Pre-provision Microsoft Entra join: Create and assign a pre-provisioned Microsoft Entra join Autopilot profile

Windows Autopilot for pre-provisioned deployment Microsoft Entra join steps:

  • Step 6: Create and assign Autopilot profile

For an overview of the Windows Autopilot for pre-provisioned deployment Microsoft Entra join workflow, see Windows Autopilot for pre-provisioned deployment Microsoft Entra join overview.

Create and assign a pre-provisioned Microsoft Entra join Autopilot profile

The Autopilot profile specifies how the device is configured during Windows Setup and what is shown during the out-of-box experience (OOBE).

When an admin creates an Autopilot profile for the pre-provisioned scenario, devices with this Autopilot profile are associated with the user enrolling the device. User credentials are required to enroll the device.

The difference between an Autopilot pre-provisioned Microsoft Entra join and an Autopilot Microsoft Entra hybrid join is that the pre-provisioned Microsoft Entra join scenario only joins Microsoft Entra ID during Autopilot. The Microsoft Entra hybrid join scenario joins both an on-premises domain and Microsoft Entra ID during Autopilot.

Tip

For Configuration Manager admins, the Autopilot profile is similar to some of the configuration that takes place during a task sequence via an unattend.xml file. The unattend.xml file is configured during the Apply Windows Settings and Apply Network Settings steps. Autopilot doesn't use unattend.xml files.

To create a pre-provisioned Microsoft Entra join Autopilot profile, follow these steps:

  1. Sign into the Microsoft Intune admin center.

  2. In the Home screen, select Devices in the left hand pane.

  3. In the Devices | Overview screen, under By platform, select Windows.

  4. In the Windows | Windows devices screen, under Device onboarding, select Enrollment.

  5. In the Windows | Windows enrollment screen, under Windows Autopilot, select Deployment Profiles.

  6. In the Windows Autopilot deployment profiles screen, select the Create Profile drop down menu and then select Windows PC.

  7. The Create profile screen opens. In the Basics page:

    1. Next to Name, enter a name for the Autopilot profile.

    2. Next to Description, enter a description.

    3. Select Next.

      Note

      Microsoft recommends setting the option Convert all targeted devices to Autopilot to Yes. This tutorial concentrates on new devices where the device is manually imported as an Autopilot device using the hardware hash. However, this option can be helpful when assigning Autopilot profiles to device groups that contain existing devices. For example, this option is helpful when using the Windows Autopilot for existing devices scenario. With Windows Autopilot for existing devices, existing devices might need to be registered as an Autopilot device after the Autopilot deployment completes. For more information, see Register device for Windows Autopilot.

  1. In the Out-of-box experience (OOBE) page:

    • For Deployment mode, select User-driven.

    • For Join to Microsoft Entra ID as, select Microsoft Entra joined.

    • For Microsoft Software License Terms, select Hide to skip the EULA page.

    • For Privacy settings, select Hide to skip the privacy settings.

    • For Hide change account options, select Hide.

    • For User account type, select the desired account type for the user (Administrator or Standard user). If Administrator is chosen, the user is added to the local Admin group.

    • For Allow pre-provisioned deployment, select Yes.

    • For Language (Region), select Operating system default to use the default language for the operating system being configured. If another language is desired, select the desired language from the drop-down list.

    • For Automatically configure keyboard, select Yes to skip the keyboard selection page.

    • For Apply device name template, select No. Alternatively, Yes can be chosen to apply a device name template. Be aware of the following if the name template is selected to Yes:

      • Names must be 15 characters or less, and can have letters, numbers, and hyphens.
      • Names can't be all numbers.
      • Use the %SERIAL% macro to add a hardware-specific serial number.
      • Use the %RAND:x% macro to add a random string of numbers, where x equals the number of digits to add.

    Note

    The above settings are selected to minimize needed user interaction during device setup. However, some of the settings that are hidden can instead be shown as desired. For example, some regions might require that Privacy settings always be shown.

    Note

    If the language/region and keyboard screens are set to hidden, they might still be displayed if there's no network connectivity at the start of the Autopilot deployment. When there's no network connectivity at the start of the deployment, the Autopilot profile, where the settings to hide these screens is defined, hasn't downloaded yet. Once network connectivity is established, the Autopilot profile is downloaded and any additional screen settings should work as expected.

  1. Once the options in the Out-of-box experience (OOBE) page are configured as desired, select Next.

  2. In the Assignments page:

    1. Under Included groups, select Add groups.

    Note

    Make sure to add the correct device groups under Included groups and not under Excluded groups. Accidentally adding the desired device groups under Excluded groups prevents devices in those device groups from receiving the Autopilot profile.

    1. In the Select groups to include window that opens, select the groups that the Windows Autopilot profile should be assigned to. These device groups are normally the device groups created in the previous Create device group step. Once done, select Select.

    2. Under Included groups > Groups, ensure the correct groups are selected, and then select Next.

  3. In the Review + Create page, verify that all settings are set correctly, and then select Create to create the Autopilot profile.

Verify device has an Autopilot profile assigned to it

Before deploying a device, ensure that an Autopilot profile is assigned to a device group that the device is a member of. Autopilot profile assignment to a device can take some time after the Autopilot profile is assigned to the device group or after the device is added to the device group. To verify that the profile is assigned to a device, follow these steps:

  1. Sign into the Microsoft Intune admin center.

  2. In the Home screen, select Devices in the left hand pane.

  3. In the Devices | Overview screen, under By platform, select Windows.

  4. In the Windows | Windows devices screen, under Device onboarding, select Enrollment.

  5. In the Windows | Windows enrollment screen, under Windows Autopilot, select Devices.

  6. In the Windows Autopilot devices screen that opens:

    1. Find the desired device that Autopilot deployment profile assignment status needs to be checked.

    2. Once the device is located, its current status is listed under the Profile status column. The status has one of the following values:

      Before starting the Autopilot deployment process on a device, make sure that in the Windows Autopilot devices page:

      • The device's Profile status status is Assigned.
      • In the properties of the device, Date assigned has a value.
      • In the properties of the device, Assigned profile displays the expected Autopilot profile.

Note

Intune periodically checks for new devices in the assigned device groups, and then begins the process of assigning profiles to those devices. Due to several different factors involved in the process of Autopilot profile assignment, an estimated time for the assignment can vary from scenario to scenario. These factors can include Microsoft Entra groups, membership rules, hash of a device, Intune and Autopilot services, and internet connection. The assignment time varies depending on all the factors and variables involved in a specific scenario.

Next step: Assign Autopilot device to a user (optional) or Technician flow

If a user isn't being assigned to the device, then skip to Step 8: Technician flow.

For more information on configuring Autopilot profiles, see the following articles: