
1. Turn On the Device

  • The device is powered on for the first time (or after a reset).
  • The Out-of-Box Experience (OOBE) begins, presenting a welcome screen.

2. Network Connection

  • Wi-Fi Connection:
    • The device prompts for a Wi-Fi connection if it doesn’t automatically connect via Ethernet.
    • The user (or technician) selects the Wi-Fi network and enters the necessary credentials to connect.
  • Ethernet Connection (if available):
    • If the device is connected via Ethernet, it automatically connects to the network without user intervention.

3. Autopilot Profile Download

  • Device Contacts Autopilot Service:
    • Once connected to the internet, the device communicates with the Windows Autopilot deployment service using its hardware ID (Hardware Hash).
  • Profile Retrieval:
    • The device checks if an Autopilot profile is assigned to it.
    • The appropriate Autopilot profile, configured for Self-Deployment Mode, is downloaded and applied.
    • The device detects that the downloaded profile is configured for Self-Deployment Mode.

4. ESP Phase 1: Device Preparation

  • Azure AD Join:
    • The device automatically joins the organization’s Azure Active Directory (AAD) without requiring user credentials.
  • Intune Enrollment:
    • Following the Azure AD join, the device automatically enrolls into Microsoft Intune.
    • The device starts receiving configuration policies, compliance policies, and any required applications from Intune.

5. ESP Phase 2: Device Targeted Policy and Application Deployment

  • Device Configuration Policies:
    • Configuration policies such as security settings, device restrictions, and network configurations are applied.
  • Compliance Policies:
    • The device is checked against compliance policies (e.g., encryption, antivirus status) to ensure it meets organizational standards.
  • Application Deployment:
    • Required applications specified in the Intune profile are automatically installed, including the TruU Windows Authenticator application.

6. TruU enrollment wizard

  • The TruU enrollment wizard starts on the screen.
  • The user enters the required information (login ID, corporate email, etc., as configured by the admin) and starts the enrollment process.
  • TruU processes the request by validating the user status and presents the enrollment workflow (IVW).
  • The user selects the enrollment option (email or SMS).
  • TruU sends the enrollment code by email or SMS.
  • The user enters the code on the enrollment screen.
  • TruU processes the request and asks the user to set a TruU PIN and/or biometric (if the device has biometric capabilities).
  • The user sets the PIN and/or biometrics.
  • The TruU FIDO2 key is created in the backend automatically.
  • The user clicks the “Login using TruU” button to complete the initial Windows login.
  • The Windows desktop appears. (In the background, all user-assigned policies and apps are deployed.)

Note: Microsoft’s Autopilot does not support User ESP when login authentication is done via a FIDO2 key in Self-Deployment mode. However, the user-targeted policies and apps are still deployed in the background. You can watch the complete TruU-Intune Self-Deployment Autopilot end-user experience in the following video.
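
To check on a provisioned device that the Azure AD join and Intune enrollment from step 4 left the expected state, the output of `dsregcmd /status` can be parsed. This is an added example, not part of the original page or of TruU's or Microsoft's tooling; the function names `ConvertFrom-DsregStatus` and `Test-SelfDeployDeviceState` are hypothetical and the sample output is constructed.

```powershell
# Added example. $sample is constructed to mirror the "Name : Value" layout of
# `dsregcmd /status`; it was not captured from a real device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
              DomainJoined : NO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso (constructed)
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

# Hypothetical helper: turn "Name : Value" lines into a hashtable.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Section banners start with '+' or '|' and contain no " : " pair, so they are skipped.
        if ($line -match '^\s*(?<key>[^:|+]+?)\s+:\s+(?<value>.*\S)\s*$') {
            $state[$Matches['key']] = $Matches['value']
        }
    }
    return $state
}

# Hypothetical helper: report which step 4 outcomes are missing.
function Test-SelfDeployDeviceState {
    param([hashtable]$State)
    $findings = @()
    if ($State['AzureAdJoined'] -ne 'YES') {
        $findings += 'AzureAdJoined is not YES: the Azure AD join in step 4 did not complete.'
    }
    # Assumption: a populated MdmUrl is treated as a prerequisite for Intune enrollment.
    # It shows the MDM endpoint known to the device, not proof that policies were received.
    if ([string]::IsNullOrWhiteSpace($State['MdmUrl'])) {
        $findings += 'MdmUrl is empty: no MDM enrollment endpoint is recorded.'
    }
    [pscustomobject]@{ Passed = ($findings.Count -eq 0); Findings = $findings }
}

# On a provisioned device, pass the live output instead: -Lines (dsregcmd /status)
Test-SelfDeployDeviceState -State (ConvertFrom-DsregStatus -Lines $sample) | Format-List
```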