MS Intune
Windows Autopilot deployment guide or setup guide
Here’s a step-by-step Windows Autopilot deployment/setup guide using Microsoft Intune, suitable for new and existing Windows devices. This process automates device provisioning and configuration, ensuring a streamlined experience for both IT and end users.
Prerequisites
· Supported Windows OS: Windows 11/10 Pro, Pro Education, Pro for Workstations, Enterprise, Education (not LTSC/LTSB).
· Licenses: Microsoft Intune (Microsoft 365 Business Premium, E3/E5, EMS, or equivalent), Azure AD Premium.
· Network: Devices must access the internet and the required Microsoft service URLs/ports (HTTP, HTTPS, NTP, DNS, etc.).
· Azure AD/Intune configured: Setup is required for device management and deployment[1][2].
High-Level Deployment Steps
1. Verify Requirements
· Ensure devices meet the Windows version and licensing requirements.
· Confirm network access and Intune/Azure AD licensing.
2. Register Devices for Autopilot
· Use a PowerShell script to collect the device’s hardware ID (HWID) and serial number.
· Export this information as a .CSV file.
· In the Microsoft Intune admin center, go to Devices > Device enrollment > Windows enrollment > Windows Autopilot Deployment Program > Devices, and import your CSV file.
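The following is an added example, not a script from this guide or from Microsoft: it collects the hardware hash and serial number of the local device with the same WMI/CIM classes the Get-WindowsAutopilotInfo script reads, and writes them in the CSV layout the Intune Autopilot device import expects. Run it in an elevated PowerShell session on the device itself. The output path and the group tag are assumed placeholder values.

```powershell
# Added example (not from the guide): collect the Autopilot hardware hash and
# serial number of this device and write a CSV ready for import into Intune.
# Run elevated on the device (for example from OOBE via Shift+F10).
param(
    [string]$OutputFile = "$env:USERPROFILE\Desktop\AutopilotHWID.csv",  # assumed path
    [string]$GroupTag   = ""                                             # optional, e.g. "Finance"
)

# Serial number as reported by the SMBIOS table.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# The hardware hash is exposed by the MDM bridge WMI provider.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash = $devDetail.DeviceHardwareData

# An empty hash usually means the session is not elevated or the MDM bridge is
# unavailable on this edition; stop rather than import a useless row.
if ([string]::IsNullOrWhiteSpace($hash)) {
    throw "No hardware hash returned. Run elevated on a supported Windows edition."
}
if ([string]::IsNullOrWhiteSpace($serial)) {
    throw "No serial number returned from Win32_BIOS."
}

# Intune CSV import layout: header row exactly as below, one device per line,
# no quoting. "Windows Product ID" may be left empty; "Group Tag" is optional.
# Keep the same set of columns for every row appended to one file.
$header = 'Device Serial Number,Windows Product ID,Hardware Hash'
$row    = "$serial,,$hash"
if ($GroupTag -ne "") {
    $header += ',Group Tag'
    $row    += ",$GroupTag"
}

# Append to an existing file (its header already present) so several devices
# can be collected into one CSV; otherwise create the file with the header.
if (Test-Path $OutputFile) {
    Add-Content -Path $OutputFile -Value $row -Encoding ascii
} else {
    Set-Content -Path $OutputFile -Value @($header, $row) -Encoding ascii
}

Write-Host "Wrote $serial to $OutputFile (hash length: $($hash.Length) characters)"
```

Copy the resulting file off the device and import it at the Autopilot Devices page named in the step above; a row whose hash column is empty or truncated is rejected by the import, which is why the script refuses to write one.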
3. Group Devices for Deployment
· In Azure AD, create a dynamic device group for Autopilot using the rule:
(device.devicePhysicalIDs -any _ -contains "[ZTDId]")
· This ensures only registered Autopilot devices are included.
3.A. How to Create a Dynamic Device Group in Azure AD
· Sign in to the Microsoft Intune admin center (or Microsoft Entra admin center).
· In the left menu, go to Groups.
· Click on New group.
· For Group type, choose Security.
· Give your group a name (like “Autopilot Devices”).
· For Membership type, choose Dynamic Device.
· Click Add dynamic query.
· In the rules editor, choose Edit and then Advanced rule.
· Paste the following rule into the box:
(device.devicePhysicalIDs -any _ -contains "[ZTDId]")
· Click Save, then Create.
What Happens Next?
· Any device you upload/register for Autopilot (using its hardware ID or via a vendor) will automatically join this group.
· You can then assign your Autopilot deployment profile (or other policies/apps) to this group, and it will always stay up-to-date.
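As an added example (not part of the guide, and not Microsoft's own tooling), the same dynamic group can be created from the Microsoft Graph PowerShell SDK, which is easier to repeat across tenants and to review than portal clicks. It assumes the Microsoft.Graph.Groups module is installed and the signed-in admin holds Group.ReadWrite.All; the group name, description and mail nickname are assumed values. The rule is the guide's ZTDId rule written with the explicit lambda parentheses used in Microsoft's documentation.

```powershell
# Added example (not from the guide): create the Autopilot dynamic device group
# through Microsoft Graph and confirm that rule processing is actually on.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

$displayName = 'Autopilot Devices'   # assumed name
# Every device registered with Autopilot carries a [ZTDId] physical id.
$rule = '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'
# To scope a group to one group tag instead, use the OrderID form, e.g.:
#   (device.devicePhysicalIds -any (_ -eq "[OrderID]:Finance"))

# Create the group only if it does not already exist, so re-runs are safe.
$existing = Get-MgGroup -Filter "displayName eq '$displayName'"
if ($existing) {
    Write-Host "Group '$displayName' already exists ($($existing.Id))."
    $group = $existing
} else {
    $group = New-MgGroup -DisplayName $displayName `
        -Description 'All devices registered with Windows Autopilot' `
        -MailEnabled:$false -MailNickname 'autopilotdevices' `
        -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
    Write-Host "Created group $($group.Id)."
}

# A dynamic group whose processing state is 'Paused' never gains members, and
# the Autopilot profile assigned to it would silently reach nobody.
$check = Get-MgGroup -GroupId $group.Id `
    -Property 'id,displayName,membershipRule,membershipRuleProcessingState'
if ($check.MembershipRuleProcessingState -ne 'On') {
    throw "Dynamic membership processing is '$($check.MembershipRuleProcessingState)', expected 'On'."
}
Write-Host "Rule in effect: $($check.MembershipRule)"

# Membership is evaluated asynchronously; list current members to confirm that
# registered Autopilot devices have been picked up before assigning the profile.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

Because membership evaluation runs in the background, a freshly created group can legitimately be empty for some minutes after devices are imported; re-run the member listing rather than assuming the rule is wrong.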
4. Create and Assign Autopilot Deployment Profile
· In Intune, navigate to Devices > Windows > Windows enrollment > Deployment Profiles.
· Select Create Profile > Windows PC.
· Configure the profile settings:
o Deployment mode (e.g., User Driven)
o Join to Azure AD (typically “Azure AD joined”)
o Hide license terms, privacy settings, etc.
o User account type (Standard/Admin)
o Assign the profile to your dynamic device group
5. Configure Enrollment Status Page (ESP)
· In Intune, set up the ESP: Windows enrollment > Enrollment Status Page.
· Choose "All users and all devices" (recommended) and customize the available ESP settings.
· This shows the progress of app/profile assignments during device setup.
6. Brand and Customize OOBE
· In Azure AD, configure company branding (logos, colors, sign-in page details).
· This enhances the out-of-box experience for end users.
7. Enable Automatic Enrollment (MDM)
· In Azure AD: Mobility (MDM and MAM) > Microsoft Intune.
· Set the MDM user scope to All or a targeted group.
8. Test the Enrollment Process
· Connect a registered device to the internet and power it on.
· The device will start OOBE, prompt for Azure AD credentials, and apply all assigned policies/apps through Autopilot.
· On success, the device is fully managed through Intune and visible in the admin portal.
Additional Resources
· Advanced scenarios: Integrating with Microsoft Configuration Manager (SCCM/MECM), hybrid Azure AD join, deploying with pre-installed JSON profiles, etc. These are available for complex or hybrid environments.
· Detailed Microsoft Docs: For every step and advanced configurations, consult the official Microsoft docs and linked resources for troubleshooting and detailed workflow explanations.
Key Tips
· Always test the process on a non-production device or VM before rolling out broadly.
· Regularly monitor device assignment/status in the Intune portal to ensure profiles deploy correctly (the profile should show as “Assigned” before the device is shipped to the user).
· Keep an updated list of MAC addresses/hardware IDs and device group memberships to avoid deployment delays.
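The "Assigned" check in the second tip can be scripted so that a shipping queue is never released with an unassigned device. The block below is an added example (not from the guide): it pulls every registered Autopilot device identity through Microsoft Graph and flags those whose deployment profile is not in an assigned state. It assumes the Microsoft.Graph.DeviceManagement.Enrollment module and the DeviceManagementServiceConfig.Read.All permission; the export path is an assumed placeholder.

```powershell
# Added example (not from the guide): report registered Autopilot devices that
# do not yet have a deployment profile assigned, before any device is shipped.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

$devices = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All

# The service reports states such as assignedInSync, assignedOutOfSync,
# notAssigned, pending and failed. Only the "assigned*" states mean the device
# will receive the profile during OOBE.
$report = foreach ($d in $devices) {
    $status = [string]$d.DeploymentProfileAssignmentStatus
    [pscustomobject]@{
        SerialNumber  = $d.SerialNumber
        Manufacturer  = $d.Manufacturer
        Model         = $d.Model
        GroupTag      = $d.GroupTag
        ProfileStatus = $status
        Ready         = $status -like 'assigned*'
        LastContact   = $d.LastContactedDateTime
    }
}

$notReady = @($report | Where-Object { -not $_.Ready })

$report | Sort-Object Ready, SerialNumber | Format-Table -AutoSize
Write-Host ("{0} of {1} Autopilot devices have a profile assigned." -f `
    (@($report).Count - $notReady.Count), @($report).Count)

if ($notReady.Count -gt 0) {
    # Typical causes: the device is not yet a member of the dynamic group, the
    # profile is not assigned to that group, or the Autopilot service is still
    # syncing (this can take minutes to hours after import).
    $exportPath = "$env:TEMP\autopilot-not-assigned.csv"   # assumed path
    $notReady | Export-Csv -Path $exportPath -NoTypeInformation
    Write-Warning "$($notReady.Count) device(s) are not ready; see $exportPath"
}
```

Running this on a schedule and alerting on a non-empty export turns the manual portal check into a gate: a serial number that stays in pending or notAssigned for longer than the usual sync window is the one to investigate (group membership first, then profile assignment) before it reaches the user.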