
Client Challenge

The client’s IT team faced slow and inconsistent device imaging processes, lacked centralized deployment visibility, and had no easy way to provision remote domain-joined devices or reset/reassign them to new users.

Project description

Automating Hybrid Azure AD Device Provisioning with Autopilot & Intune

We implemented an automated, scalable Windows device provisioning system using Microsoft Autopilot and Intune in a Hybrid Azure AD Join model. The solution enabled hardware ID-based deployment, department-wise policy control, script-driven configuration, and self-service onboarding for both on-site and remote users—drastically reducing IT overhead and provisioning time.

Solution Highlights

  • Hybrid Azure AD Join using Autopilot and Intune
  • Hardware ID-based enrollment and profile assignment
  • Department-specific groups for policy and app deployment
  • PowerShell automation for local admin configuration
  • Win32 application packaging and detection logic for managed installs
  • Self-service onboarding with MFA, Intune auto-enrollment, and app push
  • Autopilot Reset for rapid device re-use

Modules

Deployment Approach

01

License Assignment

  • All employees were provisioned with Microsoft 365 Business Premium licenses, which is a prerequisite for Autopilot deployment via Intune.

02

High-Level Workflow (Hybrid Azure AD Join)

  • User receives Windows Autopilot-enabled device from OEM or IT.
  • Device boots and contacts Microsoft Autopilot service.
  • Downloads assigned Hybrid Autopilot profile.
  • Device performs offline domain join via Intune AD Connector.
  • Computer restarts and joins the on-premise domain.
  • Device is enrolled in Intune; policies and applications are deployed.
  • User logs in with domain credentials and begins using the device.

Note: The device must be connected to the on-premises network during initial provisioning.

03

Admin Setup Steps

A. Importing Hardware ID

  • Hardware IDs are collected from new devices.
  • Imported into Intune (via Devices → Enroll Devices → Windows Enrollment).
  • Devices appear as Not assigned initially.

B. Assigning Device to Department Profile

  • Devices are added to department-specific Azure AD groups:
    • AdminStaff-Autopilot
    • EstimatingDept-Autopilot
    • FieldStaff-Autopilot
  • Within ~10 minutes, devices show Assigned status in Intune.

04

Employee Onboarding Process

  • Device powers on → user selects region and keyboard → signs in with corporate credentials.
    • MFA and PIN setup completed.
  • Device auto-enrolls in Intune and downloads assigned configurations and applications.
  • Application installation confirmation shown via toast notifications.


Working experience

Reset/Repurpose Ready: Devices could be reset and redeployed easily using Windows Autopilot Reset.

PowerShell Script Deployment

Admins configured script deployments to:

  • Enable and set password for local Administrator account
  • Add domain groups to the local Administrators group
Script Example:

    # Placeholder password; a fixed credential embedded in a deployed script is readable on every device
    $Password = ConvertTo-SecureString "YourPassword" -AsPlainText -Force
    # Enable the built-in Administrator account (disabled by default) and set its password
    Get-LocalUser -Name "Administrator" | Enable-LocalUser
    Set-LocalUser -Name "Administrator" -Password $Password

Scripts were uploaded and assigned to the relevant Autopilot groups via the Intune Scripts interface.

Win32 Application Packaging

Steps involved:

  • Wrapping .exe installers into .intunewin format using IntuneWinAppUtil.exe.
  • Creating install.cmd and uninstall.cmd files.
  • Uploading the packaged app into Intune under Windows app (Win32).
  • Assigning apps to device groups.
  • Configuring detection logic using registry keys.
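As an added illustration of the packaging steps above (example code, not the client's own script), a single PowerShell wrapper that install.cmd and uninstall.cmd can both call, with the registry marker that the Intune detection rule checks written only after a verified successful install; the installer and uninstaller names, silent switch, vendor and app names, version and registry path are placeholders.

```powershell
# Added example: Deploy.ps1, packaged next to the vendor installer with
#   IntuneWinAppUtil.exe -c .\Source -s install.cmd -o .\Output -q
# install.cmd   -> powershell.exe -ExecutionPolicy Bypass -File Deploy.ps1 -Action Install
# uninstall.cmd -> powershell.exe -ExecutionPolicy Bypass -File Deploy.ps1 -Action Uninstall
# All names, switches, the version and the registry path below are placeholders.
param(
    [ValidateSet('Install', 'Uninstall')]
    [string]$Action = 'Install',
    [string]$Installer = 'ExampleApp-Setup.exe',                      # placeholder, bundled in the .intunewin
    [string]$Uninstaller = 'C:\Program Files\ExampleApp\uninstall.exe', # placeholder vendor uninstaller
    [string]$AppVersion = '1.2.3'                                      # placeholder version used as the marker
)
$ErrorActionPreference = 'Stop'
# The Intune detection rule for this app is a registry rule pointing at this key:
#   Key path: HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\ExampleApp, Value name: Version,
#   Detection method: Version comparison, Operator: Greater than or equal to, Value: 1.2.3
$MarkerKey = 'HKLM:\SOFTWARE\ExampleCorp\ExampleApp'

function Invoke-Installer([string]$Path, [string]$Arguments) {
    $proc = Start-Process -FilePath $Path -ArgumentList $Arguments -Wait -PassThru
    # 0 = success, 3010 = success but reboot required; Intune treats both as success
    if ($proc.ExitCode -notin 0, 3010) {
        Write-Warning "'$Path' exited with code $($proc.ExitCode)"
        exit $proc.ExitCode   # non-zero exit makes Intune report the install as failed
    }
    return $proc.ExitCode
}

switch ($Action) {
    'Install' {
        $code = Invoke-Installer -Path (Join-Path $PSScriptRoot $Installer) -Arguments '/S'
        # Write the marker only after a verified successful install, so the detection rule
        # never reports a half-installed application as present
        New-Item -Path $MarkerKey -Force | Out-Null
        New-ItemProperty -Path $MarkerKey -Name 'Version' -Value $AppVersion -PropertyType String -Force | Out-Null
        exit $code
    }
    'Uninstall' {
        $code = Invoke-Installer -Path $Uninstaller -Arguments '/S'
        # Remove the marker too; otherwise Intune keeps detecting the app after it is gone
        Remove-Item -Path $MarkerKey -Recurse -Force -ErrorAction SilentlyContinue
        exit $code
    }
}
```

Bumping $AppVersion on each package revision lets the same version-comparison rule drive upgrades without changing the detection logic.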

  • Devices provisioned in under 30 minutes
  • Consistent and repeatable configuration across departments
  • VPN-free domain joining for remote users
  • End-user onboarding with minimal IT intervention
  • Full lifecycle control from provisioning to reset/redeployment

  • Faster Device Provisioning: Devices were provisioned in under 30 minutes instead of taking hours.
  • Consistent Configuration: Each department received the correct policies and applications through assigned profiles.
  • Hybrid AD Support: Maintained the existing on-premises domain structure without the need for VPN or manual imaging.
  • Self-Service Ready: End users could set up their own devices with minimal IT involvement.