Windows Device enrollment

https://portal.azure.com/#blade/Microsoft_Intune_Enrollment/EnrollmentMenu/windowsEnrollment

Automatic Enrollment

– MDM and MAM on “Some”
– Select a group
– Save

If you have not yet created an autopilot group, you can find the instructions here.

Windows Hello for Business

– Properties
– Configure Windows Hello for Business: Enabled
– Use a Trusted Platform Module (TPM): Preferred
– Minimum PIN length: 6
– Maximum PIN length: 127
– Lowercase letters in PIN: Not allowed
– Uppercase letters in PIN: Not allowed
– Special characters in PIN: Not allowed
– PIN expirations (days): Never
– Remember PIN history: No
– Allow biometric authentication: Yes
– Use enhanced anti-spoofing when available: Yes
– Allow phone sign-in: Yes
– Use security keys for sign-in: Disabled
– Save

CNAME Validation

Type  | Hostname               | Points to                                  | TTL
CNAME | EnterpriseEnrollment   | enterpriseenrollment.manage.microsoft.com. | 1 hour
CNAME | EnterpriseRegistration | EnterpriseRegistration.windows.net.        | 1 hour
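
The two CNAME records above can be checked from any Windows machine before relying on automatic enrollment. The following PowerShell is an added example, not part of the original post; contoso.com is a placeholder domain and Test-EnrollmentCname is a hypothetical helper name.

```powershell
# Added example: verify the two enrollment CNAME records for a domain.
# 'contoso.com' is a placeholder; the expected targets are the ones in the table above.
function Test-EnrollmentCname {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Server   # optional: query a specific resolver instead of the default one
    )

    $expected = [ordered]@{
        'EnterpriseEnrollment'   = 'enterpriseenrollment.manage.microsoft.com'
        'EnterpriseRegistration' = 'enterpriseregistration.windows.net'
    }

    foreach ($label in $expected.Keys) {
        $fqdn  = "$label.$Domain"
        $query = @{ Name = $fqdn; Type = 'CNAME'; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $query.Server = $Server }

        $actual = $null
        $status = 'Missing'
        try {
            # Keep only CNAME answers whose owner name is the record we asked for
            $answer = Resolve-DnsName @query |
                Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $fqdn } |
                Select-Object -First 1
            if ($answer) {
                $actual = $answer.NameHost.TrimEnd('.')
                # String comparison with -eq is case-insensitive, like DNS names
                $status = if ($actual -eq $expected[$label]) { 'OK' } else { 'Mismatch' }
            }
        }
        catch {
            $status = "Lookup failed: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Record   = $fqdn
            Expected = $expected[$label]
            Actual   = $actual
            Status   = $status
        }
    }
}

Test-EnrollmentCname -Domain 'contoso.com' | Format-Table -AutoSize
```

A Mismatch row means the record exists but points somewhere other than the Microsoft endpoint listed in the table, and should be corrected before devices are enrolled.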

Enrollment Status Page

– Select Default
– Settings
– Show app and profile installation progress: Yes
– Show time limit error when installation takes longer than specified number of minutes
– Show custom message when time limit error occurs: Yes > Helpdesk contact info
– Allow users to collect logs about installation errors: No
– Block device use until all apps and profiles are installed: Yes
– Allow users to reset device if installation error occurs: Yes
– Allow users to use device if installation error occurs: Yes
– Block device use until these required apps are installed if they are assigned to the user/device: Selected or All

Deployment Profiles

Create profile
– Name: Autopilot profile
– Convert all targeted devices to Autopilot: Yes
– Deployment mode: User-Driven
– Join to Azure AD as: Azure AD joined
– Microsoft Software License Terms: Hide
– Privacy settings: Hide
– Hide change account options: Hide
– User account type: Choose Administrator or Standard
– Allow White Glove OOBE: Yes
– Apply device name template: Yes
Companyname-%RAND:x%
– Replace x with a digit; it sets how many random digits are appended to the name.
– Next > Next
– Select groups to include: Autopilot groups
– Next
– Create

Devices

– Import > Import

Add all computers that you want in Autopilot/Intune. You can import a .CSV file, which you can generate with a PowerShell script.

AutoPilot.ps1

# Run as administrator: re-launch elevated if the current session is not
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit }

# Allow scripts for this PowerShell process only
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force

# Create the output folder and download Get-WindowsAutoPilotInfo into it
$path = "C:\AutoPilotCSV"
If(!(Test-Path $path)) {New-Item -Type Directory -Force -Path $path}
Save-Script -Name Get-WindowsAutoPilotInfo -Path $path -Force

# Write this device's Autopilot info to a CSV named after the current user
. "$path\Get-WindowsAutoPilotInfo.ps1" -OutputFile "$path\$env:UserName.csv"

The .CSV file is saved in C:\AutoPilotCSV

At the screen above, press SHIFT + F10

NewPCAutoPilot.ps1

# Run as administrator: re-launch elevated if the current session is not
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit }

# Allow scripts for this PowerShell process only
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force

# Create the output folder and download Get-WindowsAutoPilotInfo into it
$path = "C:\AutoPilotCSV"
If(!(Test-Path $path)) {New-Item -Type Directory -Force -Path $path}
Save-Script -Name Get-WindowsAutoPilotInfo -Path $path -Force

# Write this device's Autopilot info to newpc.csv
. "$path\Get-WindowsAutoPilotInfo.ps1" -OutputFile "$path\newpc.csv"

Type powershell and press Enter
Run the above NewPCAutoPilot.ps1 script
cd c:\AutoPilotCSV\
copy newpc.csv X:\ (Change X:\ to USB letter)
shutdown /s /t 0