Friday, September 18, 2020

Windows 10 Out of the Box Enrollment (OOBE) with Workspace One UEM and Azure Autopilot

Today's post illustrates how I set up my Workspace One UEM and Azure sandboxes to provide Out of the Box Enrollment or OOBE to Windows 10 devices.

These are the components that I used for this integration:

  • A publicly registered Windows domain with DNS services where I could add DNS entries
  • A Workspace One Access (vIDM) SaaS tenant
  • A Workspace One UEM CN1506 SaaS tenant
  • An Azure AD Subscription 

Before starting this setup, my Windows domain was already integrated with my Workspace One Access tenant. This is a prerequisite.


Let's start with the basics. In your Workspace One Access tenant, make sure you have a Windows 10 device authentication policy.







In the Workspace One UEM console, make sure your Intelligent Hub is set to be pushed to the devices after enrollment in Settings \ Devices & Users \ Windows \ Windows Desktop \ Intelligent Hub Application.




Select which optional prompts you wish to show the user during enrollment in Settings \ Devices & Users \ General \ Enrollment.



Now that we are done with both the Workspace One UEM and Workspace One Access configurations, you need to set up Autopilot in Azure.


The first step is to add your Workspace One UEM tenant in Mobility (MDM and MAM). The way I set up my configuration was to add the Airwatch by VMware application and set its MDM user scope to None. My intent was to use it as an example. 


I then added a second app pointing to my Workspace One UEM tenant and set its scope to All. More information on which attributes to set in these steps can be found in this Techzone article.





Airwatch by VMware App

My customized MDM App





The next step is to click on the MDM application settings, go into API permissions and add specific permissions to your MDM application.

You are required to provide specific delegated permissions and application permissions.

You need to click on Azure Active Directory Graph in order to be able to set the permissions.

I set the following permissions for my lab:

Delegated Permissions:
  • Directory.AccessAsUser.All
  • Directory.Read.All
  • User.Read
Application Permissions:
  • Device.ReadWrite.All
  • Directory.ReadWrite.All

Once you have selected the necessary permissions, the last step is to grant consent.








These were the steps required in the Azure Portal. Next you need to configure your Microsoft Business Store. You can, for example, customize your store background page, a user-name hint, and sign-in page text. Those attributes will be displayed to the user during the OOBE process.



Within the Autopilot process, you can work with PC vendors so that they add the new devices you purchase to your business store. In this setup, since I had to work with Windows 10 devices I already had, I ran a couple of PowerShell commands on my Windows 10 devices to create a CSV file. Then I imported the CSV files into my business store so that these devices would be part of my OOBE process with Autopilot. You could do the same to test your Autopilot setup. These are the PowerShell commands I used:

  • Install-Script -Name Get-WindowsAutoPilotInfo
  • Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\<directory>\<filename>.csv
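
When several devices each produce their own CSV, the files can be merged and sanity-checked before the import. The PowerShell below is an added example, not part of the original post or of the Get-WindowsAutoPilotInfo script; it assumes the column names that script writes, and the folder and output paths are hypothetical.

```powershell
# Added example: merge per-device Autopilot CSVs and reject bad rows before import.
# Assumptions: files come from Get-WindowsAutoPilotInfo.ps1 -OutputFile and use its
# column names; $InputDir and $MergedFile are hypothetical paths.
param(
    [string]$InputDir   = 'C:\AutopilotHashes',
    [string]$MergedFile = 'C:\AutopilotHashes\merged-import.csv'
)

$required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$seen     = @{}   # serial number -> file it was first seen in
$rows     = New-Object 'System.Collections.Generic.List[object]'

Get-ChildItem -Path $InputDir -Filter *.csv |
    Where-Object { $_.FullName -ne $MergedFile } |
    ForEach-Object {
        $file = $_
        $data = @(Import-Csv -Path $file.FullName)
        if ($data.Count -eq 0) { Write-Warning "$($file.Name): no rows"; return }

        # Every expected column must be present in the header.
        $columns = $data[0].PSObject.Properties.Name
        $missing = $required | Where-Object { $_ -notin $columns }
        if ($missing) { Write-Warning "$($file.Name): missing $($missing -join ', ')"; return }

        foreach ($row in $data) {
            $serial = $row.'Device Serial Number'
            $hash   = $row.'Hardware Hash'
            if ([string]::IsNullOrWhiteSpace($serial) -or [string]::IsNullOrWhiteSpace($hash)) {
                Write-Warning "$($file.Name): row without serial number or hash skipped"; continue
            }
            # The hardware hash is a base64 blob; a truncated or edited value fails to decode.
            try { [void][Convert]::FromBase64String($hash) }
            catch { Write-Warning "$($file.Name): hash for $serial is not valid base64"; continue }
            if ($seen.ContainsKey($serial)) {
                Write-Warning "$($file.Name): $serial already listed in $($seen[$serial])"; continue
            }
            $seen[$serial] = $file.Name
            $rows.Add(($row | Select-Object -Property $required))
        }
    }

# Write unquoted ASCII text (assumption: the import expects the same plain
# layout as the per-device files).
$rows | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Set-Content -Path $MergedFile -Encoding Ascii
Write-Host "$($rows.Count) device(s) written to $MergedFile"
```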

Once you have the CSV files ready, import them to your Microsoft Business Store.




Now you can create your Autopilot profile, deciding which pages you want the user to see during the process (my stance on this is less is more), and assign the devices you imported using the CSV files to this new Autopilot profile.




      

The final step is to bring your device to a fresh state with this command and test your OOBE with Autopilot.

(***CAUTION***: All the data on the device will be lost!)

  • C:\Windows\System32\Sysprep\sysprep.exe /oobe /shutdown

This should be your result. Happy testing!








