This post describes how to create a Windows 10 Autopilot profile via PowerShell. I always try to automate as much as possible to avoid repetitive work. Now it is time to automate my Windows 10 Autopilot deployment.

Firstly, I need to give a shoutout to Rudy Ooms and his blog (Call4Cloud). I got the idea from him and used a piece of his code. You can find the basis for a full Windows 10 Autopilot deployment in this GitHub repo. This is for advanced PowerShell and Graph API users.

Damien Van Robaeys helped make this script even more efficient. Shoutout to you too!

I explain in detail how you can create your Windows 10 Autopilot profile via PowerShell.

Now there is only 1 step involved. Run the script below.

Create Dynamic Group, an Autopilot Profile and Assign the profile

Firstly, save this code as a .ps1 file:

param (
	[string]$DynamicGroupName,
	[string]$OrderID,
	[string]$AutopilotProfileName
)

# ***************************************************************************************
# 									Check for module part	
# ***************************************************************************************

#Checking for correct modules and installing them if needed
$InstalledModules = Get-InstalledModule
$Module_Name = "MSAL.PS"
If ($InstalledModules.Name -notcontains $Module_Name) {
	Write-Host "Installing module $Module_Name"
	Install-Module $Module_Name -Force
}
Else {
	Write-Host "$Module_Name Module already installed"
}

#Importing Module
Write-Host "Importing Module $Module_Name"
Import-Module $Module_Name

# ***************************************************************************************
# 									Authentication part	
# ***************************************************************************************

#Connecting to Azure AD to Create the Group
# Write-Host "Connecting to Azure AD, fill the credential prompt"		
$myToken = Get-MsalToken -ClientId d1ddf0e4-d672-4dae-b554-9d5bdfd93547 -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Interactive

# ***************************************************************************************
# 									Create group part	
# ***************************************************************************************
##DynamicGroupRule Properties:
$DynamicGroupRule = "(device.devicePhysicalIds -any _ -eq ""[OrderID]:$OrderID"")"
# Creating group
# The URL was empty on the page; the Microsoft Graph groups endpoint is assumed here
$Group_URL = "https://graph.microsoft.com/v1.0/groups"
$group = @{
	"displayName" = $DynamicGroupName;
	"description" = "This is used Windows 10 Autopilot Device with the OrderID $OrderID";
	"groupTypes" = @("DynamicMembership");
	"mailEnabled" = $False;
	"mailNickname" = "AutoPilotGroup-$OrderID";
	"membershipRule" = $DynamicGroupRule;
	"membershipRuleProcessingState" = "On";
	"securityEnabled" = $True
}

$requestBody = $group | ConvertTo-Json #-Depth 5
$Create_group = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" }  -Uri $Group_URL -Method POST -Body $requestBody -ContentType 'application/json'
# The object ID of the new group is returned in the response
$Group_ID = $Create_group.id

# Write-Host "Group created! Save this Object ID: $($CreateDynamicGroup.Id) in a notepad for later use" -ForegroundColor Green
Write-Host "Group created: $Group_ID!" -ForegroundColor Green

# ***************************************************************************************
# 									Create profile part	
# ***************************************************************************************
$AutopilotProfileDescription = "$AutopilotProfileName Azure AD Join AutoPilot Profile"
$Profile_Body = @{
	"@odata.type"                          = "#microsoft.graph.azureADWindowsAutopilotDeploymentProfile"
	displayName                            = "$($AutopilotProfileName)"
	description                            = "$($AutopilotProfileDescription)"
	language                               = 'os-default'
	extractHardwareHash                    = $false
	enableWhiteGlove                       = $true
	outOfBoxExperienceSettings             = @{
		"@odata.type"             = "microsoft.graph.outOfBoxExperienceSettings"
		hidePrivacySettings       = $true
		hideEULA                  = $true
		userType                  = 'Standard'
		deviceUsageType           = 'singleuser'
		skipKeyboardSelectionPage = $false
		hideEscapeLink            = $true
	}
	enrollmentStatusScreenSettings         = @{
		'@odata.type'                                    = "microsoft.graph.windowsEnrollmentStatusScreenSettings"
		hideInstallationProgress                         = $true
		allowDeviceUseBeforeProfileAndAppInstallComplete = $true
		blockDeviceSetupRetryByUser                      = $false
		allowLogCollectionOnInstallFailure               = $true
		customErrorMessage                               = "An error has occurred. Please contact your IT Administrator"
		installProgressTimeoutInMinutes                  = "45"
		allowDeviceUseOnInstallFailure                   = $true
	}
} | ConvertTo-Json
# The URL was empty on the page; the Microsoft Graph (beta) Autopilot deployment profile endpoint is assumed here
$Profile_URL = "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles"
$Create_Profile = Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" }  -Uri $Profile_URL -Method POST -Body $Profile_Body -ContentType 'application/json'
$Get_Profile_ID = $Create_Profile.ID

# ***************************************************************************************
# 									Assign profile part	
# ***************************************************************************************
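# The assignment body was missing from the page; the standard Graph group assignment target is assumed here
$Assignment_Body = @"
{
	"target": {
		"@odata.type": "#microsoft.graph.groupAssignmentTarget",
		"groupId": "$Group_ID"
	}
}
"@

$Profile_Assignment_URL = "$Profile_URL/$($Get_Profile_ID)/assignments"
Invoke-RestMethod -Headers @{Authorization = "Bearer $($myToken.AccessToken)" }  -Uri $Profile_Assignment_URL -Method POST -Body $Assignment_Body -ContentType 'application/json'
Write-Host "Profile created and assigned to the group!" -ForegroundColor Green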

After that, use this code to run the file and add the parameters:

.\Function_Create-AutoPilotDynamicGroup.ps1 -DynamicGroupName NielsKokTech_AutoPilot_Dynamic -OrderID NielsKokTech 

As a result, this is shown:

Fill the credential prompt with an account that has the proper permissions:

After that, this is the output and everything is done!

This is the group created by the script:

Furthermore, this script creates an Azure AD joined Windows 10 Autopilot profile. If you want to edit the properties of the profile, edit $Profile_Body in the file above.

After that, the Windows 10 Autopilot profile is created according to $Profile_Body in the PowerShell script:

That’s how you create a Windows 10 Autopilot profile and assign it via PowerShell.
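
The script interpolates -OrderID directly into the dynamic membership rule, and that group decides which devices receive the profile. The following added example (not part of the original script; the helper names New-AutopilotGroupRule and Test-AutopilotGroupRule, the allowlist pattern and the v1.0 groups endpoint are assumptions) validates the value before the rule is built and reads the created group back from Microsoft Graph to confirm the stored rule.

```powershell
# Added example, not part of the original script. Helper names are hypothetical.
function New-AutopilotGroupRule {
    param ([Parameter(Mandatory)][string]$OrderID)

    # Allowlist (an assumption, adjust to your naming scheme): letters, digits,
    # '-' and '_'. Quotes, parentheses or spaces would change the rule syntax
    # and could place devices in the group that were never meant to be there.
    if ($OrderID -notmatch '^[A-Za-z0-9_-]{1,64}\z') {
        throw "OrderID '$OrderID' is not safe to embed in a membership rule."
    }
    # Same rule text the script builds
    return "(device.devicePhysicalIds -any _ -eq ""[OrderID]:$OrderID"")"
}

function Test-AutopilotGroupRule {
    param (
        [Parameter(Mandatory)][guid]$GroupId,
        [Parameter(Mandatory)][string]$ExpectedRule,
        [Parameter(Mandatory)][string]$AccessToken
    )

    # Read the group back; $select keeps the response to the fields checked here
    $Uri = "https://graph.microsoft.com/v1.0/groups/$GroupId" +
        '?$select=id,displayName,membershipRule,membershipRuleProcessingState'
    $Group = Invoke-RestMethod -Headers @{ Authorization = "Bearer $AccessToken" } -Uri $Uri -Method GET

    $Problems = @()
    if ($Group.membershipRule -cne $ExpectedRule) {
        $Problems += "Stored rule differs from the expected rule: $($Group.membershipRule)"
    }
    if ($Group.membershipRuleProcessingState -ne 'On') {
        $Problems += "Rule processing state is '$($Group.membershipRuleProcessingState)'"
    }
    [pscustomobject]@{
        GroupId  = $Group.id
        Name     = $Group.displayName
        Passed   = ($Problems.Count -eq 0)
        Problems = $Problems
    }
}

# Constructed sample values: the first is accepted, the second is rejected
# because of the embedded quotes and space.
New-AutopilotGroupRule -OrderID 'NielsKokTech'
try { New-AutopilotGroupRule -OrderID 'Order "A"' } catch { Write-Warning $_.Exception.Message }

# After the group is created, with the script's own variables:
# Test-AutopilotGroupRule -GroupId $Group_ID -ExpectedRule $DynamicGroupRule -AccessToken $myToken.AccessToken
```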

Other posts

Want to create an Autopilot manually? Check out these posts:

Azure AD Joined profile

Hybrid AD Joined profile

5 thoughts on “Create Autopilot Profile via Powershell”
    1. I really would love to use that script, but I have a problem with -ClientId d1ddf0e4-d672-4dae-b554-9d5bdfd93547. I replaced your ClientID with mine but realized I do not have the proper one, so it failed. Can you help me with that part? What do I need to do, or where do I get the right one?
      Your help is appreciated.

      1. Hi James,

        You don’t need to change the client id. This is a general Intune Powershell App Rep object ID which is the same for each tenant. After that, you should just be able to run the script. Which error are you getting?

