💡
Managing Autopilot through the Zip Console is now available in beta! See here for more details.

Stage 1: Configure the Windows Autopilot Group and Profile

  1. Create an Intune group that will have the Autopilot profile assigned to it. Intune-managed devices that should be enrolled in Autopilot will later be added to this group.
    1. Navigate to the Intune groups pane
    2. Choose New group from the top menu
    3. Use the following settings
      1. Group type: Security
      2. Group name: Zip Security: Windows Autopilot Devices
      3. Group description: Group used to enroll Corporate devices into Autopilot. Managed by the Zip Security console, go to zipsecinc.cc to make changes.
      4. Microsoft Entra roles can be assigned to the group: No
      5. Membership type:
        1. If an organization wants to manually decide which devices will be Autopilot enrolled: Assigned
        2. If an organization is confident that “Ownership” information is correct for each device and they want to enroll all eligible devices: Dynamic with a ruleset of (device.deviceOwnership -eq "Company") and (device.deviceTrustType -eq "AzureAD") and (device.deviceOSType -eq "Windows") and (device.managementType -eq "MDM")
      6. Owners: None
      7. Members: None
    4. Create the group. Once you are redirected back to the Intune groups pane, it may take a moment for the new group to appear.
  2. Create the Autopilot enrollment profile
    1. Navigate to the Windows Autopilot deployment profiles pane
      1. From the Intune admin center home page:
        1. Devices → Device onboarding → Enrollment → Deployment Profiles
    2. Choose Create profile from the top menu, then Windows PC
    3. Use the following settings
      1. Name: Windows PC Autopilot Profile Automatically Set by Zip Security
      2. Description: Windows PC Autopilot profile managed by the Zip Security console. Go to zipsecinc.cc to make changes.
      3. Convert all targeted devices to Autopilot: Yes
    4. Next
    5. Use the following settings
      1. Deployment mode: User-Driven
      2. Join to Microsoft Entra ID as: Microsoft Entra joined
        1. 💡
          Because Automatic Enrollment should already be configured and users should already be members of an Intune-licensed group, using this setting together with the User-Driven deployment mode should automatically enroll all new or wiped devices in Intune MDM during the OOBE.
          - Automatic enrollment:
          - Licenses:
      3. Microsoft Software License Terms: Hide
      4. Privacy settings: Hide
      5. Hide change account options: Hide
        1. 💡
          This setting won’t take effect until we have configured Company Branding in Azure AD.
      6. User account type:
        1. Set this to Administrator if the company currently allows and deploys laptops with the end user as an Administrator and is not planning on fully managing laptops in the near future.
        2. Set this to Standard if the company does not want to permit end users to make system level configuration changes or to install applications that require administrator privileges. This may substantially disrupt user workflow if the laptops are not fully managed and correctly configured for the user. Limiting users to standard accounts is atypical for companies without a dedicated desktop IT admin/team.
      7. Allow pre-provisioned deployment: No
      8. Language (Region): Operating system default or the company’s preferred region.
        1. In most cases OS default should be fine as long as the company purchased the laptop or OS media for/in the same region that they operate in.
      9. Automatically configure keyboard: Yes
      10. Apply device name template: Yes
        1. Enter a name: For small companies with a single Autopilot config, we recommend using the universal template ORG-%SERIAL%, where ORG is a 1 to 6 character abbreviation of the organization name. For example, ZIP-%SERIAL% would result in device hostnames like ZIP-MJ0JHYD9.
        2. In more advanced setups with per-department or role autopilot configurations, this can instead be set to uniquely identify the devices managed by this Autopilot config. The final name can be no more than 15 characters long, so instead of using the 8-digit SERIAL macro it may be necessary to use the %RAND:x% macro. E.g. ZIP-ENG-%RAND:7% or ACME-SALES-%RAND:4%, resulting in hostnames like ZIP-ENG-0432.
    6. Next
    7. Select Add groups from the top menu
      1. Search for and select the Zip Security: Windows Autopilot Devices group
      2. Click Select
    8. Next
    9. Create
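As an added example (not part of the Zip Security documentation or the Intune product), the following Python check validates device name templates like the ones recommended above before they are typed into the profile. It expands %SERIAL% and %RAND:x% as the page describes and flags templates that can exceed the 15-character limit. The macro names and the 15-character limit come from the page; the default serial length of 8 is an assumption taken from the page's MJ0JHYD9 example, and the letters/digits/hyphen character rule is a general Windows computer-name constraint added here, not something the page states.

```python
import re
import secrets
import string

# Device name template macros as described in the Autopilot profile step:
# %SERIAL% expands to the device serial number, %RAND:x% to x random digits.
# The final computer name may be at most 15 characters (from the page).
MAX_HOSTNAME_LEN = 15
_MACRO = re.compile(r"%SERIAL%|%RAND:(\d+)%")
# Windows computer names: letters, digits and hyphens only (assumption added
# for this check; the page only states the length limit).
_ALLOWED_LITERAL = re.compile(r"^[A-Za-z0-9-]*$")


def expand_template(template, serial, rng=secrets):
    """Expand a template for one device; random digits come from rng.choice()."""
    def repl(m):
        if m.group(0) == "%SERIAL%":
            return serial
        return "".join(rng.choice(string.digits) for _ in range(int(m.group(1))))
    return _MACRO.sub(repl, template)


def max_expanded_length(template, serial_len):
    """Longest name the template can produce for serials of serial_len characters."""
    length = len(_MACRO.sub("", template))
    for m in _MACRO.finditer(template):
        length += serial_len if m.group(0) == "%SERIAL%" else int(m.group(1))
    return length


def check_template(template, serial_len=8):
    """Return a list of problems with a template; an empty list means it is usable.

    serial_len defaults to 8, the length of the page's example serial MJ0JHYD9
    (an assumption: check the real serial length of your fleet's OEM).
    """
    problems = []
    literal = _MACRO.sub("", template)
    if "%" in literal:
        problems.append("unknown macro or stray '%' in template")
    elif not _ALLOWED_LITERAL.match(literal):
        problems.append("literal part contains characters other than letters, digits and '-'")
    if not _MACRO.search(template):
        problems.append("no %SERIAL% or %RAND:x% macro, so every device would get the same name")
    n = max_expanded_length(template, serial_len)
    if n > MAX_HOSTNAME_LEN:
        problems.append(f"can expand to {n} characters, limit is {MAX_HOSTNAME_LEN}")
    return problems


if __name__ == "__main__":
    # Templates from the page plus one that is too long once the serial is inserted.
    for t in ("ZIP-%SERIAL%", "ZIP-ENG-%RAND:7%", "ACME-SALES-%RAND:4%", "ACME-SALES-%SERIAL%"):
        print(t, "->", expand_template(t, "MJ0JHYD9"), check_template(t) or "ok")
```

Run it with the serial length your OEM actually uses; a department prefix that fits with %RAND:4% can silently overflow with %SERIAL%, and Intune will truncate or reject the name rather than warn you at profile creation time.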

Stage 2: Add devices to the Autopilot Intune group

💡
This step is only necessary if the decision was made to use statically Assigned group membership in Step 1 of Stage 1: Configure the Windows Autopilot Group and Profile. When using Dynamic membership, instead review the membership of the Zip Security: Windows Autopilot Devices group to verify that it contains all expected devices. Dynamic group rules can be tested against specific devices in the rule editor for the group.
  1. Navigate to the Intune groups pane
  2. Click on the Zip Security: Windows Autopilot Devices group
  3. Select the Members section on the left menu
    1. Search for and select each device that should be enrolled in Autopilot. Windows devices are only eligible for Autopilot enrollment if:
      1. The device is running an eligible version of Windows
        1. 💡
          Eligible versions include:
          • Windows 10/11 Pro
          • Windows 10/11 Pro Education
          • Windows 10/11 Pro for Workstations
          • Windows 10/11 Enterprise
          • Windows 10/11 Education
      2. The device is company-owned (variously displayed or described as “Corporate” or “Company” in Intune)
        1. 💡
          This can be updated for each device via the Intune console if it is incorrect. We recommend doing so as it is also important for enabling the deployment of advanced device config and compliance policies.
      3. The device is MDM managed by Intune
      4. The device is Azure AD joined (not Azure AD registered)
    2. Click Select at the bottom of the overlay pane
    3. Wait ~15 seconds, then click Refresh in the top menu to populate the list with the newly added members
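The four eligibility conditions above are the same conditions the Dynamic membership rule in Stage 1 encodes, plus the Windows edition check. As an added example (not code from Zip Security or Microsoft), the following Python script parses that rule string and applies it, together with the edition list from the page, to an exported device inventory, so you can triage which devices to add to an Assigned group, or sanity-check a Dynamic rule, before touching the tenant. The rule text and the edition list are copied from the page; the sample devices are constructed, "windowsEdition" is a field of this example rather than an Entra rule property, and the parser handles only "and"-joined -eq/-ne clauses, not the full Entra rule syntax.

```python
import re

# Dynamic membership rule from Stage 1 (copied from the page).
AUTOPILOT_RULE = (
    '(device.deviceOwnership -eq "Company") and (device.deviceTrustType -eq "AzureAD") '
    'and (device.deviceOSType -eq "Windows") and (device.managementType -eq "MDM")'
)

# Windows editions listed on the page as Autopilot-eligible.
ELIGIBLE_EDITIONS = {"Pro", "Pro Education", "Pro for Workstations", "Enterprise", "Education"}

# One clause of the supported subset: (device.<property> -eq|-ne "<value>")
_CLAUSE = re.compile(r'\(\s*device\.(\w+)\s+(-eq|-ne)\s+"([^"]*)"\s*\)')


def parse_rule(rule):
    """Parse an "and"-joined chain of -eq/-ne clauses into (property, op, value) tuples.

    Only this subset of the Entra rule syntax is handled (no "or", "-contains",
    nested groups, ...); anything else raises ValueError instead of guessing.
    """
    clauses, pos = [], 0
    for m in _CLAUSE.finditer(rule):
        glue = rule[pos:m.start()].strip()
        if glue not in ("", "and"):
            raise ValueError(f"unsupported syntax near: {glue!r}")
        clauses.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    if not clauses or rule[pos:].strip():
        raise ValueError("unsupported syntax: " + rule[pos:].strip())
    return clauses


def ineligibility_reasons(device, clauses):
    """Why a device would NOT be selected: failed rule clauses plus the edition check.

    Comparison is exact string equality; this is a local sanity check, not a
    reimplementation of the Entra rule engine.
    """
    reasons = []
    for prop, op, value in clauses:
        actual = device.get(prop)
        ok = (actual == value) if op == "-eq" else (actual != value)
        if not ok:
            reasons.append(f"{prop}={actual!r} fails ({op} {value!r})")
    if device.get("windowsEdition") not in ELIGIBLE_EDITIONS:
        reasons.append(f"edition {device.get('windowsEdition')!r} is not Autopilot-eligible")
    return reasons


def triage(devices, rule=AUTOPILOT_RULE):
    """Map displayName -> list of reasons; an empty list means add it to the group."""
    clauses = parse_rule(rule)
    return {d["displayName"]: ineligibility_reasons(d, clauses) for d in devices}


# Constructed sample inventory (not real devices). "Workplace" stands in for an
# Azure AD registered (not joined) device in this example.
SAMPLE_DEVICES = [
    {"displayName": "ZIP-MJ0JHYD9", "deviceOwnership": "Company", "deviceTrustType": "AzureAD",
     "deviceOSType": "Windows", "managementType": "MDM", "windowsEdition": "Pro"},
    {"displayName": "LAPTOP-HOME", "deviceOwnership": "Personal", "deviceTrustType": "Workplace",
     "deviceOSType": "Windows", "managementType": "MDM", "windowsEdition": "Pro"},
    {"displayName": "ZIP-KIOSK", "deviceOwnership": "Company", "deviceTrustType": "AzureAD",
     "deviceOSType": "Windows", "managementType": "MDM", "windowsEdition": "Home"},
    {"displayName": "ZIP-MBP", "deviceOwnership": "Company", "deviceTrustType": "AzureAD",
     "deviceOSType": "MacMDM", "managementType": "MDM", "windowsEdition": None},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DEVICES).items():
        print(name, "->", "eligible" if not reasons else "; ".join(reasons))
```

The reasons list is the useful output: a device that fails only on ownership is the case the page's callout describes (fix the ownership attribute in Intune and it becomes eligible), whereas a device that fails on trust type is Azure AD registered rather than joined and needs re-enrollment, not an attribute edit.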

Stage 3: Verify Autopilot enrollment

  1. Wait. It may take 24 to 48 hours for the group changes to replicate, the Intune devices to check in, and the Autopilot service registration to update.
  2. Navigate to the Autopilot devices pane in Intune
  3. Compare the list of devices to the membership of the Zip Security: Windows Autopilot Devices group to confirm that all devices have checked in and been enrolled in Autopilot.
    1. The “Profile status” column for each device should be “Assigned”, and the details pane for the device (opened by clicking on the device entry) should list Assigned Profile: Windows PC Autopilot Profile Automatically Set by Zip Security
  4. If any devices are missing, you can try to force a check-in by issuing an Intune sync command from the console, issuing a sync from the “Access work or school > Connected > Info” pane on the device, or rebooting the device.
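Comparing the two lists by eye works for a handful of devices; for a larger fleet the same check is easier as a script. As an added example (not part of the Zip Security documentation), the following Python function reconciles an export of the group membership against an export of the Autopilot devices pane and sorts each group member into one of the outcomes the verification step describes: enrolled with the expected profile, enrolled but with a different profile, registered but not yet "Assigned", or not registered at all (the case where the sync or reboot in the last step applies). The field names (deviceId, azureAdDeviceId, profileStatus, assignedProfile) and the sample records are constructed for this example and do not match any particular Intune export or Graph API property names.

```python
# Profile name from Stage 1 of the page.
EXPECTED_PROFILE = "Windows PC Autopilot Profile Automatically Set by Zip Security"


def verify_enrollment(group_members, autopilot_devices, expected_profile=EXPECTED_PROFILE):
    """Reconcile Autopilot group members against the Autopilot devices list.

    Returns a dict with one list per outcome:
      ok             - registered, profile status Assigned, expected profile
      wrong_profile  - Assigned, but to a different profile (another config won)
      not_assigned   - registered, but profile status is not yet "Assigned"
      missing        - group member with no Autopilot registration at all
      not_in_group   - registered devices that are not members (informational)
    """
    by_id = {d["azureAdDeviceId"]: d for d in autopilot_devices}
    result = {"ok": [], "wrong_profile": [], "not_assigned": [], "missing": [], "not_in_group": []}
    member_ids = set()
    for m in group_members:
        member_ids.add(m["deviceId"])
        ap = by_id.get(m["deviceId"])
        if ap is None:
            result["missing"].append(m["displayName"])
        elif ap["profileStatus"] != "Assigned":
            result["not_assigned"].append((m["displayName"], ap["profileStatus"]))
        elif ap["assignedProfile"] != expected_profile:
            result["wrong_profile"].append((m["displayName"], ap["assignedProfile"]))
        else:
            result["ok"].append(m["displayName"])
    for dev_id, ap in by_id.items():
        if dev_id not in member_ids:
            result["not_in_group"].append(ap["serial"])
    return result


# Constructed sample exports (not real tenant data).
GROUP_MEMBERS = [
    {"deviceId": "d-0001", "displayName": "ZIP-MJ0JHYD9"},
    {"deviceId": "d-0002", "displayName": "ZIP-7K2PQ4RT"},
    {"deviceId": "d-0003", "displayName": "ZIP-A1B2C3D4"},
    {"deviceId": "d-0004", "displayName": "ZIP-ENG-0432"},
]
AUTOPILOT_DEVICES = [
    {"azureAdDeviceId": "d-0001", "serial": "MJ0JHYD9", "profileStatus": "Assigned",
     "assignedProfile": EXPECTED_PROFILE},
    {"azureAdDeviceId": "d-0002", "serial": "7K2PQ4RT", "profileStatus": "Not assigned",
     "assignedProfile": None},
    {"azureAdDeviceId": "d-0004", "serial": "QX9L2M1V", "profileStatus": "Assigned",
     "assignedProfile": "Engineering Autopilot Profile (hypothetical)"},
    {"azureAdDeviceId": "d-0009", "serial": "ZZ1ZZ2ZZ", "profileStatus": "Assigned",
     "assignedProfile": EXPECTED_PROFILE},
]

if __name__ == "__main__":
    for outcome, devices in verify_enrollment(GROUP_MEMBERS, AUTOPILOT_DEVICES).items():
        print(f"{outcome:14s} {devices}")
```

Only the "missing" bucket calls for the forced check-in described in the last step; a device in "not_assigned" has already registered and usually just needs more time, and a device in "wrong_profile" means a second Autopilot profile is targeting it and the group assignments need review rather than a resync.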