Autopilot Cheatsheet
Troubleshooting Autopilot
Collecting the log files
Open a Command Prompt as an administrator while the device is sitting at the Out-of-Box Experience (OOBE). One of the following key combinations opens it; which one works differs by model of machine: Shift + F10, Alt + Shift + F10 or Fn + Shift + F10. Note that this prompt runs as SYSTEM, so anyone with physical access to a device at OOBE gets the same access.
# Open PowerShell from the admin cmd prompt
powershell
# Create a temp folder (-Force so this does not fail if it already exists)
New-Item -Path C:\ -Name Temp -ItemType Directory -Force
# Collect the Autopilot diagnostic logs into a zip
MdmDiagnosticsTool.exe -area Autopilot -zip C:\Temp\mdmDiag.zip
Parsing those MDM Logs
# Allow scripts to run for this session only (does not change the machine-wide policy)
Set-ExecutionPolicy RemoteSigned -Scope Process
# Install the community diagnostics script from the PowerShell Gallery
Install-Script -Name Get-AutopilotDiagnosticsCommunity
# Run this against the MDM logs collected above
# -Online will prompt for admin creds so the script can resolve app names from Intune
Get-AutopilotDiagnosticsCommunity -ZIP C:\Temp\mdmDiag.zip -Online
Review Intune Management Extension Logs
The Intune Management Extension (IME) writes its logs to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs; IntuneManagementExtension.log records Win32 app downloads, installs and detection results in CMTrace format. Review this snippet for a starting place to do this.
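The following is an added example, not code from the original page: a small PowerShell parser for the CMTrace-format lines in IntuneManagementExtension.log that surfaces errors and non-zero Win32 app exit codes. The log lines embedded below are constructed for illustration; the function names and the exit-code message pattern are this example's own assumptions, so check them against a real log from your tenant.

```powershell
# Added example (not from the original page): parse Intune Management Extension
# (CMTrace-format) log lines and pull out errors and Win32 app install results.
# Real log path on a device:
#   C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log

function ConvertFrom-CmTraceLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Line
    )
    begin {
        # One CMTrace entry per line:
        # <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="N" file="">
        # type 1 = info, 2 = warning, 3 = error. Multi-line entries are not handled here.
        $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<component>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"'
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $pattern) {
                [pscustomobject]@{
                    Timestamp = "$($Matches.date) $($Matches.time)"
                    Severity  = $severity[$Matches.type]
                    Component = $Matches.component
                    Thread    = [int]$Matches.thread
                    Message   = $Matches.msg
                }
            }
        }
    }
}

function Get-Win32AppResult {
    # Assumption: install results are logged as "... app id = <guid>, exit code = <n>".
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject[]]$Entry
    )
    process {
        foreach ($e in $Entry) {
            if ($e.Message -match 'app id = (?<id>[0-9a-fA-F-]{36}).*exit code = (?<code>-?\d+)') {
                [pscustomobject]@{
                    Timestamp = $e.Timestamp
                    AppId     = $Matches.id
                    ExitCode  = [long]$Matches.code
                    Severity  = $e.Severity
                }
            }
        }
    }
}

# Constructed sample lines (not from a real device) in the IME log format.
$sample = @'
<![LOG[[Win32App] ===Step=== Download app, app id = 8d2f4a1c-0000-4000-8000-000000000001]LOG]!><time="10:01:02.1234567" date="3-4-2024" component="IntuneManagementExtension" context="" type="1" thread="12" file="">
<![LOG[[Win32App] Installation is completed, app id = 8d2f4a1c-0000-4000-8000-000000000001, exit code = 0]LOG]!><time="10:02:15.0000000" date="3-4-2024" component="IntuneManagementExtension" context="" type="1" thread="12" file="">
<![LOG[[Win32App] Installation is completed, app id = 8d2f4a1c-0000-4000-8000-000000000002, exit code = 1603]LOG]!><time="10:05:40.5000000" date="3-4-2024" component="IntuneManagementExtension" context="" type="3" thread="12" file="">
<![LOG[[Win32App] Detection rule not found after install, app id = 8d2f4a1c-0000-4000-8000-000000000002]LOG]!><time="10:05:41.0000000" date="3-4-2024" component="IntuneManagementExtension" context="" type="2" thread="12" file="">
'@

$entries = $sample -split "`r?`n" | ConvertFrom-CmTraceLog

# Everything the IME itself flagged as a warning or error
$entries | Where-Object Severity -ne 'Info' | Format-Table Timestamp, Severity, Message -AutoSize

# Apps whose installer returned a non-zero exit code (1603 is the generic MSI failure)
$entries | Get-Win32AppResult | Where-Object ExitCode -ne 0 | Format-Table -AutoSize

# On a real device, replace $sample with the log file:
# Get-Content 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log' |
#     ConvertFrom-CmTraceLog | Get-Win32AppResult | Where-Object ExitCode -ne 0
```

Pipe the failing app IDs into the -Online output of Get-AutopilotDiagnosticsCommunity (or the Intune portal) to map them back to app names; the IME log only records the app ID.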
Issues Previously seen
Autopilot stuck installing apps
Applications in Intune with a "Required" assignment to users, devices or a group that the enrolling device or user falls into are installed during the Autopilot process, and the Enrollment Status Page waits for them.
Collect the logs as described in the section above and run Get-AutopilotDiagnosticsCommunity with the -Online switch to identify which apps failed or are stuck.
Remove them from the groups targeted during Autopilot if possible, or troubleshoot the apps themselves.
Setting up Autopilot
- Set up three dynamic groups in Azure AD (Microsoft Entra ID) that cover the following: All Intune Devices (dynamic device), All Autopilot Devices (dynamic device) and All Intune Users (dynamic user).
- For each of the three groups, set up the membership expressions; review the Microsoft documentation linked below for how to do this.
- Create a Conditional Access policy that only allows access if the device is compliant, and make sure it is applied to the All Intune Users dynamic group you set up (with your break-glass accounts excluded).
Users and Groups
The Autopilot profile targets a group that should contain your Windows devices.
Apps marked as "Required" and assigned to the same group will install automatically during Autopilot, increasing setup time.
Solution: Create two separate groups:
- One for the Autopilot Profile
- One for Application Installations & Patches
This ensures only selected apps install during Autopilot, streamlining the setup process.
Set up a third group called "Intune - All Intune Users"; this should also be a dynamic (user) group.
Dynamic Queries
Check out this Microsoft documentation for reference; the rules below are taken from it.
- To create a group that includes all of your Autopilot devices, enter:
  (device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))
- To create a group that includes all Autopilot devices with a specific group tag (the Azure AD device OrderID), enter:
  (device.devicePhysicalIds -any (_ -eq "[OrderID]:179887111881"))
- To create a group that includes all your Autopilot devices with a specific Purchase Order ID, enter:
  (device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:76222342342"))
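The following is an added example, not code from the original page: it creates the three dynamic groups from the "Setting up Autopilot" steps with the Microsoft Graph PowerShell SDK. The Autopilot device rule is the one quoted from the Microsoft documentation above; the "All Intune Devices" and "All Intune Users" rules, and the group display names, are this example's own assumptions and should be adjusted for your tenant.

```powershell
# Added example, not from the original page: create the three dynamic groups
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups module).
# Requires: Install-Module Microsoft.Graph.Groups and consent to Group.ReadWrite.All.

function New-IntuneDynamicGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MembershipRule,
        [Parameter(Mandatory)][ValidateSet('Device', 'User')][string]$Kind
    )
    # The mail nickname must be unique and cannot contain spaces.
    $nickname = $DisplayName -replace '[^A-Za-z0-9]', ''
    if ($PSCmdlet.ShouldProcess($DisplayName, "Create dynamic $Kind group")) {
        New-MgGroup -DisplayName $DisplayName `
            -Description "Dynamic $Kind group for Intune/Autopilot" `
            -MailEnabled:$false -MailNickname $nickname -SecurityEnabled `
            -GroupTypes @('DynamicMembership') `
            -MembershipRule $MembershipRule `
            -MembershipRuleProcessingState 'On'
    }
}

$groups = @(
    # Rule quoted from the Microsoft documentation referenced above.
    @{ DisplayName = 'Intune - All Autopilot Devices'; Kind = 'Device'
       MembershipRule = '(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))' },
    # Assumption: "all Intune devices" means Windows devices managed by MDM.
    @{ DisplayName = 'Intune - All Intune Devices'; Kind = 'Device'
       MembershipRule = '(device.deviceOSType -eq "Windows") -and (device.managementType -eq "MDM")' },
    # Assumption: "all Intune users" means enabled member (non-guest) accounts.
    @{ DisplayName = 'Intune - All Intune Users'; Kind = 'User'
       MembershipRule = '(user.accountEnabled -eq true) -and (user.userType -eq "Member")' }
)

Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome

foreach ($g in $groups) {
    # Skip groups that already exist so the script is safe to re-run.
    $existing = Get-MgGroup -Filter "displayName eq '$($g.DisplayName)'"
    if ($existing) {
        Write-Host "Already exists: $($g.DisplayName) ($($existing.Id))"
        continue
    }
    New-IntuneDynamicGroup @g | Select-Object DisplayName, Id
}
```

Run it once with -WhatIf on New-IntuneDynamicGroup to see what would be created, and check the membership counts in the portal after the rule processing finishes: an "all users" rule that silently includes guests or disabled accounts is a common reason the Conditional Access policy below behaves unexpectedly.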
Conditional Access
Conditional Access is one of your lines of defence against unauthorised access to company resources in the cloud; you'll need a policy to ensure only compliant devices are able to access the organisation.
- Sign in to the Microsoft Entra admin center.
- Browse to Protection > Conditional Access.
- Select + New policy, and then select Create new policy.
Create the following settings to ensure only compliant devices are allowed access:
Assignment:
- Users: Include the All Intune Users group; exclude your break-glass (emergency access) accounts so a misconfigured policy cannot lock every administrator out.
- Target Resources: All cloud apps.
- Conditions: Device platforms (Windows), Locations (include all, exclude Offices).
Access Controls:
- Grant: Require device to be marked as compliant.
Caveats: excluding the office locations means a non-compliant or unmanaged Windows device on the office network is not blocked by this policy, so only keep that exclusion if another control covers it. Create the policy in report-only mode first and review the sign-in logs before switching it to On.
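The following is an added example, not code from the original page: it creates the Conditional Access policy described above with the Microsoft Graph PowerShell SDK, in report-only mode and with a break-glass exclusion. The function name, the policy display name and the placeholder break-glass account ID are this example's own assumptions; the group and named-location lookups assume the names "Intune - All Intune Users" and "Offices" exist in the tenant.

```powershell
# Added example, not from the original page: create the "require compliant device"
# Conditional Access policy via Microsoft Graph (Microsoft.Graph.Identity.SignIns).
# Requires consent to Policy.ReadWrite.ConditionalAccess (plus read scopes for lookups).

function New-CompliantDevicePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$IntuneUsersGroupId,
        # Break-glass accounts must be excluded so a bad policy cannot lock admins out.
        [Parameter(Mandatory)][string[]]$BreakGlassUserIds,
        # Named location(s) for the offices. Excluding them is what the page describes,
        # but it means unmanaged devices on the office network are not blocked.
        [string[]]$OfficeLocationIds = @(),
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string]$State = 'enabledForReportingButNotEnforced'   # report-only by default
    )

    $locations = @{ includeLocations = @('All') }
    if ($OfficeLocationIds.Count -gt 0) {
        $locations.excludeLocations = $OfficeLocationIds
    }

    $policy = @{
        displayName   = 'Require compliant Windows device for all cloud apps'
        state         = $State
        conditions    = @{
            users        = @{ includeGroups = @($IntuneUsersGroupId); excludeUsers = $BreakGlassUserIds }
            applications = @{ includeApplications = @('All') }
            platforms    = @{ includePlatforms = @('windows') }
            locations    = $locations
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    }

    if ($PSCmdlet.ShouldProcess($policy.displayName, "Create Conditional Access policy (state: $State)")) {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    }
}

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All', 'Application.Read.All' -NoWelcome

# Look up the objects the policy references (names are assumptions for this example).
$intuneUsersId = (Get-MgGroup -Filter "displayName eq 'Intune - All Intune Users'").Id
$officeIds     = @((Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'Offices'").Id)
# Placeholder: replace with the object IDs of your real emergency access accounts.
$breakGlass    = @('00000000-0000-0000-0000-000000000000')

New-CompliantDevicePolicy -IntuneUsersGroupId $intuneUsersId `
    -BreakGlassUserIds $breakGlass `
    -OfficeLocationIds $officeIds |
    Select-Object DisplayName, State, Id
```

Leave the policy in report-only mode until the sign-in logs show no unexpected "would have been blocked" entries, then re-run with -State enabled (or flip it in the portal). If you decide the office exclusion is not justified, omit -OfficeLocationIds and the policy applies everywhere.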