This page will go through the steps of enrolling a device into Endpoint Manager and Autopilot. Follow these instructions when working with a device that’s been “Scorched”.

Info

You must bind the device being enrolled to the on-prem AD domain.

Adding a Device record to Group Membership in Azure Active Directory

To access Azure Active Directory you can choose the Admin Tile within Office 365 or follow this LINK. After clicking the link you will need to select Azure Active Directory.

  1. To get to the main options for Azure AD, click Azure Active Directory in the left panel.

  2. First, let’s make sure that the device is in Azure AD after being bound to the on-prem AD domain.

  3. Under the Manage selections choose “Devices”.

  4. Search for the computer name of the device we want to enroll

  5. Click on “Azure Active Directory” on the left to go back to the original set of options

  6. Select “Groups” from the panel to the right.

  7. Search for the ManualAutoPilot group

  8. Click on the ManualAutoPilot group to open up the options for that group

  9. We want to add the enrolling device to this group, so select “Members”.

  10. After selecting “Members” you should click the “+ Add Members”

  11. Search for the computer name or Azure ID of the device you want to add to the group

  12. Click on the device and then click on the blue “Select” button

  13. You are ready to reset the device.

Reset the Device using Windows 10 Reset Options

  1. Click the Start button and search for Reset this PC.

  2. Under Reset this PC, click Get started.

  3. Follow the instructions on the screen.

    1. You will want to “Remove Everything”.

    2. Choose Local Reinstall when applicable.

Enrollment - First Login To Assigned User

Info

You do not need to assign the user account to any special group anymore

Info

The user assigned to the device should be the first to login to the device

...

After the device resets you will be at an Out Of Box Experience (OOBE). Select the following options:

  1. Yes - United States (Region)

  2. Yes - US (Keyboard Layout)

  3. Skip - Skips the setup for a second keyboard layout

  4. Accept - Accepts the Win 10 license

...

You should see one of the following screens:

...

For the first picture you will select “Set up for an organization”.

...

When you select "Next" it should go to the SSD organizational sign-in page.

...

The Assigned User will put in their SSD Password.

The next screen should look like this:

...

Device Setup will begin. The page with the three stages is called the "Enrollment Status Page".

  1. Device Preparation - Hardware Checks, Network Check, Registering with Endpoint Manager, Joining Azure AD

  2. Device Setup - Computer/Computer Group based security, certificate and application installs/setup

    1. A restart of the device may take place after this step

  3. There's a Privacy Setting screen that may appear next. Select "Accept"

  4. In some cases the system will present a generic Win 10 login screen

    1. The Assigned User will need to sign in with their @co.ssd.k12.mo.us account again

  5. User Setup - User/User Group based security, certificate and application installs/setup

  6. You should see a "Continue anyway" button at the bottom right of the screen. The User may select this to go into Windows 10.

    1. If this is selected there's still setup taking place that may cause the system to restart.

  7. The device will log into Windows 10 after completion if you did not choose the "Continue Anyway" button.

  8. There are some cases where a User may need to "Sign Out" and "Sign Back In"; this is a normal operation linked to Credential Manager adding user authentication information.

Changing the Name of the Device

You will be working within Endpoint Manager. You can access Endpoint Manager through the Admin Tile in Office 365 or through this LINK.

  1. Once you’re in Endpoint Manager you will select “Devices”

  2. Select “Windows” as the platform

  3. Search for the device by its serial number. In most cases (as of July 2021) it’ll show up as Desktop-RANDOMSTUFF

  4. Select the device you’re working on. You should see a screen with the following information

  5. To change the name, select the three dots (“…”) to find the “Rename Device” selection.

  6. A new pane will open and you can type in SSD-SERIALNUMBER

  7. Select “Yes” for restart afterwards if you are with the system; otherwise leave this option as “No”.

  8. If everything worked correctly you should see a Restart and Rename “Complete” Status in the device record


Add Device record to Autopilot via the ManualAutoPilot Group

...

Only add the Device record when the name change has completed and both Azure Active Directory and Endpoint Manager display the correct name. If either name is wrong, sync has not completed between the two and the Autopilot profile will not work correctly.

  1. Checking accuracy in Endpoint Manager - Under Devices → Windows you can search for the serial number of the device and see if the name is SSD-SERIALNUMBER

  2. Checking accuracy in Azure Active Directory - Under Devices you can search for SSD-SERIALNUMBER. Because we are a Hybrid AD setup you should see two records that match.

    1. If you see more than two you will need to stop and figure out where the rogue records came from.

    2. If you only see one record then the device’s name update has not synced with Azure.
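The two accuracy checks above can be scripted instead of clicking through both portals. This is an added example, not part of the original page: it assumes the Microsoft Graph PowerShell SDK is installed and that the account running it can consent to the two read-only scopes listed; the serial number is supplied by the caller.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.DeviceManagement
# Added example (not the page's own code): pre-flight check before adding a device
# record to the ManualAutoPilot group. Fails loudly on the two conditions the page
# calls out (more than two Azure AD records, or only one record).
param(
    [Parameter(Mandatory)][string]$SerialNumber
)

Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceManagementManagedDevices.Read.All'

$expectedName = "SSD-$SerialNumber"

# Endpoint Manager (Intune) view: does a managed device already carry the new name?
$managed = @(Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$expectedName'" -All)
if ($managed.Count -eq 0) {
    throw "Endpoint Manager has no device named '$expectedName'; the rename has not completed or synced yet."
}
Write-Host "Endpoint Manager name: $($managed[0].DeviceName)"

# Azure AD view: a hybrid-joined device is expected to show exactly two records.
$aadDevices = @(Get-MgDevice -Filter "displayName eq '$expectedName'" -All)
Write-Host ("Azure AD records named {0}: {1}" -f $expectedName, $aadDevices.Count)

switch ($aadDevices.Count) {
    2 { }
    { $_ -gt 2 } { throw "More than two Azure AD records for '$expectedName'; stop and find where the rogue records came from." }
    1 { throw "Only one Azure AD record for '$expectedName'; the name update has not synced with Azure yet." }
    default { throw "No Azure AD record named '$expectedName' was found." }
}

# Print the IDs so the operator can tell the two records apart when adding to the group.
$aadDevices | Select-Object DisplayName, DeviceId, TrustType, ApproximateLastSignInDateTime | Format-Table -AutoSize

Write-Host "Both directories show '$expectedName'; safe to add the record to ManualAutoPilot."
```

The DeviceId column printed at the end is the Azure AD Device ID the later “Hardware” step compares against.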

...

You will use Azure Active Directory to put the device record into ManualAutoPilot group.

...

Select “Azure Active Directory” then “Groups” from the panel to the right.

...

Search for the ManualAutoPilot group

...

Click on the ManualAutoPilot group to open up the options for that group

...

You will select “Members” then the “+ Add Members”

...

When searching for a device you will see both devices.

  1. You can open the “Hardware” section of Endpoint Manager and use the Azure AD Device ID to distinguish which record is the new device.

  2. You could also attempt adding both device records to the group, as it's unlikely to duplicate any assignments or cause any negative output (as of the time of this writing we’re testing this).

...

After the device record is added to the ManualAutoPilot group you will have to wait between 10 minutes and 36 hours for the next step to complete. (Yes I’m serious and so is Microsoft)

...

You will want to use Endpoint Manager for verifying that Autopilot profile is assigned and working

...

When you’re in Endpoint Manager you’ll select “Devices”

...

Select “Enroll Devices”

...

Select the “Devices” option under Windows Autopilot Deployment Program

...

Search by serial number to see the device you’re working with

...

This is an example of what you should see:

...

When clicking the checkbox next to the device you can change the settings of the device when it's imaged/Autopilot restored.

  1. You can set the name as SSD-SERIAL

  2. You can set the primary user

The record may have one of the following Autopilot Profile Statuses

...

“Not assigned” - Typical of a device first exchanging data between itself and Autopilot/Azure

...

“Pending” or “Downloaded” or “Installing” - The profile exchange is complete but one or both entities have not confirmed a working profile yet.
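Because the wait described earlier can run from 10 minutes to 36 hours, it helps to poll the Autopilot record for its profile status rather than refresh the portal. This is an added example, not part of the original page: it assumes the Microsoft Graph PowerShell SDK is installed and the account can consent to the read-only scope shown; the status values are the ones the Graph API reports, which the portal displays as “Not assigned”, “Pending”, and so on.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement.Enrollment
# Added example (not the page's own code): poll the Windows Autopilot device identity
# for a serial number until the deployment profile reports as assigned and in sync.
param(
    [Parameter(Mandatory)][string]$SerialNumber,
    [int]$IntervalMinutes = 10,
    [int]$MaxHours = 36
)

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

# Graph enum values for deploymentProfileAssignmentStatus; "assignedUnkownSyncState"
# is spelled that way in the API itself.
$done    = 'assignedInSync'
$waiting = @('unknown', 'notAssigned', 'pending', 'assignedOutOfSync', 'assignedUnkownSyncState')

$deadline = (Get-Date).AddHours($MaxHours)
do {
    $record = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity `
        -Filter "contains(serialNumber,'$SerialNumber')" -All | Select-Object -First 1

    if (-not $record) {
        Write-Host "$(Get-Date -Format u): no Autopilot record for $SerialNumber yet"
    } else {
        $status = $record.DeploymentProfileAssignmentStatus
        Write-Host ("{0}: {1} -> {2} (AAD device {3}, name {4})" -f (Get-Date -Format u),
            $SerialNumber, $status, $record.AzureActiveDirectoryDeviceId, $record.DisplayName)

        if ($status -eq $done) {
            Write-Host "Profile assigned at $($record.DeploymentProfileAssignedDateTime); ready to proceed."
            break
        }
        if ($status -eq 'failed') {
            throw "Profile assignment failed for $SerialNumber; check the ManualAutoPilot membership and the profile assignment."
        }
        if ($status -notin $waiting) {
            Write-Warning "Unrecognised status '$status'; keep watching."
        }
    }
    Start-Sleep -Seconds ($IntervalMinutes * 60)
} while ((Get-Date) -lt $deadline)
```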

...

Note

Hybrid AD is no longer supported by Microsoft Endpoint Manager and will no longer be used

Info

Before following these instructions anything related to the device should be deleted including:

  • On Prem AD Device Records

  • Azure AD Device Records

  • Microsoft Endpoint Manager Device Record

  • AutoPilot Device Record

Wipe Device to Vanilla Windows 10

Using a USB drive with a bootable Windows 10 install you should wipe the device. Several tips that may help with this are:

  1. Delete the partitions of the device until there’s one large partition. Windows 10 will partition and allocate necessary space to partitions itself.

  2. You should avoid anything that would put a monolithic image on the device; the device must be at the blue Out of Box Experience screen to move forward.

Import the Device into AutoPilot

The device should be at the first blue screen for the out of box experience (aka the Choose your region screen).

  1. Press the combination of keys Shift-FN-F10

  2. This should open a command prompt window

  3. Type in powershell and press enter

  4. Type the following commands pressing enter between commands

    Code Block
    # Make scripts installed by Install-Script resolvable in this session
    $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
    # Allow the downloaded script to run in this process only
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
    # Download the Get-WindowsAutoPilotInfo script from the PowerShell Gallery
    Install-Script -Name Get-WindowsAutoPilotInfo
    # Collect the hardware hash and upload it directly to Autopilot (prompts for Azure sign-in)
    Get-WindowsAutoPilotInfo -online

  5. Answer “Yes” to all the questions that are asked during the PowerShell commands

  6. You will need to authenticate to Azure twice. You will use your USERNAME@ssdmo.org account and SSD password to do this.

  7. You will see “Waiting for 1 of 1 to be imported” and eventually “0 of 1” after the import is complete. This process may take a few minutes.

Enable the device in Azure AD

  1. Navigate to Azure Active Directory

  2. Select "Azure Active Directory" on the left panel.

  3. Select “Devices”

  4. Type the Serial Number of the device you just imported.

    1. Note that your device will have a red “No” for Enabled

  5. Click on the device record

  6. Click “Enabled” which will ask you to confirm the choice

  7. Scroll down and confirm the group “AutopilotComputers” is present on the device record.

Note

Allow the computer to remain online for 20-30 minutes. This will give it time to sync across the management system and download the correct profile. Restart the computer; it will then be ready for the user to log into the device.