This post will describe how you setup Intune (MEM) via Autopilot.


Make sure you have checked the following things:

Setup basics

Domain DNS TXT records

Configure the domain name and required DNS TXT records.
You can follow the steps described on

User and licenses

Create a test user on your on-prem AD environment.
We need a AD users, as we want to create a co-managed MECM environment, on which we want to publish MECM application to AD groups of which this user is going to be member of.
If we would have created a native AAD user this will not work.

Assign a location to the user and make sure you assign the following license to this user to get a working Intune Autopilot setup with Office for the user:

  • Enterprise Mobility + Security E3
  • Intune
  • Office 365 E3

MDM Authority

If you just started with Azure and Intune you can skip this step, otherwise if you have a older tenant version (pre-1911) follow the steps on

Enable device enrollment

In the Intune portal go to Devices > Enroll Devices > Windows enrollment > Automatic Enrollment
Change the MDM user scope from None to All

Click [Save]


We want use autopilot so that devices which we add to the Autopilot database based on their hardware hash, get automatically enrolled into our Intune tenant and got all the applicable Intune profiles (policies) and applications installed for that device based on AAD Dynamic group memberships which we dynamically add via the Autopilot group tag.

Create Dynamic AAD groups for Autopilot devices

First create a AAD group “WP-Devices-AutoPilot-AllDevices”
Change the Membership type to Dynamic Device 

Click on Add dynamic query and copy/paste the following query under Rule syntax (Edit):

(device.devicePhysicalIDs -any _ -contains "[ZTDId]")

[Save] and [Close]

Secondly create a AAD group “WP-Devices-AutoPilot-Laptops” which we will need for the Deployment Profile
Change the Membership type to Dynamic Device

Click on Add dynamic query and copy/paste the following query under Rule syntax (Edit):

(device.devicePhysicalIds -any (_ -match ".OrderId.:WP-.-LP"))

[Save] and [Create]

Create a Enrollment Status Page (ESP)

In the Intune portal go to Devices > Enroll devices > (General) > Enrollment Status Page

Click on [+ Create]


Toggle the “Show app and profile configuration progress” from No to Yes.
Change it to the following values:


For now we leave the “Block device use until required apps are installed if they are assigned to the user/device” set to all, once we have some application packaged and added to Intune, we will change this to Selected and select those applications we want to be 100% installed before a user can login and start using the device (for example a user needs Office and Chrome from the very first moment).

Assign this ESP to the “WP-Devices-AutoPilot-AllDevices” dynamic AAD group we just created.




The new ESP has been created, notice the priority of this being higher (1) as the Default one.

Create a Deployment Profile

In the Intune portal go to Devices > Enroll devices > (Windows Autopilot Deployment Program) > Deployment Profiles
Click on [+ Create profile] and select Windows PC


Configure the following settings (purple)


Assign to “WP-Devices-AutoPilot-Laptops”



Import device into Autopilot database

Install a clean “vanilla” Windows 11, do not sign on with your Microsoft account, just create a local account.

Open Powershell prompt (run as admin) and run the following cmdlets (accept all prompts with yes)

New-Item -Type Directory -Path "C:\HWID"
Set-Location -Path "C:\HWID"
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv

Copy the “AutopilotHWID.csv” file to a location from which you can import this into the Autopilot database via the Intune Management Portal (eg USB stick or Onedrive)

In the Intune portal go to Devices > Enroll devices > (Windows Autopilot Deployment Program) > Devices


Choose the exported CSV and click on [Import]
Intune is now importing the devices which can take a while 

(refresh after 5-10 minutes). Device is now imported.

Click on the device record and assign the group tag “WP-A-LP”

Click on refresh every 5 minutes.

It is very important to make sure the group tag is assigned and that the profile status changed to a assigned status!
This can take a while (up to 24 hours since it’s a complete new group, up to 30 minutes for new devices) as Azure AD needs to update the dynamic AAD group for the laptop.

Empty for now… just wait for it…

If you go to Dynamic membership rules, you can check via the Validate Rules if the Autopilot device status is passed as green OK:

After 1 hour the device got added automatically:

Notice the profile status has changed to Assigned to the Laptop Deployment Profile:

Reset device

Now that the Windows 11 device is imported in Autopilot and assigned to the deployment profile and ESP, we can reset it.

Wait 2 hours first, as processing by Microsoft can take some time…

On the Windows 11 device launch Powershell prompt (run as Admin) and type:

systemreset –factoryreset

[Remove everything]

[Just remove my files]


After a while Windows will automatically restart

Login with the username mail address 

Now you can see the Autopilot enrollment kicking off

After this is done, the device will reboot

Approve MFA

Setup a PIN

All done and set ! 🤠

In the Intune portal you will see the newly enrolled windows device

Comments are closed.