Hardware
Intune and Autopilot require a Trusted Platform Module (TPM) or a Pluton security processor in order to manage devices. The minimum supported version is TPM 1.2, but TPM 2.0 or newer is recommended so that all Intune and Autopilot management features are available.
Trusted Platform Module: TPM 2.0 (TPM 1.2 limited support)
Pluton security processor: Pluton security processor version 1.0
TPM 2.0 / Pluton Overview
TPM 2.0 is a hardware-based security feature that provides a secure area to store keys, passwords, and digital certificates. It is used to protect data by encrypting it and ensuring that only authorized users can access it. Microsoft Pluton is a security processor that supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on a TPM, including BitLocker, Windows Hello, and Windows Defender System Guard. Devices using Pluton as their TPM 2.0 offer all the same features provided by other TPMs but benefit from its CPU-integrated security posture, its design for renewability, and Windows TPM-based features that are validated to run seamlessly on Pluton.
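The following PowerShell function is an added example (not from the original page or from Microsoft) that checks a Windows device against the TPM baseline described above: it reads the TPM specification version from the Win32_Tpm WMI class and reports whether the device meets the recommended TPM 2.0 level, falls into the limited-support TPM 1.2 tier, or has no usable TPM at all. The assessment strings and the function name are assumptions made for this example; run it in an elevated session.

```powershell
# Added example: assess TPM readiness for Intune/Autopilot enrollment.
# Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.59" or "1.2, 2, 3";
# the first comma-separated field is the TPM specification version.

function Get-TpmReadiness {
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            Present     = $false
            SpecVersion = $null
            Enabled     = $false
            Activated   = $false
            Assessment  = 'No TPM detected: device cannot meet the Intune/Autopilot hardware requirement'
        }
    }

    $spec    = ($tpm.SpecVersion -split ',')[0].Trim()
    $version = [version]$spec            # "2.0" -> 2.0, "1.2" -> 1.2

    $assessment = if ($version -ge [version]'2.0') {
        'TPM 2.0 or newer: all Intune/Autopilot management features available'
    } elseif ($version -ge [version]'1.2') {
        'TPM 1.2: limited support, plan a hardware refresh before relying on newer features'
    } else {
        'Unsupported TPM version'
    }

    # A TPM that is present but disabled or deactivated in firmware is not usable
    # by BitLocker, Windows Hello or Autopilot until it is turned on in UEFI.
    $enabled   = [bool]$tpm.IsEnabled_InitialValue
    $activated = [bool]$tpm.IsActivated_InitialValue
    if (-not ($enabled -and $activated)) {
        $assessment += ' (TPM present but not enabled/activated in firmware)'
    }

    [pscustomobject]@{
        Present     = $true
        SpecVersion = $spec
        Enabled     = $enabled
        Activated   = $activated
        Assessment  = $assessment
    }
}

Get-TpmReadiness | Format-List
```

Because Pluton presents itself as a standard TPM 2.0, a Pluton-equipped device passes the same check as a discrete TPM 2.0; the function does not try to distinguish the two.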
Autopilot Hardware Hash
The hardware hash is a unique identifier that is generated by the device manufacturer and is used to identify the device during Windows Autopilot deployment. The hardware hash changes each time it's generated because it includes details about when it was generated. When the Windows Autopilot deployment service attempts to match a device, it considers changes to the device's hardware. If too many changes occur, such as a new motherboard, the device will have to be reimported into the Autopilot service.
The benefits of using Autopilot with a registered hardware hash include:
• Simplifies the Windows device lifecycle, for both IT and end users, from initial deployment to end of life.
• Reduces the time IT spends on deploying, managing, and retiring devices.
• Reduces the infrastructure required to maintain the devices.
• Allows IT administrators to enforce operating system installations.
• Allows IT administrators to reset and enroll devices almost anywhere an internet connection exists.
• Allows IT administrators to use Group Tags to simplify and automate the enrollment / deployment processes.
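As an added example (not from the original page or from Microsoft's own Get-WindowsAutopilotInfo script), the PowerShell function below collects the device's hardware hash and serial number the way the Autopilot import expects them and appends a row to a CSV using the documented import columns (Device Serial Number, Windows Product ID, Hardware Hash, Group Tag). The output path and the 'Student-Laptop' group tag are assumed sample values; run it in an elevated session on Windows 10/11.

```powershell
# Added example: export this device's Autopilot hardware hash to an import CSV.
# The hash is read from the MDM_DevDetail_Ext01 WMI class (DeviceHardwareData),
# which is the same source used by the Autopilot registration tooling.

function Export-AutopilotHardwareHash {
    param(
        [Parameter(Mandatory)] [string] $OutputPath,
        [string] $GroupTag = ''          # optional Group Tag used to target Autopilot profiles
    )

    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
                                 -ClassName MDM_DevDetail_Ext01 `
                                 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" `
                                 -ErrorAction SilentlyContinue
    if (-not $devDetail) {
        throw 'Unable to read MDM_DevDetail_Ext01; run elevated on Windows 10/11.'
    }

    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
    $hash   = $devDetail.DeviceHardwareData   # opaque value the Autopilot service matches on

    $row = [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''        # optional column; left blank
        'Hardware Hash'        = $hash
        'Group Tag'            = $GroupTag
    }

    # The Autopilot import expects unquoted fields, so strip the quotes ConvertTo-Csv adds.
    $lines = $row | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' }
    if (Test-Path $OutputPath) {
        $lines = $lines | Select-Object -Skip 1   # keep a single header row when appending
    }
    $lines | Out-File -FilePath $OutputPath -Append -Encoding ascii

    return $row
}

# Sample usage with assumed values; one device per run, appending to a shared file.
Export-AutopilotHardwareHash -OutputPath 'C:\Temp\AutopilotHashes.csv' -GroupTag 'Student-Laptop'
```

Because the hash embeds the time it was generated, the value differs on every run; that is expected, and the Autopilot service still matches the device as long as its underlying hardware has not changed substantially.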
Operating Systems
Supported
Windows 10 Pro / Enterprise / Education
Windows 11 Pro / Enterprise / Education
Surface Laptop SE (Cloud OS)
Apple (macOS)
Apple (iOS)
Linux (Ubuntu)
Google (Android)
Google (Chromebook)
Hardware Considerations
It's important to understand that there are various management components when securing devices for an organizational environment. When preparing for large device purchases it's important to work closely with the partner / vendor selling the devices. This ensures automation and workflow processes are followed for a successful deployment. Don't hesitate to also reach out to your Microsoft representative for assistance.
Autopilot Hardware Hash
When ordering new devices, it's important to work with the Reseller / Partner. Be sure to confirm they understand you plan on managing the devices with Intune / Autopilot and that they need to either import the hardware hashes into the Autopilot service themselves or provide the hardware hash files to IT administrators.
Corporate Ready Image
When ordering devices other than Microsoft Surface for the first time, it's best to request a corporate-ready image from the vendor you're purchasing the devices from. This ensures the device doesn't come pre-installed with bloatware or other software that may be harmful to staff and students, such as TikTok and other installations of questionable security. K-12 institutions may be eligible for a discount program called Shape the Future, which can reduce device costs. Microsoft Surface Enterprise / Education devices come pre-installed with a corporate-ready image and don't need custom orders or modifications.
BIOS / UEFI Management
When ordering new devices or managing existing ones, it's important to understand how to ensure staff and students can't load their own operating systems, change how devices operate, or remove what IT administrators have installed. Microsoft Surface devices support DFCI (Device Firmware Configuration Interface), which allows management of the UEFI settings from Intune via policy. OEM devices require either BIOS / UEFI lockdown at the factory when built or modification after purchase via services such as white glove. These additional services usually come with increased cost; consult your Partner / Reseller for confirmation.
Warranty Repair Procedure
When devices are repaired by the OEM, it's important to take into consideration that the device may come back with new components that break the Autopilot hardware hash. Microsoft Surface devices that are repaired through the Intune Surface Warranty portal will be automatically re-uploaded to the Autopilot service. OEMs must remove the previous Autopilot device record and import a new hardware hash when major repairs are performed. Contact your Partner / Reseller to confirm support and the proper procedure to limit Autopilot re-deployment issues.