User-driven Microsoft Entra join: Create and assign user-driven Microsoft Entra join Autopilot profile
Autopilot user-driven Microsoft Entra join steps:
- Step 1: Set up Windows automatic Intune enrollment
- Step 2: Allow users to join devices to Microsoft Entra ID
- Step 3: Register devices as Autopilot devices
- Step 4: Create a device group
- Step 5: Configure and assign Autopilot Enrollment Status Page (ESP)
- Step 6: Create and assign Autopilot profile
- Step 7: Assign Autopilot device to a user (optional)
- Step 8: Deploy the device
For an overview of the Windows Autopilot user-driven Microsoft Entra join workflow, see Windows Autopilot user-driven Microsoft Entra join overview.
Create and assign user-driven Microsoft Entra join Autopilot profile
The Autopilot profile specifies how the device is configured during Windows Setup and what is shown during the out-of-box experience (OOBE).
When an admin creates an Autopilot profile for the user-driven scenario, devices with this Autopilot profile are associated with the user enrolling the device. User credentials are required to enroll the device.
The difference between an Autopilot user-driven Microsoft Entra join and an Autopilot Microsoft Entra hybrid join is that the user-driven Microsoft Entra join scenario only joins Microsoft Entra ID during Autopilot. The Microsoft Entra hybrid join scenario joins both an on-premises domain and Microsoft Entra ID during Autopilot.
Tip
For Configuration Manager admins, the Autopilot profile is similar to some of the configuration that takes place during a task sequence via an unattend.xml
file. The unattend.xml
file is configured during the Apply Windows Settings and Apply Network Settings steps. Note however that Autopilot doesn't use unattend.xml
files.
To create a user-driven Microsoft Entra join Autopilot profile, follow these steps:
Sign into the Microsoft Intune admin center.
In the Home screen, select Devices in the left hand pane.
In the Devices | Overview screen, under By platform, select Windows.
In the Windows | Windows devices screen, under Device onboarding, select Enrollment.
In the Windows | Windows enrollment screen, under Windows Autopilot, select Deployment Profiles.
In the Windows Autopilot deployment profiles screen, select the Create Profile drop down menu and then select Windows PC.
The Create profile screen opens. In the Basics page:
Next to Name, enter a name for the Autopilot profile.
Next to Description, enter a description.
Select Next.
Note
Microsoft recommends setting the option Convert all targeted devices to Autopilot to Yes. This tutorial concentrates on new devices where the device is manually imported as an Autopilot device using the hardware hash. However, this option can be helpful when assigning Autopilot profiles to device groups that contain existing devices. For example, this option is helpful when using the Windows Autopilot for existing devices scenario. With Windows Autopilot for existing devices, existing devices might need to be registered as an Autopilot device after the Autopilot deployment completes. For more information, see Register device for Windows Autopilot.
In the Out-of-box experience (OOBE) page:
For Deployment mode, select User-driven.
For Join to Microsoft Entra ID as, select Microsoft Entra joined.
For Microsoft Software License Terms, select Hide to skip the EULA page.
For Privacy settings, select Hide to skip the privacy settings.
For Hide change account options, select Hide.
For User account type, select the desired account type for the user. The options are either Administrator or Standard user. If Administrator is chosen, the user is added to the local Administrator group for the device.
For Allow pre-provisioned deployment, select No.
Note
For the Windows Autopilot for pre-provisioned deployment Microsoft Entra join scenario, see Step by step tutorial for Windows Autopilot for pre-provisioned deployment Microsoft Entra join in Intune
For Language (Region), select Operating system default to use the default language for the operating system being configured. If another language is desired, select the desired language from the drop-down list.
For Automatically configure keyboard, select Yes to skip the keyboard selection page.
For Apply device name template, select No. Alternatively, Yes can be chosen to apply a device name template. Be aware of the following if the name template is selected to Yes:
- Names must be 15 characters or less, and can have letters, numbers, and hyphens.
- Names can't be all numbers.
- Use the %SERIAL% macro to add a hardware-specific serial number.
- Use the %RAND:x% macro to add a random string of numbers, where x equals the number of digits to add.
Note
The above settings are selected to minimize needed user interaction during device setup. However, some of the settings that are hidden can instead be shown as desired. For example, some regions might require that Privacy settings always be shown.
Note
If the language/region and keyboard screens are set to hidden, they might still be displayed if there's no network connectivity at the start of the Autopilot deployment. The settings to hide these screens are defined in the Autopilot profile. However, if there's no network connectivity, the Autopilot profile with the settings hasn't downloaded yet which results in the screens being displayed. Once network connectivity is established, the Autopilot profile is downloaded and any additional screen settings should work as expected.
Once the options in the Out-of-box experience (OOBE) page are configured as desired, select Next.
In the Assignments page:
- Under Included groups, select Add groups.
Note
Make sure to add the correct device groups under Included groups and not under Excluded groups. Accidentally adding the desired device groups under Excluded groups prevents devices in those device groups from receiving the Autopilot profile.
In the Select groups to include window that opens, select the groups that the Windows Autopilot profile should be assigned to. These device groups are normally the device groups created in the previous Create device group step. Once done, select Select.
Under Included groups > Groups, ensure the correct groups are selected, and then select Next.
In the Review + Create page, verify that all settings are set correctly, and then select Create to create the Autopilot profile.
Verify device has an Autopilot profile assigned to it
Before deploying a device, ensure that an Autopilot profile is assigned to a device group that the device is a member of. Autopilot profile assignment to a device can take some time after the Autopilot profile is assigned to the device group or after the device is added to the device group. To verify that the profile is assigned to a device, follow these steps:
Sign into the Microsoft Intune admin center.
In the Home screen, select Devices in the left hand pane.
In the Devices | Overview screen, under By platform, select Windows.
In the Windows | Windows devices screen, under Device onboarding, select Enrollment.
In the Windows | Windows enrollment screen, under Windows Autopilot, select Devices.
In the Windows Autopilot devices screen that opens:
Find the desired device that Autopilot deployment profile assignment status needs to be checked.
Once the device is located, its current status is listed under the Profile status column. The status has one of the following values:
Not assigned: An Autopilot deployment profile isn't assigned to the device.
Assigning: An Autopilot deployment profile is being assigned to the device.
Assigned: An Autopilot deployment profile is assigned to the device.
Fix pending: When a hardware change occurs on a device, this status displays while Intune tries to register the new hardware. When the link for the Fix pending status is selected, the following message appears:
We've detected a hardware change on this device. We're trying to automatically register the new hardware. You don't need to do anything now; the status will be updated at the next check in with the result.
If Intune is able to successfully register the new hardware, Intune updates the profile status when the device next checks into Intune. For more information on the Fix pending status, see the following articles:
Attention required: If Intune is unable to register the new hardware after a hardware change occurs on a device, the device can't receive the Autopilot profile until the device is reset and the device re-registers. For more information on this status and how to deregister/re-register a device, see the following articles:
Before starting the Autopilot deployment process on a device, make sure that in the Windows Autopilot devices page:
- The device's Profile status status is Assigned.
- In the properties of the device, Date assigned has a value.
- In the properties of the device, Assigned profile displays the expected Autopilot profile.
Note
Intune periodically checks for new devices in the assigned device groups, and then begins the process of assigning profiles to those devices. Due to several different factors involved in the process of Autopilot profile assignment, an estimated time for the assignment can vary from scenario to scenario. These factors can include Microsoft Entra groups, membership rules, hash of a device, Intune and Autopilot services, and internet connection. The assignment time varies depending on all the factors and variables involved in a specific scenario.
Next step: Assign Autopilot device to a user (optional)
If a user isn't being assigned to the device, then skip to Step 8: Deploy the device.
Related content
For more information on configuring Autopilot profiles, see the following articles: