anyweb Posted November 29, 2017

Introduction

Microsoft describes Windows AutoPilot as “Windows AutoPilot is a suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs”. That roughly translates to a cloud-based method of deploying new Windows 10 devices.

To use Windows AutoPilot you'll need to fulfill some requirements, namely:

Devices must be registered to the organization
Company branding needs to be configured
Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
Devices must have access to the internet
Azure AD Premium P1 or P2
Microsoft Intune or other MDM services to manage your devices

Windows 7 is not going to gain access to this new technology and new devices are the target (from the OEM for example). There is a way to re-provision existing Windows 10 devices via a Windows Reset but I’ll cover that in another blog post.

This post will explain how you can get around one obstacle that currently exists (29th of November 2017) with Windows AutoPilot, and that is the ability to connect to the Internet across a Proxy. Windows AutoPilot needs to be able to connect to the internet to do its magic, and proxies can throw a spanner in that. In this post I assume you have already enrolled a Windows 10 device into Windows AutoPilot and that you plan on connecting the new Windows 10 device to the internet via a Proxy. All screenshots are from a Windows 10 version 1709 computer (Fall Creators Update).

Windows AutoPilot default behavior (with direct connection to Internet)

During OOBE (Out of Box Experience) on a Windows AutoPilot enrolled device, the following should be observed in the order listed below:

1. Vocal Intro from Cortana (unless it's a Hyper-V VM)
2. Let’s start with this region. Is this right? [United States] <Yes>
3. Is this the right keyboard layout? [US] <Yes>
4. Want to add a second keyboard layout? <Skip>
5. Now we can go look for updates…(takes some time to download things and do magic)
6. Welcome to [Tenant Name] <Next>

Windows AutoPilot default behavior (with a proxy)

When a Windows AutoPilot enrolled device is booted behind a Proxy, it goes through these steps in OOBE:

1. Vocal Intro from Cortana (unless it's a Hyper-V VM)
2. Let’s start with this region. Is this right? [United States] <Yes>
3. Is this the right keyboard layout? [US] <Yes>
4. Want to add a second keyboard layout? <Skip>
5. Let's connect you to a Network.

In the above scenario, the Windows AutoPilot magic that should occur cannot take place due to a lack of direct Internet connectivity and therefore the following things will not happen:

Automatically join devices to Azure Active Directory (Azure AD)
Auto-enroll devices into MDM services, such as Microsoft Intune (Requires an Azure AD Premium subscription)
Restrict the Administrator account creation
Create and auto-assign devices to configuration groups based on a device’s profile
Customize OOBE content specific to the organization

In other words, Windows AutoPilot can't configure the device and you'll need to do those actions manually.

Solution

Before starting this step, download the following PowerShell script, SetWindowsAutoPilotProxy.ps1, edit the highlighted variables below and replace them with your proxy details, then copy the edited script to your target Windows AutoPilot device.

Next, boot the Windows 10 device that is enrolled into Windows AutoPilot. Once OOBE starts it will take you to the Let's start with region question. Press the Left Shift and F10 keys together and a command prompt should appear.

In the cmd prompt that appears, type the following:

PowerShell

then type the following:

Set-ExecutionPolicy UnRestricted

Next, run the script by typing .\SetWindowsAutoPilotProxy.ps1 and press Enter.

The script will run quickly and you'll see a reboot prompt. You can ignore it. If you look carefully you can see your proxy settings in the PowerShell output.

This will gracefully reboot the computer with the Proxy settings in place and it will start the OOBE again, except this time with a direct connection to the internet (via the Proxy).

The OOBE experience after configuring proxy settings

After the reboot you'll get prompted with the usual OOBE screens, followed by Is this the right keyboard layout? and whether you Want to add a second keyboard layout? and the License Agreement screen, and now that the proxy settings are set, it will check directly with the Internet to verify for updates. After accepting the EULA you'll get to the Windows AutoPilot specific part of the process. You’ll know when that happens because your tenant name (and branding if configured) will appear.

After entering your credentials, Windows setup will configure your profile and, depending on your settings, you may have to confirm Microsoft Verification for Windows Hello for Business (setup PIN). Enter and confirm your PIN. After confirming the PIN you’ll see the Enrollment Status Screen (if configured in Windows Enrollment options in Intune); note that this is a Windows 10 version 1709 capability.

Once you click on Got it, Windows is ready to use and Intune policies are applied (such as Applications, start menu and more).

That’s it, job done.

cheers
niall
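Added example, not the contents of SetWindowsAutoPilotProxy.ps1 and not the poster's code: a sketch of a script that sets a static proxy for both the per-user (WinINET) settings and WinHTTP, then reads both back. The file name Set-OobeProxy.ps1, the proxy address and the bypass list are placeholders; the launch line in the first comment allows the script for one process only, whereas Set-ExecutionPolicy without -Scope changes the LocalMachine policy and stays in effect after provisioning.

```powershell
# Added example. Launch for this process only, machine policy untouched:
#   powershell.exe -ExecutionPolicy Bypass -File .\Set-OobeProxy.ps1
param(
    [string]$ProxyServer = 'proxy.example.internal:8080',  # placeholder host:port
    [string]$BypassList  = '<local>'                       # placeholder bypass list
)

# Refuse malformed input before writing it into system settings.
if ($ProxyServer -notmatch '^[A-Za-z0-9.-]+:\d{1,5}$') {
    throw "ProxyServer must be host:port, got '$ProxyServer'"
}

# Per-user (WinINET) proxy settings for the account running this prompt.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $inet -Name ProxyServer   -Value $ProxyServer -Type String
Set-ItemProperty -Path $inet -Name ProxyOverride -Value $BypassList  -Type String
Set-ItemProperty -Path $inet -Name ProxyEnable   -Value 1            -Type DWord

# Machine-wide WinHTTP proxy (static host:port).
& netsh.exe winhttp set proxy $ProxyServer $BypassList | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "netsh winhttp set proxy failed with exit code $LASTEXITCODE"
}

# Read both layers back so a typo is caught before the reboot.
$winhttp = (& netsh.exe winhttp show proxy) -join "`n"
$user    = Get-ItemProperty -Path $inet
[pscustomobject]@{
    WinInetEnabled = [bool]$user.ProxyEnable
    WinInetServer  = $user.ProxyServer
    WinHttpApplied = $winhttp -match [regex]::Escape($ProxyServer)
}

# Restart afterwards so OOBE begins again with the proxy in place.
```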
pelmini Posted December 1, 2017

Very useful information. I do have one question though. How do you authenticate against your proxy?
anyweb Posted December 1, 2017

good point, I'm not authenticating against the proxy in this example (was not needed) but if you need to, use the following in addition to the above:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyUser /t REG_SZ /d username
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyPass /t REG_SZ /d password
KemilGhoghari Posted August 8, 2019

For some reason I can’t get to the SetWindowsAutoPilotProxy.ps1 script. Can you post the contents of the script?
anyweb Posted August 8, 2019

you can only download the script if you are logged on as a member of this site, so please do try again now that you are one
MichalZyzak Posted July 30, 2021

Hi

Is the WinHTTP actually required? What if we have proxy configuration delivered as PAC file? Netsh does not support PAC files.
anyweb Posted July 31, 2021

the only way I've found is to script around it on the client and get that script onto your autopilot images somehow..., or get your proxy guys to add a transparent proxy for it, or use Wi-Fi connections that bypass the proxy, there probably are some other abilities but for now that's what we have
soydlm Posted February 6, 2022 (edited)

Hi,

If my organization uses a proxy.pac, would this script also work to use Autopilot?
anyweb Posted February 6, 2022

there's only one way to find out, try it! I recommend trying it out using a virtual machine connected to the same network as the network you intend to test, that way you can try different settings in the script on the fly
soydlm Posted February 9, 2022

Hello,

I wanted to ask you some questions with the scenario that we are finding in a client. We are implementing Intune for Hybrid devices, communications use proxy, URLs and IPs for output to Azure, Office 365, Intune are added to the allow list without proxy authentication. But they go through the organization's proxy. We do not use WPAD.

We have come across two situations that we have had to configure in the equipment so that everything works correctly.

1. We have had to put the proxy configuration on WinHTTP, so that the registration of the devices in Azure AD works, and since we cannot use proxy.pac at the WinHTTP level, we have had to configure it as ipproxy:port. On this subject, why is it necessary to add the proxy in WinHTTP at the system level? Is it really necessary to add the WinHTTP? The computers have the proxy.pac added at the network configuration level > proxy > configuration script, is this not enough?

2. We also had to add the proxy address ipproxy:port in the BITS service with the Bitsadmin /util command, at the localsystem, localservice and Networkservice levels, so that the win32 applications would download, since they did not download without the configuration. Because apparently the BITS service was not able to exit through the proxy if you do not add the configuration with the described command.

3. And finally about using Hybrid Autopilot, in this scenario I have read the article by MICHAEL NIEHAUS, https://oofhours.com/2019/07/19/windows-autopilot-and-the-joy-of-networking/ on the topic of Autopilot using proxy, and it has caught my attention that one of the ways that can be done is to use the Autopilot profile using White Glove pre-provisioning on a different network, but at this point I have the doubt at what point of the Autopilot process the proxy configuration is loaded, and if the proxy configuration is assigned, wouldn't the process stop working, since being on a different network it would stop going out to the Internet when the proxy was applied, until you weren't there, connected in the production network?

I would like to know about your experience.

Thank you.
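Added example, not from any poster in the thread: a read-only PowerShell check of the proxy layers discussed above (per-user WinINET including a PAC script, WinHTTP, and BITS for the three service accounts). It also flags leftover ProxyUser/ProxyPass values, which the reg add commands earlier in the thread store as plain REG_SZ text, and a persistent execution policy left at Unrestricted or Bypass. The registry value names and commands are the ones quoted in the thread; the report layout and wording are assumptions.

```powershell
# Added example: reports state only, changes nothing.
$inet     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$user     = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Layer, [string]$State, [string]$Note) {
    $findings.Add([pscustomobject]@{ Layer = $Layer; State = $State; Note = $Note })
}

# 1. Per-user WinINET: static proxy and/or PAC script (AutoConfigURL).
$state = "Enable=$($user.ProxyEnable) Server=$($user.ProxyServer) PAC=$($user.AutoConfigURL)"
Add-Finding 'WinINET' $state 'per-user setting'

# 2. Proxy credentials written with reg add are readable plaintext.
foreach ($name in 'ProxyUser', 'ProxyPass') {
    if ($null -ne $user.$name) {
        Add-Finding 'WinINET' "$name present" 'plaintext in registry; remove and rotate'
    }
}

# 3. Machine-wide WinHTTP proxy.
$winhttp = (& netsh.exe winhttp show proxy | Out-String).Trim() -replace '\s+', ' '
Add-Finding 'WinHTTP' $winhttp 'machine-wide setting'

# 4. BITS proxy for each service account named in the thread.
foreach ($account in 'LOCALSYSTEM', 'NETWORKSERVICE', 'LOCALSERVICE') {
    $bits = (& bitsadmin.exe /util /getieproxy $account | Out-String).Trim() -replace '\s+', ' '
    Add-Finding "BITS/$account" $bits 'set with bitsadmin /util /setieproxy'
}

# 5. Persistent execution policy scopes (Process scope ends with the session).
foreach ($p in Get-ExecutionPolicy -List) {
    if ($p.Scope -ne 'Process' -and [string]$p.ExecutionPolicy -in 'Unrestricted', 'Bypass') {
        Add-Finding "ExecutionPolicy/$($p.Scope)" ([string]$p.ExecutionPolicy) 'relaxed; restore your baseline'
    }
}

$findings | Format-Table -AutoSize -Wrap
```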