How to Setup Windows Autopilot V1 in Microsoft Intune

Autopilot automatically configures your laptops and computers with all the necessary software and settings. It even integrates with manufacturers like Dell, allowing you to order a brand-new device and have it shipped directly to the end user. When they receive the laptop, all they need to do is connect it to the internet, enter their Microsoft 365 username and password, and all the applications and settings will be applied. It’s seamless and efficient.

You might think this sounds expensive, but it’s not. All you need is an Entra ID Plan 1 license. Or, if you follow my recommendation, a Microsoft 365 Business Premium license, which includes Autopilot.

Now, let’s dive into the demo. First, we’ll prepare by creating Entra ID groups to organize the devices and look at company branding to personalise the experience.

1. Sign in to the Entra Admin Center.
2. Navigate to Devices > All devices > Device settings.
3. Set Users may join devices to Microsoft Entra to All.

For setting up device conditions, use the following query to filter Windows devices based on OS type and version:

Copy code
(device.deviceOSType -eq "Windows") and ((device.deviceOSVersion -startsWith "10.0.1") or (device.deviceOSVersion -startsWith "10.0.22"))

This filter applies to devices running Windows with OS versions starting with 10.0.1 or 10.0.22.

Create an Autopilot Deployment Profile

The next step is to create an Autopilot deployment profile, which customizes the Out-of-Box Experience (OOBE) and deployment mode for end users. This profile controls how devices are configured when users first power them on. You can create up to 350 deployment profiles in a single Intune tenant.

To create an Autopilot deployment profile, follow these steps:

1. Sign in to the Intune Admin Center.
2. Navigate to Devices > Windows > Windows enrollment > Deployment Profiles.
3. Click on Create Profile at the top.
4. Select Windows PC as the profile type.
5. Enter a profile name (e.g., “Sales Department Profile”) and click Next.
6. Configure the Out-of-Box Experience (OOBE) settings:
   • Deployment mode: Choose between User-driven or Self-deploying. For most cases, selecting User-driven means the user will enter their credentials during setup.
   • Join to Microsoft Entra ID: Choose Microsoft Entra joined to automatically join devices to your Entra ID. If you’re in a hybrid environment, you can select Hybrid Azure AD Join instead.
   • Microsoft Software Licensing Terms and Privacy Settings: Choose whether to Hide these during setup for a smoother user experience.
   • User account type: Set to Standard to prevent users from having administrative rights on their devices.
   • Allow pre-provisioned deployment: You can choose No to skip this step, or Yes if you want to pre-configure devices.
   • Region and language settings: Choose the appropriate region (e.g., English United Status) to ensure the device’s region matches your needs.
   • Device template name: Set a naming convention for your devices (e.g., Autopilot-XXX, where “XXX” is a random string of numbers).
7. Assign groups: Add the groups you created earlier to the profile, and select any groups you want to exclude if necessary.
8. Click Next and then Create to finalize the deployment profile.

Once created, you can go back to Devices > Windows and refresh the device list to check the profile assignment status. It may take a few minutes for the profile to be assigned.

Add Hardware Hash to Intune

It’s time to load the hardware hashes into Intune. A hardware hash is a unique identifier for each laptop or computer. If you’re purchasing devices directly from manufacturers like Dell, you can set up a relationship with them to provide the hardware hashes of the devices you’re buying, which can then be loaded into Intune.

There are a couple of ways to add hardware hashes into Intune. The first method is through a PowerShell script that generates a CSV file containing the hardware hash, stored on your C drive. You can then navigate to the folder and view the hardware hash of the computer you’re working on.

For the Demo i just using powershell ISE but you can use powershell administrator only 

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory -Path "C:HWID"
Set-Location -Path "C:HWID"
$env:Path += ";C:Program FilesWindowsPowerShellScripts"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv

Once you have the hardware hash, you need to upload it to Intune via the Microsoft 365 Admin Center. In Endpoint Manager, go to Devices, then Device Onboarding and Enrollment, and navigate to Windows Autopilot. You can import the hardware hash CSV file here, and after a few minutes, your device will appear in Intune.

Its another way to upload the Hardware Hash 

powershell.exe

Already undergone Windows Setup and OOBE:

Sign into the device.

Open an elevated Windows PowerShell prompt.

At the PS PowerShell command prompt, run the following PowerShell commands:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
 Install-Script -Name Get-WindowsAutopilotInfo -Force
 Get-WindowsAutopilotInfo -Online

If prompted to do so, agree to install NuGet from the PSGallery.

When the last command of Get-WindowsAutopilotInfo -Online runs, a Microsoft Entra ID sign-on prompt is displayed. Sign in with an account that is at least an Intune Administrator Privilege or Global account.

After the sign-in is successful, the device hash uploads automatically.

Verify that the hardware hash uploaded successfully and the device is showing as a registered Windows Autopilot device using the instructions in the section Verify the hardware hash uploaded.

For devices undergoing Windows Setup and OOBE, restart the device. The device should pick up the Windows Autopilot profile and OOBE should run through the Windows Autopilot provisioning process.

In this example, I am using a Windows 10 and 11 virtual machine in Hyper-V, so the serial number and manufacturer details may appear unfamiliar or generic. You might see placeholder values for the serial number or manufacturer such as “Microsoft Corporation” for Hyper-V virtual machines.

However, when you’re working with real physical devices, you’ll see accurate details like proper serial numbers and manufacturer names such as Dell, HP, or Lenovo. This is especially useful when managing devices in Autopilot or similar deployment scenarios where device information helps you track and manage inventory accurately.

So, even though my virtual machine might display a generic manufacturer, keep in mind that the deployment process is the same for both virtual and physical devices.

Lest do the Final output while doing device onboard 

I personally prefer using Sysprep because it allows me to choose the “Out-of-Box Experience (OOBE)” for system cleanup, making it a more customizable and thorough process. Here’s how to proceed:

1. Start by pressing Win + R to open the Run dialog box, and type sysprep, then hit Enter.

2. In the Sysprep folder, double-click on the sysprep.exe program.

3. Ensure that both of the following options are selected:

   • Enter System Out-of-the-Box Experience (OOBE)
   • Generalize (This option will remove any system-specific information, preparing the device for deployment.)

4. Finally, click the OK button to begin the process.

Once initiated, Sysprep will prepare the system for the OOBE, and the device will restart, ready for a fresh configuration based on your deployment settings.

Windows 11

Enter the organization’s email address and click Next. Then, input the password and click Sign in. This step is part of setting up a Windows device for work or school, ensuring proper configuration and security.

In our Autopilot Deployment profile, we’ve hidden the Privacy Terms and Microsoft Software License Agreement screens. If configured, you’ll see your company’s branding, such as the logo and color theme.

Once setup completes, Windows will check for updates and apply final configurations. This process may take a few minutes before the desktop appears. During this, Windows Hello is set up for secure sign-in using a PIN.

After everything is finalized, you’ll land on your home screen, ready to start using your device.

Windows 11

To check your Microsoft Intune join status, navigate to:

Intune -> Devices -> Windows

You can directly access this via Intune Windows Devices.

Here, you’ll see new machines, such as TWNIFAN-7568 and TWNIFAN-8334, listed as joined to Intune.

Conclusion

In this article, we’ve walked through the process of setting up and configuring a Windows device with Autopilot and Intune, including the Sysprep procedure, Autopilot deployment profiles, and checking device enrollment. By following these steps, you can ensure a smooth, efficient, and secure onboarding experience for your devices.

The ability to customize the Out-of-Box Experience (OOBE) and streamline device setup helps in maintaining a consistent and professional user experience across your organization. With the configurations applied and updates completed, your devices will be ready for immediate use.

If you notice any discrepancies or have questions about the setup process, feel free to reach out. I am openly available for feedback and eager to learn from any insights or corrections you may have. Your input is valuable in improving and refining these processes.

Thank you for reading, and happy configuring!