
Prerequisites

  1. Windows 10/11 device with Trusted Platform Module (TPM) 2.0.
  2. Intune Administrator account to configure the setup.
  3. Microsoft Intune and Entra ID P1 licenses.
  4. MDM user scope must be set.

Step 1: Create a dynamic device group with the Group tag for Self-deployment devices

  1. Sign in to the Microsoft Intune admin center > Groups > New Group.
  2. Select Security for Group type and give the group a name (e.g. Self-deployment devices).
  3. For Membership type, choose Dynamic Device.
  4. Select Add dynamic query.
  5. Enter the following rule syntax:
(device.devicePhysicalIds -any (_ -eq "[OrderID]:SelfDeployment"))
In this query, SelfDeployment is the Group Tag. Any device imported with the group tag SelfDeployment automatically becomes a member of this group.
  6. Save the created group.

Step 2: Create Self-Deployment mode Autopilot Profile

You can refer to the Microsoft article and create the self-deploying Autopilot profile as per your organization's requirements: Self-deploying Autopilot profile#Create and assign self-deploying-autopilot profile. Note: Assign the created Self-Deployment Autopilot Profile to the dynamic device group created in the previous step.

Step 3: Register devices as Autopilot devices

  1. Collect the hardware ID (hash) from each device that needs to be enrolled in self-deployment mode by referring to the /autopilot/add-devices#collect-the-hardware-hash
  2. Sign in to the Microsoft Intune admin center.
  3. In the Home screen, select Devices in the left-hand pane.
  4. In the Devices | Overview screen, under By platform, select Windows.
  5. In the Windows | Windows devices screen, under Device onboarding, select Enrollment.
  6. In the Windows | Windows enrollment screen, under Windows Autopilot, select Devices.
  7. In the Windows Autopilot devices screen that opens, select Import.
  8. Import the .csv (hardware hash) file for all devices that need to be enrolled.
  9. After the import is complete, select Sync. (A message displays saying that the sync is in progress. The sync process might take a few minutes to complete, depending on how many devices are being synchronized.)
  10. Click on the newly added devices and add the Group tag SelfDeployment.
  11. Once the Group tag has been assigned, wait for the Profile status to change from Unassigned to Assigned.
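The following PowerShell script is an added example (not part of the original page or a TruU-provided tool) that checks the TPM 2.0 prerequisite on a device and then collects its hardware hash with the SelfDeployment group tag already populated, so the imported CSV lands in the dynamic group from Step 1 without manual tagging. It assumes it is run as Administrator on the target device, that the output folder C:\HWID is acceptable, and that the Get-WindowsAutopilotInfo script is fetched from the PowerShell Gallery.

```powershell
# Added example: verify TPM 2.0, then collect the Autopilot hardware hash with the
# 'SelfDeployment' group tag so the CSV row matches [OrderID]:SelfDeployment.
# Assumptions: run elevated on the device; C:\HWID is a chosen output location;
# Get-WindowsAutopilotInfo is Microsoft's script from the PowerShell Gallery.

$OutputDir  = 'C:\HWID'               # assumption: where to write the CSV
$GroupTag   = 'SelfDeployment'        # must match the dynamic group query in Step 1
$OutputFile = Join-Path $OutputDir 'AutopilotHWID.csv'

# 1. Prerequisite check: a present, ready TPM whose spec version is 2.0.
$tpm     = Get-Tpm
$tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady) -or $tpmInfo.SpecVersion -notlike '2.0*') {
    throw "TPM 2.0 is required for self-deploying mode (present=$($tpm.TpmPresent), ready=$($tpm.TpmReady), spec=$($tpmInfo.SpecVersion))"
}

# 2. Fetch Microsoft's hardware-hash collection script from the PowerShell Gallery.
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force

# 3. Write the CSV with the group tag already set, so no manual tagging is needed
#    after the import in the Intune admin center.
Get-WindowsAutopilotInfo -OutputFile $OutputFile -GroupTag $GroupTag

# 4. Sanity-check the CSV before importing: every row needs a non-empty hardware
#    hash and the expected group tag, otherwise the device will not join the group.
$rows = @(Import-Csv -Path $OutputFile)
foreach ($row in $rows) {
    if ([string]::IsNullOrWhiteSpace($row.'Hardware Hash')) {
        throw "Missing hardware hash for serial $($row.'Device Serial Number')"
    }
    if ($row.'Group Tag' -ne $GroupTag) {
        throw "Unexpected group tag '$($row.'Group Tag')' for serial $($row.'Device Serial Number')"
    }
}
Write-Host "Ready to import: $OutputFile ($($rows.Count) device(s), group tag '$GroupTag')"
```

Importing a CSV produced this way still requires the Sync step above; the Group tag column only pre-fills what you would otherwise set by hand in step 10.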

Step 4: Package and Deploy TruU Windows Authenticator in Intune

Complete this step by following the instructions in the link Package and Deploy TruU Windows authenticator in Intune

Step 5: Configure and assign Autopilot Enrollment Status Page (ESP)

  1. Sign into the Microsoft Intune admin center.
  2. In the Home screen, select Devices in the left hand pane.
  3. In the Devices | Overview screen, under By platform, select Windows.
  4. In the Windows | Windows devices screen, under Device onboarding, select Enrollment.
  5. In the Windows | Windows enrollment screen, under Windows Autopilot, select Enrollment Status Page.
  6. In the Enrollment Status Page screen that opens, select Create.
  7. The Create profile screen opens. In the Basics page:
  8. Next to Name, enter a name for the ESP profile (e.g. Self-deployment ESP).
  9. Next to Description, enter a description.
  10. Select Next.
  11. In the Settings page, toggle the option Show app and profile configuration progress to Yes.
  12. Configure the settings as desired. However, make sure that you select the latest TruU for Windows application created in step 4 under "Block device use until these required apps are installed if they are assigned to the user/device:".
  13. Assign this ESP profile to the dynamic device group created earlier.

Step 6: Enable the Security Keys (FIDO2) sign-in

To enable the use of security keys using Intune, complete the following steps:
  1. Sign in to the Microsoft Intune admin center.
  2. Browse to Devices > Enroll Devices > Windows enrollment > Windows Hello for Business.
  3. Set Use security keys for sign-in to Enabled.
  4. Leave Configure Windows Hello for Business in the Not configured or Disabled state.
Note: This will not enable security keys on already provisioned devices. In that case, use the next method (Targeted Intune deployment).

Targeted Intune deployment: To target specific device groups to enable the credential provider, use the following custom settings via Intune:
  1. Sign in to the Microsoft Intune admin center.
  2. Browse to Devices > Windows > Configuration profiles > Create profile.
  3. Configure the new profile with the following settings:
  • Platform: Windows 10 and later
  • Profile type: Templates > Custom
  • Name: Security Keys for Windows Sign-In
  • Description: Enables FIDO Security Keys to be used during Windows Sign In
  4. Select Next > Add and in Add Row, add the following Custom OMA-URI setting:
  • Name: Turn on FIDO Security Keys for Windows Sign-In
  • Description: (Optional)
  • OMA-URI: ./Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin
  • Data Type: Integer
  • Value: 1
  5. Assign the policy to the device group created in step 1.
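The same targeted deployment can be scripted instead of clicked through the admin center. The script below is an added example (not from the original page or TruU) that creates the custom OMA-URI profile through Microsoft Graph and assigns it only to the Self-deployment devices group from Step 1, so already-provisioned devices outside that group are not affected. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in administrator can consent to the listed Graph scopes.

```powershell
# Added example: create the Step 6 custom OMA-URI profile via Microsoft Graph and
# assign it to the dynamic device group. Assumptions: Microsoft.Graph module installed;
# the group name matches what was chosen in Step 1.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All','Group.Read.All' -NoWelcome

$groupName = 'Self-deployment devices'   # dynamic device group from Step 1
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found; create it first (Step 1)" }

# Custom configuration with a single integer OMA-URI setting; value 1 enables the
# FIDO2 security key credential provider on the Windows sign-in screen.
$config = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Security Keys for Windows Sign-In'
    description   = 'Enables FIDO Security Keys to be used during Windows Sign In'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Turn on FIDO Security Keys for Windows Sign-In'
            omaUri        = './Device/Vendor/MSFT/PassportForWork/SecurityKey/UseSecurityKeyForSignin'
            value         = 1
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($config | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign to the device group rather than All Devices, so only the tagged
# self-deploying devices receive the credential-provider setting.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.Id } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null

Write-Host "Created profile $($created.id) and assigned it to '$groupName'"
```

After the next device check-in, the profile shows under the device's Device configuration tab with the same OMA-URI and value as the manually created version.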
Now your Self-Deployment Intune Autopilot setup with TruU is complete. To understand the enrollment workflow and user experience, refer to the following link: TruU-Intune+Self-Deployment+mode+Autoliot+Enrollment+Workflow