Autopilot enrollment - Windows

BigFix MCM supports Windows Autopilot enrollment.

What is Windows Autopilot

Windows Autopilot is a collection of technologies that helps set up and pre-configure new or factory reset Windows devices. It lets the administrator enroll and manage devices through a simple process, with little to no infrastructure to manage. The only interaction required from the end user is to connect to a network and log in with their AD credentials. Everything beyond that is automated. You can also use Windows Autopilot to reset, repurpose, and recover devices.

For more information about Windows Autopilot enrollment, see the official Windows documentation at Windows Autopilot.

How it works

The admin configures the Autopilot settings in Azure Active Directory (Azure AD). The devices configured to be enrolled with Windows Autopilot are automatically enrolled in BigFix MCM on first boot up. Devices can be configured to automatically have a default Windows profile to apply via Policy Groups. The default Windows profile can be configured to automatically install BigFix and other applications of the company’s choice, custom MSI, and set a default Windows restrictions policy.

Configuration workflow

The admin needs to sign in to the Azure portal with an active Azure AD Premium license, configure the MDM server, Autopilot group, deployment profile, and devices, and assign users to enroll devices through Windows Autopilot. For detailed instructions on how to configure Windows Autopilot settings through Azure AD, see the BigFix Wiki page Windows Autopilot Configuration Guide.

In brief, to configure Autopilot enrollment, complete the following steps:

  1. Configure BigFix MCM application in Azure AD.
  2. Create Autopilot users and device groups. This enables you to assign devices to a created group and manage the devices by group.
  3. Configure the default deployment profile. You can configure the default deployment profile through Microsoft Azure AD or through WebUI via Policy Groups. The configured profile is applied by default when a device is enrolled through Autopilot enrollment.
  4. Harvest device IDs in a .csv file and upload the file. Configure Autopilot devices and assign users.
  5. Configure Windows Autopilot Terms of Service. With this, you can customize the end user agreement screen by adding your company’s logo and terms of service.
After the configuration is completed, the enrollment process starts when the user switches the machine on, connects to the Internet, and enters the password for the assigned user.

Enrollment process

The Autopilot enrollment process begins on first power up of the device or power up following a factory reset.

To begin the enrollment process, do the following steps:

  1. Open the Windows device that is associated with the MDM server. Connect to the Internet. Enter the password as set in Azure AD. Update the password.
  2. The End User License Agreement page appears. Read the license agreement, select its check box, and click Accept. The Autopilot enrollment process then begins.
After the enrollment is completed, go to Settings > Access work or school to verify MDM server details.

Click Info to verify the policy and application details.

Managing through WebUI

You can manage the enrolled devices through WebUI. In the WebUI device list, the enrollment type is listed as autopilot_enroll.

In the device document, the Enrollment Type is shown as autopilot_enroll.

To learn how to further manage BigFix MCM, see Manage devices.

Warning: If you unenroll an Autopilot-enrolled Windows device, the work or school account is deleted and the AD user is disconnected from the device. After the device is unenrolled, the Admin cannot log in to the device again unless there is a pre-existing local operator account. To learn how to create a custom local operator account, see https://docs.microsoft.com/en-us/windows/client-management/mdm/accounts-csp.
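
A check that can be run on the device before unenrolling it, to confirm that an enabled local account exists. This is an added example, not BigFix or Microsoft code; the function name Get-EnabledLocalAccount and the extra flag for membership of the built-in Administrators group are assumptions of this example.

```powershell
# Added example: pre-unenroll check for a usable local account.
# Assumption: the local operator account should be enabled, and ideally be a
# member of the built-in Administrators group (well-known SID S-1-5-32-544).

function Get-EnabledLocalAccount {
    # Resolve the group name from its SID so the check works on localized Windows.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"

    # Collect the SIDs of all group members through the ADSI WinNT provider.
    $adminSids = @(foreach ($member in $group.Invoke('Members')) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    })

    # Only local, enabled accounts survive the removal of the work or school account.
    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            IsAdministrator = $adminSids -contains $_.SID.Value
            PasswordLastSet = $_.PasswordLastSet
        }
    }
}

$accounts = @(Get-EnabledLocalAccount)

if ($accounts.Count -eq 0) {
    Write-Warning 'No enabled local account found. Unenrolling now would leave no way to log in.'
    exit 1
}
if (-not ($accounts | Where-Object { $_.IsAdministrator })) {
    Write-Warning 'Enabled local accounts exist, but none is a local administrator.'
}

$accounts | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the enrolled device; a non-zero exit code means the device should not be unenrolled until a local account has been created.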