This guide applies to Windows devices
Windows Autopilot lets new Windows 11 devices enroll in Iru Endpoint during the out-of-box experience (OOBE). After you connect your Microsoft Entra ID tenant and register Iru as the MDM authority, users sign in with their Microsoft Entra ID credentials and the device completes enrollment without the manual enrollment portal.

About Windows Autopilot

Autopilot targets corporate devices that are registered with the Windows Autopilot service and assigned an Autopilot deployment profile through Intune. Iru Endpoint supplies the MDM Terms of Use URL, MDM Discovery URL, and enrollment defaults (including Blueprint assignment) in the wizard under Integrations → Windows. Device registration in Intune and Autopilot deployment profiles are Microsoft-side steps; they determine OOBE behavior before the user reaches the sign-in that triggers management enrollment.

How It Works

Run the Autopilot configuration wizard in Iru Endpoint to create or bind the Entra app registration and verify an Iru-managed domain. When a registered device comes online, Windows runs OOBE, applies your Autopilot deployment profile from Intune, then continues to Entra sign-in. Successful authentication enrolls the device into Iru Endpoint using the default Blueprint or Blueprint Routing, depending on what you configured in the final wizard step.

Prerequisites

  • Windows platform enabled for your tenant. If it is not on yet, turn it on in Organization first. See Windows Setup.
  • Microsoft Entra ID permissions: Ability to add custom domains, configure Mobility (MDM and WIP), and create or edit app registrations (including API permissions and admin consent)
  • Microsoft Entra admin center access for your tenant
  • Microsoft licensing that covers Windows Autopilot and MDM auto-enrollment for your scenario
  • Windows 11 devices that meet Iru Endpoint Windows requirements (24H2 or 25H2 only; supported editions)
  • Autopilot registration path in place for your devices (OEM pre-registration, partner/CSP registration, or manual import) and Intune access to assign an Autopilot deployment profile

Create the MDM application and enter credentials

Entra guidance appears on the left of the wizard; credential and flow fields are on the right. Start in Iru Endpoint, use the Microsoft Entra ID tab for the Microsoft Entra admin center steps, then return to Iru Endpoint when the steps below tell you to.

Prepare the Autopilot wizard

1. Open Integrations

   In Iru Endpoint, open Integrations.

2. Select Windows

   Under Platform integrations, select Windows.

3. Configure Autopilot

   Click the Configure Autopilot button.

4. Copy the MDM URLs from Instructions

   On the Autopilot wizard page, use Instructions to locate Step 6, then copy the MDM Terms of Use URL and MDM Discovery URL shown there. Use the copy control next to each URL in the wizard. Manual typing often breaks enrollment discovery. Keep the values where you can paste them after you switch to the Microsoft Entra ID tab.

Switch to the Microsoft Entra ID tab and continue with Creating the MDM application in Entra.

Enter MDM credentials in the Autopilot wizard

When Grant admin consent is done on the Microsoft Entra ID tab, return here and paste Application (client) ID, Directory (tenant) ID, Secret value, and Secret ID from the Microsoft Entra admin center into the wizard.
1. Paste IDs and secret

   On the right side of the wizard, enter:
     • Application (client) ID
     • Directory (tenant) ID
     • Secret value
     • Secret ID
   Use the values you copied while working in the Microsoft Entra ID tab. The MDM URLs must already be saved in Entra, and the client secret and Graph permissions must be in place with admin consent granted before Next will succeed.

2. Select Next

   Select Next.

3. Update pasted values after Entra changes

   If Entra fields change later, including secret rotation, return to Creating the MDM application in Entra or Client secret and Graph permissions for the MDM app to generate new values, then update these fields before continuing.

After Next succeeds, switch to the Microsoft Entra ID tab and complete Verify Custom Domain.

Blueprint settings and finish setup

After the Application ID URI is saved in Entra (Application ID URI in Entra), use the steps below to set Default Blueprint or Blueprint Routing for Autopilot enrollments, then Finish Setup. If that Entra step is not done yet, switch to the Microsoft Entra ID tab first.
1. Select Next after Application ID URI

   Select Next.

2. Choose default Blueprint or Blueprint Routing

   Select the Default Blueprint for Autopilot enrollments, or choose Blueprint Routing if you use dynamic Blueprint assignment during enrollment. If Blueprint Routing is not set up yet, the wizard shows this warning: "Blueprint Routing has not been set up. Configure to save this setting." Select Configure Blueprint Routing and complete Blueprint Routing before you can save.

3. Finish setup

   Select Finish Setup.

Microsoft Intune: device registration and deployment profiles

For how these Microsoft-side steps fit the full Autopilot flow with Iru Endpoint, see Considerations → Microsoft Intune and Autopilot end-to-end.

Register devices with Windows Autopilot

Registration associates the device hardware hash with your tenant so Windows knows to run Autopilot OOBE. When a registered device first connects to the internet, Windows identifies it as an Autopilot device and starts that flow. Depending on how devices are purchased, you may not need to register devices manually at all. Common registration paths:
  • OEM pre-registration: Hardware manufacturers can register devices with Autopilot at purchase time.
  • Partner (CSP) registration: Cloud Solution Providers can register devices for you.
  • Manual registration: For existing devices, you can capture hardware hashes with PowerShell, export to CSV, and import into Intune.
For procedures, see Microsoft’s Register devices in Windows Autopilot.

Configure an Autopilot deployment profile

The deployment profile controls which OOBE screens appear, including privacy settings, EULA, Windows Hello, and personal Microsoft account blocking. In Intune, create the profile and assign it to a Microsoft Entra device group whose members are your Autopilot-registered devices. The profile must be targeted at devices, not at users only, so Windows can apply it during OOBE before Microsoft Entra sign-in. The device does not need an active Intune MDM enrollment for Autopilot to hand off to Iru Endpoint as your MDM; the profile shapes OOBE only.
Deployment mode options: On the Out-of-box experience (OOBE) page in Intune, set Deployment mode to one of the following values:
  • User-driven: The device is associated with the user who enrolls it. That user must supply their credentials during OOBE before enrollment can complete.
  • Self-deploying: The device is not associated with a user for that enrollment path, and user credentials are not required to enroll the device through Autopilot. With no user on the device in that state, user-based compliance policies do not apply; only compliance policies targeted at the device apply.
If Deployment mode is Self-deploying, the device enrolls through that Microsoft flow into Microsoft Intune. It does not enroll into Iru Endpoint with the Autopilot configuration described here.
Iru Endpoint does not support Autopilot self-deploying mode. Use User-driven deployment mode only: users sign in with Microsoft Entra ID during OOBE before MDM enrollment completes into Iru Endpoint. Microsoft documents each mode in Windows Autopilot user-driven mode and Windows Autopilot self-deploying mode. For creating a profile in Intune, including the Deployment mode control on the OOBE page, see Configure Windows Autopilot profiles.
Common profile options:
  • Privacy settings: Hide or show the privacy settings page.
  • End user license agreement (EULA): Skip the license screen when appropriate for your policy.
  • Account change: Block switching to a personal Microsoft account during setup.
  • Windows Hello: Skip or defer Hello setup.
  • OEM registration: Skip manufacturer-specific prompts.
On the deployment profile Assignments tab in Intune, add that Microsoft Entra device group as the assignment target, not a user group, so the profile applies during OOBE before Microsoft Entra sign-in and MDM enrollment.

Considerations

For Autopilot to work end to end with Iru Endpoint, two Microsoft Intune responsibilities must be satisfied in addition to the Iru wizard:
  • Autopilot device registration: Devices are registered with the Windows Autopilot service (for example by an OEM, a partner, or your team in Intune).
  • Autopilot deployment profile: A deployment profile exists in Intune and is assigned to a Microsoft Entra device group that contains your Autopilot-registered devices. Use User-driven deployment mode only; Iru Endpoint does not support Autopilot self-deploying mode (see Configure an Autopilot deployment profile above).
Neither step is performed in Iru Endpoint. The Iru Autopilot integration configures Entra and Iru for MDM enrollment; it does not register hardware with Autopilot or replace profile creation and assignment in Intune. For procedures and Microsoft Learn links for each task, use the preceding section Microsoft Intune: device registration and deployment profiles.
  • Default Blueprint: Applies to new Autopilot enrollments going forward. Changing the default later does not retroactively move devices that already synced.
  • Blueprint Routing: Must be fully configured before you can save when Routing is selected as the default. If you cannot save on the last step, complete Routing setup from the warning link first.
  • Client secret lifetime: Secrets expire on the date you choose in Entra. Before expiry, create a new secret and update Secret value and Secret ID in Integrations → Windows → Autopilot configuration so enrollment keeps working.
  • Admin consent: API permissions need Grant admin consent for the tenant. Without consent, Iru cannot complete Graph operations required for the integration.
  • Not supported with Autopilot for Iru: Iru Endpoint does not support Microsoft Entra hybrid joined devices enrolling through this Windows Autopilot flow. Plan for Microsoft Entra joined devices when using Autopilot with Iru Endpoint.

Best practices

Configure Blueprint Routing early

If different users or devices should land in different Blueprints, set up Blueprint Routing before you finish the wizard.

Track secret expiration

Note the client secret expiry when you create it and schedule rotation ahead of time in Entra, then update the secret fields in Iru Endpoint.
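
One way to track the secret described under Client secret lifetime and Track secret expiration, as an added example that is not Iru or Microsoft code: it flags secrets that are expired or inside a rotation window and marks which one matches the Secret ID entered in the Autopilot wizard. The function name, the 30-day window, and the sample values are assumptions; the commented live query assumes the Microsoft.Graph.Applications module with the Application.Read.All scope.

```powershell
# Added example, not Iru or Microsoft code. Function name and 30-day window are assumptions.
function Get-SecretRotationStatus {
    param(
        [Parameter(Mandatory)] [object[]] $PasswordCredentials,  # secrets on the app registration
        [Parameter(Mandatory)] [string]   $SecretIdInIru,        # Secret ID entered in the wizard
        [int]      $WarnDays = 30,
        [datetime] $Now = [datetime]::UtcNow
    )
    $rows = foreach ($cred in $PasswordCredentials) {
        $daysLeft = [int][math]::Floor(($cred.EndDateTime - $Now).TotalDays)
        $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'ROTATE' } else { 'OK' }
        [pscustomobject]@{
            SecretId  = [string]$cred.KeyId
            Name      = $cred.DisplayName
            DaysLeft  = $daysLeft
            Status    = $status
            UsedByIru = ([string]$cred.KeyId -eq $SecretIdInIru)
        }
    }
    # A Secret ID that matches nothing means the secret was deleted or belongs to another app.
    if (-not ($rows | Where-Object UsedByIru)) {
        Write-Warning "Secret ID $SecretIdInIru is not present on this app registration."
    }
    $rows
}

# Constructed sample shaped like the PasswordCredentials property of an Entra app registration.
$sample = @(
    [pscustomobject]@{ KeyId = '11111111-1111-1111-1111-111111111111'
                       DisplayName = 'autopilot-old'; EndDateTime = [datetime]'2025-06-15' }
    [pscustomobject]@{ KeyId = '22222222-2222-2222-2222-222222222222'
                       DisplayName = 'autopilot-new'; EndDateTime = [datetime]'2026-06-01' }
)
Get-SecretRotationStatus -PasswordCredentials $sample -Now ([datetime]'2025-06-01') `
    -SecretIdInIru '11111111-1111-1111-1111-111111111111' | Format-Table

# Live data (assumes the Microsoft.Graph.Applications module and Application.Read.All):
#   Connect-MgGraph -Scopes 'Application.Read.All'
#   $app = Get-MgApplication -Filter "appId eq '<Application (client) ID>'"
#   Get-SecretRotationStatus -PasswordCredentials $app.PasswordCredentials -SecretIdInIru '<Secret ID>'
```

With the constructed sample, the secret that Iru uses reports ROTATE with 14 days left, while the newer secret reports OK but is not the one configured in the wizard.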

Confirm admin consent

After adding Graph application permissions, grant tenant-wide admin consent so the integration can run unattended.

Validate licensing

Confirm your Microsoft licenses cover Autopilot and MDM auto-enrollment for the accounts that sign in during OOBE.

Troubleshooting

Checklist:
  • Every Autopilot wizard step completed successfully in Iru Endpoint.
  • MDM Terms of Use URL and MDM Discovery URL in Entra match Step 6 in Instructions on the Iru wizard page (paste exactly).
  • Admin consent is granted for every Graph application permission on the Iru Endpoint Management registration.
  • Autopilot registration and deployment profile assignments in Intune cover the device.
  • The Autopilot deployment profile uses User-driven mode. Iru Endpoint does not support Autopilot self-deploying mode.
  • Microsoft licensing supports Autopilot and MDM enrollment for the user.
Deployment mode set to Self-deploying

The Autopilot deployment profile for the device has Deployment mode set to Self-deploying. That path enrolls the device into Microsoft Intune for Autopilot; it does not enroll into Iru Endpoint with the configuration in this article (see Configure an Autopilot deployment profile).

In the Microsoft Intune admin center, edit the profile assigned to the Microsoft Entra device group that contains the device and set Deployment mode to User-driven. Confirm the profile shows Assigned for the device, then reset the device so OOBE runs again with the updated profile.

Overlapping MDM user scope in Entra

In the Microsoft Entra admin center, open Mobility (MDM and WIP) and review every other MDM application (for example Microsoft Intune or another MDM still listed there) alongside this custom MDM app. If two applications both have MDM user scope set to Some or All for the same users or groups, OOBE can send auto-enrollment to the other provider instead of Iru Endpoint.

Ensure each user or group that should land in Iru Endpoint is in scope for only this custom MDM app, or set MDM user scope to None on MDM rows you no longer use for Windows enrollment. For the overlap warning and where to set scope, see the Set MDM user scope step under Creating the MDM application in Entra.

If the device still does not appear in Iru Endpoint

After User-driven is in effect and MDM scopes do not overlap for the enrolling user, use the checklist in Devices do not enroll after Autopilot completes on this page.
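
A check for the overlapping MDM user scope condition described above, as an added example that is not Iru or Microsoft code: it compares every pair of MDM applications whose scope is All or Some and reports the scope they share. The function name and sample objects are assumptions, and the commented live query assumes the Microsoft Graph beta mobileDeviceManagementPolicies endpoint with the Policy.Read.All scope.

```powershell
# Added example, not Iru or Microsoft code. Function name and sample values are assumptions.
function Find-MdmScopeOverlap {
    param([Parameter(Mandatory)] [object[]] $Policies)
    # Only apps with MDM user scope All or Some ('selected') take part in auto-enrollment.
    $active = @($Policies | Where-Object { $_.appliesTo -in 'all', 'selected' })
    for ($i = 0; $i -lt $active.Count; $i++) {
        for ($j = $i + 1; $j -lt $active.Count; $j++) {
            $a = $active[$i]; $b = $active[$j]
            $idsA = @(foreach ($g in $a.includedGroups) { $g.id })
            $idsB = @(foreach ($g in $b.includedGroups) { $g.id })
            # 'all' acts as a wildcard: the shared scope is whatever the other app covers.
            if ($a.appliesTo -eq 'all' -and $b.appliesTo -eq 'all') { $shared = @('all users') }
            elseif ($a.appliesTo -eq 'all') { $shared = $idsB }
            elseif ($b.appliesTo -eq 'all') { $shared = $idsA }
            else { $shared = @($idsA | Where-Object { $_ -in $idsB }) }
            if (@($shared).Count -gt 0) {
                [pscustomobject]@{
                    AppA = $a.displayName; AppB = $b.displayName
                    SharedScope = @($shared) -join ', '
                }
            }
        }
    }
}

# Constructed sample shaped like Graph mobility management policy objects.
$sample = @(
    [pscustomobject]@{ displayName = 'Iru Endpoint Management'; appliesTo = 'selected'
                       includedGroups = @([pscustomobject]@{ id = 'grp-autopilot-users' }) }
    [pscustomobject]@{ displayName = 'Microsoft Intune'; appliesTo = 'all'; includedGroups = @() }
    [pscustomobject]@{ displayName = 'Legacy MDM'; appliesTo = 'none'; includedGroups = @() }
)
Find-MdmScopeOverlap -Policies $sample | Format-Table

# Live data (assumption: Graph beta endpoint, Policy.Read.All; includedGroups is fetched per
# policy from .../mobileDeviceManagementPolicies/{id}/includedGroups and attached before the call):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   $r = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies'
#   Find-MdmScopeOverlap -Policies $r.value
```

Comparing group IDs does not catch a user who belongs to two different groups scoped to different MDM apps, so check membership for affected users separately.
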
If Blueprint Routing is selected but Routing is not configured, the wizard blocks Finish Setup. Select Configure Blueprint Routing from the banner, complete Blueprint Routing, then return and finish.

Windows Setup

Platform requirements and enrollment prerequisites for Windows 11 in Iru Endpoint

Configuring Windows Enrollment

Manual enrollment portal, Enrollment codes, and Blueprint assignment for Windows

Configure Automated Device Enrollment

Apple zero-touch enrollment with Apple Business or Apple School Manager

Blueprint Routing

Dynamic Blueprint assignment during enrollment using Assignment Rules