Support tip: Upcoming changes for deploying Windows Autopilot for existing devices
Published Jul 02 2024 03:30 PM 12.3K Views

Windows Autopilot makes it easy to deploy and configure new Windows devices. You don't need to install anything manually or follow complicated steps. You simply connect the device to the internet, sign in with your work account, and let Autopilot do the rest.

 

But what if you have existing devices that are running an out of support version of Windows? You might want to upgrade them to Windows 11 and deploy them with Autopilot, so you can manage them from the cloud and apply the same settings and policies as your new devices. Or perhaps you have devices that need to be reimaged. That's where Autopilot for existing devices is helpful. It allows you to use Configuration Manager task sequences to apply an Autopilot profile on the device by creating a JSON file. You don't need to register the device in Autopilot or assign a profile in Intune beforehand.

 

To learn more, review the Microsoft Learn articles Windows Autopilot for existing devices and Step by step tutorial for Windows Autopilot deployment for existing devices in Intune and Configuration Manager.

 

Important upcoming changes 

We're always working on improving Autopilot for existing devices and making it more secure and user-friendly. Starting on September 5, 2024, or soon after, Intune will block Autopilot for existing devices functionality for all customers that have blocked enrollment of personal devices using enrollment restrictions. This aligns with the behavior of other automatic MDM enrollment methods where we cannot verify the device identity.

 

To continue using Autopilot for existing devices with enrollment restrictions blocking personal devices, register all devices for Autopilot or use Windows corporate identifiers.

 

If you’re unable to use Autopilot registration or Windows corporate identifiers and still need to use Autopilot for existing devices, fill out this form to request an exception.

 

In this blog, we'll explain how to enhance security for your environment when using Autopilot for existing devices and help you prepare for these upcoming changes.

Best practices

Autopilot for existing devices is a convenient way to upgrade or migrate your devices to Windows 11 and deploy them with Autopilot, but it also comes with some security considerations. Today, any device that enrolls through Autopilot for existing devices with a valid JSON file is marked as corporate by default and allowed to enroll in Intune, regardless of whether it’s owned by an organization or not. To learn more about which devices are authorized for corporate enrollment, see Overview of enrollment restrictions.

 

We realize security is paramount to customers, and we're constantly trying to balance security and ease of use. While Autopilot for existing devices is intended as a convenience, empowering customers to begin their cloud native journey, we also realize that you may want to limit enrollment for non-corporate devices. Given that, here are some recommendations to enhance security for enrollment and ownership:

  1. Upload device identities in Intune by registering for Autopilot or uploading corporate identifiers:
    • Register eligible devices to Autopilot via hardware hash. You can use the Import-AutopilotDevice.ps1 script to register the devices that you want to enroll in Autopilot, based on their hardware hash. This will ensure that only the devices that you own and manage can enroll in Autopilot.
    • Upload Windows corporate identifiers for each device you plan to deploy via Autopilot for existing devices.
  2. Use multi-factor authentication (MFA) to secure your enrollment. You can require users to use MFA when they sign in with their work account during the OOBE.
  3. Use Conditional access and compliance policies to restrict access to organizational resources from personally owned devices or devices which do not meet your security standards.
  4. Add enrollment restriction assignment filters to block unknown enrollment profile names from enrolling. You can create an assignment filter that only allows devices with specific enrollment profile names to enroll and block the rest. The enrollment profile name is based on the unique ID of the Autopilot profile and is referenced in the JSON file.
  5. Enable enrollment notifications to monitor new device enrollment. You can configure Intune to send you an email notification whenever a new device enrolls in your tenant. This helps you detect any unauthorized or suspicious enrollment activity.

We recommend using multiple methods to strengthen the security of your environment.

 

Windows corporate identifiers

Corporate identifiers enable you to pre-upload a list of known devices which can enroll when you’re restricting enrollment of bring-your-own (BYOD) or personal devices. If you plan to deploy devices using Autopilot for existing devices functionality, upload their corporate identifier information (serial number, model, manufacturer) in Intune to ensure they are allowed to enroll as corporate devices. Devices registered for Autopilot don’t need corporate identifiers uploaded. To learn more, read New Windows corporate device identifier feature: everything you need to know.

 

Image showing how to upload Windows corporate identifiers via CSV.Image showing how to upload Windows corporate identifiers via CSV.

 

Corporate identifiers for Windows 10 will be available starting July 9, 2024 with KB5039299.

 

Enrollment restrictions - filters

When using enrollment restrictions, you can create further restrictions by using assignment filters. You can use the following attributes to apply filters to Windows enrollment restrictions:

  • OS version
  • Operating System SKU
  • Ownership
  • Enrollment profile name
  • Model
  • Manufacturer

 

When using Autopilot for existing devices, create an enrollment restriction that blocks any user that’s using a device with a non-allowed enrollment profile name.

 

To do this, first create an assignment filter using the enrollmentProfileName property with the following rule, where you define all enrollment profiles in your tenant:

 

(device.enrollmentProfileName -notIn [“OffilineAutoPilotProfile-<ZtdCorrelationId1>”, “OffilineAutoPilotProfile-<ZtdCorrelationId2>”, etc.])

 

Next, create an enrollment restriction with MDM set to Block and add the filter at the Assignment step.

 

This will ensure that any device that isn‘t listed in the filter is not allowed to enroll.

 

Image showing how to specify a filter for the 'enrollmentProfileName' property.Image showing how to specify a filter for the 'enrollmentProfileName' property.

 

Note: We’ve recently deployed a fix to ensure that the profile name for devices registered to Autopilot through this flow will correctly match the name of the Autopilot profile assigned, as opposed to the name in the JSON file. This blog covers upcoming changes to Autopilot for existing devices deployments and goes over best practices to secure your environment.

 

We hope this blog has helped you understand how to use Autopilot for existing devices and how to secure your environment when using it. If you have any feedback or questions, please let us know in the comments below or reach out to us on X @IntuneSuppTeam.

18 Comments
Version history
Last update:
‎Jul 02 2024 03:36 PM
Updated by: