
Enrollment guide: Microsoft Intune enrollment | Microsoft Learn

Device enrolment can be done in a variety of ways depending on the device’s operating system and ownership.

There are two main types of device ownership supported by Hwb that can be set during enrolment:

  • Owned - This is suitable for one-to-one devices that are primarily used by a single user.

    For Windows devices, primary users of an ‘owned’ device can use Company Portal to install available applications and perform some device actions, such as reset. They can also recover the BitLocker recovery key for the device from their Microsoft account.

  • Shared - This is suitable for classroom or ICT suite usage where the device is not solely used by the same user.

    For Windows devices, users on a shared device are always standard users by default. They can access the Company Portal app but only to install available applications.

Bulk enrollment for Windows devices | Microsoft Learn

For bulk enrolment of devices, you can use a provisioning package applied via a USB pen drive during the OOBE phase. This can be created using the 'Set Up School PCs' app or 'Windows Configuration Designer' (for more advanced controls). Devices enrolled through a provisioning package are set up as shared devices.

This is a ‘light-touch’ method that still needs physical interaction with the device. As such, if a device needs to be wiped and re-enrolled this must be done in person with a provisioning package again, unless it has since been configured for Autopilot deployment.

It is important that you use the correct Device Provisioning Identifier when setting the device name in provisioning packages. This is to ensure that the enrolled devices are placed in the correct provisioning group for your administrative scope – see Intune Groups.

Provisioning packages are valid for 180 days, after which time you need to create a new one or update the enrolment token within it.

Warning

Due to permission requirement changes by Microsoft, retrieval of the bulk enrolment token in Set Up School PCs (SUSPC) and Windows Configuration Designer (WCD) can only be done by the Hwb team.
If you need a provisioning package, please contact the Hwb Service Desk with the details of the package. Alternatively, you can inject an existing bulk token into a new package using WCD.

Information

Only provisioning packages created with the Set Up School PCs app can be used with Windows 11 SE devices, and the Windows 11 SE operating system choice must be selected during creation.


Windows Autopilot documentation | Microsoft Learn

Windows Autopilot is a cloud service used to enrol and configure Windows devices. It reduces the time an IT technician spends deploying devices: rather than maintaining a golden image, or manually enrolling each device and then applying policies and apps, Autopilot does this automatically, so multiple devices can be deployed quickly and efficiently.

Windows Autopilot can also be used to pre-provision a device, meaning that it can be sent directly from the reseller already enrolled into Intune with device assigned policies and apps applied.  This eliminates the need for an IT technician to touch the device at all, and all the end user must do is unbox it, power it on, and log in.

Autopilot requirements:

  • devices must be running a supported version of Windows 10/11
  • devices must be connected to the Internet, with access to the Microsoft enrolment services.
  • for the Self-Deploying and Pre-Provisioning enrolment types, the device must have TPM 2.0
  • all apps should be in the Win32 format, as having a mix of Win32 and LOB apps can cause failure.
  • devices are registered in the Autopilot service – this can be done by the reseller, or manually by importing the hardware hash of the device into the Autopilot portal.
  • devices are given the correct group tag (DPId) so that they are added to the appropriate provisioning device group.

Warning

The Autopilot portal is not scoped. All devices registered in Autopilot on the Hwb tenant are visible to all admins, not just your own. Please be careful that you are acting on the correct devices when making changes.


There are several types of Autopilot deployment, which control how the device is set up when enrolled into Intune. The enrolment experience can be tailored through use of an Enrolment Status Page.

Devices deployed with the Self-Deploying method are considered shared devices. It is commonly used for scenarios such as IT suites but can be used for any situation. The benefit of this method is that little to no interaction is needed to set up the device, as no user credentials are needed to initiate the process.

A typical enrolment behaviour is:

  • user turns on the device.
  • if the device is connected to the Internet, it will automatically select the language, locale, and keyboard settings based on the enrolment profile settings.
  • otherwise, the user follows the Out-of-box Experience wizard, selecting their language, locale, and keyboard, and connects to their Wi-Fi.
  • the device enrolment begins, applying device assigned policies and apps (progress is shown if an Enrolment Status Page has been assigned in Intune).
  • the login screen is displayed when enrolment has finished.
  • user-based policies are applied once the user signs in.

Devices deployed with the User-Driven method are considered ‘owned’ devices, as it requires a user to enter their credentials to initiate enrolment, and associates the device with the user’s account in Intune. It is best for 1-to-1 device use, such as staff devices, but doesn’t prevent other users from also logging in.

As the primary user of the device, the user can fully use the Company Portal app and recover the BitLocker recovery key for the device from their Microsoft account.

When configuring the enrolment profile for this method you can choose to make the primary user a local administrator or standard user.

A typical enrolment behaviour is:

  • user turns on the device.
  • user follows the Out-of-box Experience wizard, selecting their language, locale, and keyboard.
  • user connects to the Wi-Fi (if not already connected to the Internet)
  • user enters their Hwb credentials when prompted.
  • the device enrolment begins, applying device and user assigned policies and apps (progress is shown if an Enrolment Status Page has been assigned in Intune)
  • user is logged in on completion.

Pre-Provisioning is an extension to the User-Driven method. It still makes use of the user-driven setup, but rather than entering the user’s credentials to begin enrolment, the device enters a pre-provisioning stage where device-assigned policies and apps are applied and the device is resealed. Once built, it can then be sent to a site, where the user completes the enrolment by logging in to pull down any user-assigned policies and apps.

This is generally done by the user’s IT support or a reseller, and greatly cuts down the time the user needs to wait for the device to enrol.

A typical enrolment behaviour is:

  • technician turns on the device and joins it to the Internet.
  • technician enters the provisioning menu (press the Windows key five times at the first OOBE screen) and selects 'Windows Autopilot Provisioning'.
  • technician confirms the details of the Autopilot enrolment and starts the pre-provisioning.
  • the device begins enrolment, applying only the device assigned policies and apps.
  • if successful, the device shows a green screen and the technician reseals it.
  • the device is shipped to the user.
  • user turns on the device, and follows the Out-of-box Experience wizard, selecting their language, locale, and keyboard.
  • user connects to the Wi-Fi (if not already connected to the Internet).
  • user enters their Hwb credentials when prompted.
  • the enrolment process finishes, applying user assigned policies and apps, and logs them in.

During enrolment, any apps or policies targeting the groups the device is a member of will be applied. You will need to ensure that the device is moved to the correct Intune groups before starting the Autopilot enrolment process, otherwise the device may not be configured correctly at first use.  For example, if the device is meant for use by a student, and you have applied restrictions to the Student Devices group, the device will need to be in that group to receive the restrictions during Autopilot ready for the student to use.

Warning

Self-deploying and Pre-Provisioning methods require the device to have TPM 2.0 otherwise it will fail.

    1. Sign into the Intune portal using an Intune Admin account.
    2. Navigate to Devices > Enroll Devices > Windows Enrollment.
    3. Click Deployment Profiles under Windows Autopilot Deployment Program.
    4. Click on Create profile.
    5. Select Windows PC.
    6. Enter an appropriate name for the enrolment profile – we recommend using the local authority number as a prefix and including the enrolment type (e.g. 667 Self Deploying)
    7. Configure the Out-of-box Experience as desired, selecting the deployment mode – User Driven or Self-Deploying.
    8. Remove any scope tags not required.
    9. Assign the enrolment policy to an appropriate group.
    10. Click Create on the Review + create screen.

    We strongly recommend creating only one enrolment profile per deployment type (per local authority) and adding the relevant school groups to its assignments, to reduce the number of policies needed. The only reason to create multiple profiles would be to set a device name template for each school; instead, we recommend using a custom configuration policy applied at each individual school - see Windows - Device naming.

  • For a device to be assigned a deployment profile it must be a member of a device group that is targeted by that profile. The group tag of the device in the Autopilot portal will place the device in the relevant provisioning devices group, so you may need to move the device to an appropriate group first and wait for the profile to be fully assigned before proceeding with enrolment - see Move or add a device to another device group.

    We recommend targeting a deployment profile to:

    • the parent 'School Devices' Intune device group
      This will target all devices with the same profile so only use this if all devices in the school use the same deployment type.
    • the 'Student Devices' and 'Teacher Devices' groups
      Using a different deployment type for each group, such as self-deploying and user driven respectively.
    • a custom group created through the User Management Portal
      This provides more flexibility, so you can have separate groups for self-deploying and user driven with a mixture of teacher and student devices in either.

     

    A device can only have one deployment profile assigned to it at a time.  Ensure that the device is not in multiple groups where different enrolment profiles are assigned, including parent groups, to avoid unexpected results.  You can check which profile is assigned to a device in the Windows Autopilot portal in Intune.

  • An Autopilot device can easily be moved to another site by changing its group tag in the Autopilot portal, which places it in the relevant provisioning devices group. It may also be necessary to change the device name before performing an Autopilot Reset, as the existing name may keep the device in the old site's provisioning devices group.

    Once it has been moved and added to the correct group(s) for the new site, all that is needed is an Autopilot Reset on the device to clean it and re-enrol.

    1. Sign into the Intune portal using an Intune Admin account.
    2. Navigate to Devices > Enrol Devices.
    3. Search for the device by serial number and select it.
    4. Change the group tag to the new site’s Device Provisioning Identifier (DPId).
    5. Sign into the User Management Portal in another browser tab.
    6. Navigate to the Intune Groups page on the relevant dashboard.
    7. Wait for the device to show in the new site’s provisioning devices group – this may take a little while.
    8. Move the device to the correct group(s) to receive the deployment profile, configuration policies and apps.
    9. In Intune, refresh the device in Autopilot to confirm the new deployment profile has been assigned – this may take a little while.
    10. Perform an Autopilot Reset and re-enrol the device.

    There is a PowerShell script available to change the group tag of devices in bulk, which can be requested via the Hwb Service Desk.
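    The Hwb script itself is not reproduced on this page. As an added example of the same operation written against Microsoft Graph (not Hwb's script), the following PowerShell re-tags the devices listed in a CSV and builds in the check that the unscoped Autopilot portal warning above calls for: each serial number must match exactly one Autopilot record and must carry the group tag you expect before it is changed, and -WhatIf previews the changes without making them. It assumes the Microsoft.Graph PowerShell SDK, an account granted DeviceManagementServiceConfig.ReadWrite.All, and a CSV with the columns SerialNumber, OldGroupTag and NewGroupTag (column names chosen for this example). The serial-number filter is the one the Intune portal search uses.

```powershell
# Added example, not the Hwb bulk group-tag script.
# Re-tags Autopilot devices from a CSV with columns SerialNumber,OldGroupTag,NewGroupTag
# (this example's own column names). Requires the Microsoft.Graph PowerShell SDK and
# an account with DeviceManagementServiceConfig.ReadWrite.All. Run with -WhatIf first.
#Requires -Modules Microsoft.Graph.Authentication
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)][string]$CsvPath
)

$base = 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities'

function Get-AutopilotDeviceBySerial {
    param([Parameter(Mandatory)][string]$Serial)
    # $filter=contains() is a substring match (it is what the portal search uses),
    # so keep only exact hits. Serials containing an apostrophe are not handled.
    $uri  = "$base`?`$filter=contains(serialNumber,'$Serial')"
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri
    @($resp.value | Where-Object { $_.serialNumber -eq $Serial })
}

function Set-AutopilotGroupTag {
    param(
        [Parameter(Mandatory)]$Device,
        [Parameter(Mandatory)][string]$GroupTag
    )
    # updateDeviceProperties is the action behind the portal's group tag edit.
    Invoke-MgGraphRequest -Method POST `
        -Uri "$base/$($Device.id)/updateDeviceProperties" `
        -Body (@{ groupTag = $GroupTag } | ConvertTo-Json) `
        -ContentType 'application/json'
}

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' -NoWelcome

foreach ($row in Import-Csv -Path $CsvPath) {
    $serial = $row.SerialNumber.Trim()
    $found  = Get-AutopilotDeviceBySerial -Serial $serial

    # The Autopilot portal is not scoped: every local authority's devices are
    # visible, so refuse anything that is not an unambiguous match.
    if ($found.Count -ne 1) {
        Write-Warning "${serial}: expected exactly 1 Autopilot record, found $($found.Count); skipped"
        continue
    }
    $dev = $found[0]
    if ($dev.groupTag -ne $row.OldGroupTag) {
        Write-Warning "${serial}: current tag '$($dev.groupTag)' is not '$($row.OldGroupTag)'; skipped (not one of yours?)"
        continue
    }
    if ($PSCmdlet.ShouldProcess($serial, "group tag '$($dev.groupTag)' -> '$($row.NewGroupTag)'")) {
        Set-AutopilotGroupTag -Device $dev -GroupTag $row.NewGroupTag
        Write-Host "${serial}: re-tagged to $($row.NewGroupTag)"
    }
}
```

    Run it first as `.\Set-AutopilotGroupTags.ps1 -CsvPath .\moves.csv -WhatIf` to see which devices would change, then without -WhatIf. Re-tagging only moves the device into the new site's provisioning devices group; steps 5 to 10 above (moving it to the right groups in the User Management Portal, confirming the deployment profile, and the Autopilot Reset) are still required.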

  • Autopilot Reset reverts the device to its original state, removing all user profiles and apps. There is no need to wipe and reinstall Windows to get a fresh image, and it can be done without returning the device to base.

    1. Sign into the Intune portal using an Intune Admin account.
    2. Navigate to Devices > Windows.
    3. Search for the device using the serial number or device name.
    4. Click on the device.
    5. Click on Autopilot Reset.

    You can reset multiple devices at once using 'Bulk Device Actions' or selecting the devices from a group in the Intune for Education portal.


Manually register devices with Windows Autopilot | Microsoft Learn

The hardware hash is a special identifier specific to the device, needed to manually add the device to Windows Autopilot, and can be retrieved using several methods.

The easiest way to do this, especially on multiple devices, is via a PowerShell script in a provisioning package on a USB pen drive. When the pen drive is inserted at the OOBE screen, the package runs the script, which collects the serial number, hardware hash, Windows Product ID and group tag and exports them to a single CSV file. These can then be imported into Autopilot in one go.

Please contact the Hwb Service Desk to request a copy of the Hardware Hash Harvesting package.

Information

The exported file is timestamped rather than keyed on the device, so the hash can be collected more than once for the same device, and duplicate entries cause the Autopilot import to fail. If this happens, you will have to delete the CSV file and redo the hash collection, so make sure to run it only once per device.
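As an added example (not the Hwb Hardware Hash Harvesting package, whose contents are not shown on this page), the following PowerShell collects the same details and appends them to one CSV on the pen drive, refusing to add a serial number that is already in the file so that a second run on the same device cannot produce the duplicate rows described above. The output file name, the DPId placeholder and the use of the Autopilot import column names (Device Serial Number, Windows Product ID, Hardware Hash, Group Tag) are this example's own choices; it leaves the Windows Product ID blank, which the import accepts.

```powershell
# Added example, not the Hwb Hardware Hash Harvesting package.
# Collects this device's Autopilot registration details and appends them to ONE
# CSV on the pen drive, skipping the device if its serial number is already in
# the file (so a repeat run cannot create the duplicate rows that break the
# Intune import). Assumes it runs elevated from the drive, e.g. launched by a
# provisioning package at OOBE. Output path and group tag are placeholders.
param(
    [string]$OutputPath = (Join-Path $(if ($PSScriptRoot) { $PSScriptRoot } else { $PWD }) 'AutopilotHashes.csv'),
    [string]$GroupTag   = 'CHANGE-ME-DPID'   # the school's Device Provisioning Identifier
)

function Get-AutopilotRegistrationRow {
    param([Parameter(Mandatory)][string]$GroupTag)

    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

    # The hardware hash is exposed through the MDM bridge WMI provider.
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
        -ClassName 'MDM_DevDetail_Ext' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" -ErrorAction Stop
    if (-not $devDetail.DeviceHardwareData) {
        throw "No hardware hash returned for serial '$serial'"
    }

    # Column names are the ones the Autopilot CSV import expects.
    # Windows Product ID is optional and left blank.
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $devDetail.DeviceHardwareData
        'Group Tag'            = $GroupTag
    }
}

function Add-AutopilotRow {
    param(
        [Parameter(Mandatory)][pscustomobject]$Row,
        [Parameter(Mandatory)][string]$Path
    )
    if (Test-Path -Path $Path) {
        $existing = @(Import-Csv -Path $Path)
        if ($existing.'Device Serial Number' -contains $Row.'Device Serial Number') {
            Write-Warning "Serial $($Row.'Device Serial Number') is already in $Path; not adding a duplicate"
            return $false
        }
    }
    # -Append keeps a single file for the whole batch; a new file gets the header row.
    $Row | Export-Csv -Path $Path -NoTypeInformation -Append -Encoding ASCII
    return $true
}

$row = Get-AutopilotRegistrationRow -GroupTag $GroupTag
if (Add-AutopilotRow -Row $row -Path $OutputPath) {
    Write-Host "Recorded $($row.'Device Serial Number') with group tag $GroupTag in $OutputPath"
}
```

Because the file is keyed on the serial number rather than a timestamp, the same pen drive can be carried from device to device and the resulting CSV imported once, without any duplicate entries.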

Warning

The hardware hash cannot be harvested from Windows 11 SE devices due to PowerShell being blocked. To use Autopilot, you must ask the reseller to add the devices to the service.


Set up the Enrollment Status Page | Microsoft Learn

An Enrollment Status Page (ESP) policy can be used to configure the enrolment behaviour on a device, such as requiring policies or certain applications are installed before enrolment continues. The Enrolment Status Page is shown on a device during enrolment, displaying the steps of the process as governed by the ESP policy.  It is useful for tracking enrolment progress and troubleshooting failures.

It is highly recommended to create your own Enrolment Status Page to meet your needs, otherwise the default one will apply.  This can be targeted to the top-level local authority devices group to apply to all devices.


Troubleshoot the Enrollment Status Page (ESP) - Intune | Microsoft Learn

Depending on the method of deployment chosen, there can be many different types of issues and problems that can arise. If this does happen, there are some useful logs for diagnosing the cause:

  • Event Viewer – Applications and services logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider
  • Event Viewer – Applications and services logs > Microsoft > Windows > ModernDeployment-Diagnostics-Provider
  • C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

Some common failures during Autopilot enrolment include:

    • A mixture of Win32 and LOB apps being deployed
      This causes issues with the TrustedInstaller service as it does not know there is an existing install taking place. Ensure all apps are deployed as Win32 apps, wrapped in an .intunewin package.
    • Install switches are not correct in the installation command
      This can cause issues with the flow of the process, and even halt it, causing a time-out.
      Check the install switches are correct. Installs through Autopilot need to be silent and suppress any prompts or reboots.
    • Large apps causing a time-out
      You can change the value of 'Show an error when installation takes longer than specified number of minutes' (default 60 minutes) in the ESP profile. Consider making the larger apps ‘available’ to install afterwards through Company Portal.
    • TPM does not meet the 2.0 minimum requirement or the TPM has an issue
      This usually only affects devices with Self-Deploying or Pre-provisioning enrolment types.
      Make sure that the TPM/BIOS firmware is up to date.

      There is a useful command to run to get the TPM information:

      • Open a command prompt on the Autopilot failed screen by pressing Shift+F10.
      • Enter Tpmtool getdeviceinformation
      • Check these 3 settings - if any of them differ, diagnose and fix the issue before trying again:
        • Ready for Attestation – True
        • Ready for Storage – True
        • TPM has vulnerable Firmware – False
    • Device already enrolled in a tenant
      This usually only affects devices with Self-Deploying or Pre-provisioning enrolment types.
      Check the device is not already enrolled in any tenant. If this is the case, the device will need to be deleted in the Intune portal before retrying.
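    Collecting that evidence by hand at the Shift+F10 prompt is slow, so here is an added example (not from this page or Hwb) of a PowerShell script that does the first-pass triage in one go: it checks the three tpmtool settings listed above plus the TPM specification version, pulls recent critical and error events from the two diagnostic event log providers, and tails the Intune Management Extension logs. From the command prompt, run `powershell -ExecutionPolicy Bypass -File` against a copy on a pen drive. The tpmtool output labels are matched case-insensitively against the wording used above, and the event channels used are the Admin, Autopilot and ManagementService channels of those providers; both are this example's assumptions about the local tooling rather than anything the page states.

```powershell
# Added example, not from this page or Hwb. Run elevated from the Shift+F10
# command prompt on a failed Autopilot device:
#   powershell -ExecutionPolicy Bypass -File D:\Get-AutopilotTriage.ps1
param([int]$Hours = 6, [int]$TailLines = 60)

function Test-AutopilotTpm {
    # Parse 'tpmtool getdeviceinformation' lines of the form 'Label: Value'
    # (some lines carry a leading '-'); labels are compared case-insensitively.
    $info = @{}
    foreach ($line in (& tpmtool getdeviceinformation 2>&1)) {
        if ("$line" -match '^\s*-?\s*([^:]+?):\s*(.*?)\s*$') { $info[$matches[1].ToLower()] = $matches[2] }
    }
    # Win32_Tpm.SpecVersion starts with the TPM family version, e.g. "2.0, 0, 1.38".
    $spec = (Get-CimInstance -Namespace 'root/cimv2/security/microsofttpm' `
                -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    $expected = [ordered]@{
        'ready for attestation'       = 'True'
        'ready for storage'           = 'True'
        'tpm has vulnerable firmware' = 'False'
    }
    $problems = @()
    if (-not $spec -or -not $spec.StartsWith('2.0')) {
        $problems += "TPM spec version is '$spec'; self-deploying and pre-provisioning need 2.0"
    }
    foreach ($label in $expected.Keys) {
        $actual = $info[$label]
        if ($actual -ne $expected[$label]) {
            $problems += "$label = '$actual' (expected $($expected[$label]))"
        }
    }
    [pscustomobject]@{ SpecVersion = $spec; Ok = ($problems.Count -eq 0); Problems = $problems }
}

function Get-AutopilotErrorEvents {
    param([int]$Hours)
    $logs = @(
        'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin',
        'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot',
        'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService'
    )
    # Level 1 = Critical, 2 = Error
    Get-WinEvent -FilterHashtable @{ LogName = $logs; Level = 1, 2; StartTime = (Get-Date).AddHours(-$Hours) } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

function Get-ImeLogTail {
    param([int]$Lines)
    $logDir = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs'
    Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ File = $_.Name; Tail = (Get-Content -Path $_.FullName -Tail $Lines) }
    }
}

$tpm = Test-AutopilotTpm
"== TPM (spec $($tpm.SpecVersion)): $(if ($tpm.Ok) { 'OK' } else { 'PROBLEMS' }) =="
$tpm.Problems | ForEach-Object { "  - $_" }

"== Critical/error events, last $Hours h =="
Get-AutopilotErrorEvents -Hours $Hours | Format-Table -AutoSize -Wrap | Out-String -Width 200

"== IME log tails ($TailLines lines) =="
Get-ImeLogTail -Lines $TailLines | ForEach-Object { "--- $($_.File) ---"; $_.Tail }
```

    Append `| Tee-Object -FilePath D:\triage.txt` when running it to keep a copy on the pen drive for the ticket. The IME log folder only exists once the Intune Management Extension has been installed, so an empty third section on a device that failed early is expected.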

Warning

If an AppLocker policy is applied as part of the Autopilot process, the ESP tracking will fail, because the policy forces a reboot of the device to apply some of its rules. Apply these policies after the Autopilot process or disable the ESP.


Changing the default language of a device to Welsh can be tricky once the device has been enrolled, without the user doing this themselves through Settings.

As such, it is recommended to add the Welsh Language pack to the device as a provisioning package before it is enrolled. This makes it available as a selectable language in the OOBE phase, setting it as the default system and user language.

Information on how to create the provisioning package is available from the Hwb Service Desk.


The white glove service, available from the reseller at time of purchase, enables the device to be fully setup before being shipped. This means it can be delivered straight to the school and is ready to use immediately.

For Windows devices, this service uses either the self-deploying or pre-provisioning enrolment type to configure the device. It installs all device-based apps and policies, updates and language packs, and performs any asset tagging required.

The local authority will need to work with the reseller to specify the Autopilot requirements, which will involve providing them with the group tag for the destination school.

Once the devices have been registered with Autopilot, the reseller will need to notify an Intune admin in the local authority. The Intune admin will need to move the devices into an appropriate device group so they are assigned a deployment profile before the reseller can continue with the white glove service.

Information

If the devices are being shipped to different sites, you will need to ensure the reseller is aware of the quantity of devices allocated to each group tag.