Microsoft Autopilot
What is Microsoft Autopilot?
Microsoft Autopilot is an automated device provisioning service provided by Microsoft for Windows devices.
Autopilot allows manufacturers and suppliers to place devices into CEDP's Intune environment before devices are delivered to schools.
This allows devices to auto-enroll once turned on and connected to the network.
How does it work?
Pre-delivery
When placing orders through our Preferred Suppliers, devices will be automatically added into CEDP's Microsoft Intune Environment.
At the time of ordering, schools will need to specify what the devices will be used for. This allows the devices to be automatically placed into their correct groups and receive the correct provisioning profile.
Schools will have two default 'Order IDs' that they need to quote at the time of ordering.
AGEID-STA - For Staff Devices
AGEID-STU - For Student Devices
If schools would like more specific Order IDs (to put devices into specific groups) this can be arranged through a ServiceNow Ticket.
Post-delivery
Once schools have received the devices, the devices will need to be connected to the network (through Wi-Fi or Ethernet), and each device will then go through its automated provisioning. The exact setup will depend on the device's Order ID.
AGEID-STA - These devices will be set up using the 'User-Driven' process. After connecting to the network, the device will ask you to sign in with an Azure AD account. The staff member who will be using this device should be the one to sign in. This will also make them an admin on the device.
AGEID-STU - These devices will be set up using the 'Self-Deploying Mode' process. This is used for shared devices with no user attached. After connecting to the network, the device will automatically provision itself.
There may be situations in which a staff device may be used as a shared device, or a student device may be used as a 1-1 device. In these cases a custom Order ID and group will need to be used.
How are the devices provisioned?
Autopilot enrols the devices into Intune and performs an Azure AD Join. Azure AD Join allows anyone with a Microsoft Azure AD account to sign in to the device. (All CEDP users are provisioned an Azure AD account.)
Azure AD Join sign-in is cloud-based, so anyone can sign in provided they have an internet connection.
What settings will be applied to the device?
Depending on the Order ID used, STA or STU, different settings will be applied to the devices. The settings listed here are the base settings applied to all Autopilot devices. Further settings and restrictions can be applied if requested.
Staff
The default settings for staff devices will be a 1-1 setup, where only one staff member will be using the device.
Settings
Block un-enrollment of the device
BitLocker enabled (BitLocker recovery key available in Intune)
Disable Windows Hello for Business (this is disabled due to the WHFB requirement of having multi-factor authentication enabled)
Students
The default settings for student devices will be a shared device setup.
Updates to install between 12am and 5am
User accounts will be deleted after 2 weeks if a user has not signed in (to save disk space)
Block un-enrollment of devices
Block access to the following settings: Power, Accounts,
Do not display last logged in user
Disable Windows Hello for Business (this is disabled due to the WHFB requirement of having multi-factor authentication enabled)