Windows 10 AutoPilot - Part 2



  • Run Windows 10 with the October 2018 Update.
  • Have access to the Internet.
  • Have access to your Active Directory domain (a VPN connection is not supported).
  • Go through the OOBE (Out-of-Box Experience).

Enable Windows 10 automatic enrollment

  1. Sign in to the Azure portal > Azure Active Directory.
  2. Select Mobility > Microsoft Intune.
  3. Configure the user scope: it specifies which users' devices must be managed by Intune.

  • None: automatic MDM enrollment is disabled.
  • Some: select the groups whose users can automatically enroll their Windows 10 devices.
  • All: all users can automatically enroll their Windows 10 devices.

For the URL fields, leave the default values, then click Save.

Grant the Intune connector access to Active Directory

The Intune Connector for Active Directory creates, in the on-premises Active Directory domain, the computer objects for devices registered with Autopilot. The computer that hosts the Intune connector must therefore have the rights to create computer objects in the domain.

In some cases, computers do not have the right to create computer objects. In addition, domains have a built-in limit (10 by default) that applies to all users and computers that have not been delegated the right to create computer objects. The rights must therefore be delegated to the computers hosting the Intune connector, on the OU where the Hybrid Azure AD joined devices are created.


  1. Open Active Directory Users and Computers (dsa.msc).
  2. Right-click the organizational unit in which the Hybrid Azure AD joined computers will be created, then select Delegate Control.
  3. In the Delegation of Control Wizard, select Next > Add > Object Types.
  4. In the Object Types pane, check the Computers box, then select OK.
  5. Enter the name of the computer that hosts the Intune connector, select Check Names to validate the entry, select OK, then select Next.
  6. Select Create a custom task to delegate > Next.
  7. Check Only the following objects in the folder, then check Computer objects, Create selected objects in this folder and Delete selected objects in this folder. Click Next.
  8. Under Permissions, check Full Control. This selects all the other options; click Next, then Finish.
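The same delegation can be done from PowerShell, which also makes it easy to read back what was granted. The block below is an added example and is not part of the original post: it first reads the domain-wide limit the text refers to (the ms-DS-MachineAccountQuota attribute on the domain object, 10 by default), then grants the connector host the two rights the wizard delegates (Create/Delete Computer objects in the OU, and Full Control over the Computer objects created there). The computer name and OU distinguished name are placeholders for your environment, and the script must be run with rights to modify the OU's security descriptor.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# Delegation of Control wizard steps, plus a check of the machine-account quota.
# $ConnectorHost and $TargetOu are placeholders for your environment.
Import-Module ActiveDirectory   # also provides the AD: PSDrive used below

$ConnectorHost = 'INTUNE-CONNECTOR01'                               # placeholder: host running the Intune connector
$TargetOu      = 'OU=Autopilot,OU=Workstations,DC=corp,DC=example'  # placeholder: OU for Hybrid Azure AD joined devices

# The "built-in limit (10 by default)" is the ms-DS-MachineAccountQuota attribute on the domain object.
function Get-MachineAccountQuota {
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

# Grant the connector host what the wizard delegates:
#  - Create/Delete Computer objects in the OU (and its sub-OUs)
#  - Full Control over the Computer objects created there
function Grant-ComputerObjectDelegation {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,          # sAMAccountName without the trailing '$'
        [Parameter(Mandatory)] [string] $OuDistinguishedName
    )
    $computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the Computer class
    $sid = (Get-ADComputer -Identity $ComputerName).SID

    # ACE 1: CreateChild + DeleteChild, restricted to the Computer object type
    $createDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $computerClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    # ACE 2: GenericAll (Full Control), inherited only by descendant Computer objects
    $fullControl = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClassGuid)

    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($fullControl)
    Set-Acl -Path $path -AclObject $acl
}

# Read back the ACEs now held by the connector host on that OU (identity looks like DOMAIN\HOST$).
function Get-ComputerObjectDelegation {
    param([string] $ComputerName, [string] $OuDistinguishedName)
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$ComputerName`$" } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
}

"ms-DS-MachineAccountQuota is $(Get-MachineAccountQuota) (default is 10)"
Grant-ComputerObjectDelegation -ComputerName $ConnectorHost -OuDistinguishedName $TargetOu
Get-ComputerObjectDelegation   -ComputerName $ConnectorHost -OuDistinguishedName $TargetOu | Format-Table -AutoSize
```

Scoping the delegation to the OU and to the Computer object class keeps the connector host from being able to create or modify anything else in the directory; the read-back at the end is what to compare against if a device later fails to get its computer object created.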

Installing the Intune connector for Active Directory

  1. Sign in to the Intune management portal (Microsoft 365 Device Management).
  2. Go to Device enrollment > Windows enrollment > Intune Connector for Active Directory (Preview).
  3. Click Add.
  4. Download the on-premises Intune Connector for Active Directory.
  5. Run the installer and, once it has finished, click Configure now.
  6. Sign in to Intune by clicking the Sign In button.
  7. Once the operation completes, a message confirms that the connector was configured successfully.
  8. Check in the Microsoft 365 Device Management portal that the connector is listed and active.

Creating a device group

  1. In Intune, select Groups > New group.
  2. In the Group pane, do the following:

  • For Group type, select Security.
  • Fill in the Group name and Group description fields.
  • Select a Membership type.

If you selected Dynamic devices as the membership type, select Dynamic device members in the Group pane, then enter one of the following in the Advanced rule box:

  • To create a group that includes all your Autopilot devices, enter (device.devicePhysicalIDs -any _ -contains "[ZTDId]").
  • To create a group that includes all your Autopilot devices with a specific order ID, enter (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881").
  • To create a group that includes all your Autopilot devices with a specific purchase order ID, enter (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342").

Select Add query, then Create.
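The same dynamic group can be created from PowerShell with the AzureAD module, which is convenient when the group has to exist in several tenants or be recreated consistently. The block below is an added example and is not part of the original post: it builds the advanced rule for each of the three cases above, creates a security group with dynamic device membership and rule processing switched on, then reads the group back and lists its current members. The group names are placeholders; the order ID is the sample value used in the post.

```powershell
# Added example (not from the original post): create the Autopilot dynamic device
# group with the AzureAD module, using the same three membership rules as the portal steps.
# Group display names are placeholders.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Build the advanced rule for one of the three cases described in the post.
function Get-AutopilotMembershipRule {
    param(
        [Parameter(Mandatory)] [ValidateSet('AllDevices', 'OrderId', 'PurchaseOrderId')] [string] $Scope,
        [string] $Value   # order ID or purchase order ID; ignored for AllDevices
    )
    switch ($Scope) {
        'AllDevices'      { '(device.devicePhysicalIDs -any _ -contains "[ZTDId]")' }
        'OrderId'         { "(device.devicePhysicalIds -any _ -eq `"[OrderID]:$Value`")" }
        'PurchaseOrderId' { "(device.devicePhysicalIds -any _ -eq `"[PurchaseOrderId]:$Value`")" }
    }
}

# Security group, dynamic device membership, rule processing switched on (the portal's "Dynamic devices").
function New-AutopilotDeviceGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    New-AzureADMSGroup -DisplayName $DisplayName `
        -Description 'Autopilot devices (dynamic membership)' `
        -MailEnabled $false -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled $true -GroupTypes 'DynamicMembership' `
        -MembershipRule $MembershipRule -MembershipRuleProcessingState 'On'
}

# One group for every Autopilot device, one for the order ID used as a sample in the post.
$allRule   = Get-AutopilotMembershipRule -Scope AllDevices
$orderRule = Get-AutopilotMembershipRule -Scope OrderId -Value '179887111881'

$allGroup   = New-AutopilotDeviceGroup -DisplayName 'Autopilot - All devices'        -MembershipRule $allRule
$orderGroup = New-AutopilotDeviceGroup -DisplayName 'Autopilot - Order 179887111881' -MembershipRule $orderRule

# Membership is evaluated asynchronously: read each group back and list the members it has so far.
foreach ($created in $allGroup, $orderGroup) {
    $g = Get-AzureADMSGroup -Id $created.Id
    '{0}: rule = {1}; processing = {2}' -f $g.DisplayName, $g.MembershipRule, $g.MembershipRuleProcessingState
    Get-AzureADGroupMember -ObjectId $g.Id -All $true | Select-Object DisplayName, DeviceId
}
```

If the member list is empty right after creation, that is expected: dynamic membership is recalculated in the background, so check again a few minutes later before assigning the Autopilot profile to the group.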

Create and assign an Autopilot deployment profile

  1. In Intune, select Device enrollment > Windows enrollment > Deployment profiles > Create profile.
  2. Click Create profile.
  3. Configure the following options:

  • Enter a Name and, optionally, a Description.
  • For Deployment mode, select User-driven.
  • For Join to Azure AD as, select Hybrid Azure AD joined (Preview).
  • Select OOBE (Out-of-Box Experience), configure the options as needed, then select Save.

Create and assign a domain join profile

Create Profile

  1. In Intune, select Device configuration > Profiles > Create profile.
  2. Enter the following information:

  • Name: enter a descriptive name for the new profile.
  • Description: enter a description of the profile.
  • Platform: select Windows 10 and later.
  • Profile type: select Domain Join (Preview).
  • Select Settings, then enter a Computer name prefix, a Domain name and, optionally, an Organizational unit in DN format.

Click OK, then Create.
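The three values in the Settings pane have constraints that the portal only reports once you try to save: the computer name that Intune generates (prefix plus random characters) must fit the 15-character NetBIOS limit, the domain name must be a DNS name, and the OU must be a distinguished name. The block below is an added example and is not part of the original post: it validates those values locally and then creates the profile through the Microsoft Graph beta endpoint for device configurations. It assumes the windowsDomainJoinConfiguration resource type and property names of Graph beta as documented at the time, that you already hold an access token with the DeviceManagementConfiguration.ReadWrite.All permission, and that the number of random suffix characters is a setting you choose; all names and values are placeholders.

```powershell
# Added example (not from the original post): validate Domain Join profile values,
# then create the profile via Microsoft Graph (beta). Assumptions: the
# windowsDomainJoinConfiguration property names below, a pre-obtained access token,
# and a caller-chosen count of random suffix characters. Names/values are placeholders.

function Test-DomainJoinProfileSettings {
    param(
        [Parameter(Mandatory)] [string] $ComputerNamePrefix,
        [Parameter(Mandatory)] [int]    $RandomSuffixLength,   # random characters appended to the prefix
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $OrganizationalUnit                           # DN format, optional
    )
    $problems = @()
    # NetBIOS computer names are limited to 15 characters: prefix + random suffix must fit.
    if (($ComputerNamePrefix.Length + $RandomSuffixLength) -gt 15) {
        $problems += "prefix '$ComputerNamePrefix' plus $RandomSuffixLength random characters exceeds 15 characters"
    }
    if ($ComputerNamePrefix -notmatch '^[A-Za-z0-9-]+$') {
        $problems += "prefix '$ComputerNamePrefix' contains characters not allowed in a computer name"
    }
    if ($DomainName -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        $problems += "domain name '$DomainName' is not a DNS name"
    }
    if ($OrganizationalUnit -and $OrganizationalUnit -notmatch '^(OU=[^,]+,)+DC=[^,]+(,DC=[^,]+)*$') {
        $problems += "OU '$OrganizationalUnit' is not in DN format (OU=...,DC=...,DC=...)"
    }
    return $problems
}

function New-DomainJoinProfile {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $Name,
        [string] $Description = '',
        [Parameter(Mandatory)] [string] $ComputerNamePrefix,
        [Parameter(Mandatory)] [int]    $RandomSuffixLength,
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $OrganizationalUnit
    )
    $problems = Test-DomainJoinProfileSettings -ComputerNamePrefix $ComputerNamePrefix `
        -RandomSuffixLength $RandomSuffixLength -DomainName $DomainName -OrganizationalUnit $OrganizationalUnit
    if ($problems.Count -gt 0) { throw ("Invalid Domain Join settings: " + ($problems -join '; ')) }

    # Assumed Graph beta resource type for the Intune "Domain Join (Preview)" profile.
    $body = @{
        '@odata.type'                     = '#microsoft.graph.windowsDomainJoinConfiguration'
        displayName                       = $Name
        description                       = $Description
        computerNameStaticPrefix          = $ComputerNamePrefix
        computerNameSuffixRandomCharCount = $RandomSuffixLength
        activeDirectoryDomainName         = $DomainName
        organizationalUnit                = $OrganizationalUnit
    } | ConvertTo-Json

    Invoke-RestMethod -Method Post `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
        -Headers @{ Authorization = "Bearer $AccessToken" } `
        -ContentType 'application/json' -Body $body
}

# Usage with placeholder values; $token must hold a Graph access token obtained by your own tooling.
$token = '<access-token-placeholder>'
New-DomainJoinProfile -AccessToken $token -Name 'Autopilot Hybrid Join' `
    -Description 'Domain join settings for Autopilot Hybrid Azure AD joined devices' `
    -ComputerNamePrefix 'WKS-' -RandomSuffixLength 8 `
    -DomainName 'corp.example' -OrganizationalUnit 'OU=Autopilot,OU=Workstations,DC=corp,DC=example'
```

The OU given here should be the same one on which the connector host was delegated rights earlier; a mismatch between the two is the most common reason the connector cannot create the computer object during OOBE.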

Assign Profile

  1. In Intune, select Device configuration > Profiles, then select the profile created previously.
  2. Click Assignments, choose Include or Exclude groups, then select the groups to assign.
  3. Once these operations are done, select Save.

Steven Bart

Founder of - Vevey, Switzerland. I have been in IT since 2001 and work as a Workplace Architect, mainly dealing with the administration of MEMCM (SCCM) and the mass deployment of workstations and applications. Learn more about me.
