Configure Default Windows Profile for Autopilot enrollment

Learn how to configure a default Windows profile in the MDM server that can be deployed to Windows endpoints on enrollment.

About this task

A Policy Group is a collection of MDM policies and applications that can apply to MDM endpoints at enrollment time.

The following is the workflow to create a policy group that will apply a set of policies at enrollment time for Autopilot devices:

Procedure

  1. Prestage applications: The applications pre-staged on the MDM server are listed here. For information on how to pre-stage applications, see Prestage an Application.
  2. Upload Custom Policy: Upload the .xml file that contains the custom policy code, as required.
  3. Create other MDM policy types as required such as Passcode policy, Restrictions Policy, Certificates Policy, and save the policies.
    Note: Disk Encryption policies for Windows are not allowed to be part of policy groups for now.
  4. Create a policy group
    1. Select OS: Select Windows as the operating system.
    2. Add Policy: Click the + button and add the required custom policies and other MDM policies into the policy group.
      Note: Only one passcode or restriction policy is available at any given time, but multiple certificate policies are allowed.
    3. Add Application: Add the required pre-staged applications to the policy group.
    4. Add BigFix Agent
    5. Assign To Group: Select Autopilot Enrollment to deploy this policy group to all the Autopilot enrolled Windows 10 and Windows 11 devices on enrollment by default.
    6. Save the policy group.
  5. Select the policy group and Deploy the Policy Group on MDM Server.

Results

The default policy group is created and deployed on the MDM server. When Windows devices are enrolled through Autopilot enrollment, the policies and applications added to this policy group are deployed onto the enrolled devices.

Custom policy to restrict device users from unenrolling fully-managed (company-owned) devices

To restrict the Windows device users from unenrolling the fully-managed (company-owned) device from MDM, upload a custom policy .xml file with the following code and add it to the policy group to be deployed onto the MDM server.

<Replace>
  <CmdID>20</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment</LocURI>
    </Target>
    <Meta>
      <Format>int</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data>0</Data>
  </Item>
</Replace>
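The checker below is an added example and is not part of this documentation or of the BigFix MDM product. It is meant for the "Upload Custom Policy" step of the procedure above: before a custom policy .xml file is placed in a policy group, it parses the SyncML fragment, confirms the LocURI is under the Policy CSP Config node and that the Data value matches the declared Format, and flags the weak setting for AllowManualMDMUnenrollment (a value of 1, the Windows default, still lets the device user unenroll; 0 blocks it). The sample fragment is the one shown above; the Format names accepted (chr, int, bool, b64, xml) are the usual OMA-DM formats and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the custom policy fragment from the section above.
RESTRICT_UNENROLL_XML = """<Replace>
  <CmdID>20</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment</LocURI>
    </Target>
    <Meta>
      <Format>int</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data>0</Data>
  </Item>
</Replace>"""

POLICY_CSP_PREFIX = "./Vendor/MSFT/Policy/Config/"
# 0 blocks manual unenrollment by the device user; 1 (the Windows default) permits it.
UNENROLL_LOCURI = POLICY_CSP_PREFIX + "Experience/AllowManualMDMUnenrollment"
KNOWN_FORMATS = ("chr", "int", "bool", "b64", "xml")


def parse_custom_policy(xml_text):
    """Parse one SyncML Replace/Add command into a dict; raise ValueError if malformed."""
    root = ET.fromstring(xml_text)
    if root.tag not in ("Replace", "Add"):
        raise ValueError(f"top-level command must be Replace or Add, got {root.tag}")
    cmd_id = root.findtext("CmdID")
    if cmd_id is None or not cmd_id.strip().isdigit():
        raise ValueError("CmdID missing or not a non-negative integer")
    item = root.find("Item")
    if item is None:
        raise ValueError("Item element missing")
    loc_uri = item.findtext("Target/LocURI")
    fmt = item.findtext("Meta/Format")
    typ = item.findtext("Meta/Type")
    data = item.findtext("Data")
    for name, val in (("LocURI", loc_uri), ("Format", fmt), ("Data", data)):
        if val is None or not val.strip():
            raise ValueError(f"{name} missing or empty")
    return {
        "cmd": root.tag,
        "cmd_id": int(cmd_id),
        "loc_uri": loc_uri.strip(),
        "format": fmt.strip(),
        "type": (typ or "").strip(),
        "data": data.strip(),
    }


def validate_policy(policy):
    """Return a list of problems found in a parsed policy; an empty list means it looks deployable."""
    problems = []
    if not policy["loc_uri"].startswith(POLICY_CSP_PREFIX):
        problems.append("LocURI is not under the Policy CSP Config node")
    if policy["format"] == "int":
        try:
            int(policy["data"])
        except ValueError:
            problems.append("Format is int but Data is not an integer")
    elif policy["format"] not in KNOWN_FORMATS:
        problems.append(f"unexpected Format {policy['format']!r}")
    # The security-relevant check for this page's policy: anything other than 0
    # leaves the device user able to unenroll a company-owned device.
    if policy["loc_uri"] == UNENROLL_LOCURI and policy["data"] != "0":
        problems.append("AllowManualMDMUnenrollment is not 0; device users can still unenroll")
    return problems


def check_fragment(xml_text):
    """Parse and validate a custom policy fragment, returning (policy, problems)."""
    policy = parse_custom_policy(xml_text)
    return policy, validate_policy(policy)


if __name__ == "__main__":
    parsed, issues = check_fragment(RESTRICT_UNENROLL_XML)
    print(parsed["loc_uri"], "->", parsed["data"], "OK" if not issues else issues)
```

Run the script against the .xml file you intend to upload; an empty problem list means the fragment is structurally sound and, for this policy, actually enforces the restriction rather than silently re-enabling manual unenrollment.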