PXE boot your way into Windows AutoPilot and Windows 10 Shared PC

Introduction

This is a continuation of my previous post on Windows AutoPilot for existing devices. This time I’m covering a similar scenario, where I’m PXE booting an existing device (known or unknown to ConfigMgr) into a Windows 10 Shared PC with Windows AutoPilot and Microsoft Intune.

Now, the scenario might have many similarities compared to last week’s, but nevertheless there’s a real purpose with the craziness. This is about getting started with Windows AutoPilot and giving you inspiration on how to do that. In my environment, it’s a whole lot easier to make the switch into AutoPilot for non-user devices (I bet I’m not alone on this one). That is, devices which are shared between users in public spaces, and kiosk devices in particular.

Also, devices in this category are quite often not brand new and might even be old repurposed user devices (hence we cannot ask our reseller to add them into AutoPilot prior to delivery, and thus we have to do it ourselves). 🙂

A peek into the AutoPilot Deployment Profiles in my environment

Configuration Manager

Again, this is based on the ‘AutoPilot for existing devices’ approach using ConfigMgr. If you are not familiar with this feature, you should start with my previous post here: https://www.imab.dk/autopilot-for-existing-devices-move-from-windows-7-to-modern-co-managed-windows-10-using-configmgr/

In short, this is a task sequence looking similar to the example below, which copies the AutoPilot JSON based on the AutoPilot Deployment Profile covered in the next section.
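The copy step itself, as an added PowerShell example that is not from the post or the author’s task sequence: it assumes the profile JSON was exported beforehand with the WindowsAutoPilotIntune module (Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON) into the package folder the step runs from, validates that file, and places it in the applied image where OOBE expects it. The function names are my own; the key names checked are those of the exported file, and every value comes from your own export.

```powershell
# Added example, not the post's own task sequence content.
# Task sequence step: validate the exported Autopilot profile JSON and place it in the
# offline OS so OOBE picks it up. Assumes the JSON was produced beforehand with the
# WindowsAutoPilotIntune module:
#   Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON |
#       Out-File .\AutopilotConfigurationFile.json -Encoding ASCII
# and sits in the package directory this script runs from (WinPE with the PowerShell component).

$ErrorActionPreference = 'Stop'

# Keys present in the exported profile JSON; their values come from your own export.
$RequiredKeys = @(
    'CloudAssignedTenantId',
    'CloudAssignedTenantDomain',
    'ZtdCorrelationId',
    'CloudAssignedOobeConfig'
)

function Test-AutopilotConfigurationFile {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # OOBE only honours an ANSI/ASCII-encoded file; a UTF-8 BOM (EF BB BF) means the
    # profile is not applied and the device drops into a plain OOBE.
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        throw "$Path starts with a UTF-8 BOM; re-export it with -Encoding ASCII"
    }
    if (@($bytes | Where-Object { $_ -gt 0x7F }).Count -gt 0) {
        throw "$Path contains non-ASCII bytes"
    }

    # Must parse as JSON and carry the keys OOBE reads.
    $config  = [System.Text.Encoding]::ASCII.GetString($bytes) | ConvertFrom-Json
    $missing = @($RequiredKeys | Where-Object { -not $config.PSObject.Properties[$_] })
    if ($missing.Count -gt 0) {
        throw "$Path is missing: $($missing -join ', ')"
    }

    # Tenant and correlation IDs must be GUIDs, so a truncated or hand-edited file fails
    # fast instead of enrolling the device into an unexpected tenant.
    $parsed = [guid]::Empty
    foreach ($key in 'CloudAssignedTenantId', 'ZtdCorrelationId') {
        if (-not [guid]::TryParse([string]$config.$key, [ref]$parsed)) {
            throw "$key in $Path is not a GUID"
        }
    }
    return $config
}

function Copy-AutopilotConfigurationFile {
    param([Parameter(Mandatory)][string]$Source)

    $config = Test-AutopilotConfigurationFile -Path $Source

    # OSDTargetSystemDrive is set by the Apply Operating System step (typically "C:").
    $tsenv  = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $drive  = $tsenv.Value('OSDTargetSystemDrive')
    $target = "$drive\Windows\Provisioning\Autopilot"
    $dest   = "$target\AutopilotConfigurationFile.json"   # the file name OOBE looks for

    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Copy-Item -Path $Source -Destination $dest -Force

    # Hash source and destination so smsts.log records exactly which profile landed.
    $srcHash = (Get-FileHash -Algorithm SHA256 -Path $Source).Hash
    $dstHash = (Get-FileHash -Algorithm SHA256 -Path $dest).Hash
    if ($srcHash -ne $dstHash) { throw "Copied file hash mismatch for $dest" }

    Write-Output "Placed Autopilot profile for $($config.CloudAssignedTenantDomain) at $dest (SHA256 $srcHash)"
}

Copy-AutopilotConfigurationFile -Source (Join-Path $PSScriptRoot 'AutopilotConfigurationFile.json')
```

Run it as a “Run PowerShell Script” step after Apply Operating System. The JSON is not a secret, but it decides which tenant and profile the device enrolls into, so the checks above treat it as integrity-sensitive content: a wrong encoding or a damaged file fails the task sequence loudly rather than producing a device that quietly skips AutoPilot.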

The AutoPilot task sequence in question is deployed as available to ‘All unknown computers’ as well as known devices, making it possible to PXE boot from any device in the environment. This is all very basic ConfigMgr, but for your convenience I have included a few pictures of the deployment of the task sequence.

And when PXE booting (I’m using Nickolaj’s OSD frontend), the task sequence will be available for installation.

Windows AutoPilot Deployment Profile

This is based on a User Driven and Azure AD joined deployment profile. (Note to self and everyone else: Self-deploying profiles require TPM 2.0, and some of my old hardware is not compliant here.)

You will want to enable Convert all targeted devices to AutoPilot on the profile as shown below. This is because a device deployed this way isn’t considered an AutoPilot device until it is converted or manually added to the AutoPilot service.

The Out-Of-Box Experience is configured as below. The important part here is the device name. I’m tagging all the devices with a prefix of KIOSK-, enabling me to easily identify the devices.

And this is done because the Deployment Profile is assigned to the group: Intune_AutoPilot_SharedPCs.

The group has a dynamic membership rule picking up all my Shared PC/Kiosk devices. Again, see the rule below for inspiration.

ATTENTION: If you, like me, have a general AutoPilot deployment profile targeting ALL AutoPilot devices, you will want to add exclusions on the assignments to prevent overlapping deployment profiles.

When the device is successfully converted to an AutoPilot device, you will find it listed in the Device enrollment -> Windows enrollment -> Windows Autopilot devices blade.

Take notice of the assigned deployment profile.

The process in detail

The first step is obviously to PXE boot a selected device and run the task sequence. Everything pretty standard.

Next up is to complete the AutoPilot Out-Of-Box Experience by signing in with credentials that are allowed to join devices to Azure AD, enroll devices into Intune, and are assigned the proper license.

Now, considering this will be a shared device, I have created a unique account for the purpose (sharedpc@imab.dk). I don’t want to enroll devices into my own context or any other real user’s context. Note that there is a maximum limit on how many devices a given user can have in both Intune and Azure AD.

For this specific scenario, I have also created a unique Enrollment Status Page which keeps the user at the shown screen until certain apps are installed.

The Enrollment Status Page is specifically assigned to a group consisting of the user which is also doing the actual enrollment (sharedpc@imab.dk).

And for your inspiration, this is how I have configured the Enrollment Status Page. Notice I have configured the page to block the device until 3 specific apps have been installed.

Those 3 apps are also assigned as required to the same user (sharedpc@imab.dk).

And when everything is done configuring and installing, the user is automatically signed in, where we can verify that our required apps are indeed installed.

One of the required apps delivers the relevant pictures, packaged as a line-of-business app. I want to make sure the device is somewhat properly branded before being presented as ready.

Moving forward with signing into the device, I have created relevant configurations which give the user a short instruction on how to sign in with the Shared PC guest account. More on this later.

The guest account visible in the bottom left corner.

And the final and complete Shared PC experience with a full screen start menu. Also more on this later.

Shared PC Configurations

This section is of less interest IMO and will probably vary a lot depending on who’s doing the configuration and their needs. For now, I have the following configurations in place in Intune. Note that this will probably change A LOT before I’m completely satisfied. If you have any questions regarding a specific configuration, please let me know. For now I will just touch on them very briefly, though I’m probably going into more detail once I’m done. Soon!

Note: All of these configurations are obviously assigned to my group consisting of the relevant AutoPilot Shared PC devices. Same group as earlier. 🙂

Shared PC

https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc

Allow Local Reset

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset-local

Start menu and task bar

https://docs.microsoft.com/en-us/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management
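A read-only baseline check for a finished kiosk, added here as an example and not part of the post or the author’s configurations: it reads the SharedPC CSP through the MDM Bridge WMI provider (the same node the Shared PC profile writes to) and the Autopilot Reset policy the “Allow Local Reset” link refers to, and reports any drift from what the profiles are expected to deliver. The expected values (guest-only account model, restricted local storage, reset allowed) and the registry location used for the Policy CSP mirror are assumptions for a typical kiosk, not the author’s settings; the function names are my own.

```powershell
# Added example, not the post's configuration. Read-only baseline check for a Shared PC
# kiosk: confirms the SharedPC CSP settings and the Autopilot Reset policy that the
# Intune profiles are expected to deliver. The expected values are assumptions for a
# guest-only kiosk, not the author's settings.
# The MDM Bridge WMI provider (root\cimv2\mdm\dmmap) is only readable as SYSTEM, e.g.
#   psexec.exe -i -s powershell.exe -ExecutionPolicy Bypass -File .\Test-SharedPcBaseline.ps1

$ErrorActionPreference = 'Stop'

function Get-SharedPcSettings {
    # MDM_SharedPC mirrors ./Vendor/MSFT/SharedPC, the node the "Shared PC" profile writes to.
    Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_SharedPC'
}

function Get-AutopilotResetSetting {
    # Local Autopilot Reset is allowed when
    # CredentialProviders/DisableAutomaticReDeploymentCredentials = 0.
    # Policy CSP values are mirrored under PolicyManager\current\device\<Area>\<Setting>
    # (assumed location for this read-only check).
    $key  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\CredentialProviders'
    $item = Get-ItemProperty -Path $key -Name 'DisableAutomaticReDeploymentCredentials' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # policy never delivered to this device
    return [int]$item.DisableAutomaticReDeploymentCredentials
}

function Test-SharedPcBaseline {
    param(
        # SharedPC AccountModel: 0 = guest only, 1 = domain-joined only, 2 = domain-joined and guest.
        [int]$ExpectedAccountModel = 0,
        # Device name prefix from the deployment profile (KIOSK- in the post).
        [string]$NamePrefix = 'KIOSK-'
    )
    $pc    = Get-SharedPcSettings
    $reset = Get-AutopilotResetSetting

    # Each check maps to a [bool]; anything $false is drift from the intended kiosk state.
    $checks = [ordered]@{
        'Device name carries the kiosk prefix'     = ($env:COMPUTERNAME -like "$NamePrefix*")
        'Shared PC mode enabled'                   = ($pc.EnableSharedPCMode -eq $true)
        'Account model as expected'                = ([int]$pc.AccountModel -eq $ExpectedAccountModel)
        'Account manager cleans up guest profiles' = ($pc.EnableAccountManager -eq $true)
        'Local storage restricted'                 = ($pc.RestrictLocalStorage -eq $true)
        'Sign-in required on resume'               = ($pc.SignInOnResume -eq $true)
        'Autopilot Reset allowed from lock screen'  = ($reset -eq 0)
    }

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Compliant            = ($failed.Count -eq 0)
        Failed               = $failed
        SharedPcSettings     = $pc | Select-Object EnableSharedPCMode, AccountModel, DeletionPolicy,
                                                   RestrictLocalStorage, SignInOnResume, EnableAccountManager
        AutopilotResetPolicy = $reset
    }
}

Test-SharedPcBaseline | Format-List
```

Running it from a SYSTEM shell on a freshly enrolled kiosk gives a quick answer to “did all three profiles actually land?”, and the same object can be written out as a Proactive Remediation detection result or a log line for later comparison. A `$null` in AutopilotResetPolicy means the custom OMA-URI policy was never applied, which is a different failure from it being set to 1.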

Enjoy 🙂

6 thoughts on “PXE boot your way into Windows AutoPilot and Windows 10 Shared PC”

    • Not to my knowledge. What you are looking for here is probably just a local account with autologon enabled – that’s quickly done with a few lines of PowerShell. The guest account in Windows 10 Shared PC is a unique login for each time it’s used (you will see a new local user for each time it’s used)

      Reply
    • Depends on the Office version and your needs. Office 365 ProPlus comes with a shared computer option. Office 2019 is another option licensed with a MAK key 🙂

      Reply
  1. Hi, was wondering if there was an update on this working for a Hybrid profile? Last comment I saw, this did not work.

    Love the tutorials, thanks for your contributions!

    Reply
