
Intune Enrollment Guide

How STRSI enrolls and stages Windows devices for Intune compliance when laptops ship directly to users or are prepped at HQ.


Overview

This guide explains how to enroll Windows devices into STRSI Intune when:

  1. Remote employees receive laptops directly from the vendor (no hardware hash was supplied).
  2. An admin stages the laptop at HQ before shipping to the end user.

Both workflows rely on the same Intune/Autopilot configuration:

  • Group Tag: Standard
  • Dynamic Security Group: SG-Sec-IntuneDevices
  • Autopilot Profile: assigns STRSI compliance baseline, security policies, and required applications.

Prerequisites

  • Device must be running Windows 10/11 Pro or Enterprise (22H2+ preferred).
  • Internet access with the ability to reach Microsoft endpoints.
  • STRSI user account with Azure AD credentials.
  • Admin credentials with permissions to register Autopilot devices and assign group tags.
  • PowerShell 5.1+ (already on Windows 10/11) and the Get-WindowsAutopilotInfo script.

Scenario A – Remote User with Shipped Device

Use this flow when a user receives a sealed laptop directly from the OEM and the hardware hash was never captured.

Step 1: End user prep (self-service)

  1. Power on the device and walk through the Windows OOBE screens until you reach the “Sign in with Microsoft” prompt.
  2. Sign in with the user’s STRSI work email (user@strsi.com).
  3. Connect to a reliable network.
  4. Once at the Windows desktop, have the user open Microsoft Teams, start a video call with the IT admin, and keep the session active.

Step 2: Admin remote session

  1. Use Quick Assist or Intune Remote Help if available; otherwise use Teams and Take Control.
  2. Launch an elevated PowerShell session (Run as administrator).
  3. Install the Autopilot info script:

    Install-Script -Name Get-WindowsAutopilotInfo -Force

  4. Register the machine with the Standard tag and reboot:

    Get-WindowsAutopilotInfo -Online -GroupTag "Standard" -Assign -Reboot

    • -Online uploads the hash directly to Intune.
    • -GroupTag "Standard" ensures the device joins SG-Sec-IntuneDevices.
    • -Assign binds the device to the STRSI Autopilot profile.
    • -Reboot restarts into Autopilot OOBE.

If you get an error that scripts cannot be run on the machine, use this command to temporarily allow script execution for the current PowerShell session only.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

Running the Get-WindowsAutopilotInfo command will prompt you to sign in with your admin credentials; that sign-in tells the device which tenant to attach to.

The reboot flag is hit or miss. If you see “waiting to import” in the terminal for more than 10 minutes, proceed to manual reboot or reset if needed.
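The following is an added example, not part of this guide or of the Get-WindowsAutopilotInfo script itself. It wraps the Step 2 commands in a single function that performs the checks an admin otherwise does by hand (elevation, outbound connectivity, process-scoped execution policy, a local backup of the hash in case the online import hangs). The function name Register-StrsiAutopilotDevice and the backup path are assumptions.

```powershell
# Added example for this guide (not STRSI or Microsoft code). Requires an elevated session
# on the target device and network access to Microsoft endpoints, as in Step 2.
function Register-StrsiAutopilotDevice {
    [CmdletBinding()]
    param(
        [string]$GroupTag = "Standard",
        # Pass -Reboot only when the device is still in OOBE; omit it if a manual reset follows.
        [switch]$Reboot,
        # Hypothetical backup location for the captured hash (CSV import works in the portal).
        [string]$BackupCsv = "$env:SystemDrive\AutopilotHash-$env:COMPUTERNAME.csv"
    )

    # The hardware hash is read from WMI and needs administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Open PowerShell with 'Run as administrator' and try again."
    }

    # Fail early if the device cannot reach Entra ID instead of waiting on a stuck upload.
    if (-not (Test-NetConnection -ComputerName login.microsoftonline.com -Port 443 -InformationLevel Quiet)) {
        throw "No outbound HTTPS to login.microsoftonline.com; fix network access first."
    }

    # Relax script execution for this process only, never machine-wide.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

    # Install the Gallery script if it is missing (same command the guide uses).
    if (-not (Get-InstalledScript -Name Get-WindowsAutopilotInfo -ErrorAction SilentlyContinue)) {
        Install-Script -Name Get-WindowsAutopilotInfo -Force
    }

    # Note the serial number so the device can be located in the Autopilot devices blade later.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    Write-Host "Registering serial $serial with group tag '$GroupTag'"

    # Keep a local copy of the hash as a fallback if the online import shows "waiting to import".
    Get-WindowsAutopilotInfo -OutputFile $BackupCsv

    # Upload and assign. -Online prompts for the admin sign-in that selects the tenant.
    $params = @{ Online = $true; GroupTag = $GroupTag; Assign = $true }
    if ($Reboot) { $params.Reboot = $true }
    Get-WindowsAutopilotInfo @params
}
```

Call it as `Register-StrsiAutopilotDevice -Reboot` from OOBE, or without `-Reboot` when a manual Autopilot Reset will follow.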

Step 3: Confirm registration

  1. In the Microsoft Intune admin center, go to Devices → Device Onboarding → Enrollment → Windows Autopilot → Devices and verify you see the device.
  2. Confirm it shows Group Tag = Standard and assign the intended user.
  3. Check Azure AD → Groups → SG-Sec-IntuneDevices to verify the device object is present.

Step 4: Guide the user through the Autopilot Reset

  1. After reboot on the Windows lock screen, press Ctrl + Windows + R.
  2. Authenticate if prompted, then you should see “Reset this device” or “Autopilot Reset”.
  3. Confirm the reset; this will now enroll the device into Intune.
  4. The Autopilot profile applies automatically, installing security baselines, Endpoint Security policies, and required apps.

Instruct the user to keep the device powered and online. It might take a few hours and a couple of reboots before the device shows compliant in Intune.


Scenario B – Admin Stages Device at HQ

Use this when IT has the device on the bench (returns, depot spares, or stock delivered to HQ) and just needs to capture the Autopilot hardware hash before shipping.

Step 1: Access the device

  1. Power on the laptop.
  2. Choose the access method:
    • Fresh/OOBE device: At the first setup screen press Shift + F10, run powershell.exe, and continue in that elevated shell.
    • Previously used device: Sign in with the local staging/admin account, then open PowerShell as administrator.
  3. Remove OEM bloatware or trial software (HP Support Assistant, Dell/Lenovo utilities, etc.) while you still have local access.

    Our Intune policies do not yet have a 100% success rate at removing all manufacturers' applications.

Step 2: Capture and assign Autopilot data

  1. Install or update the Autopilot info script (skip if the module is already present):

    Install-Script -Name Get-WindowsAutopilotInfo -Force

  2. Register the machine with the Standard tag:

    Get-WindowsAutopilotInfo -Online -GroupTag "Standard" -Assign -Reboot

    • -Online uploads the hash directly to Intune.
    • -GroupTag "Standard" ensures the device joins SG-Sec-IntuneDevices.
    • -Assign binds the device to the STRSI Autopilot profile.
    • -Reboot returns to Autopilot OOBE automatically. Use it when you are still in OOBE; omit it if you plan to run a manual reset later.

If you get an error that scripts cannot be run on the machine, use this command to temporarily allow script execution for the current PowerShell session only.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

Running the Get-WindowsAutopilotInfo command will prompt you to sign in with your admin credentials; that sign-in tells the device which tenant to attach to.

The reboot flag is hit or miss. If you see “waiting to import” in the terminal for more than 10 minutes, proceed as needed.

Step 3: Confirm registration

  1. In the Microsoft Intune admin center, go to Devices → Device Onboarding → Enrollment → Windows Autopilot → Devices and verify you see the device.
  2. Confirm it shows Group Tag = Standard. If this is intended for a specific user, assign them.
  3. Check Azure AD → Groups → SG-Sec-IntuneDevices to verify the device object is present.
  4. If you ran everything from OOBE, no further wipe is required—shut down once you are back at the first screen. Otherwise, run Reset this PC → Remove everything → Cloud download to clear any residual profiles/bloat and return to OOBE.
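The following is an added example, not part of this guide, that performs the Step 3 checks of both scenarios from an admin workstation using the Microsoft Graph PowerShell SDK instead of clicking through the portal: it confirms the serial number is present in Autopilot, that the group tag is exactly Standard, that a deployment profile is assigned, and that the Entra device object has landed in SG-Sec-IntuneDevices. The function name Test-StrsiAutopilotRegistration is an assumption; the group name and tag come from the guide.

```powershell
# Added example for this guide (not STRSI or Microsoft code). Requires the Microsoft.Graph
# module and an admin account that can read Autopilot identities and group membership.
function Test-StrsiAutopilotRegistration {
    param(
        [Parameter(Mandatory)][string]$SerialNumber,
        [string]$GroupTag  = "Standard",
        [string]$GroupName = "SG-Sec-IntuneDevices"
    )
    # Read-only scopes are enough for a verification pass.
    Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All","Group.Read.All" -NoWelcome

    # Look the device up by serial number, the same value the portal search uses.
    $ap = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -Filter "contains(serialNumber,'$SerialNumber')"
    if (-not $ap) {
        Write-Warning "Serial $SerialNumber not found in Autopilot; the hash upload did not complete."
        return $false
    }

    # Dynamic membership rules compare the tag literally, so use a case-sensitive comparison.
    if ($ap.GroupTag -cne $GroupTag) {
        Write-Warning "Group tag is '$($ap.GroupTag)', expected '$GroupTag' (case-sensitive); retag the device."
        return $false
    }

    # Profile assignment can lag the upload by a few minutes.
    if ($ap.DeploymentProfileAssignmentStatus -notlike 'assigned*') {
        Write-Warning "Profile status is '$($ap.DeploymentProfileAssignmentStatus)'; wait and re-check."
        return $false
    }

    # Confirm the Entra device object is a member of the dynamic security group.
    $group  = Get-MgGroup -Filter "displayName eq '$GroupName'"
    $member = Get-MgGroupMember -GroupId $group.Id -All |
        Where-Object { $_.AdditionalProperties.deviceId -eq $ap.AzureActiveDirectoryDeviceId }
    if (-not $member) {
        Write-Warning "Device not yet in $GroupName; dynamic membership can take several minutes."
        return $false
    }

    Write-Host "Serial $SerialNumber: tagged '$GroupTag', profile assigned, member of $GroupName."
    return $true
}
```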

Step 4: Post-shipment follow-up

After the user has signed in for a bit, verify the device shows Enrolled and Compliant in Intune.

It might take a few hours and a couple of reboots before the device shows compliant in Intune.


Troubleshooting & Tips

  • Autopilot hash upload fails: Ensure the device has outbound access to *.microsoft.com endpoints and that you are using an account with Intune Device Administrator permissions.
  • Device not joining SG-Sec-IntuneDevices: Check the dynamic membership rule and confirm the Group Tag is exactly Standard (case-sensitive).
  • Policies stuck at pending: From the Intune portal, issue a Sync command; locally ask the user to open Settings → Accounts → Access work or school → Connected account → Info → Sync.
  • Need to retag: Use Get-WindowsAutopilotInfo -Online -GroupTag "Standard" -Assign -Force to overwrite an incorrect tag.
  • Emergency bypass: In rare cases you can manually enroll through Settings → Accounts → Access work or school, but Autopilot gives the consistent naming, BitLocker, and security baselines we require.

Contact

Questions or escalations: Trever Ehrfurth, tehrfurth@strsi.com.

This post is licensed under CC BY 4.0 by the author.