Using Autopilot to upgrade existing devices to Windows 10

Custom images are the old-fashioned way to deploy Windows PCs: Windows Autopilot can move you into the modern deployment and management world, and it doesn't only work for new PCs.


Are you among the 50 percent of businesses that still need to upgrade PCs to Windows 10 before Windows 7 comes out of support on 14 January 2020? If so, you don't need to budget time for deskside visits to babysit upgrades, and you don't need to prepare custom images for your devices. Instead, you can use the Windows Autopilot tools to automate Windows 10 deployment remotely.

Microsoft doesn't charge for Autopilot, but you need to have Azure Active Directory Premium (or a service like Microsoft 365 or Enterprise Mobility + Security that includes it) and a mobile device management (MDM) service like Intune to use it, as well as Windows 10 Pro, Enterprise or Education licences (version 1703 or higher).

Other MDM services are supported, but all the Autopilot documentation describes using Intune, because Microsoft suggests it covers the widest range of scenarios. If you use System Center Configuration Manager you can 'co-manage' devices with Intune (by deploying the SCCM agent from Intune); you only need co-management for Autopilot if there are management options SCCM has that Intune doesn't yet offer and you want to keep using them.

Many new PCs come with Autopilot support pre-configured by the OEM -- Microsoft, Dell, HP, Lenovo and Toshiba already support this, and Acer and Panasonic will add support soon. You can then customise the pre-installed version of Windows instead of reimaging it with a custom image. That works because the OEMs upload a 'hardware hash' for each device (derived from the SMBIOS UUID, MAC Address and a unique disk serial number on the PC), so that when users start setting up Windows the PC is recognised as belonging to your organization and Autopilot can control the setup.

If you prefer, the OEMs can send you a CSV with those hashes to upload yourself, and major hardware changes like replacing the motherboard mean you'll have to de-register and then re-register the device for Autopilot. Microsoft is also planning a 'white glove' service where OEMs will be able to pre-load applications onto Autopilot-ready PCs.
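The hash described above can also be collected from a PC you already have, and an OEM-supplied CSV is worth checking before it goes into Intune. The following is an added example (not code from the article, and not Microsoft's own Get-WindowsAutoPilotInfo.ps1 script, although it reads the same CIM class that script uses). It writes the three-column CSV layout the Intune import expects and validates a file before upload; the output path is an assumption.

```powershell
# Added example, not code from the article or from Microsoft. Run from an elevated
# prompt on Windows 10 (1703 or later). The MDM_DevDetail_Ext01 class that carries
# the hardware hash does not exist on Windows 7, which is why the 'existing devices'
# upgrade path uses a JSON profile rather than a pre-registered hash.

function Get-AutopilotHashRecord {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $dev  = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
                -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" -ErrorAction SilentlyContinue
    if (-not $dev -or [string]::IsNullOrEmpty($dev.DeviceHardwareData)) {
        throw "No hardware hash exposed on $env:COMPUTERNAME (needs Windows 10 1703+ and elevation)."
    }
    # The product key column is optional; it is only populated when the OEM embedded an OA3 key.
    $key = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey
    [pscustomobject]@{
        'Device Serial Number' = $bios.SerialNumber
        'Windows Product ID'   = $key
        'Hardware Hash'        = $dev.DeviceHardwareData
    }
}

function Export-AutopilotHashCsv {
    param([Parameter(Mandatory)][string]$Path, [switch]$Append)
    $rec = Get-AutopilotHashRecord
    # The import format is plain comma-separated text without quotes. The hash is base64
    # and contains no commas, so stripping the quotes ConvertTo-Csv adds is safe.
    $lines = $rec | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' }
    if ($Append -and (Test-Path $Path)) { $lines = $lines | Select-Object -Skip 1 }   # keep one header
    $lines | Out-File -FilePath $Path -Encoding ascii -Append:$Append
}

function Test-AutopilotHashCsv {
    # Sanity-check an OEM-supplied or self-generated CSV before uploading it to Intune.
    param([Parameter(Mandatory)][string]$Path)
    $expected = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $header = (Get-Content -Path $Path -TotalCount 1) -split ','
    if (($header -join ',') -ne ($expected -join ',')) { throw "Unexpected header: $($header -join ',')" }
    $rows  = @(Import-Csv -Path $Path)
    $bad   = @($rows | Where-Object { [string]::IsNullOrWhiteSpace($_.'Hardware Hash') -or
                                      [string]::IsNullOrWhiteSpace($_.'Device Serial Number') })
    $dupes = @($rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1)
    if ($bad.Count)   { throw "$($bad.Count) row(s) are missing a serial number or hash" }
    if ($dupes.Count) { throw "Duplicate serial number(s): $($dupes.Name -join ', ')" }
    "$($rows.Count) device record(s) look importable."
}

# Usage (path is an assumption): collect this PC, then validate before uploading in the Intune portal.
Export-AutopilotHashCsv -Path "$env:TEMP\autopilot-hashes.csv" -Append
Test-AutopilotHashCsv   -Path "$env:TEMP\autopilot-hashes.csv"
```

The duplicate check matters because a serial number that already exists in your tenant makes the whole import fail, and a device whose motherboard was replaced will have a new hash that no longer matches the registered one, which is the de-register and re-register case mentioned above.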


As of Windows 10 1809, Autopilot can also enrol PCs with on-premises Active Directory, not just your Azure AD tenant. That does require you to be using hybrid Azure AD join, because Autopilot needs to be able to connect through the cloud, and you need at least Windows Server 2016 so you can install the Intune Connector for Active Directory. Once you've done that, you can create the device configuration profile in Intune and fill in the computer name prefix and domain name to use. When you set up the Autopilot deployment profile, choose 'Hybrid Azure AD joined (Preview)' under 'Select directory service devices will join'.

Moving to modern deployment

Autopilot can apply settings and policies, set up BitLocker, install apps (including 32-bit MSI installers) and even change the Windows edition to Enterprise (if you have Windows Subscription Activation). Autopilot can also help you repair devices that run into software problems, reset devices that are being passed on to a different user (it removes the user's apps and settings, but not the domain join or MDM enrolment) or clean up PCs you're disposing of.

Or you can use Autopilot to upgrade existing devices from Windows 7 (or 8) to Windows 10 1809.

This is one of the scenarios where you do need System Center Configuration Manager (or a comparable desktop management system) to run the upgrade, and the PCs need to be joined to Active Directory. After the upgrade they will be joined to Azure AD and you can choose to manage them only with an MDM service like Intune or to co-manage them with both Intune and SCCM.


As you move to Windows 10, you can move away from the tight control of desktops using group policy and switch to the MDM paradigm of managing users and applications and data rather than the devices themselves. MDM services like Intune are a better match for that, so Autopilot can be a handy part of your strategy for changing the way you manage your PCs.

Autopilot doesn't do an in-place upgrade to Windows 10: it formats the drive, wiping the existing Windows installation (a custom image would also completely overwrite the existing setup). Given that you're upgrading PCs that are already centrally managed, data and user settings should already be backed up and applied through that central management. But if you're using OneDrive for Business, you might want to use group policy to redirect Known Folders to OneDrive, which simplifies backup and restore of the folders most likely to hold user data without needing an SCCM task sequence step for it.
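Because the upgrade wipes the disk, it is worth confirming that Known Folder Move has actually taken effect on a PC before it is scheduled. The following is an added example, not from the article: it sets the registry values behind the OneDrive 'Silently move Windows known folders to OneDrive' and 'Prevent users from redirecting their Known Folders to their PC' policies (normally delivered by the OneDrive ADMX group policy, set directly here for a lab PC) and then reports which known folders still resolve outside OneDrive. The tenant GUID and the first business account registry path are assumptions.

```powershell
# Added example, not code from the article or from Microsoft. Run as administrator in
# the signed-in user's session. $TenantId is a placeholder; use your own tenant GUID.

$TenantId  = '00000000-0000-0000-0000-000000000000'   # placeholder tenant GUID
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Set-KfmPolicy {
    param([Parameter(Mandatory)][string]$TenantId)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Silent opt-in: the sync client redirects Desktop, Documents and Pictures without prompting.
    Set-ItemProperty -Path $PolicyKey -Name KFMSilentOptIn -Value $TenantId -Type String
    # Show a notification when the move happens (0 keeps it fully silent).
    Set-ItemProperty -Path $PolicyKey -Name KFMSilentOptInWithNotification -Value 1 -Type DWord
    # Stop users moving the folders back to the local disk before the upgrade wipes it.
    Set-ItemProperty -Path $PolicyKey -Name KFMBlockOptOut -Value 1 -Type DWord
}

function Get-KfmStatus {
    # One object per known folder, with whether it currently resolves inside the OneDrive root.
    # Assumption: the first business account is the one KFM targets (HKCU ...\Accounts\Business1).
    $acct = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\OneDrive\Accounts\Business1' -ErrorAction SilentlyContinue
    $root = $acct.UserFolder     # $null if the OneDrive client is not signed in yet
    foreach ($f in 'Desktop', 'MyDocuments', 'MyPictures') {
        $path = [Environment]::GetFolderPath($f)
        [pscustomobject]@{
            Folder     = $f
            Path       = $path
            InOneDrive = [bool]($root -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase))
        }
    }
}

Set-KfmPolicy -TenantId $TenantId
$status = Get-KfmStatus
$status | Format-Table -AutoSize
if (@($status | Where-Object { -not $_.InOneDrive }).Count -gt 0) {
    Write-Warning "Some known folders are still local on $env:COMPUTERNAME; do not schedule the wipe yet."
}
```

Run the status check through your existing management tooling (a ConfigMgr script or compliance item, say) and use the result to gate which PCs are added to the upgrade collection; the policy values themselves should normally come from group policy rather than a script.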

The official steps for upgrading with Autopilot take quite a while because they involve booting into Windows PE, formatting and partitioning the drive, applying the Windows 10 image, injecting drivers, loading the Autopilot configuration from a JSON file that you generate in advance using a PowerShell script, booting into Windows 10 (say 20 minutes to get to this stage) and installing the ConfigMgr client. Then you use the System Preparation Tool, sysprep, reboot into Windows 10 setup (another 20 minutes), and then wait for Autopilot to join Azure AD, enrol the device with Intune and push the policies and apps to it.

You can speed that up quite a bit by not using sysprep on each PC, which takes at least 20 minutes out of the process. It's also more in the spirit of modern PC management -- you're just using the standard Windows 10 setup options and then applying management settings from Intune. If you want to take this approach, you can download the faster task sequence here.
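The JSON file mentioned in the steps above is exported from the Autopilot deployment profile in Intune. The following is an added example, not the article's task sequence and not Microsoft's documentation: it uses the WindowsAutopilotIntune PowerShell module to export a profile to the fixed file name Windows Setup looks for, and then checks the file before it is packaged. The profile name, output folder, tenant domain and the JSON property name checked are assumptions for illustration.

```powershell
# Added example, not code from the article or from Microsoft. Exports an Autopilot
# deployment profile to the file the 'existing devices' task sequence copies into
# %WINDIR%\Provisioning\Autopilot\ before Windows Setup runs for the first time.

Install-Module -Name WindowsAutopilotIntune -Scope CurrentUser -Force   # pulls in Microsoft.Graph.Intune
Import-Module WindowsAutopilotIntune
Connect-MSGraph | Out-Null   # interactive sign-in; current module versions use Connect-MgGraph instead

function Export-AutopilotProfileJson {
    param(
        [Parameter(Mandatory)][string]$ProfileName,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][string]$ExpectedTenantDomain
    )
    $ap = Get-AutopilotProfile | Where-Object displayName -eq $ProfileName
    if (-not $ap) { throw "No Autopilot profile named '$ProfileName'" }

    # The file name is fixed, and the documented steps save it with ASCII encoding.
    if (-not (Test-Path $Destination)) { New-Item -Path $Destination -ItemType Directory | Out-Null }
    $path = Join-Path $Destination 'AutopilotConfigurationFile.json'
    $ap | ConvertTo-AutopilotConfigurationJSON | Out-File -FilePath $path -Encoding ascii

    # Checks before packaging: no UTF-8 BOM, parseable JSON, and the tenant you expect.
    # CloudAssignedTenantDomain is the property name seen in generated files (assumption).
    $bytes = [System.IO.File]::ReadAllBytes($path)
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        throw "File has a UTF-8 BOM; re-save it as plain ASCII"
    }
    $cfg = Get-Content -Path $path -Raw | ConvertFrom-Json
    if ($cfg.CloudAssignedTenantDomain -ne $ExpectedTenantDomain) {
        throw "Profile targets '$($cfg.CloudAssignedTenantDomain)', expected '$ExpectedTenantDomain'"
    }
    return $path
}

$file = Export-AutopilotProfileJson -ProfileName 'Upgrade - User Driven' `
                                    -Destination 'C:\AutopilotPackage' `
                                    -ExpectedTenantDomain 'contoso.onmicrosoft.com'
# Put $file into a ConfigMgr package and add a task sequence step that copies it to
# %WINDIR%\Provisioning\Autopilot\AutopilotConfigurationFile.json after 'Apply Operating System'.
```

The tenant check is there because this file is what claims the PC for a tenant at first boot; a profile exported from the wrong tenant (a test tenant, for example) would enrol every upgraded machine in it.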

You can use Intune to collect the details of your Windows 7 PCs and send the device information to the Autopilot deployment service in the Microsoft cloud. If you want to show users more progress details during the setup -- including while apps are being installed after the OS upgrade is complete -- create an enrolment status page that will stop them trying to use the PC before setup is complete, and let them reset, continue or collect logs if there's a problem.


An enrolment status page keeps users informed during the upgrade and can include custom support information for your organisation.

Image: Microsoft

With the most recent versions of Autopilot, you can choose to completely automate the setup so users don't have to take any action to make the upgrade happen; with previous versions they had to fill in four separate pieces of information, so you might have needed to send out training materials to prepare them for that. This 'self-deploying mode' is also useful when you don't need an account for a specific user, on a shared device or one that will run as a kiosk with only one or two apps. It does require PCs with TPM 2.0, however: with no user signing in, it is the device itself that is authenticated to the Azure AD tenant, through TPM attestation.

To let your users know what's going on, create a personalised welcome message with your company logo, including hints for their username. You can also choose which of the pages in the standard Out Of Box Experience (OOBE) users will see (if you want to restrict the number of choices they can make), including having Autopilot accept the Windows EULA for them, and you can stop users opting out of the upgrade. Specify whether the account created for the user will be a standard or an administrator account; if you restrict users to standard accounts the local administrator account still exists, but it won't be visible to them.

Other settings are chosen as part of the Autopilot task sequence you create for the Windows 10 upgrade (the boot image for that has to be at least 1803). At this stage you can randomly generate the local admin password and then disable the account, or enable the account with a specified password if you want to use it for support. This is also where you add any applications you want to deploy as part of the upgrade. Downloading and installing those applications can take some time, so again you may want to warn users about the time this will take in the personalised welcome page to cut down on support calls.