InfraKit Guides

Learning Hub

Step-by-step how-to guides for Windows Autopilot and Microsoft Intune setup.

Tags: Windows Autopilot, Microsoft Intune, Azure AD, Endpoint Management
Overview
What you'll learn in this guide

Windows Autopilot
Zero-touch device provisioning — ship a laptop directly to a user and have it configure itself automatically on first boot.

Microsoft Intune
Cloud-based Mobile Device Management (MDM) — manage policies, apps, compliance and security across your entire device fleet.

Compliance & Security
Enforce BitLocker encryption, Windows Defender, password policies and conditional access across all managed devices.

App Deployment
Push Win32 apps, Microsoft 365, Store apps and custom software silently to device groups without any manual installation.

How this guide works: Follow the sections in order — Prerequisites first, then Autopilot setup, then Intune. Each section builds on the last.
Prerequisites
What you need before you start

Licensing

License                        | What it covers                                      | Required?
Microsoft Intune (standalone)  | Device management, compliance, app deployment       | Required
Azure AD Premium P1            | Auto-enrollment, dynamic groups, Autopilot          | Required
Azure AD Premium P2            | Identity protection, Privileged Identity Management | Optional
Microsoft 365 Business Premium | Bundles Intune + AAD P1 + Defender                  | Recommended

Device Requirements

Windows 10 Pro / Enterprise (1809+)
Windows 11 Pro / Enterprise
TPM 2.0 chip (for Autopilot)
Secure Boot capable
Internet access on first boot
Windows Home is not supported: Autopilot and Intune MDM enrollment require Windows Pro, Enterprise, or Education. Home edition cannot enrol.

Admin Portals You'll Use

Portal                 | URL                  | Used for
Intune Admin Center    | intune.microsoft.com | Everything — devices, policies, apps, scripts
Azure Active Directory | aad.portal.azure.com | Groups, users, conditional access
Microsoft 365 Admin    | admin.microsoft.com  | Licensing, user management
What is Windows Autopilot?
Zero-touch provisioning explained

Windows Autopilot lets you ship a brand-new laptop directly to an end user. When they power it on and connect to the internet, the device automatically joins Azure AD, enrolls into Intune, installs apps, and applies all your policies — with no IT intervention needed on-site.

Autopilot Deployment Modes

Mode                          | Who sets it up?                                          | Best for
User-Driven                   | End user logs in with their Azure AD account during OOBE | Most deployments — remote workers, new hires
Self-Deploying                | No user interaction needed — device provisions itself    | Kiosks, shared devices, meeting room PCs
Pre-provisioned (White Glove) | IT pre-stages the device, user finishes setup            | When you want apps installed before user receives device
Hybrid Azure AD Join          | Requires on-prem AD + VPN or Intune Connector            | Organisations still using on-premises AD

Start with User-Driven: For most organisations, User-Driven Azure AD Join is the simplest to set up and works entirely in the cloud. Start here, then explore other modes once it's working.
Register Devices
Get hardware hashes into Intune

Before Autopilot can provision a device, it needs to know that device exists in your tenant. This is done by uploading the device's hardware hash — a unique fingerprint of the hardware.

Method 1: Run the Script on the Device

This is the most common method for existing devices or lab testing. Boot the device (or use OOBE Shift+F10 to open a command prompt):

1. Open PowerShell as Administrator
On the device you want to register. If in OOBE, press Shift + F10 to open a command prompt, then type powershell.

2. Install the Get-WindowsAutoPilotInfo script and capture the hash
PowerShell
# Allow the downloaded script to run in this session only (OOBE defaults to a Restricted policy)
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# Install the script from the PowerShell Gallery (requires internet)
Install-Script -Name Get-WindowsAutoPilotInfo -Force

# Capture hash and upload directly to Intune
Get-WindowsAutoPilotInfo -Online
The -Online flag opens a browser sign-in to your tenant and uploads directly. You'll need Global Admin or Intune Admin credentials.

3. Or save the hash to a CSV for bulk upload
PowerShell
# Save to CSV file instead (add -Append to collect several devices into one file)
Get-WindowsAutoPilotInfo -OutputFile C:\AutopilotHWID.csv
Then upload the CSV manually in Intune: Devices > Windows > Windows Enrollment > Devices > Import
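Before a bulk import it is worth catching header, blank-hash, duplicate-serial and row-count problems locally rather than in the portal. The following checker is an added example, not part of the guide or of the Get-WindowsAutoPilotInfo script; the function name Test-AutopilotCsv and the sample path are assumptions, while the column names and the 500-row limit are those of Intune's Autopilot CSV import.

```powershell
# Added example (not from the guide): validate a hardware-hash CSV before
# importing it into Intune. Test-AutopilotCsv is a made-up helper name.
function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)

    # Columns written by Get-WindowsAutoPilotInfo -OutputFile; the import requires them
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $problems = [System.Collections.Generic.List[string]]::new()

    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { $problems.Add('File has no data rows'); return $problems }

    # Header check: every required column must be present and spelled exactly
    $columns = $rows[0].PSObject.Properties.Name
    foreach ($col in $required) {
        if ($columns -notcontains $col) { $problems.Add("Missing column: '$col'") }
    }
    if ($problems.Count -gt 0) { return $problems }

    # The manual import accepts at most 500 rows per file
    if ($rows.Count -gt 500) { $problems.Add("$($rows.Count) rows; split into files of 500 or fewer") }

    # Per-row checks: serial present, hash present and base64-shaped
    $line = 1
    foreach ($row in $rows) {
        $line++
        $serial = "$($row.'Device Serial Number')".Trim()
        $hash   = "$($row.'Hardware Hash')".Trim()
        if (-not $serial) { $problems.Add("Line ${line}: empty serial number") }
        if (-not $hash -or $hash -notmatch '^[A-Za-z0-9+/]+={0,2}$') {
            $problems.Add("Line ${line}: hardware hash missing or not base64")
        }
    }

    # Each serial should appear once per file; report duplicates
    $rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1 | ForEach-Object {
        $problems.Add("Serial '$($_.Name)' appears $($_.Count) times")
    }
    return $problems
}

# Usage: list problems, or confirm the file is ready to import (path is an example)
$issues = Test-AutopilotCsv -Path 'C:\AutopilotHWID.csv'
if ($issues.Count -eq 0) { 'CSV looks ready for Devices > Windows > Windows Enrollment > Devices > Import' }
else { $issues }
```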

Method 2: Via OEM / Reseller

Most major OEMs (Dell, HP, Lenovo, Microsoft Surface) can register devices into your Autopilot tenant at time of purchase. Give your reseller your Microsoft tenant ID and they'll handle the hash registration before the device ships.

Find your Tenant ID: Azure Portal > Azure Active Directory > Overview. Your Tenant ID is shown at the top of the page.

Verify Registration in Intune

After upload, devices appear at: Intune Admin Center > Devices > Windows > Windows Enrollment > Devices. It can take up to 15 minutes to sync.

Deployment Profiles
Configure what happens during OOBE

A Deployment Profile controls the out-of-box experience (OOBE) — what screens the user sees, what the device is named, and how it joins your organisation.

1. Navigate to Deployment Profiles
Intune Admin Center > Devices > Windows > Windows Enrollment > Deployment Profiles > + Create profile > Windows PC

2. Basics — Name your profile
Give it a descriptive name like "Standard User-Driven - Azure AD Join". Add a description for future reference.

3. Out-of-box experience (OOBE) settings
Setting                          | Recommended value
Deployment mode                  | User-Driven
Join to Azure AD as              | Azure AD joined
Microsoft Software License Terms | Hide
Privacy settings                 | Hide
Hide change account options      | Hide
User account type                | Standard (not Administrator)
Allow pre-provisioned deployment | Yes (optional, for White Glove)
Language                         | OS default or specify
Automatically configure keyboard | Yes
Apply device name template       | Yes — e.g. CORP-%SERIAL%

4. Assignments — assign to a group
Assign the profile to an Azure AD device group that contains your registered Autopilot devices. Create a dynamic group with the rule (device.devicePhysicalIds -any (_ -contains "[ZTDId]")) to auto-include all Autopilot-registered devices. The attribute holds values of the form "[ZTDId]:<id>", so the comparison must be -contains, not -eq, or the group stays empty.

Device naming convention: Use %SERIAL% in the name template to include the serial number, e.g. CORP-%SERIAL%. This makes devices easy to identify in Intune and AD without needing manual naming.
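Because the template is only applied during OOBE, a bad name surfaces late. This added helper (not from the guide; Get-AutopilotNamePreview is a made-up name) renders a template against the local BIOS serial number, expands the %RAND:x% macro, and flags names that break the Autopilot rules of 15 characters or fewer, letters, digits and hyphens only, and not all digits.

```powershell
# Added example (not from the guide): preview what a device name template
# produces on this machine, using the macros Autopilot accepts.
function Get-AutopilotNamePreview {
    param([string]$Template = 'CORP-%SERIAL%')

    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
    $name = $Template -replace '%SERIAL%', $serial

    # %RAND:x% becomes x random digits; loop in case the macro appears more than once
    while ($name -match '%RAND:(\d+)%') {
        $digits = [int]$Matches[1]
        $rand = -join (1..$digits | ForEach-Object { Get-Random -Minimum 0 -Maximum 10 })
        $name = $name -replace [regex]::Escape($Matches[0]), $rand
    }

    # Rules for Autopilot device names (NetBIOS-compatible computer names)
    $issues = @()
    if ($name.Length -gt 15)          { $issues += "length $($name.Length) exceeds 15" }
    if ($name -match '[^A-Za-z0-9-]') { $issues += 'contains characters other than letters, digits or hyphen' }
    if ($name -match '^\d+$')         { $issues += 'all digits' }
    if ($name -match '%')             { $issues += 'unknown macro left unexpanded' }

    [pscustomobject]@{ Template = $Template; Serial = $serial; Name = $name; Issues = $issues }
}

# Usage: check the guide's default template and a random-suffix variant
Get-AutopilotNamePreview
Get-AutopilotNamePreview -Template 'LAB-%RAND:5%'
```

Long OEM serials or placeholder serials such as "To be filled by O.E.M." show up immediately in the Issues column, which is the case a short prefix like CORP- is meant to leave room for.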
Enrollment Status Page
Show setup progress to users

The Enrollment Status Page (ESP) shows the user a progress screen during device setup, preventing them from using the device until all required apps and policies have been applied.

1. Navigate to ESP settings
Intune Admin Center > Devices > Windows > Windows Enrollment > Enrollment Status Page > + Create

2. Configure the profile
Setting                                                  | Recommended value
Show app and profile configuration progress              | Yes
Show error when installation takes longer than (minutes) | 60
Show custom message when time limit error occurs         | Yes — add your IT helpdesk number
Allow users to collect logs                              | Yes
Only show page to devices provisioned by OOBE            | Yes
Block device use until all apps/profiles are installed   | Yes

3. Assign to the same group as your Autopilot profile
The ESP and the Autopilot Deployment Profile should target the same Azure AD device group so both apply during provisioning.
Assign & Test
Deploy a profile and test the full flow
1. Create a dynamic Azure AD device group
Azure AD > Groups > New Group

  • Group type: Security
  • Membership type: Dynamic Device
  • Rule: (device.devicePhysicalIds -any (_ -contains "[ZTDId]"))
This automatically includes every device registered in Autopilot.

2. Assign your profile to the group
Go back to your Deployment Profile > Assignments > add the dynamic group under Included groups. Save. Sync can take up to 15 minutes.

3. Test with a physical or virtual machine
For a VM test (Hyper-V or Azure VM), register the VM's hardware hash as in Register Devices and boot it straight to OOBE. To re-run Autopilot on a physical device that has already completed setup, reset it:
PowerShell — Reset a physical device for testing
# Run on the test device — launches "Reset this PC" so the device wipes and re-runs Autopilot.
# systemreset.exe is the built-in launcher for the reset wizard; choose "Remove everything".
systemreset.exe -factoryreset

# Or via Settings > System > Recovery > Reset this PC
# Choose "Remove everything"
After reset, connect to Wi-Fi at OOBE and sign in with a test Azure AD user account. The Autopilot profile and ESP should kick in automatically.

4. Monitor deployment in Intune
Intune Admin Center > Devices > Monitor > Autopilot deployments — see real-time status of device provisioning, including any failures and at which step they occurred.

Always test in a lab first: Run through the full Autopilot flow on a test device before deploying to end users. A misconfigured profile can leave devices in an unusable state mid-setup.
What is Microsoft Intune?
Cloud-based endpoint management

Microsoft Intune is a cloud-based Mobile Device Management (MDM) and Mobile Application Management (MAM) solution. It lets you manage Windows PCs, Macs, iOS and Android devices from a single web portal — no on-premises infrastructure required.

Compliance Policies
Define minimum security standards — BitLocker, firewall, antivirus, OS version — and mark devices as compliant or non-compliant.

Configuration Profiles
Push settings to devices — Wi-Fi, VPN, certificates, browser policies, Windows Update rings and hundreds more MDM policies.

App Deployment
Deploy Win32 apps, Microsoft 365, Store apps and web links silently to users or device groups.

Scripts
Run PowerShell scripts on enrolled devices — once or on a schedule. Perfect for configuration tasks that don't have a native MDM policy.

Device Enrollment
Getting devices managed by Intune

Enable Auto-Enrollment (Required)

Before any device can enroll, you must enable automatic MDM enrollment in Azure AD.

1. Open Azure AD Mobility settings
Azure AD Portal > Mobility (MDM and MAM) > Microsoft Intune

2. Set MDM user scope
Set to All (every user who joins a device gets auto-enrolled) or Some to target a specific Azure AD group. For most orgs, start with All.

3. Save
Now when a user Azure AD-joins a device (including via Autopilot), it will automatically enroll into Intune.

Enrollment Methods

Method                       | How                                                     | Best for
Autopilot                    | Device registered in Autopilot, user logs in at OOBE    | New devices, clean deployments
Azure AD Join + Auto-enroll  | Settings > Accounts > Access work or school > Connect   | Existing devices you want to enroll manually
Company Portal               | User downloads and signs into Company Portal app        | BYOD, personal devices, MAM-only
Bulk Enrollment              | Provisioning package via Windows Configuration Designer | Kiosks, shared devices without user accounts
Group Policy (co-management) | GPO pushes MDM enrollment to hybrid-joined devices      | Migrating from SCCM/on-prem management
Compliance Policies
Define your security baseline

Compliance policies define the minimum security requirements a device must meet to be considered "compliant". Non-compliant devices can be blocked from accessing company resources via Conditional Access.

1. Create a new compliance policy
Intune Admin Center > Devices > Compliance policies > + Create policy — Platform: Windows 10 and later

2. Configure compliance settings
Category        | Setting                 | Recommended
Device Health   | Require BitLocker       | Yes
Device Health   | Require Secure Boot     | Yes
Device Health   | Require code integrity  | Yes
System Security | Require password        | Yes
System Security | Minimum password length | 8
System Security | Firewall                | Require
System Security | Antivirus               | Require
System Security | Antispyware             | Require
OS Version      | Minimum OS version      | 10.0.19041 (Win10 2004)
Defender        | Real-time protection    | Require

3. Actions for non-compliance
Set what happens when a device fails compliance. Recommended: Mark device non-compliant: immediately, then optionally send an email to user after 1 day and retire after 30 days.

4. Assign to an Azure AD group
Assign to All Devices or a specific device group. A compliance policy not assigned to anyone does nothing.

Pair with Conditional Access: Create a Conditional Access policy in Azure AD that requires "Device marked as compliant" to access Microsoft 365, Teams, and SharePoint. This ensures non-compliant devices are blocked automatically.
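A local pre-flight check separates devices that fail the baseline from devices that were never eligible in the first place. This added script is not from the guide (Test-IntuneBaseline is a made-up name); it reads the signals behind the Device Requirements list and the compliance table above using built-in cmdlets, and only approximates Intune's evaluation, which for BitLocker, Secure Boot and code integrity relies on Device Health Attestation rather than local state. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the guide): local pre-flight check against the device
# requirements and the compliance baseline above. Approximation only; Intune's
# Device Health checks come from Device Health Attestation, not local queries.
function Test-IntuneBaseline {
    $r = [ordered]@{}

    # Device requirements: Pro/Enterprise/Education (Home editions report Core*), build 19041+
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $r["Edition supported ($edition)"] = $edition -notlike 'Core*'
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $r["OS build >= 19041 ($build)"] = $build -ge 19041

    # TPM 2.0 present and ready (needed for Autopilot)
    $tpm = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r['TPM 2.0 present'] = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')
    $r['TPM ready']       = [bool](Get-Tpm).TpmReady

    # Secure Boot (Confirm-SecureBootUEFI throws on legacy BIOS firmware)
    try { $r['Secure Boot on'] = Confirm-SecureBootUEFI } catch { $r['Secure Boot on'] = $false }

    # BitLocker protection on the OS drive
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $r['BitLocker on OS drive'] = ($null -ne $vol) -and ($vol.ProtectionStatus -eq 'On')

    # Firewall: Domain, Private and Public profiles all enabled
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    $r['Firewall enabled on all profiles'] = $off.Count -eq 0

    # Defender: antivirus, antispyware and real-time protection
    $mp = Get-MpComputerStatus
    $r['Defender antivirus']   = $mp.AntivirusEnabled
    $r['Defender antispyware'] = $mp.AntispywareEnabled
    $r['Real-time protection'] = $mp.RealTimeProtectionEnabled

    return $r
}

# Usage: print PASS/FAIL per check and a failure count
$results = Test-IntuneBaseline
$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
$failed = @($results.GetEnumerator() | Where-Object { -not $_.Value }).Count
"$failed check(s) failed"
```

Deployed as an Intune PowerShell script in the SYSTEM context, the same function can be followed by exit $failed so that failing devices show up in Devices > Monitor > PowerShell script status.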
Configuration Profiles
Push settings to managed devices

Configuration profiles push settings to devices. Unlike compliance (which checks settings), configuration profiles actively apply them.

Common Profile Types

Profile type                    | Use case
Device Restrictions             | Disable USB storage, restrict Control Panel, block camera
Endpoint Protection             | Configure Windows Defender, BitLocker encryption, Firewall rules
Wi-Fi                           | Push corporate Wi-Fi SSIDs and credentials silently
VPN                             | Deploy Always-On VPN or per-app VPN profiles
Certificate                     | Deploy root/intermediate certs and SCEP/PKCS user certs
Windows Update Ring             | Control when feature updates and quality patches are installed
Administrative Templates (ADMX) | Apply Group Policy-like settings via MDM — Office, Edge, Windows
Settings Catalog                | Search-driven access to thousands of MDM policies in one place
Custom (OMA-URI)                | Apply any MDM CSP setting not exposed in the UI

Create a Windows Update Ring

1. Navigate to Update Rings
Intune Admin Center > Devices > Windows > Windows 10 update rings > + Create

2. Recommended settings
Setting                        | Value
Servicing channel              | General Availability Channel
Quality update deferral (days) | 7
Feature update deferral (days) | 30
Automatic update behaviour     | Auto install and restart at maintenance time
Active hours start/end         | 08:00 - 18:00
Restart grace period           | 2 days

App Deployment
Push software to devices silently

App Types in Intune

App type               | Format                            | Best for
Win32                  | .intunewin (wrapped .exe or .msi) | Most traditional Windows apps — Chrome, 7-Zip, custom software
Microsoft 365 Apps     | Built-in                          | Word, Excel, Outlook, Teams — easiest method
Microsoft Store (new)  | Store search                      | WinGet-based store apps — Company Portal, Notepad++, etc.
Line of Business (LOB) | .msi or .msix                     | Simple MSI packages without complex dependencies
Web link               | URL                               | Pin a website to Start Menu or taskbar

Packaging a Win32 App

1. Download the IntuneWinAppUtil tool
Download IntuneWinAppUtil.exe from the Microsoft GitHub repository: microsoft/Microsoft-Win32-Content-Prep-Tool

2. Wrap your installer
Command Prompt
IntuneWinAppUtil.exe -c "C:\Source\MyApp" -s "setup.exe" -o "C:\Output"
  • -c Source folder containing installer
  • -s Setup file name
  • -o Output folder for the .intunewin file

3. Add the app in Intune
Apps > Windows > + Add > Windows app (Win32) — upload your .intunewin file and fill in the details.

4. Set install / uninstall commands
Example — Silent install / uninstall
# Install command
setup.exe /S /silent

# Uninstall command
"C:\Program Files\MyApp\uninstall.exe" /S

5. Set a detection rule
Tell Intune how to confirm the app is installed. Common options:
  • Registry key — check HKLM\Software\MyApp exists
  • File — check C:\Program Files\MyApp\app.exe exists
  • MSI product code — for MSI-based installers

6. Assign to a group
Set assignment type: Required (force install) or Available (user can install from Company Portal). Assign to a device or user group.

PowerShell Scripts
Run scripts on managed devices

Intune can deploy and run PowerShell scripts on enrolled Windows devices. Scripts run silently in the background — great for configuration tasks that don't have a built-in MDM policy.

1. Navigate to Scripts
Intune Admin Center > Devices > Windows > PowerShell scripts > + Add

2. Upload your script
Upload a .ps1 file. Script size limit is 200 KB. For larger scripts, use a Win32 app wrapper instead.

3. Configure script settings
Setting                                         | Options  | Notes
Run this script using the logged on credentials | Yes / No | No = runs as SYSTEM; Yes = runs as the logged-in user
Enforce script signature check                  | Yes / No | No for most internal scripts; Yes for production security
Run script in 64-bit PowerShell host            | Yes / No | Yes recommended for compatibility with 64-bit operations

4. Assign to a group and monitor
Assign to a device or user group. Monitor results at Devices > Monitor > PowerShell script status — see per-device success / failure and any output.

Example: Map a Printer via Intune Script

PowerShell — Map-Printer.ps1
# Deploy via Intune PowerShell Scripts
# Run as: Logged on credentials (user context)

$server  = "printserver01"
$printer = "Secure Print"
$unc     = "\\$server\$printer"

try {
    Add-Printer -ConnectionName $unc -ErrorAction Stop
    Write-Output "Mapped: $unc"
} catch {
    if ($_.Exception.Message -like "*already exists*") {
        Write-Output "Already mapped: $unc"
    } else {
        Write-Error "Failed to map $unc`: $_"
    }
}
Scripts run once by default: Intune PowerShell scripts run once per device by default. If you need them to re-run (e.g. for re-enrollments), delete and re-add the script assignment, or use a scheduled task deployed via a Win32 app instead.

Output is limited: Intune only captures the first 2048 characters of Write-Output. For debugging, write logs to a file (e.g. C:\ProgramData\IntuneScripts\) and collect via Intune's Log Analytics or endpoint diagnostics.