Prerequisites: Windows 10 v1703+, Azure AD Joined or Hybrid Azure AD Joined, Microsoft Intune + Azure AD Premium licenses, internet during OOBE, OEM supports Autopilot.
01
Enable Autopilot in Intune
Log in to endpoint.microsoft.com → Devices → Windows → Windows Enrollment → Autopilot → Devices. Import the hardware hash CSV file.
02
Obtain Device Hardware Hash
Run the script below on each device (or use OEM export). Upload the generated CSV to the Intune portal.
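# Run from an elevated PowerShell prompt; the output folder must exist before the export
New-Item -ItemType Directory -Path C:\HWID -Force | Out-Null
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile C:\HWID\DeviceID.csv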
03
Create a Deployment Profile
Navigate to Windows Enrollment → Deployment Profiles → Create Profile. Set Platform: Windows PC, Type: User-Driven. Enable 'Convert all targeted devices to Autopilot'. Optionally skip privacy settings and EULA.
04
Assign Profile to Devices
Navigate to Windows Enrollment → Devices. Select the imported devices → Assign Profile → choose the deployment profile created above.
05
Create a Dynamic Azure AD Group
Azure AD → Groups → New Group → Dynamic Device. Use the rule below to automatically include all registered Autopilot devices.
(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
06
Assign Apps & Policies
Intune → Apps → Windows → Assign required apps to the Autopilot group. Also assign Configuration Profiles (Wi-Fi, restrictions, compliance rules) targeting the same group.
07
User Enrollment Process
Device is delivered with factory-installed Windows. On first boot with internet, it pulls the Autopilot profile, auto-enrolls into Intune, configures all settings, and is ready for the user — with zero IT involvement.
Pro tip: Use the Enrollment Status Page (ESP) profile to block the user from accessing the desktop until all critical apps and policies have applied — preventing support calls from users on half-configured devices.