Configure an Autopilot profile in a lab Intune

Creating an Autopilot Profile

I created a new profile by navigating to "Devices > Enrollment > Deployment profiles".

I named the profile and left the "No" option to avoid converting all devices to "Autopilot".

I configured the OOBE for the profile with the following settings:

• Deployment mode: User-Driven
• Join to Microsoft Entra ID as: Microsoft Entra joined (Full Cloud)
• Microsoft Software License Terms: Hide
• Privacy settings: Hide
• Hide change account options: Hide
• User account type: Standard
• Allow pre-provisioned deployment: Yes
• Language (Region): Operating system default
• Automatically configure keyboard: Yes
• Apply device name template: Yes
• Enter a name: FRLAB-%SERIAL%

For groups, I didn’t assign any for now; I’ll do that later.

The Autopilot profile was successfully created.

First Attempt to Enroll a VM

To create a dynamic group that will include all devices with the "FRLAB" category, the device must first exist in Intune.

So, I powered on my Windows 11 VM (running on Hyper-V) and pressed Shift + F10 to open a command prompt on the VM.

Then, I switched the terminal to PowerShell.

Next, I installed the "WindowsAutopilotInfo" script and executed the command to associate the "FRLAB" group tag with the device.

Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo -Online -GroupTag 'FRLAB'

After running the command "Get-WindowsAutopilotInfo -Online -GroupTag 'FRLAB'", I logged in with my global admin account and approved the request to set up an Enterprise App "MS Graph Command Line Tools".

According to the output, the VM was successfully enrolled!

The VM is also visible in the Intune console.

Now that there’s a device in Intune, I added it to the "FRLAB-FullCloud-StaticGroup" group to later assign the Autopilot profile to it.

I then assigned the "FRLAB-FullCloud-StaticGroup" group to the Autopilot profile.

After about 15 minutes of waiting, the "Profile status" changed to "Assigned", and the Autopilot profile was applied!

Once the Autopilot profile was applied, I started the "White Glove Deployment" by pressing the "Windows" key 5 times.

Then I clicked on "Next".

And I got stuck with this error message.

Error TPM attestation timed out

According to Microsoft’s article, it’s not possible to perform Pre-provisioning with Windows Autopilot on virtual machines (VMs).

Second Attempt to Enroll a VM

Even though Pre-provisioning isn’t possible on a VM, standard provisioning with Windows Autopilot is entirely feasible.

First, I reverted to a previous checkpoint of my VM.

I also deleted the device from the Intune console.

I reinstalled the script and reran the Get-WindowsAutopilotInfo command.

I added the device to the group.

After 15 minutes of waiting, the "Profile status" changed to "Assigned", and I could see the "FRLAB" GroupTag.

I returned to the VM and restarted it.

After restarting, I logged in once with my account.

Then, I configured Windows Hello.

I successfully enrolled the first VM in my Intune lab!

The device is also visible in the Intune console with the name "FRLAB-%SERIAL%". The serial number wasn’t fully included due to a 15-character limit.

Creating a Dynamic "Autopilot" Group

I created a dynamic group to include all devices with the "FRLAB" category.

I used the "FRLAB" category, so I configured the dynamic group with this rule: (device.devicePhysicalIds -any "_ -startsWith "[OrderID]:FRLAB")

I can see my first VM in it.

Assigning the Autopilot Profile to the Dynamic Group

By navigating to "Devices > Enrollment > Windows Autopilot deployment profiles", I configured the "Autopilot Full Cloud" profile.

Then, I added the dynamic group to the "Included groups".

This means that when I enroll another VM with the "FRLAB" category, the dynamic group will automatically pick up the device, and the Autopilot profile will be assigned to it.