All insights
ProtectMicrosoft 365How-To Guide

Enrolling your first Windows laptops in Intune (and setting up Autopilot)

Set the MDM authority, build a compliance policy and baseline configuration profiles, enroll a Windows laptop, then register devices for Autopilot so a new machine provisions itself on first boot.

Wired CIOJune 6, 2026
The short version
  • Set the MDM authority to Intune and turn on Windows automatic enrollment.
  • Define health with a compliance policy and set it with configuration profiles.
  • Register devices via hardware hash, your reseller, or Autopilot device preparation.
  • A deployment profile gives new laptops a hands-free first boot.
Bottom line: Intune plus Autopilot turns a pile of laptops into encrypted, compliant machines that set themselves up on first sign-in.

Microsoft Intune is the device management service in Microsoft 365 (included in Business Premium), and Windows Autopilot is the feature that lets a brand-new laptop set itself up the first time someone signs in, with no IT person touching it. This guide takes you from an unmanaged pile of laptops to enrolled, compliant, managed devices, and then to a zero-touch first boot. It's for the admin setting this up for the first time on a small fleet. By the end you'll have the MDM authority set, a compliance policy and baseline profiles in place, one device enrolled and reporting compliant, and an Autopilot deployment profile ready to provision the next machine on its own.

Intune and Autopilot setup AUTHORITY Set MDM to Intune BASELINE Compliance + config profiles REGISTER Register for Autopilot PAYOFF Zero-touch first boot
From an unmanaged pile to a laptop that sets itself up.

Before you start

  • Global Administrator (or Intune Administrator) access.
  • Microsoft 365 Business Premium or a standalone Intune plan, with Intune licenses assigned to the users whose devices you'll enroll.
  • Windows 10 or Windows 11 Pro (or Enterprise) on the laptops. Home edition can't be managed this way.
  • A test laptop you can wipe, so you can watch a clean enrollment.
  • Your hardware vendor or reseller contact, if you want them to register new devices for Autopilot at purchase.

Step 1: Set the MDM authority to Intune

The MDM (mobile device management) authority tells Microsoft 365 which service manages devices. On most modern tenants it's already Intune, but confirm it.

  1. Sign in to the Microsoft Intune admin center (intune.microsoft.com).
  2. Go to Tenant administration, then look for the MDM authority indicator (newer tenants default to Intune and don't require a manual change).
  3. If it's anything other than Intune, set it to Intune.

Step 2: Turn on automatic enrollment for Windows

This makes Windows devices enroll into Intune automatically when a user joins them to your Microsoft Entra ID.

  1. In the Intune admin center, go to Devices, then Enrollment.
  2. Open the Windows tab and select Automatic Enrollment.
  3. Set MDM user scope to All (or to a pilot group while you test).
  4. Save.

Step 3: Create a compliance policy

A compliance policy defines what "healthy" means for a device. Conditional Access can then require compliance before granting access.

  1. Go to Devices, then Compliance, then Create policy.
  2. Choose platform Windows 10 and later, then Create.
  3. Set rules such as: require BitLocker, require Secure Boot, require a minimum OS version, and require Microsoft Defender Antimalware. Require a password or PIN to unlock.
  4. On Actions for noncompliance, keep the default of marking the device noncompliant (you can add a grace period and an email warning).
  5. Assign the policy to your users or device group, and create it.

Step 4: Create configuration profiles for the baseline

Where the compliance policy checks settings, configuration profiles set them. Create a couple of baseline profiles.

  1. Go to Devices, then Configuration, then Create, then New Policy.
  2. For BitLocker and screen lock, choose platform Windows 10 and later and the Settings catalog (or the Endpoint protection template), then configure BitLocker drive encryption and a screen-lock timeout.
  3. For Microsoft Defender, configure the antivirus and firewall settings you want enforced.
  4. Assign each profile to your group and create it.
Start With a Boring Baseline

Start with a small, boring baseline: BitLocker on, screen lock after a few minutes, Defender on, Secure Boot required. You can always add more controls later. A tight, ambitious first profile is the fastest way to lock yourself out of a test device and spend an afternoon untangling why. Get the basics green first.

Step 5: Enroll your first Windows device

Now join a test laptop and watch it enroll.

  1. On the test laptop, go to Settings, then Accounts, then Access work or school, then Connect, and choose Join this device to Microsoft Entra ID. (On a fresh out-of-box setup, you sign in with the work account during the initial Windows setup, which does the same thing.)
  2. Sign in with a licensed work account.
  3. Back in the Intune admin center, go to Devices, then Windows, and confirm the device appears.
  4. Give it time to check in, then confirm it shows the assigned policies and eventually reports as Compliant.

This is the manual path. Autopilot, next, removes the hands-on steps for future devices.

Step 6: Register devices for Windows Autopilot

Autopilot needs to know a device belongs to you before it can auto-provision it. There are two main paths in 2026.

Path A: Classic Autopilot with a hardware hash

The established method registers each device by its hardware identity.

  1. Have your reseller register devices to your tenant at purchase (the easiest route), or
  2. Collect the hardware hash yourself: on the device, run the Get-WindowsAutopilotInfo PowerShell script to export a CSV, then in the Intune admin center go to Devices, then Enrollment, then Windows, then Devices, and import the CSV.

Path B: Autopilot device preparation (the newer model)

Microsoft's newer Autopilot device preparation does not require a pre-collected hardware hash. Instead, a device provisions when a user signs in with their work account during setup, and a corporate identifier (manufacturer, model, serial number) distinguishes company devices from personal ones. This removes the hardware-hash collection step entirely.

Step 7: Build a deployment profile

The deployment profile controls what the out-of-box experience looks like (skip privacy screens, set the device naming, join to Entra ID).

  1. For classic Autopilot: go to Devices, then Enrollment, then Windows, then Deployment Profiles, then Create profile, then Windows PC.
  2. Choose Microsoft Entra joined, set the out-of-box experience options (hide license terms, hide privacy settings, set a naming template like "LAPTOP-%SERIAL%"), and assign the profile to your device group.
  3. For Autopilot device preparation: create the device preparation policy under the device preparation area, set the deployment settings and the security group that new devices land in, and assign it.

Step 8: Watch a zero-touch first boot

This is the payoff. Take a registered (or device-preparation-eligible) laptop, freshly reset.

  1. Power it on and connect it to the internet.
  2. At the sign-in screen, the user enters their work email and password.
  3. From there it provisions on its own: it joins Microsoft Entra ID, enrolls in Intune, pulls down your compliance policy and configuration profiles, installs assigned apps, and lands on a desktop that's already managed and encrypted.
  4. No IT person had to image it, name it, or configure it by hand.

Verify it worked

  1. In the Intune admin center, confirm the new device appears under Devices, then Windows, and shows as managed.
  2. Confirm it reports Compliant after it finishes checking in.
  3. On the device, check BitLocker is on (Settings, then the device encryption status) and that the screen-lock timeout matches your profile.
  4. If you've wired Conditional Access to compliance, confirm the user can reach the gated apps now that the device is compliant.

What to do next

You've gone from manual setup to a laptop that provisions itself, encrypted and compliant, the first time someone signs in. From here, common next steps are adding app deployment so key software installs automatically, setting up Windows Update rings to control patching, and connecting device compliance to your Conditional Access policies so only healthy laptops reach sensitive apps. If you'd like us to stand up Intune, build the baseline, and get Autopilot provisioning your next batch of laptops hands-free, that's a routine project for us, so reach out and we'll set it up with you.

Filed under
How-To Guide
Read more insights
Free strategy session

See where you stand. Then move forward.

Book a free intro call. We'll talk through where you are today and map a strategic plan for growth, protection, automation, and alignment.

A 30-minute discovery call, no obligationA full team of specialists at a fraction of in-house costA clear next step before you spend a dollar
Loading scheduler…