Configure Autopilot profiles

After the device group is created, a Windows Autopilot deployment profile can be applied to each device in the group. Deployment profiles determine the deployment mode and customize the out-of-box experience (OOBE) for end users.

Autopilot profiles can be created via:

  1. Microsoft Admin Center
  2. Intune admin center
  3. Intune graph

For Intune managed devices, pre-provisioning, self-deploying, and co-management profiles can only be created and assigned in Intune.

Create an Autopilot deployment profile

Autopilot deployment profiles are used to configure the Autopilot devices. Up to 350 profiles can be created per tenant.

  1. In the Microsoft Intune admin center, choose Devices > Windows > Windows enrollment > Deployment Profiles > Create Profile > Windows PC or HoloLens. This article explains how to set up Autopilot for Windows PC. For more information about Autopilot and HoloLens, see Windows Autopilot for HoloLens 2.

  2. On the Basics page, type a Name and optional Description.

  3. If all devices in the assigned groups should automatically register to Autopilot, set Convert all targeted devices to Autopilot to Yes. All corporate owned, non-Autopilot devices in assigned groups register with the Autopilot deployment service. Personally owned devices aren't registered to Autopilot. Allow 48 hours for the registration to be processed. When the device is unenrolled and reset, Autopilot enrolls it again. After a device is registered in this way, disabling this setting or removing the profile assignment won't remove the device from the Autopilot deployment service. The device must instead be removed directly.

    Note

    Using the setting Convert all targeted devices to Autopilot doesn't automatically convert existing Microsoft Entra hybrid devices in the assigned group(s) into Microsoft Entra devices. The setting only registers the devices in the assigned group(s) for the Autopilot service.

  4. Select Next.

  5. On the Out-of-box experience (OOBE) page, for Deployment mode, choose one of these two options:

    • User-driven: Devices with this profile are associated with the user enrolling the device. User credentials are required to enroll the device.

    • Self-deploying: Devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to enroll the device. When a device has no user associated with it, user-based compliance policies don't apply to it. When self-deploying mode is used, only compliance policies targeting the device are applied.

    Note

    Options that are dimmed or shaded in the selected deployment mode aren't currently supported.

  6. In the Join to Azure AD as box, choose Azure AD joined.

  7. Configure the following options:

    • Microsoft Software License Terms: Choose whether or not to show the EULA to users.

    • Privacy settings: Choose whether or not to show privacy settings to users.

      Important

      The default value for the Diagnostic Data setting is set to Full during the out-of-box experience. For more information, see Windows Diagnostics Data.

    • Hide change account options: Choose Hide to prevent change account options from displaying on the company sign-in and domain error pages. This option requires company branding to be configured in Microsoft Entra ID.

    • User account type: Choose the user's account type (Administrator or Standard user). We allow the user joining the device to be a local Administrator by adding them to the local Admin group. We don't enable the user as the default administrator on the device.

    • Allow pre-provisioned deployment (Prerequisites): Choose Yes to allow pre-provisioning support.

      Note

      When setting Allow pre-provisioned deployment to No, it's still possible to press the Windows key five times during OOBE to invoke pre-provisioning and progress down that path. However, Intune enforces this setting and a pre-provisioning failure with error code 0x80180005 occurs.

    • Language (Region): Choose the language to use for the device. This option is available in all Deployment modes.

    • Automatically configure keyboard: If a Language (Region) is selected, choose Yes to skip the keyboard selection page. This option is available in all Deployment modes.

      Note

      Language and keyboard settings require Ethernet connectivity. Wi-Fi connectivity isn't supported because a language, locale, and keyboard must be chosen before that Wi-Fi connection can be made.

    • Apply device name template (requires Microsoft Entra join type): Choose Yes to create a template to use when naming a device during enrollment. Names must be 15 characters or less, and can have letters, numbers, and hyphens. Names can't be all numbers. Use the %SERIAL% macro to add a hardware-specific serial number. Or, use the %RAND:x% macro to add a random string of numbers, where x equals the number of digits to add. Only a prefix can be provided for hybrid devices in a domain join profile.

  8. Select Next.

  9. On the Assignments page, choose Selected groups for Assign to.

    Note

    When the assignment All Devices is used, exclusions aren't supported. Attempting to exclude groups while targeting to all devices can cause assignment problems and can require uploading device hashes again.

  10. Choose Select groups to include, and choose the groups to include in this profile.

  11. To exclude any groups, choose Select groups to exclude, and choose the groups to exclude.

    Note

    When the assignment All Devices is used, exclusions aren't supported. Attempting to exclude groups while targeting to all devices might cause assignment problems and might require uploading device hashes again.

  12. Select Next.

  13. On the Review + Create page, choose Create to create the profile.
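
The naming rules from the Apply device name template option in step 7 can be checked against real serial numbers before the profile is created. The following is an added example, not Microsoft's code: the serial numbers are constructed, and applying the rules to the fully expanded name is an assumption, since this article doesn't say how the service handles an expansion that breaks a rule.

```python
import re
import secrets

MAX_LEN = 15                                  # limit stated in this article
MACRO = re.compile(r"%SERIAL%|%RAND:(\d+)%")  # the two macros the article names
ALLOWED = re.compile(r"[A-Za-z0-9-]+")        # letters, numbers, and hyphens


def expand(template, serial):
    """Replace %SERIAL% with the serial and %RAND:x% with x random digits."""
    def sub(match):
        if match.group(0) == "%SERIAL%":
            return serial
        digits = int(match.group(1))
        return "".join(secrets.choice("0123456789") for _ in range(digits))
    return MACRO.sub(sub, template)


def check_template(template, serials):
    """Return {serial: [problems]} for each serial whose expanded name breaks a rule.

    Assumption: the rules are applied to the expanded name, not the raw template.
    """
    problems = {}
    for serial in serials:
        name = expand(template, serial)
        found = []
        if len(name) > MAX_LEN:
            found.append(f"{len(name)} characters, limit is {MAX_LEN}")
        if not ALLOWED.fullmatch(name):
            found.append("characters other than letters, numbers, hyphens")
        if re.fullmatch(r"[0-9]+", name):
            found.append("name is all numbers")
        if found:
            problems[serial] = found
    return problems


# Constructed serial numbers: two laptop-style, one numeric, one VM-style with spaces.
SAMPLE_SERIALS = ["PF2ABC12", "5CG1234XYZ", "1234567", "VM 56 4D"]

if __name__ == "__main__":
    for template in ("CORP-%SERIAL%", "LAPTOP-%SERIAL%", "%SERIAL%", "KIOSK-%RAND:5%"):
        print(template, check_template(template, SAMPLE_SERIALS))
```

Running it over an export of the serial numbers in the target group shows which devices would break a template before the profile is assigned.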

Note

Intune periodically checks for new devices in the assigned groups, and then begins the process of assigning profiles to those devices. Because several different factors are involved in Autopilot profile assignment, the estimated time for the assignment can vary from scenario to scenario. These factors can include Microsoft Entra ID groups, membership rules, hash of a device, Intune and Autopilot service, and internet connection. The assignment time varies depending on all the factors and variables involved in a specific scenario.

Before deploying a device, ensure that this process is complete. To check, go to Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program). The profile status changes from Unassigned to Assigning and finally to Assigned. Once the device shows Assigned, open the properties of the device by selecting it, and then ensure that Date assigned is populated. If Date assigned isn't yet populated, wait until it populates before deploying the device.

Edit an Autopilot deployment profile

After the Autopilot deployment profile is created, certain parts of the deployment profile can be edited.

  1. In the Microsoft Intune admin center, choose Devices > Windows > Windows enrollment > Deployment profiles.

  2. Select the profile to edit.

  3. Select Properties to change the name or description of the deployment profile. Select Save after making changes.

  4. Select Settings to make changes to the OOBE settings. Select Save after making changes.

    Note

    Changes to the profile are applied to devices assigned to that profile. However, the updated profile won't be applied to a device that is already enrolled in Intune until after the device is reset and enrolled again.

If a device is registered in Autopilot and a profile isn't assigned, it receives the default Autopilot profile. If a device shouldn't go through Autopilot, the Autopilot registration must be removed.

Alerts for Windows Autopilot unassigned devices

Alerts show how many Autopilot program devices don't have Autopilot deployment profiles. Use the information in the alert to create profiles and assign them to the unassigned devices. When an alert is selected, a full list of Windows Autopilot devices and detailed information about them is displayed.

To see alerts for unassigned devices, in the Microsoft Intune admin center, choose Devices > Overview > Enrollment alerts > Unassigned devices.

Autopilot profile priority

If a group is assigned to multiple Autopilot profiles, the device receives the oldest created profile to resolve the conflict. If no other profile is applicable to the device and there's a default profile (any Autopilot profile assigned to all devices), then the default profile is applied. If a device is assigned to a security group that isn't assigned to an Autopilot profile, then it receives the default profile targeted to all devices. To see when an Autopilot profile is created:

  1. Sign in to the Microsoft Intune admin center.

  2. In the Home screen, select Devices in the left-hand pane.

  3. In the Devices | Overview screen, under By platform, select Windows.

  4. In the Windows | Windows devices screen, select Windows enrollment.

  5. Under Windows Autopilot Deployment Program, select Deployment Profiles.

  6. In the Windows Autopilot deployment profiles screen, under Name, select the Autopilot profile name where the create date needs to be viewed.

  7. When the Windows Autopilot deployment profile screen opens, the date the Windows Autopilot deployment profile was created is displayed under Essentials and next to Created.
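
The priority rules in this section can be modelled to predict which profile a device receives and to list the devices that fall through to the default profile. The following is an added example, not Microsoft's code: the profiles, groups, and devices are constructed, group exclusions aren't modelled, and picking the oldest of several All Devices profiles is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Profile:
    name: str
    created: date                       # the Created date shown under Essentials
    groups: set = field(default_factory=set)
    all_devices: bool = False           # assigned to All Devices, so a default profile


def resolve(device_groups, profiles):
    """Return (profile, reason) for one device, following the rules in this section."""
    targeted = [p for p in profiles if p.groups & set(device_groups)]
    if targeted:
        # Several group-assigned profiles apply: the oldest created one wins.
        return min(targeted, key=lambda p: p.created), "group assignment"
    defaults = [p for p in profiles if p.all_devices]
    if defaults:
        # Assumption: with several All Devices profiles, the oldest is used.
        return min(defaults, key=lambda p: p.created), "default profile"
    return None, "no profile applies"


def on_default(devices, profiles):
    """Names of devices (name -> groups) that end up on the default profile."""
    return sorted(name for name, groups in devices.items()
                  if resolve(groups, profiles)[1] == "default profile")


# Constructed sample tenant.
PROFILES = [
    Profile("Kiosk self-deploying", date(2024, 3, 1), {"grp-kiosk"}),
    Profile("Standard user-driven", date(2023, 6, 15), {"grp-staff", "grp-kiosk"}),
    Profile("Tenant default", date(2022, 1, 10), all_devices=True),
]
DEVICES = {
    "KIOSK-01": ["grp-kiosk"],   # group is assigned to two profiles
    "LT-0042": ["grp-staff"],
    "LAB-7": ["grp-lab"],        # group isn't assigned to any profile
}

if __name__ == "__main__":
    for name, groups in DEVICES.items():
        profile, reason = resolve(groups, PROFILES)
        print(name, "->", profile.name if profile else None, f"({reason})")
    print("On default profile:", on_default(DEVICES, PROFILES))
```

In the sample, KIOSK-01 receives the older user-driven profile rather than the kiosk profile, which is the kind of conflict the Created date check above helps to find.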

Autopilot deployments report

Details on each device deployed through Windows Autopilot can be seen through a report. To see the report, go to the Microsoft Intune admin center, choose Devices > Monitor > Autopilot deployments. The data is available for 30 days after deployment.

This report is in preview. Only new Intune enrollment events trigger device deployment records. Deployments that don't trigger a new Intune enrollment don't appear in this report. This case includes any kind of reset that maintains enrollment and the user portion of Autopilot pre-provisioning.

Autopilot profile tutorials

The following articles are tutorials on configuring and assigning a Windows Autopilot deployment profile for each of the Windows Autopilot scenarios via Intune: