New [2024] Step-by-Step Guide: Windows10/11 Autopilot Test Lab in Azure Environment

What is Windows Autopilot

It is a suite of technologies designed to simplify the setup and configuration of new Windows devices, preparing them for immediate productivity. This tool is versatile, capable of deploying both Windows PCs and HoloLens 2 units. 

Prerequisites

The following are requirements for running Windows Autopilot Device Testing Lab in Azure.

• Valid Azure Subscription (Pay-as-you-go, Visual Studio Enterprise, CSP etc)
• M365 Tenant with Valid Intune License to use Windows Autopilot functionality.
• Azure Subscription Owner\Contributor Access
• M365 Tenant Global Administrator Access

Azure Requirements

•        The Host operating(Azure VM) system must be Windows Server 2016 or later
•        Deploy a Dv3 and Ev3 series Windows Server VM in Azure that supports nested virtualization
•     Azure Host VM should have enough CPU & memory to run the guest VMs

Creating Azure VM

 Open https://portal.azure.com/  search for Virtual Machines

On the Virtual machines page (Home > Virtual Machine), click Create button to create a virtual machine.

The VM creation page contains multiple tabs, and each tab contains a couple of sections. 

• First, we need to select the desired subscription where we want our Virtual Machine. 
• Next, we need to select a resource group or create new one. 
• Further, we need to provide a name to our virtual machine. 
• Next, we need to add the region where we want our virtual machine to be. 
• Availability options we will select as No Infrastructure redundancy required, Because it’s not a critical server
• Security type we will select as Standard, because we need vTPM support inside our guest VM

• Select windows VM image type, I have selected Windows Server 2022 Datacenter Azure Edition image. 
• Now, we need to select machine size, i have selected the machine size as D8s_V3. 

 

•  We have selected Windows VM, so we need to make sure that we have enabled port 3389 for RDP (Remote Desktop Protocol) to the VM in inbound rules as mentioned in the below image. 

• We need to run multiple guest VMs in Azure VM Host, so it is recommended that we should use Premium SSD disk. Therefore, we are using Premium SSD, rest of the settings in disk tab can be default. 

Click Next. 

• Now, we need to add a network and a subnet where our VM will reside. 
• We can create Virtual Network by clicking on Create new or proceed with the current selection.in our case we are proceeding with the current selection.

• Delete Public IP and NIC when VM is deleted is an optional selection. 

Rest of the settings can be leave as default 

Deployment is in Progress , status will appear in your screen.

• Once the VM is ready, we can access the VM using RDP client as mentioned in the below steps. 

• Copy the public IP address from VM Dashboard 
• Open RDP Client and paste the public IP or you can click connect button from VM dashboard

Now add credentials and click Connect, you will  be redirected to the VM. 

Install Hyper-V Role:

Once we login , we can install Hyper-V role using Server Manager console.

Open Server Manger click on Add roles and features.

Click on Next

Installation Type select Role-based or feature-based installation.

Select the Server and Click Next

Now select the Hyper-V role which we want to install.

Click on Add Feature so all the features required by the Hyper-V role are installed.

click on next and keep all settings as default, and go ahead with the installation of the Hyper-V role 

After installing the Hyper-V role and rebooting the server, it is necessary to install the DHCP role in order to automatically assign IP addresses to our VMs as needed.

Install-WindowsFeature -Name DHCP –IncludeManagementTools

When Azure VM comes back, RDP into it, open PowerShell as an administrator and run commands below to configure the HyperV network.

$switchName = "InternalNAT"

New-VMSwitch -Name $switchName -SwitchType Internal

New-NetNat –Name $switchName –InternalIPInterfaceAddressPrefix “192.168.0.0/24”

$ifIndex = (Get-NetAdapter | ? {$_.name -like "*$switchName)"}).ifIndex

New-NetIPAddress -IPAddress 192.168.0.1 -InterfaceIndex $ifIndex -PrefixLength 24

Commands above will create a HyperV internal switch, set nat rule and gateway for that switch. Please make sure all commands ran without errors

 If all the commands above are successful run commands below in the same PowerShell window to configure the DHCP Service.

Add-DhcpServerV4Scope -Name "DHCP-$switchName" -StartRange 192.168.0.50 -EndRange 192.168.0.100 -SubnetMask 255.255.255.0
Set-DhcpServerV4OptionValue -Router 192.168.0.1 -DnsServer 168.63.129.16
Restart-service dhcpserver

Commands above will create DHCP scope for Hyper-V NAT, assign gateway IP, DNS IP for that scope. 

Restart the DHCP service using the below command

Restart-service dhcpserver

 Please make sure all commands ran without errors

 If all the commands above are successful you can now create a VM in the nested virtualization environment.

 Create VM in Azure Host VM

 Now let us create a VM inside Hyper-V, click on New -> Virtual Machine

In the New Virtual Machine Wizard window, on the Before You Begin page, click Next. 

On the Specify Name and Location page, type the new virtual machine’s name in the Name box. In this example, the VM name is Windows 11.

If you need to change the location for the new VM, put a check on the Store the virtual machine in a different location box, then browse or enter the path in the Location box. If the folder path you specify does not exist, the wizard will create it.  

Next, on the Specify Generation page, choose the VM generation version.

Generation 2 – Supports only 64-bit guest operating systems and this generation also has UEFI-based firmware.

On the Assign Memory page, specify how much memory to assign the VM.

Uncheck the Use Dynamic Memory for this virtual machine box. Hyper-V nested VMs does not support dynamic memory. After the memory selection click Next.

On the Configure Networking page, select the network adapter you would like to attach to this VM. 

Next, on the Connect Virtual Hard Disk page, you have the option to: 

• Create a virtual hard disk – This option creates a new virtual hard disk (VHD) and lets you customize the name, location, and size. The new VHD will be empty, and you will have to install an operating system afterwards. 
• Use an existing virtual hard disk – This option lets you choose an existing VHD (if you have one) that you want to be attached to the VM instead of creating a new one. 

• Attach a virtual hard disk later – Choose this option if you want to skip this step and continue creating the VM without a VHD. You can still create a new or attach an existing VHD after you’ve created the VM. 

On the Installation Options page, choose how you want to install the operating system (OS). In our case we are going to select Windows 11 ISO

Finally, on the Completing the New Virtual Machine Wizard page, review the new VM’s settings and click Finish

Now, let us go to the settings of the VM we created and change the vCPU

Here we are adding 3vCPU

Lets power ON the VM and Install Windows 11 OS.

VM, Windows 11 OS installation is progressing. Once the OS installation is completed, we will do the Autopilot Provisioning on this Test VM.

Creating Windows Autopilot Dynamic Device Group

Now Let’s create a Device Group and Assign Windows Autopilot deployment profile to that Group.

• Open https://Intune.microsoft.com
• Select Groups then new group.
• In new Group, configure the following properties: Group type: Select Security.
• Group name and Group description: Enter a name and description for your group.
• Microsoft Entra roles can be assigned to the group: Select No, Microsoft Entra roles aren't assigned to this group.
• Membership type: Choose how devices become members of this group. Select Dynamic Device.

Dynamic device members: Select Add dynamic query > Add expression.
Create rules using Autopilot device attributes. Autopilot devices that meet these rules are automatically added to the group.

When creating expressions:

To create a group that includes all of your Autopilot devices, enter:

(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))

Save your expressions. Select Create.

Create Windows Autopilot deployment profiles.

Open https://Intune.microsoft.com choose Devices > Windows > Windows enrollment > Deployment Profiles > Create Profile > Windows PC

On the Basics page, type a Name and optional Description.

To ensure that all devices in the designated groups are automatically registered to Autopilot, enable the "Convert all targeted devices to Autopilot" setting to Yes.

Devices that are corporate-owned and not already on Autopilot within the assigned groups will register with the Autopilot deployment service. Please note that personally owned devices will not be registered to Autopilot.

Allow 48 hours for the registration process to complete. If a device is unenrolled and reset, Autopilot will re-enroll it.

Please be aware that once a device is registered in this manner, disabling this setting or removing the profile assignment will not remove the device from the Autopilot deployment service. The device will need to be manually removed instead.

Please be aware that selecting the option to Convert all targeted devices to Autopilot does not automatically change existing Microsoft Entra hybrid devices in the assigned group(s) into Microsoft Entra devices. This setting simply enrolls the devices in the assigned group(s) into the Autopilot service.

Select Next.

On the Out-of-box experience (OOBE) page, for Deployment mode, choose one of these two options:

User-driven: Devices with this profile are associated with the user enrolling the device. User credentials are required to enroll the device.

Self-deploying: Devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to enroll the device. When a device has no user associated with it, user-based compliance policies don't apply to it. When self-deploying mode is used, only compliance policies targeting the device are applied.

Please see the below screenshot for our current selection

In the Join to Azure AD as box, choose Azure AD joined.

Configure the following options:

Microsoft Software License Terms: Choose whether or not to show the EULA to users.

Privacy settings: Choose whether or not to show privacy settings to users.

Language (Region): Choose the language to use for the device. This option is available in all Deployment modes.

Automatically configure keyboard: If a Language (Region) is selected, choose Yes to skip the keyboard selection page. This option is available in all Deployment modes.

Note: Language and keyboard settings requires ethernet connectivity. Wi-fi connectivity isn't supported because of the requirement to choose a language, locale, and keyboard to make that Wi-fi connection.

Apply device name template (requires Microsoft Entra join type): Choose Yes to create a template to use when naming a device during enrollment. In our case we are following LAB-PC%RAND:3%

Select Next and select the Autopilot LAB Device Dynamic group which we created earlier.

Once Group is selected Click and Next

Review the Settings and Select Create.

Windows Autopilot Deployment profile has been created and Assigned.

Importing LAB VM Device Hash to Windows Autopilot

In Our Case the Device is already installed with Windows 11 OS,

While OOBE is running, you can start uploading the hardware hash by opening a command prompt. 

Open Command Prompt by pressing Shift F10, In that CMD prompt Type Powershell.exe ,it will open powershell prompt and then type the below commands


[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

PowerShell.exe -ExecutionPolicy Bypass

Install-Script -name Get-WindowsAutopilotInfo -Force

Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned

Get-WindowsAutopilotInfo -Online

You're prompted to sign in. An account with the Intune Administrator role is sufficient or you can use Global Admin account as well.

Once authentication is successful device hash is uploaded to Intune

After you confirm the details of the uploaded device hash, run a sync in the Intune Portal Select Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program) > Sync.

After the device appears in your device list, and an Autopilot profile is assigned, restarting the device causes OOBE to run through the Windows Autopilot provisioning process.

Optionally ,We will assign user account to this device.

Ready to go! We have successfully accessed our Lab VM.

We will enter the user account password and choose sign-in

Now Windows Autopilot is doing its Magic.

We have Enabled Virtual TPM for this device ,so we need to complete the Windows Hello setup.

We will configure PIN option, Biometric is not supported for VMs
All Set ,Now we Successfully Logged in to our Lab VM

Now will make sure Device Name Template is applied as expected.

Conclusion:

To test Windows Autopilot without physical hardware, consider using an Azure VM with Nested Virtualization to create a lab environment and test all the capabilities of Windows Autopilot and Intune.