How to Set Up Windows Autopilot in Microsoft Intune from Scratch


Configure Windows Autopilot for automated device deployment and management with Microsoft Intune. Complete setup from hardware ID capture to deployment profiles.

Evan Mael
March 27, 2026 15 min

Why Configure Windows Autopilot for Your Organization?

Windows Autopilot transforms the traditional device deployment process from a manual, time-intensive task into an automated, scalable solution. Instead of IT staff spending hours imaging each device, configuring settings, and installing applications, Autopilot enables zero-touch deployment where devices configure themselves based on predefined profiles.

This Microsoft technology integrates seamlessly with Intune and Entra ID (formerly Azure AD) to provide a cloud-native approach to device management. When a user receives a new device, they simply connect to the internet and sign in with their corporate credentials. The device automatically joins your organization, applies security policies, installs required applications, and configures settings—all without IT intervention.

What Makes Autopilot Essential in 2026?

The shift to hybrid work has made traditional imaging labs obsolete. Organizations need to deploy devices directly to remote employees, often shipping them straight from manufacturers. Autopilot addresses this challenge by enabling devices to be pre-configured in the cloud and automatically provisioned regardless of location.

Recent enhancements in 2026 include improved support for Windows 11 SE devices through OEM registration, mandatory Enrollment Status Pages for better user experience, and enhanced integration with Microsoft's zero-trust security model. The technology now supports automatic Intune enrollment prerequisites and provides better visibility into deployment progress.

What Will You Accomplish with This Tutorial?

By following this comprehensive guide, you'll establish a complete Autopilot infrastructure that can scale from pilot deployments to enterprise-wide rollouts. You'll learn to capture device hardware IDs, create deployment profiles that define the user experience, configure enrollment status pages for deployment visibility, and implement monitoring systems to ensure ongoing success. The result is a streamlined device deployment process that reduces IT overhead while improving security and user satisfaction.

Implementation Guide

Full Procedure

01

Configure Microsoft Entra ID Prerequisites

Before registering devices, you need to configure Entra ID for automatic enrollment. This ensures devices can join your organization and enroll in Intune automatically.

Sign in to the Microsoft Intune admin center at endpoint.microsoft.com with your administrator account. Navigate to Devices > Enrollment > Windows > Automatic Enrollment.

Set the MDM user scope to either:

  • All - All users can enroll devices automatically
  • Some - Only specified groups can enroll (recommended for pilot deployments)

If you choose "Some", click Select groups and add your target user groups. Configure the MAM user scope similarly if you plan to use mobile application management.

Pro tip: Start with "Some" and a pilot group of 10-20 users to test your configuration before rolling out to all users.

Verification: Navigate to Devices > Enrollment > Windows > Automatic Enrollment and confirm your MDM user scope is configured correctly. The status should show "Configured" with your selected scope.

02

Create Dynamic Device Groups in Entra ID

Dynamic groups automatically assign devices to Autopilot profiles based on device properties. This eliminates manual group management as you scale your deployment.

In the Intune admin center, navigate to Groups > All groups > New group. Configure the following settings:

  • Group type: Security
  • Group name: Autopilot Devices
  • Membership type: Dynamic Device

Click Add dynamic query and create a rule. For devices registered through Autopilot, use this query:

(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))

This rule automatically includes any device with a Zero Touch Deployment ID, which is assigned during Autopilot registration.

For more specific targeting, you can create groups based on device models or serial numbers:

(device.deviceModel -eq "Surface Laptop 5") or (device.serialNumber -startsWith "ABC")

Verification: After creating the group, click Validate Rules to test your dynamic query. The group will populate with devices once they're registered in Autopilot.

03

Register Devices and Capture Hardware IDs

Device registration is the foundation of Autopilot. You have two main options: OEM/partner registration (automatic) or manual registration using PowerShell.

Option A: OEM/Partner Registration (Recommended)

If you purchased devices from Dell, HP, Lenovo, or Microsoft Surface, request Autopilot registration during purchase. Provide your Entra ID tenant ID (found in Entra ID > Overview) to your vendor. Devices will appear in Intune within 24-48 hours.

Option B: Manual Registration with PowerShell

For existing devices or non-OEM purchases, capture the hardware hash manually. On the target device, open PowerShell as Administrator and run:

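# Allow signed remote scripts first; -Scope CurrentUser persists for this user (-Scope Process limits it to this session)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# Download the script from the PowerShell Gallery
Install-Script -Name Get-WindowsAutoPilotInfo -Force
# Collect the hardware hash and upload it to the tenant
Get-WindowsAutoPilotInfo -Online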

When prompted, sign in with your Intune administrator credentials. The script uploads the device hash directly to your tenant.

Warning: The PowerShell method doesn't work on Windows 11 SE devices. These must be registered through OEM partners only.

For bulk registration, export to CSV first:

Get-WindowsAutoPilotInfo -OutputFile C:\AutopilotHashes.csv

Then import the CSV in Intune: Devices > Windows > Windows enrollment > Devices > Import.

Verification: Navigate to Devices > Windows > Windows enrollment > Devices in Intune. Your registered devices should appear with status "Unassigned" within 15 minutes of registration.
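
Before importing a bulk CSV, malformed rows can be caught locally. The following is an added example, not part of the original guide or of Microsoft's tooling: it checks the three columns Get-WindowsAutoPilotInfo writes, flags duplicate serial numbers and verifies that each hardware hash decodes as Base64. The function name Test-AutopilotRows and the sample rows are constructed for illustration.

```powershell
# Added example (not from the original page). Column names match the CSV written by
# Get-WindowsAutoPilotInfo; Test-AutopilotRows and the sample rows are constructed.
function Test-AutopilotRows {
    param([Parameter(Mandatory)] [object[]] $Rows)

    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $columns  = $Rows[0].PSObject.Properties.Name
    $missing  = @($required | Where-Object { $_ -notin $columns })
    if ($missing.Count -gt 0) { throw "Missing column(s): $($missing -join ', ')" }

    $seen = @{}
    foreach ($row in $Rows) {
        $serial   = "$($row.'Device Serial Number')".Trim()
        $hash     = "$($row.'Hardware Hash')".Trim()
        $problems = @()

        if (-not $serial)                   { $problems += 'empty serial number' }
        elseif ($seen.ContainsKey($serial)) { $problems += 'duplicate serial number' }
        else                                { $seen[$serial] = $true }

        # The hardware hash is Base64; a truncated or hand-edited value fails to decode.
        try {
            if ([Convert]::FromBase64String($hash).Length -eq 0) { $problems += 'empty hardware hash' }
        } catch {
            $problems += 'hardware hash is not valid Base64'
        }

        [pscustomobject]@{
            SerialNumber = $serial
            Valid        = ($problems.Count -eq 0)
            Problems     = $problems -join '; '
        }
    }
}

# Constructed sample: one good row, one duplicate serial, one corrupted hash.
$goodHash = [Convert]::ToBase64String([byte[]](1..48))
$sample = @"
Device Serial Number,Windows Product ID,Hardware Hash
ABC123456,,$goodHash
ABC123456,,$goodHash
XYZ000001,,not*base64*
"@ | ConvertFrom-Csv

Test-AutopilotRows -Rows $sample | Format-Table -AutoSize
# For a real export: Test-AutopilotRows -Rows (Import-Csv C:\AutopilotHashes.csv)
```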

04

Create Windows Autopilot Deployment Profile

The deployment profile defines how devices behave during the out-of-box experience (OOBE) and what settings are applied automatically.

In the Intune admin center, navigate to Devices > Windows > Windows enrollment > Deployment Profiles. Click Create profile > Windows PC.

Configure the Basics tab:

  • Name: Standard Autopilot Profile
  • Description: User-driven Entra ID joined deployment

On the Out-of-box experience (OOBE) tab, configure these critical settings:

  • Deployment mode: User-driven
  • Join to Microsoft Entra ID as: Microsoft Entra ID joined
  • Microsoft Software License Terms: Hide
  • Privacy settings: Hide
  • Hide change account options: Hide
  • User account type: Standard (not Administrator)
  • Allow White Glove OOBE: No (unless you need pre-provisioning)

Configure the device naming template:

CORP-%SERIAL%

This creates device names like "CORP-ABC123456". Available variables include %SERIAL%, %RAND:x% (random digits), and static text.

Enable Convert all targeted devices to Autopilot to automatically register devices that join your domain.

Verification: After saving, the profile appears in your deployment profiles list with status "Not assigned". The profile is ready for device assignment.

05

Configure Enrollment Status Page (ESP)

The Enrollment Status Page shows users the progress of device setup and prevents them from using the device before all policies and apps are installed.

Navigate to Devices > Windows > Windows enrollment > Enrollment Status Page. Click Create profile.

Configure the Settings tab:

  • Show app and profile installation progress: Yes
  • Show an error when installation takes longer than specified number of minutes: 60
  • Show custom message when time limit error occurs: "Setup is taking longer than expected. Please contact IT support."
  • Allow users to collect logs about installation errors: Yes
  • Only show page to devices provisioned by out-of-box experience (OOBE): Yes

Configure Device setup requirements:

  • Block device use until all apps and profiles are installed: Yes
  • Allow users to reset device if installation error occurs: Yes
  • Allow users to use device if installation error occurs: No
  • Block device use until these required apps are installed if they are assigned to the user/device: Select critical apps

Set User setup requirements similarly, focusing on user-assigned apps and policies.

Pro tip: Set realistic timeouts. Complex app installations can take 30-45 minutes. Monitor your deployment times and adjust accordingly.

Verification: The ESP profile appears in your list. You'll assign it to groups in the next step along with your deployment profile.

06

Assign Profiles to Device Groups

Profile assignment determines which devices receive your Autopilot configuration. Proper assignment ensures consistent deployment across your organization.

Return to your deployment profile: Devices > Windows > Windows enrollment > Deployment Profiles. Select your profile and click Assignments.

Click Add groups and select your "Autopilot Devices" dynamic group created earlier. Set the assignment type to Include.

For the Enrollment Status Page, navigate to Devices > Windows > Windows enrollment > Enrollment Status Page. Select your ESP profile and assign it to the same device group.

You can also assign ESP profiles to user groups if you want different experiences based on user roles:

  • IT Staff: Shorter timeouts, more technical error messages
  • Standard Users: Longer timeouts, simplified messages
  • Executives: Priority app installation, minimal blocking

Warning: Profile changes only apply to devices that are reset or newly deployed. Existing enrolled devices won't receive profile updates until they're reset.

Verification: Check the assignment status shows "Success" and displays the number of targeted devices. The dynamic group should populate with your registered Autopilot devices within 30 minutes.

07

Configure Essential Device Policies and Apps

Before deploying devices, configure the core policies and applications that should be installed during Autopilot. This ensures devices are fully configured when users receive them.

Create Configuration Profiles:

Navigate to Devices > Configuration profiles > Create profile. Create these essential profiles:

1. Wi-Fi Profile (if needed):

  • Platform: Windows 10 and later
  • Profile type: Wi-Fi
  • Configure your corporate Wi-Fi settings including SSID, security type, and certificates

2. BitLocker Encryption:

  • Platform: Windows 10 and later
  • Profile type: Endpoint protection
  • Configure BitLocker settings under Windows Encryption

3. Windows Update Ring:

  • Navigate to Devices > Windows > Windows 10 and later updates > Update rings
  • Create a ring with your preferred update schedule (e.g., defer feature updates by 30 days)

Deploy Essential Applications:

Navigate to Apps > All apps > Add. Add these critical apps:

  • Microsoft 365 Apps: Use the built-in app suite
  • Company Portal: Required for user self-service
  • Security software: Microsoft Defender or third-party antivirus

For each app, set the assignment to Required for your Autopilot device group. This ensures apps install during ESP.

Verification: Check that all profiles and apps show "Assignment successful" status. Test with a pilot device to confirm installation order and timing.

08

Test Autopilot Deployment with Pilot Device

Testing validates your configuration before full deployment. A proper test catches configuration issues that could affect hundreds of devices.

Prepare Test Device:

Reset a registered Autopilot device to factory settings. On Windows 11, go to Settings > System > Recovery > Reset this PC > Remove everything. Choose "Remove files and clean the drive" for a complete reset.

Monitor the OOBE Process:

Boot the device and connect to the internet. The Autopilot process should begin automatically:

  1. Initial Setup: Device downloads and applies updates
  2. Autopilot Detection: "Setting up for work or school" appears
  3. Device Rename: Device renames according to your template and reboots
  4. User Sign-in: User enters Entra ID credentials
  5. ESP Phase: Enrollment Status Page shows progress
  6. Desktop: User reaches desktop with all apps and policies applied

Verify Deployment Success:

After deployment completes, verify these items on the device:

# Check Entra ID join status
dsregcmd /status

# Verify Intune enrollment
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Enrollments"

# Check installed apps (lists Appx packages only; Click-to-Run installs of Microsoft 365 Apps are not Appx packages)
Get-AppxPackage | Where-Object {$_.Name -like "*Microsoft.Office*"}

# Verify BitLocker status
manage-bde -status

In the Intune admin center, check Devices > All devices to confirm the device appears with correct compliance status.

Pro tip: Document the exact timing of each phase during your test. This helps set realistic expectations for users and troubleshoot slow deployments.

Verification: The test device should complete deployment in 15-45 minutes depending on app complexity. All assigned policies and apps should be installed and functional.
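
The manual checks in this step can be turned into a repeatable pass/fail report for each pilot device. This added example (not from the original guide) parses dsregcmd /status text and checks join state, MDM enrollment and the CORP- naming template from step 04. The function names and the sample output are constructed, and the 15-character check reflects the Windows computer-name limit.

```powershell
# Added example (not from the original page). ConvertFrom-DsregStatus, Test-AutopilotJoin
# and the sample text are constructed; field names are those printed by dsregcmd /status.
function ConvertFrom-DsregStatus {
    param([string[]] $Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Lines look like "   AzureAdJoined : YES"; the key never contains a colon.
        if ($line -match '^\s*(?<key>[^:]+?)\s+:\s*(?<value>.*)$') {
            $fields[$Matches.key.Trim()] = $Matches.value.Trim()
        }
    }
    $fields
}

function Test-AutopilotJoin {
    param(
        [Parameter(Mandatory)] [hashtable] $Dsreg,
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $NamePrefix = 'CORP-'   # prefix from the naming template in step 04
    )
    $checks = [ordered]@{
        'Entra ID joined (AzureAdJoined = YES)' = ($Dsreg['AzureAdJoined'] -eq 'YES')
        'Not on-premises domain joined'         = ($Dsreg['DomainJoined'] -eq 'NO')
        'MDM enrollment URL present'            = (-not [string]::IsNullOrWhiteSpace($Dsreg['MdmUrl']))
        "Name starts with $NamePrefix"          = ($ComputerName.StartsWith($NamePrefix, [StringComparison]::OrdinalIgnoreCase))
        'Name fits the 15-character limit'      = ($ComputerName.Length -le 15)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = $checks[$name] }
    }
}

# Constructed sample in the layout dsregcmd /status prints (values are placeholders).
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

Test-AutopilotJoin -Dsreg (ConvertFrom-DsregStatus $sample) -ComputerName 'CORP-ABC123456' |
    Format-Table -AutoSize
# On the pilot device, pass live data instead:
#   Test-AutopilotJoin -Dsreg (ConvertFrom-DsregStatus (dsregcmd /status)) -ComputerName $env:COMPUTERNAME
```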

09

Monitor and Troubleshoot Deployments

Ongoing monitoring ensures successful deployments and helps identify issues before they affect multiple devices.

Monitor Autopilot Deployments:

In the Intune admin center, use these monitoring locations:

  • Devices > Monitor > Enrollment failures: Shows devices that failed during enrollment
  • Devices > Windows > Windows enrollment > Devices: Lists all Autopilot devices and their assignment status
  • Reports > Device enrollment: Provides detailed enrollment analytics

Common Issues and Solutions:

1. Device Not Detecting Autopilot Profile:

  • Verify device is registered: Check hardware hash in device list
  • Confirm profile assignment: Ensure device is in assigned group
  • Check internet connectivity during OOBE

2. ESP Timeout Errors:

  • Increase timeout values in ESP profile
  • Remove non-critical apps from required installation list
  • Check app deployment logs for specific failures

3. Profile Changes Not Applying:

  • Reset device completely - profile changes require fresh deployment
  • Verify group membership and assignment scope
  • Check for conflicting profiles

Collect Diagnostic Information:

For failed deployments, collect these logs:

# Export Autopilot diagnostics
mdmdiagnosticstool.exe -area Autopilot -cab C:\AutopilotDiag.cab

# Check event logs from the last two hours (filtered at the source instead of in the pipeline)
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"; StartTime = (Get-Date).AddHours(-2) }

Verification: Establish baseline metrics for successful deployments (target: 95% success rate, average deployment time under 30 minutes). Monitor these metrics weekly and investigate trends.

Frequently Asked Questions

What's the difference between Windows Autopilot user-driven and self-deploying modes?
User-driven mode requires the end user to sign in with their Entra ID credentials during setup, making it ideal for personal work devices. Self-deploying mode automatically configures devices without user interaction, perfect for shared devices, kiosks, or devices that will be assigned later. User-driven mode is more common and provides better security through user authentication, while self-deploying mode offers true zero-touch deployment for specific scenarios.

Can I use Windows Autopilot with existing devices that are already domain-joined?
Yes, but existing domain-joined devices must be reset to factory settings and removed from the on-premises domain before Autopilot can take effect. The device needs to go through the out-of-box experience (OOBE) to detect and apply the Autopilot profile. You can capture the hardware hash before resetting, register it in Intune, then reset the device to begin the Autopilot process. This makes it suitable for device refresh scenarios.

How long does a typical Windows Autopilot deployment take from start to finish?
A standard Autopilot deployment typically takes 15-45 minutes depending on several factors: internet connection speed, number of applications being installed, complexity of configuration policies, and device hardware performance. The initial Windows updates and Autopilot profile detection usually take 5-10 minutes, user sign-in and Entra ID join another 2-3 minutes, and the Enrollment Status Page phase can range from 10-30 minutes based on your app and policy requirements.

What happens if a device loses internet connection during Autopilot deployment?
If internet connectivity is lost during deployment, the Autopilot process will pause and wait for connection to resume. The device will display a network troubleshooting page allowing users to reconnect to Wi-Fi or use Ethernet. Once connectivity is restored, the deployment continues from where it left off. However, if the connection is lost during critical phases like Entra ID join or initial policy download, the device may need to be reset and restarted through the process.

Do I need different Autopilot profiles for different device types or user roles?
While you can use a single profile for all devices, creating multiple profiles provides better control and user experience. Consider separate profiles for different scenarios: executives might need faster deployment with fewer restrictions, IT staff could have administrative rights enabled, and shared devices might use self-deploying mode. You can also create profiles based on device types (laptops vs tablets) or departments (sales vs engineering) to apply role-specific applications and policies during deployment.

Written by Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
