Plan and implement Windows 10 by using Windows Autopilot – Deploy and upgrade operating systems

Skill 1.2: Plan and implement Windows 10 by using Windows Autopilot

Within a domain-based environment, deploying new devices to users has become increasingly complex. There are many “moving” parts and components, and each one needs to work precisely to ensure devices are compliant, secure, and usable. This is partly due to the granular nature of the tooling used to ensure that devices comply with strict organizational security requirements. Windows Autopilot is a solution that radically changes this approach while allowing IT administrators to deploy secure and compliant devices.

You must understand how to plan and implement Windows 10 within an organization using Windows Autopilot. This skill explores the planning, example scenarios, and installation requirements for the application of Windows Autopilot.

This skill covers how to:

Choose method based on requirements

Windows Autopilot offers a new method of provisioning Windows 10 within an enterprise. Of course, it is not the only deployment choice, and indeed, there will be scenarios in which using Autopilot would be folly.

You must explore each of the available deployment options. These options include technology such as MDT or Configuration Manager that may be currently used within your organization. Other methods, such as using Windows Autopilot or Microsoft Intune, may be worth employing to achieve your Windows 10 deployment goals.

Listed in Table 1-9 are many different methods that you can use to deploy and configure Windows 10. You need to understand when to use each deployment method.

TABLE 1-9 Methods for deploying and configuring Windows 10

| Method | Description |
| --- | --- |
| Windows Autopilot | Transform an existing Windows 10 installation, join the device to Azure AD, and enroll it into a Mobile Device Management solution to complete configuration. Deploy Windows 10 on an existing Windows 7 or 8.1 device. |
| Windows 10 Subscription Activation | Upgrade the Windows edition seamlessly without requiring intervention or rebooting of the device. |
| Azure AD / MDM | Cloud-based identity and management solution offering device, app, and security configuration. |
| Provisioning Packages | Small distributable .appx files that securely transform devices to meet organizational requirements. |
| In-place Upgrade | Upgrade an earlier version of Windows to Windows 10 while retaining all apps, user data, and settings. |
| Bare-metal | Deploy Windows 10 to newly built devices or wipe existing devices and deploy fresh Windows 10 images to them. |
| Refresh (wipe and load) | Re-use existing devices. Retain user state (user data, Windows, and app settings). Wipe devices, deploy Windows 10 images to them, and finally, restore the user state. |
| Replace | Purchase new devices. Back up the user state from the current device. Transform or wipe a pre-installed Windows 10 installation and restore the user state. |


Configure Windows Hello and Windows Hello for Business

Windows Hello is a two-factor biometric authentication mechanism built into Windows 10. The personal biometric data created and used by Windows Hello is unique to the device on which it is set up, and it is not synced with other devices. Windows Hello allows users to unlock their devices by using facial recognition, fingerprint scanning, or a PIN.

Windows Hello for Business is the enterprise implementation of Windows Hello; it allows users to authenticate to Active Directory or Azure AD, and it enables users to access network resources. Administrators can configure Windows Hello for Business using Group Policy or by using mobile device management policy; it uses asymmetric (public/private key) or certificate-based authentication.

Windows Hello provides the following benefits:

  • Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites, which reduces security. Windows Hello allows them to authenticate using their biometric data.
  • Passwords are vulnerable to replay attacks, and server breaches can expose password-based credentials.
  • Passwords offer less security because users can inadvertently expose them through phishing attacks.
  • Windows Hello helps protect against credential theft. Because a malicious person must have both the device and the biometric information or PIN, it becomes more difficult to hack the authentication process.
  • Windows Hello can be used in cloud-only and hybrid-cloud deployment scenarios.
  • Windows Hello logs you into your devices three times faster than by using a password.

To implement Windows Hello, your devices must be equipped with the appropriate hardware. For example, facial recognition requires that you use special cameras that see in infrared (IR) light. These can be external cameras or cameras incorporated into the device. The cameras can reliably tell the difference between a photograph or scan, and a living person. For fingerprint recognition, your devices must be equipped with fingerprint readers, which can be external or integrated into laptops or USB keyboards.

If you have previously experienced poor reliability from legacy fingerprint readers, you should review the current generation of sensors, which offer significantly better reliability and are less error prone.

After you have installed the necessary hardware devices, use these directions to set up Windows Hello:

  1. Open the Settings app and select Accounts.
  2. On the Sign-in options page, under Manage how you sign in to your device, review the options for face or fingerprint. (If you do not have Windows Hello-supported hardware, the Windows Hello section does not appear on the Sign-in Options page.)

To configure Windows Hello, follow these steps:

  1. Under the Windows Hello section, select Windows Hello Face, and then select Set up.
  2. On the Welcome to Windows Hello page, select Get started.
  3. When prompted, enter your PIN or password to confirm your identity.
  4. Allow Windows Hello to capture your facial features, as shown in Figure 1-19.

Figure 1-19 Configuring Windows Hello

  5. Once complete, you are presented with an All Set! message that you can close.

Users can use Windows Hello for a convenient and secure sign-in method, which is tied to the device on which it is set up.

For enterprises who want to enable Windows Hello, they can configure and manage Windows Hello for Business. Windows Hello for Business uses key-based or certificate-based authentication for users by using Group Policy or by using a modern management approach, such as Microsoft Intune.

To manage Windows Hello for Business with Group Policy, you should review the two Windows Hello for Business GPO settings, which can be found in this node: User Configuration > Administrative Templates > Windows Components > Windows Hello for Business.

One setting is used to enable Windows Hello for Business, and the other setting is used to configure the use of certificates for on-premises authentication.

You also have additional Windows Hello for Business GPO settings available to manage your Windows Hello for Business deployment. These policies can be found in this node: Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business.

There are ten settings that allow you to configure hardware security devices, such as TPM. These settings also allow you to configure smart cards, biometrics settings, and more.

Need More Review? Windows Hello Biometrics in the Enterprise

To review further details about using Windows Hello in the enterprise, refer to the Microsoft website at https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.


Manage Windows Hello for Business with Intune

Windows Hello for Business can be deployed using a device configuration profile, which allows you to configure various settings on Windows 10.

With Intune device configuration profiles, you can permit or block the use of Windows Hello for Business, and you can configure the following settings:

  • Minimum PIN Length
  • Maximum PIN Length
  • Lowercase Letters In PIN
  • Uppercase Letters In PIN
  • Special Characters In PIN
  • PIN Expiration (Days)
  • Remember PIN History
  • Enable PIN Recovery
  • Use A Trusted Platform Module
  • Allow Biometric Authentication
  • Use Enhanced Anti-Spoofing When Available
  • Certificate For On-Premises Resources

You can also use Intune device enrollment policies to configure Windows Hello for Business settings during the initial device enrollment into management.

Configure PIN

To avoid signing in using passwords, Microsoft provides an authentication method that uses a PIN in association with Windows Hello. When you initially set up Windows Hello, you’re first asked to create a PIN. This PIN enables you to sign in using the PIN as an alternative—such as when you can’t use your preferred existing biometric method because of an injury, because the sensor is unavailable, or because the sensor is not working properly. The PIN provides the same level of protection as Windows Hello.

Windows Hello PIN provides secure authentication without sending a password to an authenticating authority, such as Azure AD or an AD DS domain controller. Windows Hello for Business provides enterprises compliance with the latest FIDO 2.0 (Fast Identity Online) framework for end-to-end multifactor authentication.

If the user does not use Windows Hello for Business, then the user cannot use an associated PIN. Within a domain environment, a user cannot use a PIN on its own. (This method of sign-in is known as a Convenience PIN.) You will see from the user interface displayed in Figure 1-20 that the PIN settings are within the Windows Hello section of the Sign-In Options. A user must first configure Windows Hello and be already signed in using a local account, a domain account, a Microsoft account, or an Azure AD account. The user is then able to set up PIN authentication, which is associated with the credential for the account.

Figure 1-20 Configuring Windows sign-in options

After a user has completed the registration process, Windows Hello for Business performs the following operations to secure the credentials:

  1. Generates a new public-private key pair on the device known as a protector key.
  2. If installed in the device, the TPM is used to generate and store this protector key.
  3. If the device does not have a TPM, the Windows 10 operating system encrypts the protector key and stores it within the file system.
  4. Windows Hello for Business also generates an administrative key that is used to reset credentials if necessary.

Note Pairing of Credentials and Devices

Windows Hello for Business pairs a specific device and a user credential. Consequently, the PIN the user chooses is associated only with the signed-in account and that specific device. A user is unable to sign in on another device unless he or she initiates the Windows Hello setup on the device.

The user now has a PIN gesture defined on the device and an associated protector key for that PIN gesture. The user can now securely sign in to their device using the PIN; also, the user can add support for a biometric gesture as an alternative for the PIN. The gesture can be facial recognition, iris scanning, or fingerprint recognition, depending on available hardware in the device. When a user adds a biometric gesture, it follows the same basic sequence as mentioned earlier. The user authenticates to the system by using the PIN and then registers the new biometric. Windows generates a unique key pair and only stores this on the device. There is no Windows Hello biometric data stored in the Microsoft Cloud.

You can create and implement policies for using Windows Hello for Business in your organization. For example, you can configure a policy that enables or disables the use of biometrics on devices affected by the policy. If allowed to use Windows Hello for Business, a user can then sign in using the PIN or a biometric gesture.

Need More Review? Windows Hello for Business

To review further details about Windows Hello for Business, refer to the Microsoft website at https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification.

You can use MDM policies or GPOs to configure settings for Windows Hello for Business.

Note Enhancing the Security of a PIN

When we think of a PIN, we generally think of ATM cash machines and four-digit PINs. When securing Windows 10 with Windows Hello for Business, you can significantly increase the level of security by imposing rules on PINs. For example, a PIN can require or block special characters, uppercase characters, lowercase characters, and digits. A PIN such as t496A? could be a complex Windows Hello PIN. The maximum length that can be set is 127 characters.

To configure PIN complexity with Windows 10 (with and without Windows Hello for Business), you can use the eight PIN Complexity Group Policy settings that allow you to control PIN creation and management.

These policy settings can be deployed to computers or to users. If you deploy Group Policy settings to both, then the user policy settings have precedence over computer policy settings, and GPO conflict resolution is based on the last applied policy. The policy settings included are as follows:

  • Require Digits
  • Require Lowercase Letters
  • Maximum PIN Length
  • Minimum PIN Length
  • Expiration
  • History
  • Require Special Characters
  • Require Uppercase Letters

In Windows 10, the PIN complexity Group Policy settings are located at Administrative Templates > System > PIN Complexity, under both the Computer and User Configuration nodes.
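The following PowerShell is an added example, not code from the book: it reads the eight PIN Complexity settings from the registry locations the Group Policy settings write to (computer policy under HKLM, user policy under HKCU, with user values applied last so they take precedence as described above) and then checks a candidate PIN such as t496A? against the effective policy. The registry path, the not-configured defaults, and the value semantics (0 = allowed, 1 = required, 2 = not allowed) are assumptions taken from the PassportForWork policy settings.

```powershell
# Added example (not from the book): read the effective Windows Hello
# PIN Complexity policy from the registry and test a candidate PIN against it.
# Assumptions: the eight GPO settings write to the PINComplexity key below
# (computer policy under HKLM, user policy under HKCU), and the values mean
# 0 = allowed, 1 = required, 2 = not allowed.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity',  # computer
    'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'   # user (wins)
)

function Get-EffectivePinPolicy {
    # Assumed defaults when a setting is not configured: digits required,
    # other character classes not allowed, length 4..127, no expiry/history.
    $policy = [ordered]@{
        Digits            = 1
        LowercaseLetters  = 2
        UppercaseLetters  = 2
        SpecialCharacters = 2
        MinimumPINLength  = 4
        MaximumPINLength  = 127
        Expiration        = 0
        History           = 0
    }
    # Apply computer policy first, then user policy, so the user values
    # override the computer values (user precedence, as the text states).
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($name in @($policy.Keys)) {
            if ($null -ne $item.$name) { $policy[$name] = [int]$item.$name }
        }
    }
    # Windows Hello never accepts a PIN longer than 127 characters.
    if ($policy.MaximumPINLength -gt 127) { $policy.MaximumPINLength = 127 }
    return $policy
}

function Test-PinAgainstPolicy {
    param(
        [Parameter(Mandatory)][string]$Pin,
        [Parameter(Mandatory)]$Policy
    )
    $failures = @()
    $len = $Pin.Length
    if ($len -lt $Policy.MinimumPINLength) { $failures += "shorter than minimum length $($Policy.MinimumPINLength)" }
    if ($len -gt $Policy.MaximumPINLength) { $failures += "longer than maximum length $($Policy.MaximumPINLength)" }

    # One flag per character class, matching the four Require* settings.
    $classes = @{
        Digits            = ($Pin -cmatch '[0-9]')
        LowercaseLetters  = ($Pin -cmatch '[a-z]')
        UppercaseLetters  = ($Pin -cmatch '[A-Z]')
        SpecialCharacters = ($Pin -cmatch '[^0-9a-zA-Z]')
    }
    foreach ($class in $classes.Keys) {
        switch ($Policy[$class]) {
            1 { if (-not $classes[$class]) { $failures += "$class required but missing" } }
            2 { if ($classes[$class])      { $failures += "$class not allowed" } }
        }
    }
    [pscustomobject]@{
        Pin      = ('*' * $len)   # never echo the PIN itself
        Accepted = ($failures.Count -eq 0)
        Failures = $failures
    }
}

$policy = Get-EffectivePinPolicy
$policy
# 't496A?' from the text is accepted only if letters and special characters
# are allowed or required; under the assumed defaults it is rejected.
Test-PinAgainstPolicy -Pin 't496A?' -Policy $policy
Test-PinAgainstPolicy -Pin '1234'   -Policy $policy
```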


Configure Dynamic Lock

Users with smartphones can take advantage of a feature introduced with the Creators Update for Windows 10 Version 1703, which allows users to automatically lock their devices whenever they’re not using them. (At the time of this writing, iPhone devices do not support this feature.)

This feature relies on a Bluetooth link between your PC and paired smartphone.

To configure Windows 10 Dynamic Lock, use the following steps:

  1. Open the Settings app and select Accounts.
  2. Select Sign-in options and scroll to Dynamic lock.
  3. Select the Allow Windows to lock your device automatically when you’re away check box.
  4. Select the Bluetooth & other devices link.
  5. Add your smartphone using Bluetooth and pair it.
  6. Return to the Dynamic lock page, and you should see your connected phone.
  7. Your device will be automatically locked whenever Windows detects that your connected smartphone has moved away from your desk for 30 seconds.

You can configure Dynamic Lock functionality for your devices using the Configure Dynamic Lock Factors GPO setting. You can locate the policy setting at Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business.

Configure VPN client

In Windows 10, you can create a VPN that enables data to be transferred through a virtual private network using a secured connection (known as a tunnel) over a public network, like the internet, as displayed in Figure 1-21.

Figure 1-21 Using a VPN to connect locations securely over the internet

VPN protocols

Windows 10 supports four commonly used VPN protocols. Each protocol offers different characteristics:

  • Point-to-Point Tunneling Protocol (PPTP) The oldest of the supported VPN protocols and generally considered one of the least secure. However, it can be used successfully in low-security scenarios because it is very easy to set up and still offers more protection than using PPP over the internet. PPTP creates the tunnel and then can use several authentication methods, including the Microsoft Challenge Handshake Authentication Protocol versions 1 and 2 (MS-CHAP v1 and MS-CHAP v2), Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). If EAP is used, certificates can be used with PPTP; otherwise, they are not necessary.
  • Layer 2 Tunneling Protocol (L2TP) This protocol uses the IP security extensions (IPsec) for encryption and encapsulation. L2TP encapsulates the messages with IPsec, and then encrypts the contents using the Data Encryption Standard (DES) or Triple DES (3DES) algorithm. The encryption keys are provided by IPsec using Internet Key Exchange (IKE). L2TP/IPsec can use pre-shared keys or certificates for authentication. Using a pre-shared key is useful during testing and evaluation, but should be replaced with a certificate in a production environment.
  • Secure Socket Tunneling Protocol (SSTP) This protocol encapsulates PPP traffic using the Secure Sockets Layer (SSL) protocol, which is widely supported on the internet and passes through TCP port 443, which is the same as SSL. Using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication protocol together with certificates makes SSTP a very versatile and widely used protocol.
  • Internet Key Exchange, Version 2 (IKEv2) IKEv2 is most useful for mobile users and is the default protocol for Windows 10 when trying to connect to remote access servers. This protocol supports IPv6 traffic and the IKEv2 Mobility and Multi-homing (MOBIKE) protocol through the Windows VPN Reconnect feature, which allows automatic reconnection if a VPN connection is lost. Authentication is provided by using EAP, PEAP, EAP-MSCHAPv2, and smart cards. IKEv2 will not support older authentication methods, such as Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP), which offer low protection.


Authenticating remote users

Windows users authenticate using Kerberos when accessing the local network, but for remote authentication, this is not suitable; a separate protocol, which protects against network intrusion, must be used. During the initial negotiation sequence (using PPP), when a client connects to the remote computer, each party must agree on a shared authentication protocol to use. By default, Windows 10 will use the strongest protocol that both parties have in common.

In the Add A VPN Connection Wizard, Windows 10 offers three sign-in options when configuring a VPN:

  • Username and password
  • Smart card
  • One-time password

In addition to these options, you can also configure Windows 10 to use the common authentication protocols:

  • EAP-MS-CHAPv2 This is a protocol that uses Extensible Authentication Protocol (EAP), which offers the default and most flexible authentication option for Windows 10 clients. It offers the strongest password-based mechanism for the client side, with certificates being used on the server side. Authentication can be negotiated based on certificates or smart cards, and EAP-MS-CHAPv2 is likely to be further extended and developed as technology advances. Windows 10 aims to use this method for authentication connections where possible. IKEv2 connections must use EAP-MS-CHAPv2 or a certificate.
  • MS-CHAP v2 Stronger than the CHAP protocol, with significantly improved security when partnered with EAP to enable encryption of the password.
  • CHAP Used for down-level client compatibility and has been surpassed by MS-CHAP v2. This protocol uses a pre-shared key between the client and server to enable encryption to take place.
  • PAP This is the least secure protocol because it uses plaintext passwords. It is not considered secure and should be used only when other authentication methods cannot be negotiated.


Creating a VPN connection in Network and Sharing Center

To create a VPN in Windows 10, from the Network and Sharing Center, under Change your network settings, select Set up a new connection or network and then select Connect to a workplace.

To configure your VPN connection, in the Connect to a Workplace wizard, provide the following information:

  • How do you want to connect? You can connect by using an existing internet connection or by dialing directly to your workplace.
  • Internet address This is the name or IP address of the computer that you connect to at your workplace, as shown in Figure 1-22. Typically, this is an FQDN, such as remote.adatum.com.

Figure 1-22 The Connect to a Workplace wizard

  • Destination name This is the name of this VPN connection.

After you have created the VPN connection, from the Network And Sharing Center, select Change adapter settings, right-click your VPN connection, and select Properties. As shown in Figure 1-23, you can then configure additional options as required by your organization’s network infrastructure.

Figure 1-23 The Security tab of a VPN connection

These settings must match the remote access device that your device connects to, and they include the following options:

  • Type of VPN Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol with IPsec (L2TP/IPsec), Secure Socket Tunneling Protocol (SSTP), or Internet Key Exchange version 2 (IKEv2).
  • Data encryption None, Optional, Required, or Maximum Strength.

In the Authentication section, you choose either Use Extensible Authentication Protocol (EAP) or Allow These Protocols. If you choose to use EAP, you then configure one of the following:

  • Microsoft: EAP-AKA (Encryption Enabled)
  • Microsoft: EAP-SIM (Encryption Enabled)
  • Microsoft: EAP-TTLS (Encryption Enabled)
  • Microsoft: Protected EAP (PEAP) (Encryption Enabled)
  • Microsoft: Secured Password (EAP-MSCHAP v2) (Encryption Enabled)
  • Microsoft: Smart Card Or Other Certificate (Encryption Enabled)

If you choose Allow These Protocols, you then configure the following options:

  • Unencrypted Password (PAP)
  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft CHAP Version 2 (MS-CHAP v2)
  • Automatically Use My Windows Log-on Name And Password (And Domain, If Any)


Using the Settings app to create and configure a VPN

You can also use the Settings app to create and configure VPN connections. Use the following procedure:

  1. Select Start and then select Settings.
  2. In Settings, select Network & Internet.
  3. Select the VPN tab, and then, in the details pane, select Add a VPN connection.
  4. On the Add a VPN connection page, enter the following information:
    • VPN provider: Windows (Built-In).
    • Connection name
    • Server name or address
    • VPN type: Automatic (Default). You can also choose PPTP, L2TP/IPsec With Certificate, L2TP/IPsec With Pre-Shared Key, SSTP, or IKEv2.
    • Type of sign-in info: Username and password, Smart card, One-time password, or Certificate.
    • Username and Password, although these options are only configurable if you selected Username And Password as the Type of sign-in info.

  5. Select Save.

After you have created the VPN, you can manage it from Network Connections in Control Panel. Alternatively, on the VPN page in the Network & Internet node in Settings, you can select the VPN and then choose Advanced Options. From there, you can reconfigure the VPN’s settings.
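The following PowerShell is an added example, not code from the book: it creates the same connection the Security tab and the Settings app walkthrough describe, but scripted, with Type of VPN fixed to IKEv2, Data encryption set to Required, and authentication restricted to EAP so that PAP and CHAP are never negotiated, and it then reads the stored connection back to confirm nothing weak was left enabled. The connection name, server address, and the chosen IPsec proposal are assumptions for the example.

```powershell
# Added example (not from the book): create the IKEv2 VPN connection from the
# walkthrough with PowerShell, pinning the Security-tab choices (type of VPN,
# data encryption, authentication) so PAP/CHAP can never be negotiated.
$ConnectionName = 'Contoso VPN'          # assumed connection name
$ServerAddress  = 'vpn.example.com'      # placeholder; use your VPN server FQDN

# 1. Type of VPN = IKEv2, Data encryption = Required, Authentication = EAP
#    (EAP-MSCHAP v2 or a certificate; PAP and CHAP are simply not listed).
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerAddress `
    -TunnelType Ikev2 `
    -EncryptionLevel Required `
    -AuthenticationMethod Eap `
    -RememberCredential:$false `
    -Force

# 2. Tighten the IKEv2/IPsec proposal beyond the Windows defaults so that
#    DES/3DES and weak DH groups are not offered to the server (assumed
#    proposal; match it to what your VPN server is configured to accept).
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants GCMAES256 `
    -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup PFS2048 `
    -Force

# 3. Read back what was stored and report anything that weakens the profile.
function Test-VpnConnectionHardened {
    param([Parameter(Mandatory)][string]$Name)
    $vpn = Get-VpnConnection -Name $Name
    $problems = @()
    if ($vpn.TunnelType -ne 'Ikev2') { $problems += "tunnel type is $($vpn.TunnelType)" }
    if ($vpn.EncryptionLevel -notin 'Required','Maximum') { $problems += "encryption level is $($vpn.EncryptionLevel)" }
    foreach ($weak in 'Pap','Chap') {
        if ($vpn.AuthenticationMethod -contains $weak) { $problems += "$weak is enabled" }
    }
    [pscustomobject]@{
        Name     = $Name
        Hardened = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Test-VpnConnectionHardened -Name $ConnectionName
```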

VPN profiles

Although manually configuring VPN connections is relatively simple, completing the process on many computers, with the same or similar settings, is very time-consuming. In these circumstances, it makes sense to create a VPN profile and then distribute the profile to your users’ computers.

When you use VPN profiles in Windows 10, you can take advantage of a number of advanced features. These are:

  • Always On This feature enables Windows to automatically connect to a VPN. The Always On feature can be triggered by sign-in when the desktop is unlocked, and on network changes. When the Always On profile is configured, VPN remains always connected unless the user disconnects manually or logs off the device. The profile is optimized for power and performance, and the profiles can be pushed and managed on devices using MDM tools.
  • App-Triggered VPN You can configure the VPN profile to respond to a specific set of apps; if a defined app loads, then the VPN initiates.
  • Traffic Filters To protect the server from a remote attack, an administrator can configure policies on a Windows 10 device to inspect and, if necessary, filter VPN traffic before it is enabled to travel over the VPN. There are two types of Traffic Filter rules available:
    • App-based rules An app-based rule will only enable VPN traffic originating from applications that have been marked as being allowed to traverse the VPN interface.
    • Traffic-based rules Enterprise-level traffic-based rules enable fine-tuning of what type of traffic is allowed. By using the industry-standard rules covered by 5-tuple policies (protocol, source/destination IP address, source/destination port), administrators can be very specific about the type of network traffic that is allowed to travel over the VPN interface.

An administrator can combine both app-based rules and traffic-based rules.

  • LockDown VPN The LockDown VPN profile is used to enforce the use of the VPN interface. In this scenario, the device is secured to only allow network traffic over the VPN, which is automatically always on and can never be disconnected. If the VPN is unable to connect, then there will be no network traffic allowed. The LockDown profile overrides all other VPN profiles and must be deleted before other profiles can be added, removed, or connected.

You can create and distribute Windows 10 VPN profiles with these advanced settings by using Microsoft Intune and/or Endpoint Configuration Manager.

Need More Review? VPN Connections in Microsoft Intune

To review further details about VPN connections in Microsoft Intune, refer to the Microsoft website at https://docs.microsoft.com/intune/vpn-settings-configure.

Need More Review? How to Create VPN Profiles in Configuration Manager

To review further details about creating VPN profiles in Configuration Manager, refer to the Microsoft website at https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/create-vpn-profiles


Enable VPN Reconnect

VPN Reconnect uses the IKEv2 protocol with the MOBIKE extension to automatically re-establish a lost VPN connection without user intervention. For mobile users, dropped Wi-Fi or LTE connections are frequent because of fluctuating signal strength. It is best to use and configure VPN Reconnect for your mobile users because this will reduce the frustration of having to reconnect manually, and it will also increase productivity.

The network outage time can be configured from five minutes up to an interruption of eight hours. To enable VPN Reconnect, follow these steps:

  1. On the taskbar, in the search box, enter VPN.
  2. Select VPN settings from the returned list.
  3. In the Settings app, select Change adapter options.
  4. Select the appropriate VPN adapter, and then select Change settings of this connection, as shown in Figure 1-24.

Figure 1-24 Configuring the Network Outage Time for VPN Reconnect

  5. Select the Security tab in the VPN Properties dialog box, and select Advanced Settings.
  6. In the Advanced Properties dialog box, check the Mobility option on the IKEv2 tab.
  7. Modify the Network outage time as necessary.
  8. Select OK twice.


Windows Autopilot deployment scenarios

Windows Autopilot simplifies and automates the customization of the Out-Of-Box Experience (OOBE) and seamlessly enrolls your devices to management. Once enrolled into Microsoft Intune, devices are secured, configured, and further managed.

There are several usage scenarios currently available with Windows Autopilot, and additional functionality will be added in the future. You should understand the scenarios shown in Table 1-10 that show when you would use Windows Autopilot as part of your Windows 10 deployment strategy.

TABLE 1-10 Windows Autopilot scenarios

| Scenario | Description |
| --- | --- |
| Windows Autopilot for existing devices | Deploy Windows 10 on an existing Windows 7 or Windows 8.1 device. Requires Configuration Manager Current Branch (1806 or later) to replace the operating system and then allow Windows Autopilot to continue. |
| Windows Autopilot user-driven mode | Provision Windows 10 on a new Windows 10 device. Devices will be set up by a member of the organization and configured for that person to use. |
| Windows Autopilot self-deploying mode | Used for transforming Windows 10 devices that will be automatically configured for use as a kiosk terminal, shared computer, or as a digital signage device. Can be performed locally by an administrator or via MDM. |
| Windows Autopilot Reset | Used to redeploy a Windows 10 device. The reset process removes personal files, apps, and settings, and it reapplies a device’s original settings. The connection to Azure AD and Microsoft Intune is retained. A user can sign in to the device using their Azure AD credentials and be productive immediately. |

When comparing Autopilot to traditional on-premises deployment methods, such as imaging, there are clear advantages:

  • Windows images are not required.
  • Drivers are included with Windows 10 and are pre-installed on the device.
  • No on-premises deployment infrastructure is required (except if using Windows Autopilot for existing devices).

In the next section, you will learn that devices must have a connection to the internet to use Windows Autopilot. If internet access is not available for the Windows Autopilot deployment, then you will need to select an alternative deployment method.

As long as an organization uses cloud-based services—such as Microsoft 365, which includes Azure AD and Microsoft Intune—they will be able to benefit from the following:

  • Joining devices to Azure AD automatically.
  • Auto-enrolling your devices into Microsoft Intune.
  • Lower provisioning costs.
  • Restricted Administrator account creation during OOBE.
  • Agile deployment of Windows 10 devices.
  • Accelerating user productivity.


Windows Autopilot requirements

There are several requirements and prerequisites that you need to put in place before you can use Windows Autopilot with your Windows 10 devices. If your organization already has a Microsoft 365 subscription, then you will already meet the licensing requirements.

Licensing Requirements

The following licensing requirements must be met:

  • Devices must be pre-installed with Windows 10 Pro, Pro Education, Pro for Workstations, Enterprise, or Education.
  • Azure AD Premium P1 or P2.
  • Microsoft Intune or another MDM solution to manage your devices.

Exam Tip

You can use the Microsoft Store for Business to manage Windows Autopilot profile deployments.

Networking Configuration

The following network configuration requirements must be met:

Azure AD Configuration Prerequisites

The following Azure AD configuration prerequisites must be met:

  • Azure AD company branding must be configured.
  • Azure AD automatic enrollment must be configured.
  • A device must be registered with Azure AD.
  • Users must have permissions to join devices into Azure AD.

Windows Autopilot Configuration

The following Windows Autopilot configuration prerequisites must be met:

  • Devices must have their device hardware IDs known by Windows Autopilot.
  • Devices must have a Windows Autopilot deployment profile assigned.
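
The following PowerShell is an added example, not code from the book: it gathers the device hardware ID (the hardware hash) that Windows Autopilot must know about, writes it in the CSV layout Autopilot imports use, and sanity-checks the file before it is handed over for import. It assumes the MDM_DevDetail_Ext01 WMI class is available (it is on the supported Windows 10 editions listed above), that the script runs elevated, and that the output path and the optional Group Tag value are placeholders.

```powershell
# Added example (not from the book): collect the hardware hash the text
# requires and write it as the CSV layout Autopilot registration expects.
# Assumes the MDM_DevDetail_Ext01 WMI class (supported Windows 10 editions)
# and an elevated session. Output path and group tag are placeholders.
$OutputCsv = Join-Path $env:TEMP 'AutopilotHWID.csv'   # placeholder path
$GroupTag  = 'Pilot'                                    # assumed optional tag

function Get-AutopilotDeviceInfo {
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $detail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
        -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $detail -or [string]::IsNullOrEmpty($detail.DeviceHardwareData)) {
        throw 'Hardware hash not available; run elevated on a supported Windows 10 edition.'
    }
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''     # left blank; the hash is what identifies the device
        'Hardware Hash'        = $detail.DeviceHardwareData
        'Group Tag'            = $GroupTag
    }
}

$info = Get-AutopilotDeviceInfo
# Column names and order matter for the import; keep them exactly as above.
$info | Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding ASCII

# Sanity checks before handing the file to whoever imports it: the hash is a
# base64 blob several kilobytes long, and the serial number must not be empty.
$row = Import-Csv -Path $OutputCsv
if ([string]::IsNullOrWhiteSpace($row.'Device Serial Number')) { Write-Warning 'Empty serial number' }
if ($row.'Hardware Hash'.Length -lt 1000) { Write-Warning 'Hardware hash looks truncated' }
Write-Host "Wrote $OutputCsv for serial $($row.'Device Serial Number')"
```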

Implement pilot deployment

Windows Autopilot is not complex to configure and use, although there are several services that need to work together for your users to see a seamless OOBE. After completing the prerequisites needed for Windows Autopilot, you may want to practice using Windows Autopilot to provision Windows 10 in your test lab using virtual machines.

Once you have the basic functionality working, you can explore the additional features that are available; these features can be used to streamline the deployment process or personalize the experience for the user. These enhancements currently include the following:

  • Device Groups Creating device groups with Azure AD allows you to separate devices into logical groupings.
  • Dynamic Groups You can use Azure AD Dynamic Groups to simplify device group management. Devices are automatically added to the dynamic group if they meet the group membership criteria outlined in the rules. Dynamic groups are an Azure AD Premium feature.
  • Deployment Profiles You can create a single default deployment profile for your whole organization, or you can create additional deployment profiles and assign them to device groups.
  • Personalization Windows Autopilot allows you to assign a username and a friendly name to a specific device. During OOBE, the friendly name is then shown to the user.
  • Enrollment Status Page During device enrollment into Microsoft Intune, users can be shown a progress status page. This is configurable.

After you have configured your Windows Autopilot processes and successfully provisioned devices in your test lab, you are ready to deploy Windows Autopilot in your production environment. You should follow best practices for any new technology deployment, and you should first pilot the processes to a small group of new devices and their users.

The pilot phase of the Windows Autopilot rollout should be closely monitored, and feedback should be sought from all stakeholders. Any problems with the pilot deployment should be thoroughly resolved before proceeding to a larger scale rollout.

Note Windows Autopilot Roadmap

Windows Autopilot is a comparatively new technology and is likely to have additional functionality added frequently. To ensure that you are up to date with the most recent Windows Autopilot features, you should review the reference information on the Microsoft website at https://docs.microsoft.com/mem/autopilot/windows-autopilot.