. In the Application Secret field, paste the Key generated in Step 14.

20. Click Apply.

Upload device IDs and configure AutoPilot deployment profile

When a new set of devices is purchased, the hardware vendor sends a list of device IDs to the IT Admin. This list can be uploaded to the Azure AD portal to claim ownership of the devices.

To upload the device IDs, follow the steps below:

1. Log into Azure AD portal.

2. Go to Device Enrollment > Windows Enrollment > Devices > Import.

Note: The .csv file should have the following details:

<Serial Number>, <Windows Product ID>, <Hardware Hash>, (optional <Group Tag>)
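
A pre-import check for the device list described above, as an added example that is not part of the original article or of 42Gears or Microsoft tooling. It assumes the column order given in the note, no header row unless `has_header=True`, and that the hardware hash is a base64 string; the function name `validate_autopilot_csv` and all sample rows are constructed for illustration.

```python
import base64
import binascii
import csv
import io

# Constructed sample of a vendor list in the column order given above:
# serial number, Windows product ID, hardware hash, optional group tag.
# The hashes are short placeholders, not real device hashes.
SAMPLE_CSV = """\
SN-0001,00000-00000-00000-AAAAA,QUJDREVGR0g=,Sales
SN-0002,,SUpLTE1OT1A=
SN-0002,,SUpLTE1OT1A=
SN-0003,,not*base64*
,,UVJTVFVWV1g=
SN-0004,00000-00000-00000-BBBBB
"""

def validate_autopilot_csv(text, has_header=False):
    """Return (accepted_rows, problems) for a device list before import."""
    accepted, problems, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        fields = [f.strip() for f in row]
        if (has_header and lineno == 1) or not any(fields):
            continue  # skip the header row and blank lines
        if len(fields) not in (3, 4):
            problems.append((lineno, "expected 3 or 4 fields, got %d" % len(fields)))
            continue
        serial, _product_id, hw_hash = fields[:3]
        if not serial:
            problems.append((lineno, "missing serial number"))
            continue
        if serial.upper() in seen:
            problems.append((lineno, "duplicate serial " + serial))
            continue
        try:
            # Assumption: the hardware hash is standard base64 text.
            if not base64.b64decode(hw_hash, validate=True):
                raise ValueError("empty hardware hash")
        except (binascii.Error, ValueError):
            problems.append((lineno, "hardware hash is not valid base64"))
            continue
        seen.add(serial.upper())
        accepted.append(fields)
    return accepted, problems

if __name__ == "__main__":
    ok, bad = validate_autopilot_csv(SAMPLE_CSV)
    print(len(ok), "rows ready for import;", "rejected:", bad)
```

Rejected rows are reported with their line number so the list can be corrected with the vendor before it is imported to claim device ownership.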

The IT Admin can then use the Manage option on the Store for Business portal to create an AutoPilot deployment profile and assign it to the devices. This profile includes instructions to turn setup ON or OFF for features like OEM Registration, Privacy Settings or Local Admin Account when the device is switched on after unboxing.

To deploy an AutoPilot profile, follow the steps below:

1. Log into Azure AD portal.

2. Click Device Enrollment > Windows Enrollment > Deployment Profiles.

3. Select the created profile > Assignments > Select groups to include > Select the group and click Select.

Note: To create a group, on Azure AD Home click Groups > New Group, set Group Type to Security, give the group a name and description, and select Dynamic Device as the Membership Type. Under Advanced rule, for Add dynamic query, add (device.devicePhysicalIDs -any _ -contains "[ZTDId]") and click Add query. Once done, the group is created and all the AutoPilot devices are added to it.

Assign users to devices

When the IT Admin assigns an existing user to an uploaded device ID, the user's User ID is auto-populated when the new Windows device is unboxed and powered on. The user is then prompted to enter the password to continue and experience the custom setup process. To assign a user, follow the steps below:

1. Log into Azure AD portal.

2. Click Device Enrollment > Windows Enrollment > Devices > Select the device > Assign User.

3. Under the Select User section, select the user.

4. Click Select.

Once done, a standard enterprise-defined setup process is initiated when the registered Windows 10 device is unboxed and powered on, and the device becomes business-ready within minutes.

To learn more about 42Gears UEM features for Windows 10 devices, click here.
