How to use Autopilot with Smart Cards

Your organization may have a hard requirement to use smart cards (or PIV, CAC, etc.) for authentication. Maybe they’re also using ADFS, disabling passwords, and really don’t want to let anyone have a temporary password. In a previous blog post we explored the types of Authentication methods supported in Autopilot (AD FS Authentication Methods supported during Autopilot) and basically stated – you’re out of luck if you want to use a smartcard because OOBE outright doesn’t support them. Well, after a lot of testing, I think we’ve found a way around that problem. We need to skip OOBE.

Before we dive in, this blog post is mostly for anyone who was blocked from using Autopilot because of a smart card requirement. If this is your first time exploring Autopilot for your organization, feel free to read on ahead, but we’re skipping the set up and just covering the method (there’s a great How-to guide on the Microsoft Docs that explains the basic setup). Unfortunately much of the content won’t make too much sense unless you’ve already worked with Autopilot.

With that said – let’s dive in!

The trick is that you’ll need to deploy a Autopilot Pre-Provisioning profile (or White Glove, as it used to be called) that uses Hybrid Azure AD join. If you haven’t set that up yet, here are the instructions for setting up Autopilot for Hybrid Azure AD join.

Enable the white glove setting in the profile you’re testing by going to Microsoft Endpoint Manager > Devices > Windows Autopilot deployment profiles > your profile > Allow White Glove OOBE > Yes:

Target the profile to a device (VMs aren’t supported unfortunately). On the device, press the Windows key 5 times:

Then click Windows Autopilot provisioning > Continue. The device will attempt to pull down the white glove profile it was assigned. If the organization and deployment profile look correct, click Provision.

Pre-provisioning mode uses the Enrollment Status Page to complete the device preparation and device setup steps. Because we’re doing a Hybrid Azure AD join, during the Device setup the domain-join profile will be applied. That’s the crucial step – once the device is resealed, and the user opens it to complete Autopilot, they’ll be at the Windows 10 login screen to complete the domain join, which will accept a smart card.

After the first two steps complete, and the device reboots, you should be greeted with the completed pre-provisioning screen:

Click Reseal. The device is now ready to be shipped to the end user – or for you to continue testing. Once you turn it on again, you’ll be greeted with the normal OOBE experience, where you click through keyboard settings and connect to WiFi. But when it normally gets to the branded OOBE login screen, instead you get:

And if you click Sign-in options….

Smart Card sign-in! Well, as long as you have a smart card plugged in, that is. Remember that in order to complete the sign-in off your domain network, you’ll need to be connected to a VPN during this step.

Once you enter the smart card pin, the enrollment state page will take over to complete the Account setup:

And in just a few moments, you’ll have a Hybrid Azure AD join device that you enrolled via Autopilot with a smart card!

So to answer your first question right off the bat: Unfortunately this only works with Hybrid Azure AD join profiles. That’s because after resealing, an Azure AD join device leverages the OOBE login page, which doesn’t support smart card login:

I’ve been looking for a solution for the smart card Autopilot problem for years, so hopefully if you’re coming across this blog post it helps you too! Please comment any questions below, or if you have any additional information/testing that you think could help others. Happy deploying! 📦