With Microsoft finally releasing the ISO for Windows 11 Insider Preview Build 22000.160 to be able to do a clean installation or in-place upgrade, I thought now might be a good time to take the new MS flagship OS out for a spin.
This blog post purely notes my experience of trying out modern provisioning on the modern OS that is Windows 11, which should help to answer the questions below.
- Are there any significant changes to the end-user experience?
- Does it require any additional configuration from the Intune Admin perspective?
- Any new feature additions?
Let’s find out.
Intune Autopilot Profile Configuration for Windows 11
If you are already using Windows Autopilot for device provisioning (Windows 10) in your environment, then you would already have an Autopilot profile configured and assigned. There should not be a need to change anything in the current setup to support Windows 11.
Below is the standard Autopilot profile (User-driven AAD join) that I have had configured in my tenant.
Intune ESP Profile Configuration for Windows 11
If you are already provisioning your Windows 10 devices with Windows Autopilot and Intune, then you might already have an ESP profile in place. This profile also needs no change as such.
Below is the standard ESP that I have had configured in my tenant.
Registering Windows 11 device to Windows Autopilot service
Other than the fresh new OOBE graphics that Windows 11 comes equipped with, there are no changes as such to the process of registering the device to Autopilot service from the OOBE.
Press Shift + F10 (Shift+Fn+F10) to bring up the CMD console during the OOBE setup. In the CMD window that appears, type the commands below in sequence:
- powershell.exe -> to start a PowerShell session.
- Set-ExecutionPolicy -ExecutionPolicy Bypass -> to bypass the current execution policy.
- Install-Script -Name Get-WindowsAutopilotInfo -> the script that will help extract hash for autopilot registration.
You will be prompted for consent a few times now. Type Y and press Enter to confirm. The script will get installed.
Now if you want to extract hash as a CSV and then upload it via Intune to register the device to Windows Autopilot, you can do the usual here.
- mkdir C:\AutopilotHash -> to create a folder where the hardware hash file will be saved.
- Set-Location C:\AutopilotHash -> set current working directory to the created directory as above.
- Get-WindowsAutopilotInfo -OutputFile <name_of_hash_file>.csv
Once the hash file is created, you can plug in a USB drive and from the same PS session, open the File Explorer (explorer.exe) to copy/move the created hash file to the USB drive.
You can then take it to another system from where you can sign in to the MEM console and upload the hash to register the device with the Windows Autopilot service.
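A pre-upload check for the CSV produced above, meant to run on the admin workstation after the USB copy. This is an added example, not part of the original post or of the Get-WindowsAutopilotInfo script. The function name Test-AutopilotHashCsv, the sample file path and the sample serial and hash values are constructed for illustration; the three column names are the ones the script writes to its CSV.

```powershell
# Added example: validate an Autopilot hash CSV before uploading it to Intune.
# Test-AutopilotHashCsv is a hypothetical helper, not part of Get-WindowsAutopilotInfo.
function Test-AutopilotHashCsv {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -LiteralPath $Path)
    if ($rows.Count -eq 0) { throw "No device rows found in $Path" }

    # The header row must contain the three columns the script writes.
    $columns = $rows[0].PSObject.Properties.Name
    $missing = @($required | Where-Object { $_ -notin $columns })
    if ($missing.Count -gt 0) { throw "Missing column(s): $($missing -join ', ')" }

    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) { throw 'Row with an empty serial number' }
        try {
            # The hardware hash is a base64 blob; reject values that do not decode.
            $bytes = [Convert]::FromBase64String($row.'Hardware Hash')
        } catch {
            throw "Hardware hash for $serial is not valid base64"
        }
        # One summary object per device row
        [pscustomobject]@{ Serial = $serial; HashBytes = $bytes.Length }
    }
}

# Constructed sample input (not a real device hash)
$sample   = Join-Path $env:TEMP 'sample-autopilot.csv'
$fakeHash = [Convert]::ToBase64String([byte[]](1..96))
@(
    'Device Serial Number,Windows Product ID,Hardware Hash'
    "CONSTRUCTED-0001,,$fakeHash"
) | Set-Content -LiteralPath $sample -Encoding ASCII

Test-AutopilotHashCsv -Path $sample

# Record this digest on the source device and compare it after the USB copy.
(Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash
```

Running Get-FileHash against the CSV on both machines and comparing the two digests confirms the file was not altered or truncated in transit.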
However, if you don’t want to do the manual work as above and have the required permissions, you can also register the device to the Windows Autopilot service directly from the OOBE screen.
Here I have registered the device to Autopilot services directly from the OOBE thanks to the -Online switch of the Get-WindowsAutopilotInfo script.
For that, once the Get-WindowsAutopilotInfo script is installed, type the following in the PS session:
- Get-WindowsAutopilotInfo -Online
- Sign in with your Azure credentials when prompted [An account with the Intune Administrator role]
If the required app registration is in place for the tenant, with admin consent granted for the Graph API permissions, the process will go through and you can see the progress of the device registration process.
There will be quite a few “Waiting for 1 of 1 to be imported” messages before you finally get the “1 device imported successfully” message.
Once you get to see the device has been synced, you can just type in shutdown /r /f /t 0 to restart the OOBE process for the device to complete the Autopilot check and get the Autopilot profile downloaded.
Provisioning Windows 11 with Windows Autopilot and MEM Intune – End-user Experience
If the device is connected to a network (wired Ethernet) that meets the network prerequisites to pull off Windows Autopilot provisioning, then the device will try to get the Autopilot profile downloaded as soon as Windows starts the OOBE process.
As usual, the device does the Autopilot check as part of the OOBE ZDP Update process.
Provided the device successfully got the Autopilot profile downloaded, if the Autopilot profile configures the OS Language (Region) and Keyboard, then the Windows 11 OOBE setup presents you with the custom branded Azure sign-in dialog as below.
As the user enters credentials to authenticate, in this case, the provisioning is taken over by the Azure AD join mechanism. [Covered here in this Microsoft Technet blog post].
The Windows 11 OOBE setup shows the above screen shortly before you get presented with the ESP screen.
As the device provisioning completes the Device setup phase, ESP gives way to what Microsoft calls the First Sign-in Animation (FSIA) screen.
💡 This is the time when the CloudExperienceHost process which runs the OOBE setup switches from using the defaultuser0 account and initiates the Winlogon process for the original user account.
💡 If the tenant is a managed tenant and the device has not been restarted during the device ESP, the user is not presented with the Winlogon UI, as it uses the cached credentials from the previous Azure AD sign-in. If it is a federated tenant (or in the case of Hybrid Azure AD join), the user is presented with the Winlogon UI for login.
The OOBE setup continues with the Account setup phase of ESP to track user-targeted policies.
As the device completes the Account setup ESP phase, the user gets presented with the Desktop.
Till now, at least in terms of experience, everything is the same except for the new graphics.
The end user can, as usual, go to Settings > Accounts > Access work or school and from there click on Info to view the managed policies and initiate a Sync.
Anything new? Windows Autopilot Diagnostics Page in Preview
Currently with Windows 11, if the Autopilot device provisioning encounters any errors (failed enrollment, failed apps/policies, etc.), there is a new Windows Autopilot diagnostics page to help troubleshoot Windows Autopilot failures.
To enable this, your ESP profile must have the setting “Turn on log collection and diagnostics page for end users” set to Yes.
In case of a failed provisioning, the end-user can click on the view diagnostics link to check the reason for failure.
This opens up a new diagnostic screen within the OOBE setup which gives you the information in three sections as below.
You can expand the sections to view the reason for which the provisioning failed.
As an example, in my case, the deployment failed because the IME agent installation itself failed. [This was actually a deliberate attempt in my lab environment by choking the network to get an error scenario.]
All in all, this is a very nice addition to the ESP, which IMHO, makes the life of IT Admins easier when troubleshooting Windows Autopilot failures.
Wrap Up
That’s all for today.
If you have not tried out Windows 11 yet, I would highly suggest getting the Insider preview build ISO and spinning up a Hyper-V VM or wiping and reloading a physical device to experience the new Windows.