About the Autopilot window

To see this window, click Tools > Modern Device Management > Windows Autopilot.

About the Create Azure AD group page

  • Name and Description: These items appear in the main Groups list view and in Azure. They help you organize your groups.

  • Mail nickname: Microsoft requires that each Azure AD group has a unique mail nickname. The nickname can't begin with a period character. For more information on how nicknames are handled, see this microsoft.com article.

  • Group membership type: Can be Assigned, Dynamic: User or Dynamic: Device. Selecting Assigned means you will manually assign devices to the new group as part of a deployment profile. Selecting a Dynamic type shows the Dynamic membership rule builder, where you will need to configure the rules that determine which devices will be part of the group.

  • Group classification: Can be Security or Microsoft 365. Autopilot only supports Security groups (the default).

About the Create deployment profile > Basics page

  • Name and Description: These items appear in the main Deployment profiles list view and in Azure. They help you organize your deployment profiles.

  • Convert all targeted devices to Autopilot: If a device isn't already registered with Autopilot, this will register it if it meets the Autopilot system requirements. Once registered, if the company resets that device, it will go through the configured out-of-box Autopilot experience.

About the Create deployment profile > Out-of-box experience (OOBE) page

The OOBE page pre-configures each of the user-facing setup screens shown during a typical Windows out-of-box experience.

  • Pre-provisioned deployment (white glove): Lets an OEM, partner, or IT staff complete the device-targeted part of provisioning (device-level apps and policies) before the device is handed to the end user, so the user's portion of setup is shorter. This option is disabled if you haven't entered an MDM Application ID on the Credential settings page.

  • Active Directory join type: Can be Azure AD only joined or Hybrid Azure AD joined. Once a deployment profile has been created, this option isn't editable.

    If you selected hybrid, provide the Computer name prefix, Domain name, and Organizational unit. The prefix you provide starts every provisioned computer name and the remaining characters are random. Windows computer names are limited to 15 characters, so keep the prefix short enough to leave room for the random suffix.

  • Hide Microsoft software license terms (EULA): Hides the end-user license agreement.

  • Hide privacy settings: Hides the privacy settings.

  • Hide change account options: Hides the option to change accounts during sign-in or on domain error pages.

  • User account type: Select whether the account for the user logging in is configured as a Standard user or as an Administrator. Standard user is the least-privilege choice; select Administrator only if the user genuinely needs local administrator rights on the device.

  • Language (Region): The default is to let the operating system choose the region automatically based on location. You can also choose User select or you can specify the region.

  • Skip keyboard selection page if Language is set: If you selected a Language (Region), this option skips the Windows keyboard selection interface during setup.

  • Use device naming template: Selecting this opens a Device name template field (you may have to scroll down to see it). Follow the template naming guidelines shown above the field. This field overrides any changes you made in the hybrid joined Computer name prefix.

About the Create deployment profile > End-user status page

The end-user status page appears during initial device setup and during the first user sign in. Endpoint Manager Autopilot always shows this page. If there's a failure during deployment, the following options are available.

  • Show an error when installation takes longer than the specified number of minutes: If selected, users will see the default Windows message: "Installation exceeded the time limit set by your organization. Try again or contact your IT support person for help." We recommend you set this to at least 60 minutes. If provisioning takes longer than the time you set, this error shows even if provisioning could have completed successfully given more time.

  • Show custom message when time limit error occurs: If you want users to see a custom message instead of the default message described above, enter it here. This text appears at the bottom of the window.

  • Allow users to collect logs when a time limit error occurs: If selected and something goes wrong during configuration, this option shows users a Collect logs button. Clicking this button prompts users to save an MDMDiagReport.cab log file.

  • Allow device use if application installation error occurs: If selected and something goes wrong during configuration, users can press a Continue anyway button.

  • Allow device reset on application install failure: If selected and an application fails to install, users can click a Reset device button.

  • Block end-user device setup retry: If selected and provisioning fails for some reason, no Try again button will be available. We recommend selecting this option so users won't be able to use Try again, which can lead to unpredictable results.

About the Create deployment profile > Group assignment page

To send a deployment profile to a device, assign it to a group. All devices in that group will receive the profile. Once a group has a profile and one or more devices assigned to it, Azure will assign the profile to the device.

  • No devices: The deployment profile won't be assigned to a group. You'll need to assign the profile to a group for it to deploy.

  • All devices: The deployment profile applies to all devices. If you select this you don't need to configure groups, but it also means your tenant can have only one active deployment profile.

  • Selected groups: Selecting this option shows the Included groups list. Click the box next to the groups you want to include.

About the Create deployment profile > Overview page

The overview page summarizes your deployment profile configuration. After reviewing it, click Create profile to save your changes and create the profile. Created profiles appear on the main Deployment profiles page.

About the Applications > Basics page

Applications you create here are uploaded to Azure Blob storage.

The application file must be in the ManagementSuite\landesk\files folder on the core server. The supported formats are .exe, .msi, and .intunewin.

The upload process also requires that Microsoft's Win32 Content Prep Tool, IntuneWinAppUtil.exe, be in that same folder. You can download IntuneWinAppUtil.exe from here: https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool.

  • Name and Description: These items appear in the main Applications list view. They help you organize your applications.

  • Select package file: Click to select the package file that installs the application you're configuring.

If you edit an existing application, you won't be able to modify the package file or path. To change these you need to create a new application.

About the Applications > Install behavior page

  • Install command: The default is the package file's filename. Add any other command-line parameters the installer needs, such as its silent or unattended install switches.

  • Install behavior: The package can be installed by the System account or by the logged-in user account. Most machine-wide installers need System; choose the logged-in user only for per-user installs, and remember that an installer run as System executes with full local privileges.

  • Force reboot after install: If the application requires a reboot, select this option.

About the Applications > Requirements page

(This page is also used in Create a Microsoft 365 App > Requirement rules.)

Use this page to define PowerShell or registry key requirements for this package's installation.

For example, you may want to create a registry requirement that detects if the package is already installed. In this case you would provide a unique Registry key path that the application creates, and set the Registry key requirement type to Key does not exist.

Requirement rules are optional. If you don't specify any the application will always be installed. If any requirement rule fails the application won't be installed.

Create PowerShell rule

  • Script file: Browse for the PowerShell script file that this rule will use. The script you select must generate an output.
  • Output type: Select the PowerShell script output type that the rule will look for. Can be Boolean, Date Time, Float, Integer, String, or Version.
  • Operator: Select whether the rule requires an Equal or NotEqual value for the output.
  • Value: Enter the output value to match against.
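The following is an added example of a requirement script, not code from the original page or from Ivanti. It is written for a rule configured as Output type Boolean, Operator Equal, Value True, and it generalizes the registry example above: instead of checking a single key, it searches both the 64-bit and the 32-bit (WOW6432Node) Uninstall hives for an Add/Remove Programs entry and outputs True only when the product is not yet present. The DisplayName pattern is an assumed placeholder.

```powershell
# Added example (not from the original page): requirement script for a PowerShell rule
# with Output type = Boolean, Operator = Equal, Value = True.
# Outputs True when the product is NOT found in either Uninstall hive, so the
# package installs once and is skipped on devices that already have it.

$DisplayNamePattern = '^Contoso Agent'   # assumption: regex matching the app's DisplayName

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',              # 64-bit view
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 32-bit apps on x64
)

$installed = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName -match $DisplayNamePattern } |
        Select-Object DisplayName, DisplayVersion, PSChildName
}

# The rule engine compares the script's single output value with the configured Value,
# so emit exactly one Boolean: True = requirement met (install), False = skip.
$installed = @($installed)
Write-Output ($installed.Count -eq 0)
```

Because the rule compares the script output as text, keep the script to a single output line; diagnostic output such as Write-Host or extra objects on the pipeline would change what the rule sees.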

Create registry rule

  • Use 32-bit registry hive on 64-bit clients: Select this if you're checking specifically for a 32-bit registry key. The same key can exist in both the 32-bit and 64-bit hives, but they can have different values. In most cases you can leave this cleared.

  • Registry key path: The full key path, which can start with HKLM, COMPUTER\HKEY_LOCAL_MACHINE, or HKEY_LOCAL_MACHINE.

  • Registry key value: Optional, only necessary if there's a specific value you're looking for.

  • Registry key requirement type: Can be Key exists, Key does not exist, String comparison, Integer comparison, or Version comparison.

To create requirements
  1. Enter the Registry key path and Registry key requirement type. Optionally, enter a Registry key value.

  2. Click Add requirement.

  3. Repeat the process for additional requirements.

About the Applications > Detection rules page

(This page is also used in Create a Microsoft 365 App > Detection rules.)

Autopilot uses the combination of installation return codes and detection rules that you can create to identify whether an application was installed successfully. Detection rules are optional in Autopilot, even though Microsoft Intune requires them for its deployments. If you don't want to rely on return codes from an application installation, create your own detection rules to improve the Application install status reporting accuracy.

You can add multiple detection rules. Not every rule has to match for the application to be reported as installed.

Otherwise this page works the same as the Requirements page described above.

MSI detection rules

Version 2022 SU1 added MSI detection rule support. MSI packages have product codes, and this option automatically detects the code of the file selected on the Basics page and uses it in the rule. If that specific product code is found in the client device's registry at the end of the Autopilot provisioning process, Endpoint Manager will indicate that the application is installed in the Autopilot Application install status page.

If the file no longer exists in that path, you'll see a message saying the package file wasn't found and you won't be able to create an MSI rule. You could instead create a registry rule that detects the product code.

If the file in this path was updated after the application was originally added, the retrieved product code may not match the original file and the detection rule won't work. You can create a new application for the updated MSI or you can create a registry rule that detects the updated product code.
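The two fallback cases above (the package file is gone, or it was replaced with a newer MSI) both come down to building a registry rule yourself for the right product code. The following added example, which is not code from the original page or from Ivanti, reads the ProductCode property out of an .msi with the Windows Installer COM API and prints the Uninstall key paths a registry rule with requirement type Key exists would check. The MSI path is an assumption for illustration.

```powershell
# Added example (not from the original page): recover an MSI's ProductCode and the
# registry key a "Key exists" detection or requirement rule should reference.

function Get-MsiProductCode {
    param([Parameter(Mandatory)][string]$Path)

    # Mirror the console's "package file wasn't found" failure with a clear error.
    if (-not (Test-Path -LiteralPath $Path)) { throw "Package file not found: $Path" }
    $msiPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    $installer = New-Object -ComObject WindowsInstaller.Installer
    # OpenDatabase mode 0 = read-only; query the Property table for ProductCode.
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($msiPath, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
        @("SELECT Value FROM Property WHERE Property = 'ProductCode'"))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if (-not $record) { throw "No ProductCode property in $msiPath" }

    # StringData(1) is the first (and only) column of the fetched row.
    $code = $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, 1)
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    [void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    return $code
}

# Assumption: default core-server path; adjust to your ManagementSuite\landesk\files folder.
$msi  = 'C:\Program Files\LANDesk\ManagementSuite\landesk\files\ContosoAgent.msi'
$code = Get-MsiProductCode -Path $msi

# A per-machine MSI registers its product code under one of these two keys.
# A 32-bit MSI on a 64-bit client lands under WOW6432Node.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$code"
"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$code"
```

For a 32-bit MSI you can either enter the WOW6432Node path directly, or enter the plain Uninstall path and select Use 32-bit registry hive on 64-bit clients, which redirects the lookup to the same key. Per-user MSI installs register under HKCU instead and won't be found by an HKLM rule.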

About the Applications > Group assignments page

(This page is also used in Create a Microsoft 365 App > Group assignment.)

To send an application to a device, assign it to a group. All devices in that group will receive the application.

  • No devices: The application won't be assigned to a group. You'll need to assign the application to a group for it to deploy. Use this option if you aren't ready to deploy the application.

  • All devices: The application deploys to all devices.

  • Selected groups: The application deploys to devices in groups you select. Selecting this option shows the Included groups list. Click the box next to the groups you want to include.

About the Applications > Overview page

The Overview page summarizes your application configuration. After reviewing it, click Create application to save your changes and create the application. Created applications appear on the main Applications page.

Using the Dynamic membership rule builder

Use the Dynamic membership rule builder to create Azure AD dynamic group membership rules for devices and users. These rules determine which devices or users are automatically added to the Azure AD group you are creating. For example, Microsoft's documented rule for a group containing every Autopilot-registered device is (device.devicePhysicalIds -any _ -contains "[ZTDId]").

Each rule consists of up to five rule expressions. Each rule expression consists of a Property, Operator, and Value.

Use the Refresh rule button to update the rule text box with changes you've made to an existing rule expression. Each time you click the Add additional rule link it refreshes the rule text box.

Use the Edit rule button if you want to manually enter your rules. This enables editing in the rule text box. Initially you can use a combination of rules from the query editor and rule edits you've manually entered, but once you click Save rule the query editor will no longer display and you'll have to make any subsequent changes manually. Any changes you make manually must match Microsoft's Azure AD dynamic membership rule syntax. The editor doesn't do syntax checking.

To save changes you made in the rule text box after clicking the Edit rule button, click Save rule. If you didn't edit the rule manually, the Save rule button is dimmed. In this case, when you're done editing the group properties and rule expressions, click the page's Save button to save all your changes.

Manually extracting .CSV device information

If you have physical access to a device, you can manually extract a .CSV file that you can import into Azure.

To manually extract .CSV device information
  1. Boot the new device, and at the first dialog box that waits for user input, press Shift+F10 to open a command prompt. From there, complete the remaining steps.

  2. Create a C:\temp folder.

  3. Run the following command. Choose an appropriate name for the .CAB file to keep track of the virtual machine or physical device it is associated with.

    mdmdiagnosticstool.exe -area Autopilot -cab c:\temp\device.cab

  4. Extract the .CAB file (for example with expand.exe) and retrieve the DeviceHash_<identifier>.csv file.

  5. Copy the .CSV file to a thumb drive or mapped network share.

  6. In Endpoint Manager Autopilot, on the Devices page click the Upload CSV button and upload the file.

  7. Wait up to fifteen minutes for Azure to process the changes, then click the Refresh button to see if the device has imported. Since this is a new operating system installation there's no machine name yet, so the device name in the list is either a serial number or some variation of a serial number.
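The following added example automates steps 2 through 5 of the procedure above from the Shift+F10 command prompt (type powershell first). It is not code from the original page or from Ivanti. It names the .CAB after the device serial number, expands it with expand.exe, locates the DeviceHash CSV, and checks the header against the Autopilot import format before copying it out. The destination drive letter is an assumption; use your thumb drive or mapped share.

```powershell
# Added example (not from the original page): collect the Autopilot hardware hash CSV
# from a device sitting at OOBE and stage it for the Devices > Upload CSV step.

function Export-AutopilotHash {
    param(
        [string]$WorkDir     = 'C:\temp',
        [string]$Destination = 'E:\autopilot'   # assumption: removable drive or mapped share
    )
    New-Item -ItemType Directory -Path $WorkDir, $Destination -Force | Out-Null

    # Name the .cab after the serial number so several devices can be told apart later.
    $serial  = ((Get-CimInstance -ClassName Win32_BIOS).SerialNumber -replace '[^\w\-]', '_')
    $cab     = Join-Path $WorkDir "$serial.cab"
    $extract = Join-Path $WorkDir $serial

    & "$env:SystemRoot\System32\mdmdiagnosticstool.exe" -area Autopilot -cab $cab
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $cab)) {
        throw "mdmdiagnosticstool.exe failed (exit code $LASTEXITCODE)"
    }

    # A .cab is not a zip archive; expand.exe ships with Windows.
    New-Item -ItemType Directory -Path $extract -Force | Out-Null
    & "$env:SystemRoot\System32\expand.exe" -F:* $cab $extract | Out-Null

    $csv = Get-ChildItem -Path $extract -Filter 'DeviceHash_*.csv' -Recurse | Select-Object -First 1
    if (-not $csv) { throw "No DeviceHash_*.csv found inside $cab" }

    # Sanity-check before uploading: the Autopilot CSV import format begins with these columns.
    $header   = (Get-Content -Path $csv.FullName -TotalCount 1).Trim()
    $expected = 'Device Serial Number,Windows Product ID,Hardware Hash'
    if (-not $header.StartsWith($expected)) { throw "Unexpected CSV header: $header" }

    Copy-Item -Path $csv.FullName -Destination $Destination
    return (Join-Path $Destination $csv.Name)
}

Export-AutopilotHash
```

The header check catches the common mistake of uploading the wrong file from the expanded .CAB; the returned path is the file to upload on the Devices page in step 6.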