Intune's Autopilot automates the configuration and setup of new devices, allowing users to start working with pre-configured settings, applications, and security policies as soon as they power on their device.
In this blog, we'll walk through how Microsoft Intune Autopilot works and how to configure it. Let's get started.
Dynamic Group for Deployment Profile
From within Intune, browse to Groups and then click on New Group.
To ensure that every newly registered device is associated with Autopilot automatically, you first need to create a dynamic Entra ID (Azure AD) security group.
Edit the dynamic query, paste the following membership rule and save:
(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))
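As an added example (not part of the original post), the same group can be created and checked with the Microsoft Graph PowerShell SDK instead of the portal. This also lets you confirm that the rule stored on the group is exactly the one above, and count how many devices currently carry the [ZTDId] physical ID that Autopilot registration adds, which is what the rule matches. The group display name, mail nickname and the Graph permission scopes are assumptions chosen for this example.

```powershell
# Added example, not code from the original post.
# Assumes the Microsoft.Graph module is installed and the signed-in account
# holds the Group.ReadWrite.All and Device.Read.All scopes.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

$groupName = 'Windows Autopilot Devices'   # assumed display name
$nickname  = 'autopilotdevices'            # assumed mail nickname (must be unique in the tenant)
$rule      = '(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))'

# Create the dynamic security group only if it does not exist yet, so the
# script can be re-run safely.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -MailEnabled:$false -MailNickname $nickname -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
    "Created group $($group.Id)"
}

# Read the rule back and make sure it is the one we intended and that
# membership processing is switched on (a paused rule silently adds nobody).
$stored = Get-MgGroup -GroupId $group.Id `
    -Property 'Id', 'DisplayName', 'MembershipRule', 'MembershipRuleProcessingState'
if ($stored.MembershipRule -ne $rule) {
    Write-Warning "Stored rule differs from expected: $($stored.MembershipRule)"
}
if ($stored.MembershipRuleProcessingState -ne 'On') {
    Write-Warning "Membership rule processing is '$($stored.MembershipRuleProcessingState)', not 'On'"
}

# Every Autopilot-registered device carries a physical ID beginning with
# [ZTDId]; count them client-side to see what the rule should pick up.
$autopilotDevices = @(Get-MgDevice -All | Where-Object { $_.PhysicalIds -match '^\[ZTDId\]' })
"$($autopilotDevices.Count) device(s) carry a [ZTDId] physical ID"

# Dynamic membership is evaluated asynchronously, so the member count may
# lag the device count for a few minutes after a new registration.
$members = @(Get-MgGroupMember -GroupId $group.Id -All)
"$($members.Count) member(s) currently in '$groupName'"
```

Run it from an administrator's workstation, not from the device being enrolled; if the two counts still differ after the service has had time to process the rule, the mismatch is the first thing to check before assuming a deployment profile problem.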
Enrollment Configuration
From within Intune, browse to Devices, Windows, then Enrollment.
Device Platform Restrictions
Intune Device Platform Restrictions control which types of device can access organizational resources based on their platform (e.g., Windows, iOS, Android, macOS). This helps security by limiting enrollment to approved device types and blocking untrusted or unsupported platforms.
This step isn't necessary for Autopilot to work, as the default is to allow all devices; however, we will block personally owned Windows devices.
Click the 'All Users' link.
Change 'Personally owned devices' for Windows (MDM) to Block.
Deployment Profiles
Autopilot deployment profiles in Microsoft Intune are configuration templates that define how new devices are set up and managed during the out-of-box experience (OOBE). These profiles allow automated and customizable deployment processes, specifying settings such as the Entra ID (Azure AD) join type and whether the deployment is user-driven or self-deploying.
Navigate to Deployment Profiles within the Enrollment tab, then select Create Profile.
Provide a name and select Yes for 'Convert all targeted devices to Autopilot'; this registers with Autopilot any existing Entra devices that are not yet Autopilot devices once they are members of the group assigned to the profile.
Select User-Driven and any other settings relevant to your environment.
Assign the Windows Autopilot group created earlier and then save the changes.
That covers the basics of configuring auto enrollment. I'll skip the Enrollment Status Page for now, as it's not essential for this introductory guide.
Enrollment of a Device
For the purposes of this blog, Windows 11 23H2 has been installed on a Hyper-V virtual machine, and setup has been advanced to the Region selection page.
Press Shift + F10 to open an administrative Command Prompt.
Type the following commands to switch to PowerShell, download the Get-WindowsAutoPilotInfo script and register the device:
powershell
# Download the Get-WindowsAutoPilotInfo script from the PowerShell Gallery
Install-Script -Name Get-WindowsAutoPilotInfo
# Allow the downloaded script to run; -Scope Process limits the bypass to this session
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
# Collect the hardware hash and upload it directly to the tenant
Get-WindowsAutoPilotInfo -Online
Enter your Azure (Entra ID) credentials to register the device.
Accept the permissions request.
Wait while the device completes the registration.
Go back to Windows Autopilot devices under the Devices section and verify that the device has been successfully registered.
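As an added example rather than a step from the post, the same check can be done from an administrator's workstation with the Microsoft Graph PowerShell SDK: look the device up by serial number in the Autopilot device list and read whether the deployment profile has been assigned to it yet. The serial number and the permission scope used here are assumptions for the example.

```powershell
# Added example, not code from the original post.
# Assumes the Microsoft.Graph module is installed and the signed-in account
# holds the DeviceManagementServiceConfig.Read.All scope.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

# Assumed serial; on the device itself it can be read with:
#   (Get-CimInstance Win32_BIOS).SerialNumber
$serial = 'EXAMPLE-SERIAL-0001'

# The Autopilot identity list is small enough to filter client-side.
$dev = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
       Where-Object { $_.SerialNumber -eq $serial }

if (-not $dev) {
    Write-Warning "No Autopilot identity found for serial $serial; the upload may still be processing."
    return
}

# Summarise the fields that matter for troubleshooting enrollment.
[pscustomobject]@{
    Serial          = $dev.SerialNumber
    Manufacturer    = $dev.Manufacturer
    Model           = $dev.Model
    EntraDeviceId   = $dev.AzureActiveDirectoryDeviceId
    GroupTag        = $dev.GroupTag
    ProfileStatus   = $dev.DeploymentProfileAssignmentStatus
    EnrollmentState = $dev.EnrollmentState
    LastContacted   = $dev.LastContactedDateTime
}

# A ProfileStatus of assignedInSync means the deployment profile has reached
# the device record; notAssigned usually means the dynamic group has not yet
# picked the device up, so the profile assignment has nothing to target.
if ($dev.DeploymentProfileAssignmentStatus -ne 'assignedInSync') {
    Write-Warning "Profile status is '$($dev.DeploymentProfileAssignmentStatus)'; wait for group membership to update before restarting the device."
}
```

Restarting the device before the status reaches assignedInSync is the most common reason the OOBE falls through to a plain consumer setup instead of the Autopilot flow, so this check is worth running between the registration step and the restart.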
Restart the device, which will then connect to Intune and retrieve the assigned policies.
Enter your Azure credentials.
Once the device is ready, log in; after a brief wait, any assigned applications will begin to install.
That wraps up this quick configuration guide for Intune Autopilot.