Monday, 18 August 2025

Getting Started with Windows Autopilot – Intune - Checklist


Windows Autopilot is a powerful tool for streamlining the deployment of new Windows devices—automating the configuration process and reducing IT overhead. But before jumping into testing or production use, it’s essential to ensure your environment is properly prepared.

 This guide provides a step-by-step checklist to help you establish a solid foundation for Autopilot in a lab or pilot environment. Whether you're just testing or building toward a larger rollout, these are the key setup steps you don’t want to miss.

 

  1. Licensing: Don't Skip This Step

Before anything else, the users who will go through Autopilot must be licensed. What Autopilot actually depends on is an Intune license (for MDM enrollment) plus Microsoft Entra ID P1 or P2 (for automatic MDM enrollment, group-based licensing and dynamic groups), on a device running Windows Pro, Enterprise or Education. Microsoft 365 bundles that include all of this are:

 * Microsoft 365 Business Premium

* Microsoft 365 E3 / E5

* Education SKUs (A3/A5)

 Best Practice:

Create a security group (e.g., `Licensed Users`) and assign licenses to the group. This simplifies license management at scale. Group-based licensing itself needs Entra ID P1, and a user only receives a license if their usage location is set; a missing usage location is one of the most common reasons a pilot user shows up unlicensed.

 Steps:

 1. Go to [admin.microsoft.com](https://admin.microsoft.com)

2. Navigate to Billing > Licenses

3. Select your license (e.g., Microsoft 365 E5)

4. Choose Assign to Groups

5. Select your `Licensed Users` group
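Once the group assignment has had time to process, check that the pilot users really hold the service plans enrollment needs rather than trusting the SKU name. The script below is an added example, not part of the original post: it uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Users` module) to list each user's provisioned service plans and flag anyone missing Intune (`INTUNE_A`) or Entra ID P1 (`AAD_PREMIUM`). The user principal names are placeholders.

```powershell
# Added example (not from the original post): verify that each pilot user's assigned
# licenses actually provision the service plans Autopilot enrollment depends on.
# Requires the Microsoft.Graph.Users module (Install-Module Microsoft.Graph).
# The UPNs below are placeholders; replace them with your own pilot users.

Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

# Service plan identifiers as reported by Microsoft Graph:
#   INTUNE_A    - Microsoft Intune (MDM enrollment)
#   AAD_PREMIUM - Entra ID P1 (automatic MDM enrollment, group-based licensing, dynamic groups)
$requiredPlans = @('INTUNE_A', 'AAD_PREMIUM')

$pilotUsers = @('alice@yourcompany.com', 'bob@yourcompany.com')   # placeholders

foreach ($upn in $pilotUsers) {
    $licenses = Get-MgUserLicenseDetail -UserId $upn

    # Flatten every SKU's service plans and keep only the ones that are actually provisioned.
    # A plan disabled at the group level shows ProvisioningStatus 'Disabled' and is not counted.
    $active = $licenses.ServicePlans |
        Where-Object { $_.ProvisioningStatus -eq 'Success' } |
        Select-Object -ExpandProperty ServicePlanName

    $missing = $requiredPlans | Where-Object { $_ -notin $active }

    [pscustomobject]@{
        User         = $upn
        Skus         = ($licenses.SkuPartNumber -join ', ')
        MissingPlans = if ($missing) { $missing -join ', ' } else { '(none)' }
        Ready        = -not $missing
    }
}
```

A user with `Ready = False` will fail at the MDM enrollment step of Autopilot even though the Entra join succeeds, which is easy to misread as a profile or ESP problem.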

  πŸ” 2. Configure Enrollment Settings

Autopilot relies on Microsoft Entra ID (Azure AD) and Intune for enrollment.

 Entra ID Device Settings:

 1. Visit [entra.microsoft.com](https://entra.microsoft.com)

2. Go to Devices > Device Settings

3. Set Users may join devices to Entra ID → `All`

4. (Optional but recommended) Enable Require Multi-Factor Auth to register or join devices. In production, prefer enforcing this with a Conditional Access policy that targets the Register or join devices user action; the tenant-wide toggle is the quick option for a lab.

 Intune Automatic Enrollment:

1. Go to Devices > Enrollment > Automatic Enrollment

2. Set MDM User Scope to `All` (or to a pilot group). Leave MAM User Scope at `None` unless you need it: when both scopes cover the same user, MAM takes precedence for the Windows add-work-account (BYOD) flow and the device ends up without MDM management.

3. Click Save

 

 πŸŒ 3. Verify CNAME Validation (For Custom Domains)

 

If you're using a branded domain (e.g., `yourcompany.com`), the two MDM CNAME records let a user who enrols manually type just their email address and have Windows discover Intune. Autopilot itself enrols through the Entra join and does not strictly need them, but create and verify them anyway: the test in Intune catches a DNS mistake before anyone runs into it during a manual enrollment.

 Check CNAME Validation:

 1. In Intune, go to Devices > Enrollment > CNAME Validation

2. Enter your domain and click Test

3. A green check = success

 

📌 *This step is typically handled by whoever manages your domain and DNS records.*
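If the portal test fails, it helps to see what the resolver actually returns. The function below is an added example, not from the original post: it resolves the two records the CNAME Validation test checks and compares them with the targets Microsoft documents (`enterpriseenrollment-s.manage.microsoft.com` and `enterpriseregistration.windows.net`). `yourcompany.com` is a placeholder for your own domain; `Resolve-DnsName` comes with the Windows DnsClient module.

```powershell
# Added example (not from the original post): resolve the two CNAME records that
# Intune's CNAME Validation test checks, and compare them against the targets
# Microsoft documents. 'yourcompany.com' is a placeholder for your own domain.

function Test-MdmCname {
    param([Parameter(Mandatory)][string]$Domain)

    # Expected CNAME targets (the validation test in Intune checks the same pair)
    $expected = @{
        "enterpriseenrollment.$Domain"   = 'enterpriseenrollment-s.manage.microsoft.com'
        "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
    }

    foreach ($name in $expected.Keys) {
        try {
            # -Type CNAME returns the alias record; NameHost is the record's target
            $record = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                      Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            $target = $record.NameHost
        } catch {
            $target = $null    # NXDOMAIN, or no CNAME at that name
        }

        [pscustomobject]@{
            Name     = $name
            Target   = $target
            Expected = $expected[$name]
            Ok       = ($null -ne $target) -and ($target -ieq $expected[$name])
        }
    }
}

Test-MdmCname -Domain 'yourcompany.com' | Format-Table -AutoSize
```

A common failure is an A record or a CNAME pointing at a CDN where the `enterpriseenrollment` name should be; the `Target` column shows that immediately, whereas the portal only reports a red cross.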

 

 🔒 4. Set Platform Restrictions & Device Limits

 Enrollment restrictions keep personally owned Windows devices out of the tenant and cap how many devices one identity can enrol, which also limits what a single compromised user account can do with enrollment.

 Steps:

 1. Go to Devices > Enrollment. Platform and limit restrictions are two separate policies here: Device platform restrictions and Device limit restrictions.

2. Under Device platform restrictions, edit the default policy (it applies to All users) or create one targeted at your pilot group.

3. For Windows (MDM), block personally owned devices. Devices whose hardware hash is registered in Autopilot count as corporate-owned, so this does not interfere with Autopilot; it stops ad-hoc enrolments from unregistered machines.

4. Under Device limit restrictions, set a device limit (e.g., 3–5 devices per user). Entra ID has its own Maximum number of devices per user setting under Devices > Device settings; both are enforced, so the lower value is the effective limit.

 

 🧭 5. Create an Autopilot Deployment Profile

 Deployment profiles define the user experience during device setup.

 Steps:

 1. Go to Devices > Windows > Windows Enrollment > Deployment Profiles

2. Click + Create Profile

3. Choose Windows PC and User-Driven Mode

4. Hide OOBE elements (e.g., EULA, privacy settings) for simplicity

5. Set User account type to Standard, so the person enrolling does not end up as a local administrator on the device

6. Assign to a dynamic device group

 πŸ” Example:

Create a group like `Autopilot Devices` with a dynamic membership rule based on the device's Autopilot tag.
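The group and its rule can be created from PowerShell instead of the portal. The script below is an added example, not from the original post: it uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Groups` and `Microsoft.Graph.DeviceManagement.Enrollment` modules) to create a dynamic device group keyed on the Autopilot Group Tag, and then lists the registered Autopilot devices that carry that tag so you can see what the rule will pull in. The group name, mail nickname and the tag `LabPilot` are placeholders.

```powershell
# Added example (not from the original post): create the dynamic device group that the
# deployment profile is assigned to, keyed on the Autopilot Group Tag, which Intune stores
# in the device's physical IDs as "[OrderID]:<tag>". Names and the tag are placeholders.
# Requires Microsoft.Graph.Groups and Microsoft.Graph.DeviceManagement.Enrollment.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementServiceConfig.Read.All' -NoWelcome

$groupTag = 'LabPilot'   # the Group Tag set when the hardware hash was registered

# Rule scoped to one tag. A broader rule that matches every Autopilot-registered
# device in the tenant is: (device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))
$rule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:{0}"))' -f $groupTag

$group = New-MgGroup -DisplayName "Autopilot Devices - $groupTag" `
    -MailEnabled:$false -MailNickname "autopilot$($groupTag.ToLower())" `
    -SecurityEnabled:$true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

"Created group $($group.DisplayName) ($($group.Id)) with rule: $rule"

# Sanity check: which registered Autopilot devices carry that tag? These are the
# devices the rule will pull in once dynamic membership has been evaluated.
Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
    Where-Object { $_.GroupTag -eq $groupTag } |
    Select-Object SerialNumber, Manufacturer, Model, GroupTag, AzureActiveDirectoryDeviceId |
    Format-Table -AutoSize
```

Dynamic groups need Entra ID P1, and membership is evaluated asynchronously, so a device registered a moment ago may take some minutes to appear in the group and therefore in the profile assignment.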

 

 ⚙️ 6. Apply Basic Device Configuration

 Enforce baseline security and usability settings.

 To Configure:

 1. Go to Devices > Windows > Configuration Profiles

2. Create a policy using Templates > Device restrictions (or the Settings catalog, which exposes the same Policy CSP settings by name)

3. Apply to your Autopilot group

 Recommended Settings:

 * Disable developer mode

* Block Game DVR

* Prevent adding personal Microsoft accounts

* Block manual unenrollment

* Disable removable storage and internet sharing
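After the profile has been assigned and a test device has synced, confirm on the device itself that the restrictions landed. The script below is an added example, not from the original post: Intune delivers Policy CSP settings into the registry under `HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>`, and the function reads each setting that corresponds to the recommended restrictions above and reports drift. The mapping from portal labels to CSP names is the documented one; the function and its name are mine.

```powershell
# Added example (not from the original post): run on an enrolled test device to confirm
# the restrictions actually landed. Intune writes delivered Policy CSP values under
# HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>.

function Test-DeviceRestrictionBaseline {
    $base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

    # CSP area\setting                               expected   portal label
    $expected = [ordered]@{
        'ApplicationManagement\AllowDeveloperUnlock' = 0      # Developer mode: Block
        'ApplicationManagement\AllowGameDVR'         = 0      # Game DVR: Block
        'Accounts\AllowMicrosoftAccountConnection'   = 0      # Microsoft account: Block
        'Experience\AllowManualMDMUnenrollment'      = 0      # Manual unenrollment: Block
        'System\AllowStorageCard'                    = 0      # Removable storage: Block
        'Wifi\AllowInternetSharing'                  = 0      # Internet sharing: Block
    }

    foreach ($policy in $expected.Keys) {
        $area, $setting = $policy -split '\\', 2
        $key = Join-Path $base $area
        # Missing key or value means the setting was never delivered to this device
        $actual = (Get-ItemProperty -Path $key -Name $setting -ErrorAction SilentlyContinue).$setting

        [pscustomobject]@{
            Policy   = $policy
            Expected = $expected[$policy]
            Actual   = if ($null -eq $actual) { '(not delivered)' } else { $actual }
            Ok       = ($null -ne $actual) -and ([int]$actual -eq $expected[$policy])
        }
    }
}

Test-DeviceRestrictionBaseline | Format-Table -AutoSize
```

A row showing `(not delivered)` usually means the profile is not assigned to the group the device is in, or the device has not completed a sync yet; a wrong value points at a conflicting profile, which the Intune portal reports as a conflict on the device's configuration tab.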

 

 📦 7. Deploy Test Applications

 Add essential apps to verify app deployment and ESP functionality.

 Steps:

 1. Go to Apps > Windows > Add and choose the Microsoft Store app (new) type

2. This app type pulls packages from the Microsoft Store via WinGet. Search for and add:

    * Firefox

   * Visual Studio Code

   * Company Portal

 

💡 *Company Portal is key for self-service app access. Assign all three as Required to the Autopilot device group: only required apps can be tracked (and blocked on) by the Enrollment Status Page.*

 

 🔄 8. Set Up Windows Update Rings

 Ensure devices stay up to date—but on your terms.

 Steps:

 

1. Go to Devices > Windows > Windows Update > Update Rings

2. Create a profile (e.g., `Lab Update Ring`)

3. Key settings:

    * Feature updates deferral: 0 days

   * Quality updates deferral: 7 days

   * Pre-release builds: disabled (no Windows Insider channels on managed devices)

 

Apply the ring to your Autopilot group. Quality updates are where the monthly security fixes ship, so keep that deferral short and set a deadline and grace period in the ring so devices cannot postpone them indefinitely.

 

 📋 9. Define Device Compliance Policies

 

Compliance policies help track device health and enforce Conditional Access.

 Steps:

 1. Go to Devices > Compliance Policies and create a policy

2. Choose Windows 10 and later

3. Set rules like:

    * Require BitLocker (under Device Health; this is attested through Device Health Attestation and only reports correctly after the device has rebooted following encryption)

   * Require Secure Boot (Device Health)

   * Require encryption of data storage on device (System Security)

Apply this policy to your Autopilot devices. Also open Compliance policy settings and set Mark devices with no compliance policy assigned as to Not compliant; otherwise a device that your policy never reached is treated as compliant by Conditional Access.
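Before blaming the policy when a fresh device shows as noncompliant, look at the same facts the policy evaluates on the device itself. The function below is an added example, not from the original post: run it in an elevated PowerShell on a test device and it reports TPM state, Secure Boot, and BitLocker status of the OS drive using the built-in `Get-Tpm`, `Confirm-SecureBootUEFI` and `Get-BitLockerVolume` cmdlets. The function name and the `ReadyForPolicy` roll-up are mine.

```powershell
# Added example (not from the original post): run in an elevated PowerShell on a test
# device to see the facts the compliance policy will evaluate: TPM, Secure Boot and
# BitLocker on the OS drive. Confirm-SecureBootUEFI needs admin rights and throws on
# legacy-BIOS machines, which the catch below treats as "no Secure Boot".

function Get-ComplianceReadiness {
    $tpm = Get-Tpm
    try {
        $secureBoot = Confirm-SecureBootUEFI
    } catch {
        $secureBoot = $false        # not UEFI, or Secure Boot unsupported
    }
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive

    [pscustomobject]@{
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady          # owned, activated and usable
        SecureBoot       = $secureBoot
        BitLockerStatus  = $os.VolumeStatus       # e.g. FullyEncrypted, EncryptionInProgress
        BitLockerProtect = $os.ProtectionStatus   # On = key protectors are active
        EncryptionMethod = $os.EncryptionMethod
        # "Require BitLocker" (Device Health) is attested via Device Health Attestation after
        # a reboot, so a freshly encrypted device can still report noncompliant for a while.
        # "Require encryption of data storage" (System Security) reads the volume state directly.
        ReadyForPolicy   = ($tpm.TpmReady -and $secureBoot -and
                            ($os.VolumeStatus -eq 'FullyEncrypted') -and
                            ($os.ProtectionStatus -eq 'On'))
    }
}

Get-ComplianceReadiness | Format-List
```

`EncryptionInProgress` with `ProtectionStatus = Off` is the normal state minutes after Autopilot finishes; if it stays that way, check that the BitLocker policy (an Endpoint security disk encryption profile or the equivalent settings) is actually assigned to the device group.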

 

 🧪 10. Configure the Enrollment Status Page (ESP)

 

ESP ensures required policies and apps are installed before the user reaches the desktop.

 

1. Navigate to Devices > Enrollment > Windows Autopilot > Enrollment Status Page

2. Edit the default profile (it applies to all devices) or create one targeted at the Autopilot group

3. Turn Show app and profile configuration progress ON

4. Set Block device use until all apps and profiles are installed to Yes

5. Set Block device use until these required apps are installed to Selected and pick the apps; they must be assigned as Required to the same devices or users, or ESP will not wait for them

6. Set Allow users to use device if installation error occurs to No for the lab, so a failed provisioning surfaces as an error instead of handing over a partly configured device

 📌 Example:

 

* Required: Firefox, Company Portal

* Optional: Visual Studio Code

 

 πŸ Wrapping Up: A Solid Foundation

 With these 10 steps, your Autopilot lab (or pilot deployment) is ready for real testing. This isn't just a configuration guide—it's a practical starting point for modern provisioning.

 You'll likely tweak and expand on this as your environment evolves, but if you follow this checklist, you’ll avoid the most common roadblocks and be well-positioned for success.

  💬 Your Turn

 Have your own favorite tweaks or additions to Autopilot setup? Drop them in the comments or share how your tenant is structured—we all benefit from shared insights.

 
