This is a continuation of my previous post on Windows AutoPilot for existing devices. This time covering a similar scenario, where I’m PXE booting an existing device (known or unknown to ConfigMgr) into a Windows 10 Shared PC with Windows AutoPilot and Microsoft Intune
Now, the scenario might have many similarities compared to last week, but nevertheless there’s a real purpose with the crazyness. This is about getting started with Windows AutoPilot and giving you inspiration on how to do that. In my environment, it’s a whole lot easier to make the switch into AutoPilot for non-user devices (I bet I’m not alone on this one). That be devices which are shared between users in public spaces and kiosk devices in particular.
Also, devices in this category are quite often not brand new and might even be old repurposed user-devices (hence we cannot ask our reseller to add them into AutoPilot prior to delivery and thus we have to do it ourselves) 🙂
Again, this is based on the ‘AutoPilot for existing devices‘ approach using ConfigMgr. If not familiar with this feature, you should start with my previous post here: https://www.imab.dk/autopilot-for-existing-devices-move-from-windows-7-to-modern-co-managed-windows-10-using-configmgr/
In short, this is a task sequence looking similar to the example below, copying the AutoPilot JSON based on the AutoPilot Deployment Profile being covered in the next section.
The AutoPilot task sequence in question is deployed as available to ‘All unknown computers‘ as well as known devices, making it possible to PXE boot from any device in the environment. This is all very basic ConfigMgr, but for your convenience I have included a few pictures of the deployment of the Task Sequence.
And when PXE booting (I’m using Nickolaj’s OSD frontend), the task sequence will be available for installation.
Windows AutoPilot Deployment Profile
This is based on a User Driven and Azure AD joined deployment profile. (Note to self and everyone else: Self deploying profiles requires TPM 2.0 and some of my old hardware is not compliant here)
You will want to enable Convert all targeted devices to AutoPilot on the profile as shown below. This is due to the device being deployed this way, isn’t considered an AutoPilot device until converted or manually added to the AutoPilot service.
The Out-Of-Box Experience is configured as below. The important part here is the device name. I’m tagging all the devices with a prefix of KIOSK- enabling me to easily identify the devices.
And this is done because the Deployment Profile is assigned to the group: Intune_AutoPilot_SharedPCs.
Where the group has a dynamic membership rule picking up all my Shared PC/Kiosk devices. Again, see below rule for inspiration.
ATTENTION: If you like me have a general AutoPilot deployment profile targeting ALL AutoPilot devices, you will want to make exclusions on the assignments to prevent overlapping deployment profiles.
When the device is successfully converted to an AutoPilot device, you will find it listed in the Device enrollment -> Windows enrollment -> Windows Autopilot devices blade.
Take notice of the assigned deployment profile.
The process in details
First step is obviously to PXE boot a select device and run the task sequence. Everything pretty standard.
Next up is to complete the AutoPilot Out-Of-Box Experience by signing in with credentials which is allowed to join devices into Azure AD, enroll devices into Intune and is assigned the proper license.
Now, considering this will be a shared device, I have created a unique account for the purpose (email@example.com). I don’t want to enroll devices into my own context or any other real user’s context. Note that there is a max limit on how many devices a given user can have in both Intune and Azure AD.
For this specific scenario, I have also created an unique Enrollment Status Page which keeps the user at the shown screen until certain apps are installed.
The Enrollment Status Page is specifically assigned to a group consisting of the user which is also doing the actual enrollment (firstname.lastname@example.org)
And for your inspiration, this is how I have configured the Enrollment Status Page. Notice I have configured the page to block the device until 3 specific apps has been installed.
Those 3 apps is also assigned as required to the same user (email@example.com).
And when everything is done configuring and installing, the user is automatically signed in where we can verify our required apps indeed are installed.
One of the required apps is the relevant pictures, packaged as a line-of-business app. I want to make sure the device is somewhat properly branded before being presented as ready.
Moving forward with signing into the device, I have created relevant configurations which gives the user a short instruction on how to sign in with the Shared PC guest account. More on this later.
The guest account visible in the bottom left corner.
And the final and complete Shared PC experience with a full screen start menu. Also more on this later.
Shared PC Configurations
This section is of less interest IMO and will probably vary a lot depending on who’s doing the configuration and the needs. For now, I have following configurations in Intune in place. Note that this will probably change A LOT before I’m completely satisfied. If you have any questions in regards to a specific configuration, please let me know. For now I will just touch them very briefly, though I’m probably going into more details once I’m done. Soon!
Note: All of these configurations are obviously assigned to my group consisting of the relevant AutoPilot Shared PC devices. Same group as earlier. 🙂
Allow Local Reset
Start menu and task bar