Provisioning Windows devices with Windows Autopilot

Windows Autopilot helps IT admins prepare new devices for use by pre-configuring and making them ready for work within minutes of unboxing. With Windows Autopilot, enrolling and configuring Windows devices will become much simpler and faster. This device will be automatically enrolled in Hexnode when the user powers on the device for the first time. Autopilot enrollment allows new devices to be set up automatically with predefined configurations and policies. This is especially useful for large organizations that need to deploy a significant number of devices efficiently.

Step 1: Configuring Microsoft Entra ID in Hexnode

1. Navigate to Admin > Integrations on your Hexnode UEM console.
2. Click on the Windows Autopilot tile from the available integrations.
3. If you’ve already configured Microsoft Entra ID, select the configured domain from the dropdown and proceed with configuring Autopilot settings.

   If Microsoft Entra ID hasn’t been set up in Hexnode, a window will prompt you to enter your organization’s Microsoft Entra custom domain/Directory (Tenant) ID. Enter the ID and click Configure.

4. You will be prompted to sign in with your Microsoft Entra ID credentials.
5. A pop-up will request permission for the Hexnode Azure Directory Services app. Check the box and click Accept.
6. You will be redirected back to the Hexnode UEM console, completing the Microsoft Entra ID integration.
7. Select either Allow self-enroll or Map UPN to email address.
8. Under Scheduled Sync, configure the sync settings for the Active Directory domain:
   1. Specify the time (hours and minutes) when the sync should be initiated.
   2. Choose the sync frequency (Daily or Weekly).
9. Click Next.

Configuring Autopilot settings:

1. In the next window, under Configure Autopilot Settings, select the policies to be applied to devices. These policies will be applied post-enrollment.
2. Click Next.
3. Upon successful setup of Windows Autopilot, you will be prompted to optionally configure Conditional Access.
4. To verify the configuration, navigate to Enroll > Platform-Specific > Windows > Windows Autopilot. From here, you can click the Sync button to import devices from the configured Microsoft Entra ID.

Step 2: Adding Hexnode UEM app to Microsoft Entra ID portal

1. Log in to your Microsoft Entra ID portal.
2. Click on the menu bar on the top left
3. Navigate to Microsoft Entra ID.
4. Navigate to the Mobility (MDM & WIP) tab within the Manage section. Click the + Add application option on the top and select Hexnode UEM app from the available applications.
5. The app will be added to the list.
6. Now click on the Hexnode UEM app from the list.
   Notes:

   • To automatically install the Hexnode agent app on devices enrolled through Autopilot, make sure to enable the “Install Hexnode Service App Silently on Windows Devices” option in the Hexnode App Updates section under Admin > General Settings before enrollment. The installation process will begin automatically after 5 minutes.

     title=”Install Hexnode Service App Silently on Windows devices option in General Settings” alt=”Enable the ‘Install Hexnode Service App Silently on Windows devices’ option to automatically install the Hexnode agent on devices enrolled in Hexnode without the Hexnode agent app” width=”750″ height=”500″>

   • If you haven’t enabled the “Install Hexnode Service App Silently on Windows Devices” option during enrollment, you can still manually trigger the installation of the Hexnode agent app by clicking the refresh button next to the Hexnode Service (Agent) App status in the Enrollment Details section of the Device Summary for that Windows device from the Hexnode UEM console.

     title=”Refresh button to initiate installation of Hexnode agent app” alt=”Refresh button on the Device Summary page to initiate the installation of the Hexnode agent app” width=”750″ height=”500″>

   • Make sure the MDM user scope is set to:
   • ‘All’ or ‘Some’ for the Hexnode UEM app
   • And ‘None’ for the Microsoft Intune app

   Choosing the option ‘All’ allows all users to proceed with automatic enrollment for their Windows devices, whereas the option ‘Some’ lets you choose the groups that can automatically enroll the devices.
   

7. Copy the URLs for both MDM terms of use URL and MDM discovery URL from the Hexnode portal (Enroll > Platform-Specific > Windows > Windows Autopilot) and paste it here.

Step 3: Extracting the hardware IDs of the Windows devices

The next step is to extract the hardware IDs of the devices. You can get the hardware IDs of the devices using either of the following two ways:

• From vendor: You can get the hardware IDs from the vendor or reseller from where you have procured the devices. The vendor will provide you a CSV file that can be uploaded to the Microsoft Entra ID portal.
• Using script: If you want to enroll your devices to Autopilot, then you can use the script provided below. Please follow the steps below to extract the Hardware IDs.
  1. Copy this script file to the PC.
  2. Once copied, on the target device open the command prompt with administrator privileges and execute the PowerShell file.
     Script to fetch hardware hash IDs

     [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory -Path "C:\HWID" Set-Location -Path "C:\HWID" $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned Install-Script -Name Get-WindowsAutopilotInfo -Force Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Confirm:$false -ForceBootstrap Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv Write-Host "`n Hardware Hash: " (Import-Csv AutopilotHWID.csv).{Hardware Hash}

     1 2 3 4 5 6 7 8 9 10

     [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory -Path "C:\HWID" Set-Location -Path "C:\HWID" $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned Install-Script -Name Get-WindowsAutopilotInfo -Force Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Confirm:$false -ForceBootstrap Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv Write-Host "`n Hardware Hash: " (Import-Csv AutopilotHWID.csv).{Hardware Hash}

  Once the PowerShell file is executed, it generates a CSV file named AutopilotHWID.csv in the C:\HWID directory. This file is then copied to the current directory where the PowerShell script was run.

  This CSV file has 3 columns: Device Serial Number, Windows Product ID and Hardware Hash.

  You can also execute the above script using Hexnode’s Execute Custom Script remote action on a group of Windows devices and fetch the hardware IDs directly to the Hexnode console. Once the action is successful, you can view the fetched hardware IDs by clicking on the Show Output button corresponding to it on the Action History tab of the device.

Step 4: Uploading the Hardware IDs to Microsoft Intune admin center

Once you get the CSV file, the next step is to add it to the Microsoft Intune admin center. Follow the steps below:

1. Login into Microsoft Intune admin center.
2. Click Devices > Windows > Device onboarding > Enrollment.
3. Under the section Windows Autopilot, select Devices.
4. Click Import.
5. Upload the *.csv file obtained in Step 3 and click Import.
6. Once the CSV file is imported, the screen will be updated to show the devices that are imported from the CSV.

Step 5: Assign Users to hardware IDs

Once you have uploaded the hardware IDs, you can assign the users. This will make sure that only the assigned user can complete the enrollment on the Windows device using their credentials.

If you choose to assign a user, you need to make sure that the user is a licensed Intune user.

Follow the steps below to assign a user,

1. Navigate to Devices > By platform > Windows > Enrollment. Under the Windows Autopilot section, click on Devices.
2. Choose the device and click Assign user.

Step 6: Creating Deployment Profile

1. Login into Microsoft Intune admin center.
2. Navigate to Devices > Windows > Device onboarding > Enrollment.
3. Under the section Windows Autopilot, select Deployment profiles.
4. Select Create profile > Windows PC.
5. Provide a name and description for the profile and click Next.
6. Set up the Out-of-Box Experience (OOBE) on the next page.
7. In the following step, assign the profile to devices by selecting either Add groups or Add all devices.
8. Finally, review the configured settings, then click Create.

The newly created profile will be added to the list of Windows Autopilot deployment profiles.

Checking the Autopilot devices in the Hexnode portal

After creating the configuration profile, the details of the devices that are synced from your Microsoft Entra ID portal will be listed in the Hexnode UEM console under Enroll > Platform-Specific > Windows > Windows Autopilot. From this list, you can manage and associate the policies with devices. To modify/delete the Autopilot configuration, click on the Actions menu in the upper right corner.