Enroll Windows devices in Intune by using Windows Autopilot
The Windows Autopilot simplifies enrolling devices in Intune. Building and maintaining customized operating system images is a time-consuming process. You might also spend time applying these custom operating system images to new devices to prepare them for use before giving them to your end users. With Microsoft Intune and Autopilot, you can give new devices to your end users without the need to build, maintain, and apply custom operating system images to the devices. When you use Intune to manage Autopilot devices, you can manage policies, profiles, apps, and more after they're enrolled. For an overview of benefits, scenarios, and prerequisites, see Overview of Windows Autopilot.
There are four types of Autopilot deployment:
- Self Deploying Mode for kiosks, digital signage, or a shared device
- White Glove enables partners or IT staff to pre-provision a Windows 10 PC so that it's fully configured and business-ready
- Autopilot for existing devices enables you to easily deploy the latest version of Windows 10 to your existing devices
- User Driven Mode for traditional users.
This article explains how to set up Autopilot for Windows PC. For more information about Autopilot and Hololens, see Windows Autopilot for HoloLens 2.
- Intune subscription
- Windows automatic enrollment enabled
- Azure Active Directory Premium subscription
How to get the CSV for Import in Intune
For more information, see the understanding PowerShell cmdlet.
You can add Windows Autopilot devices by importing a CSV file with their information.
In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program > Import.
Under Add Windows Autopilot devices, browse to a CSV file listing the devices that you want to add. The CSV file should list the serial numbers, Windows product IDs, hardware hashes, optional group tags, and optional assigned user. You can have up to 500 rows in the list. For information about how to get device information, see Adding devices to Windows Autopilot. Use the header and line format shown below:
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User
When you use CSV upload to assign a user, make sure that you assign valid UPNs. If you assign an invalid UPN (incorrect username), your device may be inaccessible until you remove the invalid assignment. During CSV upload the only validation we perform on the Assigned User column is to check that the domain name is valid. We're unable to perform individual UPN validation to ensure that you're assigning an existing or correct user.
Choose Import to start importing the device information. Importing can take several minutes.
After import is complete, choose Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program > Sync. A message displays that the synchronization is in progress. The process might take a few minutes to complete, depending on how many devices are being synchronized.
Refresh the view to see the new devices.
Create an Autopilot device group
In the Microsoft Endpoint Manager admin center, choose Groups > New group.
In the Group blade:
- For Group type, choose Security.
- Type a Group name and Group description.
- For Membership type, choose either Assigned or Dynamic Device.
If you chose Assigned for Membership type in the previous step, then in the Group blade, choose Members and add Autopilot devices to the group. Autopilot devices that aren't yet enrolled are devices where the name equals the serial number of the device.
If you chose Dynamic Devices for Membership type above, then in the Group blade, choose Dynamic device members and type any of the following code in the Advanced rule box. Only Autopilot devices are gathered by these rules, because they target attributes that are only possessed by Autopilot devices. Creating a group based off non-autopilot attributes won't guarantee that devices included in the group are actually registered to Autopilot.
- If you want to create a group that includes all of your Autopilot devices, type:
(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
- Intune's group tag field maps to the OrderID attribute on Azure AD devices. If you want to create a group that includes all of your Autopilot devices with a specific group tag (the Azure AD device OrderID), you must type:
(device.devicePhysicalIds -any (_ -eq "[OrderID]:179887111881"))
- If you want to create a group that includes all of your Autopilot devices with a specific Purchase Order ID, type:
(device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:76222342342"))
After adding the Advanced rule code, choose Save.
- If you want to create a group that includes all of your Autopilot devices, type:
Create an Autopilot deployment profile
Autopilot deployment profiles are used to configure the Autopilot devices. You can create up to 350 profiles per tenant.
In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Deployment Profiles > Create Profile > Windows PC or HoloLens. This article explains how to set up Autopilot for Windows PC. For more information about Autopilot and Hololens, see Windows Autopilot for HoloLens 2.
On the Basics page, type a Name and optional Description.
If you want all devices in the assigned groups to automatically convert to Autopilot, set Convert all targeted devices to Autopilot to Yes. All corporate owned, non-Autopilot devices in assigned groups will register with the Autopilot deployment service. Personally owned devices will not be converted to Autopilot. Allow 48 hours for the registration to be processed. When the device is unenrolled and reset, Autopilot will enroll it. After a device is registered in this way, disabling this option or removing the profile assignment won't remove the device from the Autopilot deployment service. You must instead remove the device directly.
On the Out-of-box experience (OOBE) page, for Deployment mode, choose one of these two options:
- User-driven: Devices with this profile are associated with the user enrolling the device. User credentials are required to enroll the device.
- Self-deploying (preview): (requires Windows 10, version 1809 or later) Devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to enroll the device. When a device has no user associated with it, user-based compliance policies don't apply to it. When using self-deploying mode, only compliance policies targeting the device will be applied.
Options that appear dimmed or shaded are currently not supported by the selected deployment mode.
In the Join to Azure AD as box, choose Azure AD joined.
Configure the following options:
- End-user license agreement (EULA): (Windows 10, version 1709 or later) Choose if you want to show the EULA to users.
- Privacy settings: Choose if you want to show privacy settings to users.
The default value for the Diagnostic Data setting varies between Windows versions. For devices running Windows 10, version 1903, the default value is set to Full during the out-of-box experience. For more information, see Windows Diagnostics Data
- Hide change account options (requires Windows 10, version 1809 or later): Choose Hide to prevent change account options from displaying on the company sign-in and domain error pages. This option requires company branding to be configured in Azure Active Directory.
- User account type: Choose the user's account type (Administrator or Standard user). We allow the user joining the device to be a local Administrator by adding them to the local Admin group. We don't enable the user as the default administrator on the device.
- Allow White Glove OOBE (requires Windows 10, version 1903 or later; additional physical requirements): Choose Yes to allow white glove support.
- Apply device name template (requires Windows 10, version 1809 or later, and Azure AD join type): Choose Yes to create a template to use when naming a device during enrollment. Names must be 15 characters or less, and can have letters, numbers, and hyphens. Names can't be all numbers. Use the %SERIAL% macro to add a hardware-specific serial number. Or, use the %RAND:x% macro to add a random string of numbers, where x equals the number of digits to add. You can only provide a pre-fix for hybrid devices in a domain join profile.
- Language (Region)*: Choose the language to use for the device. This option is only available if you chose Self-deploying for Deployment mode.
- Automatically configure keyboard*: If a Language (Region) is selected, choose Yes to skip the keyboard selection page. This option is only available if you chose Self-deploying for Deployment mode.
On the Scope tags page, optionally add the scope tags you want to apply to this profile. For more information about scope tags, see Use role-based access control and scope tags for distributed IT.
On the Assignments page, choose Selected groups for Assign to.
Choose Select groups to include, and choose the groups you want to include in this profile.
If you want to exclude any groups, choose Select groups to exclude, and choose the groups you want to exclude.
On the Review + Create page, choose Create to create the profile.
Intune will periodically check for new devices in the assigned groups, and then begin the process of assigning profiles to those devices. This process can take several minutes to complete. Before deploying a device, ensure that this process has completed. You can check under Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program where you should see the profile status change from "Unassigned" to "Assigning" and finally to "Assigned."
Edit an Autopilot deployment profile
After you've created an Autopilot deployment profile, you can edit certain parts of the deployment profile.
- In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Deployment profiles.
- Select the profile you would like to edit.
- Select Properties on the left to change the name or description of the deployment profile. Click Save after you make changes.
- Click Settings to make changes to the OOBE settings. Click Save after you make changes.
Changes to the profile are applied to devices assigned to that profile. However, the updated profile won't be applied to a device that has already enrolled in Intune until after the device is reset and reenrolled.
Edit Autopilot device attributes
After you've uploaded an Autopilot device, you can edit certain attributes of the device.
- In the Microsoft Endpoint Manager admin center,select Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program.
- Select the device you want to edit.
- In the pane on the right of the screen, you can edit the device name, group tag, or User Friendly Name (if you've assigned a user).
- Select Save.
Device names can be configured for all devices, but are ignored in Hybrid Azure AD joined deployments. Device name still comes from the domain join profile for Hybrid Azure AD devices.
Alerts for Windows Autopilot unassigned devices
Alerts will show how many Autopilot program devices don't have Autopilot deployment profiles. Use the information in the alert to create profiles and assign them to the unassigned devices. When you click the alert, you see a full list of Windows Autopilot devices and detailed information about them.
To see alerts for unassigned devices, in the Microsoft Endpoint Manager admin center, choose Devices > Overview > Enrollment alerts > Unassigned devices.
Autopilot deployments report
You can see details on each device deployed through Windows Autopilot. To see the report, go to the Microsoft Endpoint Manager admin center, choose Devices > Monitor > Autopilot deployments. The data is available for 30 days after deployment.
This report is in preview. Device deployment records are currently triggered only by new Intune enrollment events. This means that any deployment that doesn't trigger a new Intune enrollment will not be picked up by this report. This includes any kind of reset that maintains enrollment and the user portion of Autopilot White glove.
Assign a user to a specific Autopilot device
You can assign a user to a specific Autopilot device. This assignment pre-fills a user from Azure Active Directory in the company-branded sign-in page during Windows setup. It also lets you set a custom greeting name. It doesn't pre-fill or modify Windows sign-in. Only licensed Intune users can be assigned in this manner.
Prerequisites: Azure Active Directory Company Portal has been configured and Windows 10, version 1809 or later.
Assigning a user to a specific Autopilot device doesn't work if you are using ADFS.
In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program > choose the device > Assign user.
Choose an Azure user licensed to use Intune and choose Select.
In the User Friendly Name box, type a friendly name or just accept the default. This string is the friendly name that displays when the user signs in during Windows setup.
Delete Autopilot devices
You can delete Windows Autopilot devices that aren't enrolled into Intune:
- Delete the devices from Windows Autopilot at Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program. Choose the devices you want to delete, then choose Delete. Windows Autopilot device deletion can take a few minutes to complete.
Completely removing a device from your tenant requires you to delete the Intune device, the Azure Active Directory device, and the Windows Autopilot device records. This can all be done from Intune:
If the devices are enrolled in Intune, you must first delete them from the Intune All devices blade.
Delete the devices in Azure Active Directory devices at Devices > Azure AD devices.
Delete the devices from Windows Autopilot at Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program >. Choose the devices you want to delete, then choose Delete. Windows Autopilot device deletion can take a few minutes to complete.
Using Autopilot in other portals
If you aren't interested in mobile device management, you can use Autopilot in other portals. While using other portals is an option, we recommend you only use Intune to manage your Autopilot deployments. When you use Intune and another portal, Intune isn't able to:
- Display changes to profiles created in Intune, but edited in another portal
- Synchronize profiles created in another portal
- Display changes to profile assignments done in another portal
- Synchronize profile assignments done in another portal
- Display changes to the device list that were made in another portal
Windows Autopilot for existing devices
You can group Windows devices by a correlator ID when enrolling using Autopilot for existing devices through Configuration Manager. The correlator ID is a parameter of the Autopilot configuration file. The Azure AD device attribute enrollmentProfileName is automatically set to equal "OfflineAutopilotprofile-<correlator ID>". This allows arbitrary Azure AD dynamic groups to be created based off correlator ID by using the enrollmentprofileName attribute.
Because the correlator ID is not pre-listed in Intune, the device may report any correlator ID they want. If the user creates a correlator ID matching an Autopilot or Apple ADE profile name, the device will be added to any dynamic Azure AD device group based off the enrollmentProfileName attribute. To avoid this conflict:
- Always create dynamic group rules matching against the entire enrollmentProfileName value
- Never name Autopilot or Apple ADE profiles beginning with "OfflineAutopilotprofile-".
After you configure Windows Autopilot for registered Windows 10 devices, learn how to manage those devices. For more information, see What is Microsoft Intune device management?