3. Assigning profiles to individual Windows Autopilot registered devices
Aim: To understand the various methods used to apply profiles that instruct Windows Autopilot registered devices how to enrol.
The Windows Autopilot deployment profile provides the instructions to enrol the device to Intune. The profile customises the Windows out-of-box experience (OOBE) for your end users depending on the deployment mode used (user-driven or self-deploying).
- When using self-deploying mode (typically used for kiosk devices), only compliance policies targeting the device will be applied. As such, it is not appropriate for devices intended for end users. For shared devices, consider implementing Shared PC mode, which was covered in the Level 100 Intune course.
A Windows Autopilot profile can be assigned to a device in one of two ways:
- Create a device security group in Azure Active Directory with assigned membership (not dynamic membership) and assign a Windows Autopilot deployment profile to that group. All devices in that group will get the profile assigned. Allow 15 minutes to 48 hours for the registration to be processed.
- Link a Windows Autopilot deployment profile directly to a device from the Microsoft 365 admin center at admin.microsoft.com/#/PrepareWindows (note there is no option to link a profile to a registered device from the Microsoft Endpoint Manager admin center). In practice, this completes within 15 minutes.
When an Internet-connected Windows device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. The Autopilot profile is downloaded as soon as possible, and again after each reboot. If no profile is assigned to the device, Windows out-of-box experience will load as usual as there are no further instructions for the device to complete. Once the device is enrolled to Intune, it can be managed with targeted apps and profiles.
Best practice is to create a security group for your Autopilot devices with assigned membership. You can then add Autopilot registered devices to the group manually (“Autopilot devices that aren’t yet enrolled are devices where the name equals the serial number of the device.”) and wait (15 minutes to 48 hours) for the profile assigned to the group to be assigned to each device.
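One way to script the manual group step with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original course material. The group name and serial numbers are constructed placeholders, and the script assumes a tenant sign-in with the scopes shown.

```powershell
# Added example: add Autopilot registered devices to an assigned-membership group.
# Requires the Microsoft.Graph PowerShell SDK. Values below are constructed placeholders.
$GroupName = 'Autopilot-Devices-Assigned'      # hypothetical group name
$Serials   = @('SERIAL-0001', 'SERIAL-0002')   # constructed sample serial numbers

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All',
                        'DeviceManagementServiceConfig.Read.All'

# Resolve the target group and insist on exactly one match.
$groups = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
if ($groups.Count -ne 1) { throw "Expected exactly one group named '$GroupName'." }
$group = $groups[0]

# This section calls for assigned (not dynamic) membership, so refuse dynamic groups.
if ($group.GroupTypes -contains 'DynamicMembership') {
    throw "'$GroupName' uses dynamic membership; members cannot be added manually."
}

# Load the Autopilot registrations once and filter client-side by serial number.
$autopilot = @(Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All)
$memberIds = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object Id)

foreach ($serial in $Serials) {
    $ap = $autopilot | Where-Object SerialNumber -eq $serial | Select-Object -First 1
    if (-not $ap) {
        Write-Warning "$serial is not registered with Autopilot; skipping."
        continue
    }

    # Map the Autopilot registration to its Azure AD device object.
    $aad = Get-MgDevice -Filter "deviceId eq '$($ap.AzureActiveDirectoryDeviceId)'"
    if (-not $aad) {
        Write-Warning "$serial has no Azure AD device object yet; skipping."
        continue
    }

    if ($memberIds -contains $aad.Id) {
        Write-Host "$serial is already a member of '$GroupName'."
        continue
    }

    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $aad.Id
    Write-Host "Added $serial ($($aad.DisplayName)) to '$GroupName'."
}
```

Adding a device to the group does not assign the profile immediately; the 15 minutes to 48 hours processing window described above still applies.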
Related:
- https://learn.microsoft.com/en-us/mem/autopilot/profiles
- https://learn.microsoft.com/en-us/mem/intune/enrollment/tutorial-use-autopilot-enroll-devices#create-an-autopilot-device-group
- https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-targeting-apps-and-policies-with-windows-autopilot/bc-p/3707824/