# Configure Windows Autopilot

> Configure Microsoft Entra ID for auto-enrollment of devices to Iru through Autopilot. Complete the Iru Endpoint wizard and assign Blueprints.

<Callout icon="microsoft" color="#4f46e5" iconType="regular">This guide applies to Windows devices</Callout>

Windows Autopilot lets new Windows 11 devices enroll in Iru Endpoint during the out-of-box experience (OOBE). After you connect your Microsoft Entra ID tenant and register Iru as the MDM authority, users sign in with their Microsoft Entra ID credentials and the device completes enrollment without the manual enrollment portal.

### About Windows Autopilot

Autopilot targets corporate devices that are registered with the Windows Autopilot service and assigned an Autopilot deployment profile through Intune. Iru Endpoint supplies the MDM Terms of Use URL, MDM Discovery URL, and enrollment defaults (including Blueprint assignment) in the wizard under **Integrations** → **Windows**. Device registration in Intune and Autopilot deployment profiles are Microsoft-side steps; they determine OOBE behavior before the user reaches the sign-in that triggers management enrollment.

### How It Works

Run the Autopilot configuration wizard in Iru Endpoint to create or bind the Entra app registration and verify an Iru-managed domain. When a registered device comes online, Windows runs OOBE, applies your Autopilot deployment profile from Intune, then continues to Entra sign-in. Successful authentication enrolls the device into Iru Endpoint using the default Blueprint or [Blueprint Routing](/en/endpoint/enrollment/blueprint-routing), depending on what you configured in the final wizard step.

### Prerequisites

* **Windows platform** enabled for your tenant. If it is not on yet, turn it on in **Organization** first. See [Windows Setup](/en/endpoint/getting-started/platform-setup/windows-setup#enable-windows-platform).
* **Microsoft Entra ID permissions**: Ability to add custom domains, configure **Mobility (MDM and WIP)**, and create or edit app registrations (including API permissions and admin consent)
* **[Microsoft Entra admin center](https://entra.microsoft.com)** access for your tenant
* **Microsoft licensing** that covers Windows Autopilot and MDM auto-enrollment for your scenario
* **Windows 11** devices that meet [Iru Endpoint Windows requirements](/en/endpoint/getting-started/platform-setup/windows-setup) (24H2 or 25H2 only; supported editions)
* **Autopilot registration path** in place for your devices (OEM pre-registration, partner/CSP registration, or manual import) and **Intune** access to assign an Autopilot deployment profile

### Create the MDM Application and Enter Credentials

Entra guidance appears on the left of the wizard; credential and flow fields are on the right. Start in **Iru Endpoint**, use the **Microsoft Entra ID** tab for the Microsoft Entra admin center steps, then return to **Iru Endpoint** when the steps below tell you to.

<Tabs>
  <Tab title="Iru Endpoint">
    ### Prepare the Autopilot wizard

    <Steps>
      <Step title="Open Integrations">
        In Iru Endpoint, open **Integrations**.
      </Step>

      <Step title="Select Windows">
        Under **Platform integrations**, select **Windows**.
      </Step>

      <Step title="Configure Autopilot">
        Click the **Configure Autopilot** button.
      </Step>

      <Step title="Copy the MDM URLs from Instructions">
        On the Autopilot wizard page, use **Instructions** to locate **Step 6**, then copy the **MDM Terms of Use URL** and **MDM Discovery URL** shown there. Use the copy control next to each URL in the wizard. Manual typing often breaks enrollment discovery. Keep the values where you can paste them after you switch to the **Microsoft Entra ID** tab.
      </Step>
    </Steps>

    <Note>
      Switch to the **Microsoft Entra ID** tab and continue with [**Creating the MDM application in Entra**](#creating-the-mdm-application-in-entra).
    </Note>

    ### Enter MDM credentials in the Autopilot wizard

    <Note>
      When **Grant admin consent** is done on the **Microsoft Entra ID** tab, return here and paste **Application (client) ID**, **Directory (tenant) ID**, **Secret value**, and **Secret ID** from the Microsoft Entra admin center into the wizard.
    </Note>

    <Steps>
      <Step title="Paste IDs and secret">
        On the right side of the wizard, enter:

        * **Application (client) ID**
        * **Directory (tenant) ID**
        * **Secret value**
        * **Secret ID**

        <Note>
          Use the values you copied while working in the **Microsoft Entra ID** tab. The MDM URLs must already be saved in Entra, and the client secret and Graph permissions must be in place with admin consent granted before **Next** will succeed.
        </Note>
      </Step>

      <Step title="Select Next">
        Select **Next**.
      </Step>

      <Step title="Update pasted values after Entra changes">
        If Entra fields change later, including secret rotation, return to [**Creating the MDM application in Entra**](#creating-the-mdm-application-in-entra) or [**Client secret and Graph permissions for the MDM app**](#client-secret-and-graph-permissions-for-the-mdm-app) to generate new values, then update these fields before continuing.
      </Step>
    </Steps>

    <Note>
      After **Next** succeeds, switch to the **Microsoft Entra ID** tab and complete [**Verify Custom Domain**](#verify-custom-domain).
    </Note>

    ### Blueprint Settings and Finish Setup

    <Note>
      After the Application ID URI is saved in Entra ([**Application ID URI in Entra**](#application-id-uri-in-entra)), use the steps below to set **Default Blueprint** or **Blueprint Routing** for Autopilot enrollments, then **Finish Setup**. If that Entra step is not done yet, switch to the **Microsoft Entra ID** tab first.
    </Note>

    <Steps>
      <Step title="Select Next after Application ID URI">
        Select **Next**.
      </Step>

      <Step title="Choose default Blueprint or Blueprint Routing">
        Select the **Default Blueprint** for Autopilot enrollments, or choose **Blueprint Routing** if you use dynamic Blueprint assignment during enrollment.

        If Blueprint Routing is not set up yet, the wizard shows this warning: **Blueprint Routing has not been set up. Configure to save this setting.** Select **Configure Blueprint Routing** and complete [Blueprint Routing](/en/endpoint/enrollment/blueprint-routing) before you can save.
      </Step>

      <Step title="Finish setup">
        Select **Finish Setup**.
      </Step>
    </Steps>
  </Tab>

  <Tab title="Microsoft Entra ID">
    <Note>
      Before you start in the Microsoft Entra admin center, complete [**Prepare the Autopilot wizard**](#prepare-the-autopilot-wizard) in the **Iru Endpoint** tab. You need the **MDM Terms of Use URL** and **MDM Discovery URL** from **Step 6** in **Instructions** on the Autopilot wizard page.
    </Note>

    ### Creating the MDM application in Entra

    <Steps>
      <Step title="Sign in to the Microsoft Entra admin center">
        Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
      </Step>

      <Step title="Expand the Entra ID section">
        In the left navigation bar, ensure that the **Entra ID** section is expanded.
      </Step>

      <Step title="Open Mobility (MDM and WIP)">
        In the left navigation bar, click **Mobility (MDM and WIP)**.
      </Step>

      <Step title="Add application">
        Click **Add application**.
      </Step>

      <Step title="Create your own application">
        Click **Create your own application**.
      </Step>

      <Step title="Enter the application name">
        Enter **Iru Endpoint Management** as the **Name**.
      </Step>

      <Step title="Create the application">
        Click **Create** (or **Register**, depending on what the admin center shows).
      </Step>

      <Step title="Set MDM user scope">
        Under **MDM user scope**, select **Some** or **All**. Make sure the selected scope includes the users who will sign in during OOBE on Autopilot devices so their devices can auto-enroll.

        <Warning>
          Under **Mobility (MDM and WIP)**, review every **other** MDM application (for example **Microsoft Intune** or another MDM still listed there) that still has **MDM user scope** set to **Some** or **All**. Do not assign the same users or groups to both that application's scope and this custom MDM app. Intune in this article is only for Autopilot device registration and deployment profiles; Iru Endpoint is the MDM enrollment target for the devices. Overlapping MDM user scopes can send OOBE to the wrong provider or prevent enrollment into Iru Endpoint.
        </Warning>
      </Step>

      <Step title="Paste MDM URLs into Entra">
        Paste the **MDM Terms of Use URL** and **MDM Discovery URL** you copied from **Step 6** in **Instructions** on the Iru Autopilot wizard page. Paste them into Entra exactly as shown.
      </Step>

      <Step title="Save Mobility (MDM and WIP) changes">
        Click **Save**.
      </Step>
    </Steps>

    ### Client secret and Graph permissions for the MDM app

    <Steps>
      <Step title="Open Custom MDM application settings">
        Click **Custom MDM application settings**.
      </Step>

      <Step title="Copy application and tenant IDs">
        On **Overview**, copy **Application (client) ID** and **Directory (tenant) ID**. You'll paste them into Iru in [**Enter MDM credentials in the Autopilot wizard**](#enter-mdm-credentials-in-the-autopilot-wizard).
      </Step>

      <Step title="Open Certificates and secrets">
        Under **Manage**, select **Certificates & secrets**.
      </Step>

      <Step title="Start a new client secret">
        Click **New client secret**.
      </Step>

      <Step title="Set client secret description and expiration">
        Enter a **Description** and choose **Expires**.
      </Step>

      <Step title="Add the client secret">
        Click **Add**.
      </Step>

      <Step title="Copy secret Value and Secret ID">
        Copy the secret **Value** and **Secret ID** for Iru Endpoint.
      </Step>

      <Step title="Open API permissions">
        Under **Manage**, select **API permissions**.
      </Step>

      <Step title="Add a permission">
        Click **Add a permission**.
      </Step>

      <Step title="Select Microsoft Graph">
        Click **Microsoft Graph**.
      </Step>

      <Step title="Choose application permissions">
        Select **Application permissions**.
      </Step>

      <Step title="Select Microsoft Graph application permissions">
        In the permissions list, select each of the following:

        * `Application.Read.All`
        * `Domain.Read.All`
        * `Device.ReadWrite.All`
        * `DeviceManagementServiceConfig.ReadWrite.All`
        * `Group.ReadWrite.All`
        * `GroupMember.ReadWrite.All`
      </Step>

      <Step title="Add permissions">
        Click **Add permissions**.
      </Step>

      <Step title="Grant admin consent">
        Click **Grant admin consent for \[your tenant]**.
      </Step>

      <Step title="Confirm admin consent">
        If prompted, click **Yes** to confirm.
      </Step>
    </Steps>

    <Note>
      When the MDM URLs are saved, the secret exists, and admin consent is granted, switch back to the **Iru Endpoint** tab and complete [**Enter MDM credentials in the Autopilot wizard**](#enter-mdm-credentials-in-the-autopilot-wizard). Then select **Next** in the wizard to continue with [**Verify Custom Domain**](#verify-custom-domain) in this tab.
    </Note>

    ### Verify Custom Domain

    <Steps>
      <Step title="Expand the Entra ID section">
        In the [Microsoft Entra admin center](https://entra.microsoft.com), in the left navigation bar, ensure that the **Entra ID** section is expanded.
      </Step>

      <Step title="Open Domain names">
        In the left navigation bar, click **Domain names**.
      </Step>

      <Step title="Click Add custom domain">
        Click **Add custom domain**.
      </Step>

      <Step title="Enter the custom domain">
        Enter the custom domain shown in the Iru wizard into the **Custom domain** field.
      </Step>

      <Step title="Add the domain">
        Click **Add domain**.
      </Step>

      <Step title="Select Next after adding the domain">
        In **Iru Endpoint**, in the Autopilot wizard, select **Next**.

        <Note>
          Iru applies the TXT record from Microsoft for DNS; propagation can take from a few minutes up to 48 hours. You can leave and return; progress is saved.
        </Note>
      </Step>

      <Step title="Expand the Entra ID section for verification">
        In the [Microsoft Entra admin center](https://entra.microsoft.com), in the left navigation bar, ensure that the **Entra ID** section is expanded.
      </Step>

      <Step title="Return to Domain names">
        In the left navigation bar, click **Domain names**.
      </Step>

      <Step title="Open the domain you added">
        In the domain list, open the domain you added.
      </Step>

      <Step title="Verify the domain">
        Click **Verify**.
      </Step>

      <Step title="Select Next after domain verification">
        In **Iru Endpoint**, in the Autopilot wizard, select **Next**. Iru checks verification status with Entra before you continue.
      </Step>
    </Steps>

    ### Application ID URI in Entra

    <Steps>
      <Step title="Expand the Entra ID section for App registrations">
        In the [Microsoft Entra admin center](https://entra.microsoft.com), in the left navigation bar, ensure that the **Entra ID** section is expanded.
      </Step>

      <Step title="Open App registrations">
        In the left navigation bar, click **App registrations**.
      </Step>

      <Step title="Open the All applications tab if needed">
        If the registration does not appear under **Owned applications**, select the **All applications** tab.
      </Step>

      <Step title="Open Iru Endpoint Management">
        Select **Iru Endpoint Management**.
      </Step>

      <Step title="Open Expose an API">
        Under **Manage**, select **Expose an API**.
      </Step>

      <Step title="Edit the Application ID URI">
        Click **Edit** next to **Application ID URI**.
      </Step>

      <Step title="Enter the Application ID URI from Iru">
        Enter the Application ID URI value shown in the Iru wizard.
      </Step>

      <Step title="Save Application ID URI changes">
        Click **Save**.
      </Step>
    </Steps>

    <Note>
      Switch to the **Iru Endpoint** tab and complete [**Blueprint Settings and Finish Setup**](#blueprint-settings-and-finish-setup).
    </Note>
  </Tab>
</Tabs>

### Microsoft Intune: Device Registration and Deployment Profiles

For how these Microsoft-side steps fit the full Autopilot flow with Iru Endpoint, see [**Considerations**](#considerations) → **Microsoft Intune and Autopilot end-to-end**.

#### Register devices with Windows Autopilot

Registration associates the device hardware hash with your tenant so Windows knows to run Autopilot OOBE. When a registered device first connects to the internet, Windows identifies it as an Autopilot device and starts that flow. Depending on how devices are purchased, you may not need to register devices manually at all.

Common registration paths:

* **OEM pre-registration**: Hardware manufacturers can register devices with Autopilot at purchase time.
* **Partner (CSP) registration**: Cloud Solution Providers can register devices for you.
* **Manual registration**: For existing devices, you can capture hardware hashes with PowerShell, export to CSV, and import into Intune.

For procedures, see Microsoft's [Register devices in Windows Autopilot](https://learn.microsoft.com/en-us/autopilot/add-devices).

#### Configure an Autopilot deployment profile

The deployment profile controls which OOBE screens appear, including privacy settings, EULA, Windows Hello, and personal Microsoft account blocking. In Intune, create the profile and assign it to a Microsoft Entra **device** group whose members are your Autopilot-registered devices. The profile must be targeted at **devices**, not at users only, so Windows can apply it during OOBE before Microsoft Entra sign-in. The device does **not** need an active Intune MDM enrollment for Autopilot to hand off to Iru Endpoint as your MDM; the profile shapes OOBE only.

Deployment mode options:

On the **Out-of-box experience (OOBE)** page in Intune, set **Deployment mode** to one of the following values:

* **User-driven**: The device is associated with the user who enrolls it. That user must supply their credentials during OOBE before enrollment can complete.
* **Self-deploying**: The device is not associated with a user for that enrollment path, and user credentials are not required to enroll the device through Autopilot. With no user on the device in that state, user-based compliance policies do not apply; only compliance policies targeted at the device apply.

<Note>
  If **Deployment mode** is **Self-deploying**, the device enrolls through that Microsoft flow into **Microsoft Intune**. It does not enroll into Iru Endpoint with the Autopilot configuration described here.
</Note>

Iru Endpoint does not support Autopilot self-deploying mode. Use **User-driven** deployment mode only: users sign in with Microsoft Entra ID during OOBE before MDM enrollment completes into Iru Endpoint. Microsoft documents each mode in [Windows Autopilot user-driven mode](https://learn.microsoft.com/en-us/autopilot/user-driven) and [Windows Autopilot self-deploying mode](https://learn.microsoft.com/en-us/autopilot/self-deploying). For creating a profile in Intune, including the **Deployment mode** control on the OOBE page, see [Configure Windows Autopilot profiles](https://learn.microsoft.com/en-us/autopilot/profiles).

Common profile options:

* **Privacy settings**: Hide or show the privacy settings page.
* **End user license agreement (EULA)**: Skip the license screen when appropriate for your policy.
* **Account change**: Block switching to a personal Microsoft account during setup.
* **Windows Hello**: Skip or defer Hello setup.
* **OEM registration**: Skip manufacturer-specific prompts.

On the deployment profile **Assignments** tab in Intune, add that Microsoft Entra **device** group as the assignment target, not a user group, so the profile applies during OOBE before Microsoft Entra sign-in and MDM enrollment.

### Considerations

<AccordionGroup>
  <Accordion title="Microsoft Intune and Autopilot end-to-end">
    For Autopilot to work end to end with Iru Endpoint, two Microsoft Intune responsibilities must be satisfied in addition to the Iru wizard:

    * **Autopilot device registration:** Devices are registered with the Windows Autopilot service (for example by an OEM, a partner, or your team in Intune).
    * **Autopilot deployment profile:** A deployment profile exists in Intune and is assigned to a Microsoft Entra **device** group that contains your Autopilot-registered devices. Use **User-driven** deployment mode only; Iru Endpoint does not support Autopilot self-deploying mode (see [**Configure an Autopilot deployment profile**](#configure-an-autopilot-deployment-profile) above).

    Neither step is performed in Iru Endpoint. The Iru Autopilot integration configures Entra and Iru for MDM enrollment; it does not register hardware with Autopilot or replace profile creation and assignment in Intune.

    For procedures and Microsoft Learn links for each task, use the preceding section [**Microsoft Intune: Device Registration and Deployment Profiles**](#microsoft-intune-device-registration-and-deployment-profiles).
  </Accordion>

  <Accordion title="Blueprint defaults, routing, and sync">
    * **Default Blueprint**: Applies to new Autopilot enrollments going forward. Changing the default later does not retroactively move devices that already synced.
    * **Blueprint Routing**: Must be fully configured before you can save when Routing is selected as the default. If you cannot save on the last step, complete Routing setup from the warning link first.
  </Accordion>

  <Accordion title="App registration and client secret">
    * **Client secret lifetime**: Secrets expire on the date you choose in Entra. Before expiry, create a new secret and update **Secret value** and **Secret ID** in **Integrations** → **Windows** → Autopilot configuration so enrollment keeps working.
    * **Admin consent**: API permissions need **Grant admin consent for the tenant**. Without consent, Iru cannot complete Graph operations required for the integration.
  </Accordion>

  <Accordion title="Microsoft Entra hybrid join">
    * **Not supported with Autopilot for Iru**: Iru Endpoint does not support **Microsoft Entra hybrid joined** devices enrolling through this Windows Autopilot flow. Plan for **Microsoft Entra joined** devices when using Autopilot with Iru Endpoint.
  </Accordion>
</AccordionGroup>

### Best Practices

<CardGroup cols={2}>
  <Card title="Configure Blueprint Routing early" icon="route">
    If different users or devices should land in different Blueprints, set up [Blueprint Routing](/en/endpoint/enrollment/blueprint-routing) before you finish the wizard.
  </Card>

  <Card title="Track secret expiration" icon="clock">
    Note the client secret expiry when you create it and schedule rotation ahead of time in Entra, then update the secret fields in Iru Endpoint.
  </Card>

  <Card title="Confirm admin consent" icon="shield-check">
    After adding Graph application permissions, grant tenant-wide admin consent so the integration can run unattended.
  </Card>

  <Card title="Validate licensing" icon="rectangle-list">
    Confirm your Microsoft licenses cover Autopilot and MDM auto-enrollment for the accounts that sign in during OOBE.
  </Card>
</CardGroup>
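
The secret-tracking and consent checks above can be run as a periodic audit. The following is an added example, not Iru's or Microsoft's code. It assumes you have exported three Microsoft Graph lists for the **Iru Endpoint Management** registration (the Graph service principal's `appRoles`, the app's `appRoleAssignments`, and the app's `passwordCredentials`); all IDs and dates in the sample data are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# The six Microsoft Graph application permissions listed in this guide.
REQUIRED = {
    "Application.Read.All",
    "Domain.Read.All",
    "Device.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
}

def parse_ts(value):
    """Parse a Graph timestamp; the fraction is dropped (Graph may emit 7 digits)."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", value).replace("Z", "+00:00"))

def audit_permissions(graph_app_roles, assignments):
    """Report consented app roles that are missing from, or extra to, REQUIRED."""
    names = {role["id"]: role["value"] for role in graph_app_roles}
    # An unknown appRoleId (a role on some other API) is reported by its raw ID.
    granted = {names.get(a["appRoleId"], a["appRoleId"]) for a in assignments}
    return {"missing": sorted(REQUIRED - granted), "extra": sorted(granted - REQUIRED)}

def audit_secrets(password_credentials, in_use_key_id, now, warn_days=30):
    """Check the secret pasted into Iru (matched by Secret ID) and list other live secrets."""
    report = {"in_use": "not found", "days_left": None, "unused_live": []}
    for cred in password_credentials:
        end = parse_ts(cred["endDateTime"])
        if cred["keyId"] == in_use_key_id:
            report["days_left"] = (end - now).days
            if end <= now:
                report["in_use"] = "expired"
            elif end - now <= timedelta(days=warn_days):
                report["in_use"] = "rotate now"
            else:
                report["in_use"] = "ok"
        elif end > now:
            # Still-valid secret that Iru is not configured with: delete it once
            # rotation is confirmed so no spare credential stays usable.
            report["unused_live"].append(cred["keyId"])
    return report

# --- Constructed sample data (role IDs are placeholders, not real Graph role IDs) ---
ROLE_NAMES = sorted(REQUIRED) + ["Directory.ReadWrite.All"]
GRAPH_APP_ROLES = [
    {"id": f"00000000-0000-0000-0000-{i:012d}", "value": name}
    for i, name in enumerate(ROLE_NAMES)
]
# Consent drift: Domain.Read.All was never consented, Directory.ReadWrite.All was added.
ASSIGNMENTS = [{"appRoleId": r["id"]} for r in GRAPH_APP_ROLES if r["value"] != "Domain.Read.All"]

IN_USE = "11111111-1111-1111-1111-111111111111"  # Secret ID entered in the Iru wizard
SECRETS = [
    {"keyId": IN_USE, "endDateTime": "2025-06-15T00:00:00.0000000Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "endDateTime": "2026-06-01T00:00:00Z"},
    {"keyId": "33333333-3333-3333-3333-333333333333", "endDateTime": "2025-01-01T00:00:00Z"},
]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable sample run

if __name__ == "__main__":
    print(audit_permissions(GRAPH_APP_ROLES, ASSIGNMENTS))
    print(audit_secrets(SECRETS, IN_USE, NOW))
```

An `extra` entry means the registration holds more Graph access than this guide asks for; a `missing` entry means consent is incomplete for a listed permission.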

### Troubleshooting

<AccordionGroup>
  <Accordion title="Devices do not enroll after Autopilot completes">
    **Checklist:**

    * Every Autopilot wizard step completed successfully in Iru Endpoint.
    * **MDM Terms of Use URL** and **MDM Discovery URL** in Entra match **Step 6** in **Instructions** on the Iru wizard page (paste exactly).
    * Admin consent is granted for every Graph application permission on the **Iru Endpoint Management** registration.
    * Autopilot registration and deployment profile assignments in Intune cover the device.
    * The Autopilot deployment profile uses **User-driven** mode. Iru Endpoint does not support Autopilot self-deploying mode.
    * Microsoft licensing supports Autopilot and MDM enrollment for the user.
  </Accordion>

  <Accordion title="Autopilot device enrolled in the wrong MDM instead of Iru Endpoint">
    **Deployment mode set to Self-deploying**

    The Autopilot deployment profile for the device has **Deployment mode** set to **Self-deploying**. That path enrolls the device into **Microsoft Intune** for Autopilot; it does not enroll into Iru Endpoint with the configuration in this article (see [**Configure an Autopilot deployment profile**](#configure-an-autopilot-deployment-profile)).

    In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), edit the profile assigned to the Microsoft Entra **device** group that contains the device and set **Deployment mode** to **User-driven**. Confirm the profile shows **Assigned** for the device, then reset the device so OOBE runs again with the updated profile.

    **Overlapping MDM user scope in Entra**

    In the [Microsoft Entra admin center](https://entra.microsoft.com), open **Mobility (MDM and WIP)** and review every **other** MDM application (for example **Microsoft Intune** or another MDM still listed there) alongside this custom MDM app. If two applications both have **MDM user scope** set to **Some** or **All** for the same users or groups, OOBE can send auto-enrollment to the other provider instead of Iru Endpoint.

    Ensure each user or group that should land in Iru Endpoint is in scope for only this custom MDM app, or set **MDM user scope** to **None** on MDM rows you no longer use for Windows enrollment. For the overlap warning and where to set scope, see the **Set MDM user scope** step under [Creating the MDM application in Entra](#creating-the-mdm-application-in-entra).

    **If the device still does not appear in Iru Endpoint**

    After **User-driven** is in effect and MDM scopes do not overlap for the enrolling user, use the checklist in **Devices do not enroll after Autopilot completes** on this page.
  </Accordion>

  <Accordion title="Cannot save on the final wizard step">
    If **Blueprint Routing** is selected but Routing is not configured, the wizard blocks **Finish Setup**. Select **Configure Blueprint Routing** from the banner, complete [Blueprint Routing](/en/endpoint/enrollment/blueprint-routing), then return and finish.
  </Accordion>
</AccordionGroup>
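
The overlapping-scope and URL-mismatch checks from the troubleshooting items above, as an added example (not Iru's or Microsoft's code). It assumes the MDM rows under **Mobility (MDM and WIP)** have been exported as records shaped like Microsoft Graph's `mobilityManagementPolicy` resource with `includedGroups` expanded; the group IDs and URLs are constructed placeholders, not Iru's real values.

```python
from itertools import combinations

def group_ids(policy):
    return {g["id"] for g in policy.get("includedGroups", [])}

def in_scope(policy):
    """True when the MDM row can claim users: All, or Some with at least one group."""
    scope = policy.get("appliesTo", "none")
    return scope == "all" or (scope == "selected" and bool(group_ids(policy)))

def scope_overlaps(policies):
    """Return (app_a, app_b, reason) for each pair of MDM apps whose user scopes collide."""
    findings = []
    for a, b in combinations([p for p in policies if in_scope(p)], 2):
        if "all" in (a["appliesTo"], b["appliesTo"]):
            reason = "one app's scope is All, so the other app's users are covered twice"
        else:
            shared = group_ids(a) & group_ids(b)
            if not shared:
                # Different groups can still share members; comparing group IDs
                # cannot see that, so resolve memberships separately if in doubt.
                continue
            reason = "shared groups: " + ", ".join(sorted(shared))
        findings.append((a["displayName"], b["displayName"], reason))
    return findings

def url_mismatches(policy, expected):
    """Compare the URLs saved in Entra with the values copied from the wizard."""
    problems = {}
    for field, want in expected.items():
        got = policy.get(field) or ""
        if got == want:
            continue
        if got.strip() == want:
            problems[field] = "leading or trailing whitespace"
        elif got.strip().rstrip("/") == want.rstrip("/"):
            problems[field] = "trailing slash differs"
        elif got.strip().lower() == want.lower():
            problems[field] = "letter case differs"
        else:
            problems[field] = "different value"
    return problems

# --- Constructed sample data ---
EXPECTED = {  # placeholders standing in for the two URLs shown in the wizard
    "discoveryUrl": "https://mdm.example.invalid/discovery",
    "termsOfUseUrl": "https://mdm.example.invalid/terms",
}
POLICIES = [
    {"displayName": "Iru Endpoint Management", "appliesTo": "selected",
     "includedGroups": [{"id": "g-sales"}, {"id": "g-eng"}],
     "discoveryUrl": "https://mdm.example.invalid/discovery ",  # stray trailing space
     "termsOfUseUrl": "https://mdm.example.invalid/terms"},
    {"displayName": "Microsoft Intune", "appliesTo": "selected",
     "includedGroups": [{"id": "g-eng"}, {"id": "g-it"}]},
    {"displayName": "Legacy MDM", "appliesTo": "none", "includedGroups": []},
]

if __name__ == "__main__":
    for finding in scope_overlaps(POLICIES):
        print("overlap:", finding)
    print("url problems:", url_mismatches(POLICIES[0], EXPECTED))
```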

### Related Articles

<CardGroup cols={2}>
  <Card title="Windows Setup" icon="microsoft" href="/en/endpoint/getting-started/platform-setup/windows-setup">
    Platform requirements and enrollment prerequisites for Windows 11 in Iru Endpoint
  </Card>

  <Card title="Configuring Windows Enrollment" icon="microsoft" href="/en/endpoint/enrollment/windows/configuring-windows-enrollment">
    Manual enrollment portal, Enrollment codes, and Blueprint assignment for Windows
  </Card>

  <Card title="Configure Automated Device Enrollment" icon="apple" href="/en/endpoint/settings/apple-integrations/configure-automated-device-enrollment">
    Apple zero-touch enrollment with Apple Business or Apple School Manager
  </Card>

  <Card title="Blueprint Routing" icon="route" href="/en/endpoint/enrollment/blueprint-routing">
    Dynamic Blueprint assignment during enrollment using Assignment Rules
  </Card>
</CardGroup>
