Updated Preparing for Autopilot Documentation #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: main
148 changes: 84 additions & 64 deletions autopilot/Preparing-for-Autopilot.md
Expand Up @@ -10,78 +10,98 @@ dateCreated: 2022-10-08T18:36:39.937Z

# Intro

Autopilot requires some sigificant shifts in processes and logistics. It is a complete shift in device management. Getting your Department and existing machines ready can be a sigificant challenge. This guide will hopefully prepare you for the shift.

In order to get the most out of this post you must have a precursory knowledge of
- What is Autopilot
- Why Autopilot is right for your Business
- The Difference between Hybrid AD Join and Azure AD Join
- (optional) Creating App registrations in Azure AD

## New Device Registration
Autopilot is a factory to user solution. In order to make full and proper use of autopilot you must speak with your PC vendor so that new devices are purchased Autopilot registered and ready. This process is usually straightforward. Most manufacturers such as Dell or HP offer this service for free. Most VARs offer this service for under $10 a machine. Most VAR represenatives know what Autopilot is. I've experienced a few completely waffle on how to proceed with the process.
Below is a list of vendors with expected pricing and difficulty with registration. Please be aware this is a community run list. It holds no weight or expectation of accuracy.

------
Dell | Easy |$0
Pc Connections | Easy |$5-8
Data Center Warehouse | Easy |$0-10
GHA-Associates | difficult - Rep didn't understand the process| Unknown
CDW |Easy? | $25
Microsoft CSP Partner Portal - more details https://wiki.winadmins.io/en/autopilot/Preparing-for-Autopilot/New-Device-Registration-MS-CSP-Partner-Portal

----
## Existing device registration
There are many ways to register your existing devices such as

- The Get-WindowsAutopilotInfo script
- Gathering them from CM
- using the AutopilotConfigurationFile.json
- Having your existing vendor upload already purchased devices

Let's break down each of them

### Get-WindowsAutopilotInfo
The Get-WindowsAutopilotInfo script is a tool that can be used to collected the nessisary information for autopilot as a csv or upload it directly to autopilot with the -online flag.
To install the script
```powershell
Install-Script Get-WindowsAutopilotInfo
```
Windows Autopilot allows devices to be enrolled into Intune and have it set up with organizational policies, applications, wireless profiles, and certificates. This allows devices to be taken out of the box, have the end user connect to the internet, sign in with their credentials, and have a device setup in the same state as traditional imaging.

## Windows Autopilot vs Autopilot Device Preparation

There are two different methods for Autopilot. Windows Autopilot or Windows Autopilot Device Preparation. Windows Autopilot leverages a hardware hash, while Autopilot Device Preparation leverages a Entra ID user and a device preparation policy assigned to the user.

A hardware hash is a *snapshot* of the device when generated that contains hardware and Windows information about the device. This is generated by OEMs that participate in the Autopilot service. Most major OEMs take part in this program. This allows OEMs and resellers that are a Microsoft CSP Partner to register devices for organizations prior to devices arriving. Organizations that don't fall under those two pillars can gather the hardware hash through various methods that rely on physical access to the device.

At the time of writing, Autopilot Device Preparation doesn't have feature parity with Windows Autopilot.

## New Device Registration for Autopilot
Getting devices registered is the arguably the first step that is needed to be taken when preparing for Autopilot. For any amount of devices, getting the devices registered from the reseller (OEM or VAR) is going to be the most simple. They can register the devices using a group tag to allow devices to be automatically added into dynamic Entra ID groups.

Below is a table of what pricing organizations can expect from OEMs and Value Added Resellers (VAR). Organizations may have different experiences and pricing depending on the vendor, but Autopilot has been out long enough where resellers should have at least heard the word Autopilot. Also noted in the table is the OEM offers an Windows image out of the box with little to no bloatware. This ensures there is minimum third party software that is normally removed with a vanilla image.

<center>

| Company | Pricing | Process Experience | Autopilot Image |
| :-----: | :-----: | :----------------: | :-------------: |
| Dell | $0.00 | Easy | [Dell Ready Image](https://www.dell.com/support/kbdoc/en-us/000205344/dell-windows-image-support-matrix) |
| HP | $0.00 | Easy | [HP Corporate Ready Image](https://kaas.hpcloud.hp.com/pdf-public/pdf_10173277_en-US-1.pdf)
| Lenovo | N/A | N/A | Yes |
| Data Center Warehouse | $0.00 - $10.00 | Easy | N/A |
| CDW | $25.00 | Easy-Medium | N/A |

</center>



## Existing Device Registration for Autopilot

To collect CSV
```powershell
Get-WindowsAutopilotInfo -OutputFile
For existing devices, there are a few automated ways that organizations can leverage. The hyperlinks link out to respective documentation or resources to configure each method.

1. Leveraging a PowerShell [Script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo/3.9).
2. Gathering the Hardware Hash that Configuration Manager gathers during Hardware Inventory via a [report](https://learn.microsoft.com/en-us/mem/configmgr/comanage/how-to-prepare-Win10#gather-information-from-configuration-manager).
3. Having Intune gather the Hardware Hash using the convert method on an Intune [Deployment Profile](https://learn.microsoft.com/en-us/autopilot/profiles#create-an-autopilot-deployment-profile).
4. Having the organization's reseller register them.
- This method will only work if devices haven't gotten their motherboard replaced.
---
Let's break down Pros and Cons of each recommended method. There are other ways to reinvent the wheel, these are the supported and recommended methods to get devices registered for Autopilot.

### PowerShell Script
The PowerShell script named *Get-WindowsAutopilotInfo* gathers the hardware hash of a device and without any additional parameters, will display the hash in the terminal.

#### Installing Get-WindowsAutopilotInfo

To install the script, a PowerShell session is required. Below is a shortcut if the device is in the out of box experience to open an **administrative** command prompt. If the device has a PowerShell session, skip to the next code block.

```Dos
REM To open a PowerShell session in the Windows Out of Box Experience
Shift+F10 or Shift+Fn+F10
powershell
```
The two lines below are the commands that allow devices to keep the PowerShell Execution Policy the same but override it for only this Terminal Window.

To transmit online
```poweshell
Get-WindowsAutopilotInfo -Online
```PowerShell
# Once in a PowerShell session
Set-ExecutionPolicy Bypass -Scope Process
Install-Script Get-WindowsAutopilotInfo -Force
# Confirm any configuration changes PowerShell is asking.
```
To transmit online without Interactive login
```powershell
Get-WIndowsAutopilotInfo -Online -Appid -AppSecret
#### Collecting the Hardware Hash

The hardware hash can be exported into a CSV or automatically registered via Entra ID credentials. It is important that if the CSV method is chosen, that the headers are kept in tact.

```PowerShell
# Running this command assumes a method to copy the CSV file is already in place.
Get-WindowsAutopilotInfo -OutputFile "C:\HardwareHash.csv"

# Optionally append the group tag field.
Get-WindowsAutopilotInfo -OutputFile "C:\HardwareHash.csv" -GroupTag "IT"
```
If you do use this method please be careful to limit your apps permissions.

A community tool that provides a wrapper around this command is available from the [OSD Deploy](http://osdeploy.com) project at https://autopilotoobe.osdeploy.com/
```PowerShell
# Running this command will require the PowerShell app being approved since it is a being treated as an Enterprise Application in Entra ID. This also requires the user signing into Entra ID to have permissions to register devices for Autopilot in the Intune tenant.
Get-WindowsAutopilotInfo -Online

# Optionally add the group tag value.
Get-WindowsAutopilotInfo -Online -GroupTag "IT"
```

### Gathering from CM
Someone Please fill In
### Community Tools for Autopilot
- The team at OSDeploy have created a wrapper of the *Get-WindowsAutopilotInfo* script that can populate more values that help the registration process. The documentation can be found [here](https://autopilotoobe.osdeploy.com/)

### AutopilotConfigurationFile.json
An offically supported method of autopiloting existing devices is to collect and place a json file in `C:\windows\provisioning\autopilot` With the name `AutopilotConfiguration.json` on a device before a device is powered on and enters the Out of Box Experience. Microsoft has a great guide [here](https://learn.microsoft.com/en-us/mem/autopilot/existing-devices) on grabbing the autopilot configuration file from your tennant.
You'll need to add this to your Image
This can be done with OSD/MDT
- [Microsoft Create a CM package](https//learn.microsoft.com/en-us/mem/autopilot/existing-devices)
- [peter vanderwoude Offline Windows Autopilot Deployment](https//www.petervanderwoude.nl/post/offline-windows-autopilot-deployment-profile/)

A few community members have built One and Done tools. This can be handy if you need to get a branch office / client reimaged to a known good state and running on Autopilot and don't have SCCM at your disposal.
[Ben from Intune.Training Intune USB Creator](https://github.com/tabs-not-spaces/Intune.USB.Creator)
[awlnx WindowsAutopilotPrep](https://github.com/awlnx/WindowsAutopilotPrep)

Although this method is offically supported. It's less preferred. It still can be your best option in many cases but there can be issues with Autopilot profile reassignment down the road and your devices autopilot profile name on the hardware tab will be Autopilot-offlineGUID rather than a nice profile name to target. This will only register the device for future Autopilot use if your profile has Convert all targeted devices on.
## Autopilot Device Preparation

### Vendor Registration
Here is a list of known vendors who,if you purchased your devices through them, can help you import your existing devices.
As stated above, Autopilot Device Preparation keys off the end user signing into the device rather than a device hardware hash. It essentially does a lookup of the end user, see what tenant they belong in and pull down the necessary information for Autopilot to kick off. It then assigns the device into group(s) and thus downloads the polices, applications, and scripts the device is assigned. The steps outlined below are a summarization of the Microsoft [documentation](https://learn.microsoft.com/en-us/autopilot/device-preparation/requirements?tabs=software).

- example.com
1. Create a Corporate Device Identifier in Intune by uploading a CSV containing serial number, manufacturer and model.
2. Create a Entra Security Group that will house the device preparation policy.
- The owner of the group is **required** to be **Intune Autopilot Confidential Client** or **Intune Provisioning Client**. Regardless the app id will be *f1346770-5b25-470b-88bd-d5744ab7952c*.
3. Configure an Autopilot Device Preparation Policy
- Make sure to assign the device group created in step 2.
4. End user that is assigned with the configuration above, signs into the device during OOBE.
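Review bot: the caveat `- This method will only work if devices haven't gotten their motherboard replaced.` is indented under item 4 (reseller registration), but the section above defines the hardware hash as a snapshot of the device's hardware, so a board replacement breaks every hardware-hash method in that list, not only the reseller one; move the bullet below the list as a note on all four. In the Installing Get-WindowsAutopilotInfo block, `Set-ExecutionPolicy Bypass -Scope Process` is acceptable for a one-off OOBE session, but the comment should say that the override is process-scoped and disappears when the window closes, so readers do not copy it into a machine-wide setting; the comment on the `-Online` block about Enterprise Application consent and the signing-in user needing Autopilot registration rights in Intune is the least-privilege guidance the old `-Appid -AppSecret` text only hinted at and should stay. Markup: the OOBE shortcut block fenced as Dos contains a key chord (`Shift+F10 or Shift+Fn+F10`) rather than a command, so make it prose or a REM comment; one fence is tagged `poweshell`; the "To collect CSV" and "To transmit online" blocks are never closed in the diff, which breaks rendering of everything after them; the two `https//` links under AutopilotConfigurationFile.json are missing the colon; and the "Gathering from CM" heading still reads "Someone Please fill In", which should not ship. Spelling: sigificant, nessisary, represenatives, offically, tennant, "in tact" (intact), "Get-WIndowsAutopilotInfo" (casing), and in the Device Preparation paragraph "see what tenant they belong in and pull down" should read "sees ... and pulls down".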