Scenario
Your organisation has a fleet of existing Windows PCs scattered across the office. Traditionally, IT would collect each device, carry it to a build room, reimage it manually and return it to the user, a slow and painful process.
You want a modern, cloud‑based approach that allows you to:
- Remotely onboard existing devices into Autopilot
- Entra join them automatically
- Factory reset them from Intune
- Redeploy them using an Autopilot profile
- Do all of this from a single admin workstation
This lab demonstrates exactly how to achieve that using PowerShell Remoting, provisioning packages, and Intune.
Lab Objectives
By the end of this lab, you will be able to:
- Enable PowerShell remoting across multiple PCs on the local network.
- Collect hardware hashes remotely and upload them to Autopilot.
- Create a dynamic group and Autopilot deployment profile.
- Build a provisioning package to Entra join devices.
- Push the provisioning package to remote PCs using PowerShell.
- Bulk‑reset devices in Intune to trigger Autopilot deployment.
Prerequisites
- Windows 11 admin workstation
- Five Windows PCs on the same local network
- All devices set to Private network profile
- WinRM enabled on all devices
- Microsoft 365 tenant with:
- Intune
- Entra ID
- Autopilot
- Windows Configuration Designer installed
- PowerShell Remoting enabled
Prepare the Admin Workstation
Enable PowerShell remoting so you can manage devices remotely.
- Set the network profile to Private.
- Allow connections to all hosts:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
- Start the WinRM service:
Start-Service WinRM
Verification
WinRM reports as running and TrustedHosts is set to *.
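A TrustedHosts value of * lets the WinRM client authenticate to any host it is pointed at without mutual authentication. The following added example (not part of the original lab) scopes the list to the lab PCs for the duration of one action and then restores the previous value. The function name is hypothetical, and .\pcs.txt is assumed to hold one computer name per line, as created later in this lab.

```powershell
# Added example, not from the original lab. Run from an elevated PowerShell session.
# Invoke-WithScopedTrustedHosts is a hypothetical helper name.
function Invoke-WithScopedTrustedHosts {
    param(
        [Parameter(Mandatory)] [string[]]    $ComputerName,
        [Parameter(Mandatory)] [scriptblock] $Action
    )
    $path     = 'WSMan:\localhost\Client\TrustedHosts'
    $previous = [string](Get-Item -Path $path).Value   # empty string when unset
    try {
        # Trust only the named lab PCs instead of "*".
        Set-Item -Path $path -Value ($ComputerName -join ',') -Force
        & $Action
    }
    finally {
        # Put back whatever was configured before, even if the action failed.
        Set-Item -Path $path -Value $previous -Force
    }
}

# Assumption: pcs.txt contains one PC name per line; blank lines are ignored.
$pcs = Get-Content .\pcs.txt | ForEach-Object { $_.Trim() } | Where-Object { $_ }

Invoke-WithScopedTrustedHosts -ComputerName $pcs -Action {
    Invoke-Command -ComputerName $pcs -ScriptBlock { hostname }
}
```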
Prepare the Target PCs
Enable remote management on each of the five PCs.
- Set each PC’s network profile to Private.
- Enable PowerShell remoting:
Enable-PSRemoting -Force
Verification
Each PC shows WinRM running and firewall rules applied.
Test Remote Connectivity
Confirm you can reach all PCs from the admin workstation.
- Create a text file containing the five PC names (pcs.txt).
- Run:
Invoke-Command -ComputerName (Get-Content .\pcs.txt) -ScriptBlock { hostname }
Verification
Each PC returns its hostname.
Collect Hardware Hashes for Autopilot
Use Microsoft’s script to gather hardware hashes remotely.
- Install the official Autopilot hash collection script:
Install-Script -Name Get-WindowsAutoPilotInfo
- Store PC names in a variable ($pcs).
- Run the script with a group tag (existing-devices), writing the hashes to a CSV file with -OutputFile (the file name here is an example):
Get-WindowsAutopilotInfo.ps1 -ComputerName $pcs -GroupTag "existing-devices" -OutputFile .\AutopilotHWID.csv
Verification
A CSV file is generated containing all five hardware hashes.
Create a Dynamic Group for Autopilot
Automatically group devices using the group tag.
- In Entra ID, create a Dynamic Device Group.
- Use a rule matching the group tag existing-devices.
Verification
Devices appear in the group once imported.
Create an Autopilot Deployment Profile
Define how devices will be rebuilt.
- Go to Intune → Devices → Windows → Windows Enrollment → Deployment Profiles.
- Create a new Windows Autopilot profile.
- Configure:
- User‑driven or self‑deploying mode
- Skip privacy and OOBE screens
- Apply naming template
Verification
The profile is assigned to the dynamic group.
Upload the Hardware Hash CSV
Register the devices with Autopilot.
- Go to Windows Enrollment → Devices → Import.
- Upload the CSV file.
- Wait 5–10 minutes for processing.
Verification
Devices appear with the correct group tag and assigned profile.
Create a Service Principal for Provisioning Packages
Required to obtain a bulk token for Entra join.
- Install the Azure AD PowerShell module:
Install-Module AzureAD -Force
- Connect to your tenant:
Connect-AzureAD
- Create a service principal with appropriate permissions:
New-AzureADServicePrincipal -AccountEnabled $true -AppId 00000014-0000-0000-c000-000000000000 -AppRoleAssignmentRequired $False -DisplayName Microsoft.Azure.SyncFabric
Verification
The service principal appears in Entra ID.
Build the Provisioning Package
Use Windows Configuration Designer to create a package that Entra joins devices.
- Open Windows Configuration Designer.
- Choose Provision desktop devices.
- Configure:
- Computer name pattern
- Entra join
- Bulk token (authenticate using the admin user)
- Save the provisioning package.
Verification
A .ppkg file is generated.
Push the Provisioning Package to All PCs
Copy and install the package remotely.
- Create PowerShell sessions to all PCs:
$ss = New-PSSession -ComputerName $pcs
- Copy the provisioning package:
foreach ($s in $ss) { Copy-Item -Path '.\autopilot.ppkg' -Destination "C:\" -ToSession $s }
- Install the package and delete it afterwards for security:
Invoke-Command -Session $ss -ScriptBlock {
Install-ProvisioningPackage -PackagePath "C:\autopilot.ppkg" -QuietInstall; Remove-Item "C:\autopilot.ppkg"
}
Verification
Devices appear in Entra ID and Intune as newly joined.
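The provisioning package carries the bulk enrolment token, so it should not stay on disk if the install fails partway. The following added example (not part of the original lab) repeats the push with an integrity check, guaranteed cleanup and a per-PC result; it assumes $pcs and .\autopilot.ppkg as defined in the steps above.

```powershell
# Added example, not from the original lab. Assumes $pcs and .\autopilot.ppkg from the steps above.
$package  = (Resolve-Path .\autopilot.ppkg).Path
$expected = (Get-FileHash -Path $package -Algorithm SHA256).Hash
$remote   = 'C:\autopilot.ppkg'     # same staging path the lab uses

# Open sessions, reporting unreachable PCs instead of stopping the whole run.
$sessions = New-PSSession -ComputerName $pcs -ErrorAction SilentlyContinue -ErrorVariable failed
foreach ($f in $failed) { Write-Warning "No session: $($f.Exception.Message)" }
if (-not $sessions) { throw 'No lab PC could be reached.' }

try {
    foreach ($s in $sessions) {
        Copy-Item -Path $package -Destination $remote -ToSession $s -Force
    }

    $results = Invoke-Command -Session $sessions -ArgumentList $remote, $expected -ScriptBlock {
        param($path, $hash)
        try {
            # Confirm the copied file is the package that was built on the admin workstation.
            if ((Get-FileHash -Path $path -Algorithm SHA256).Hash -ne $hash) { throw 'hash mismatch' }
            Install-ProvisioningPackage -PackagePath $path -QuietInstall -ErrorAction Stop | Out-Null
            $status = 'Installed'
        }
        catch   { $status = "Failed: $($_.Exception.Message)" }
        finally {
            # Remove the token-bearing package on success and on failure.
            Remove-Item -Path $path -Force -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{ Status = $status; PackageLeftOnDisk = (Test-Path $path) }
    }

    $results | Select-Object PSComputerName, Status, PackageLeftOnDisk | Format-Table -AutoSize
}
finally {
    # Close the remoting sessions whether or not the install succeeded.
    Remove-PSSession -Session $sessions
}
```

Any row showing PackageLeftOnDisk as True, or a Status that starts with Failed, identifies a PC to revisit before the bulk wipe.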
Bulk Reset the Devices in Intune
Trigger Autopilot deployment remotely.
- In Intune, select all five devices.
- Choose Bulk Device Action → Wipe.
- Confirm the action.
Verification
Devices reboot, factory reset, and begin Autopilot deployment.
Validate Autopilot Deployment
Confirm devices rebuild successfully.
- Watch devices progress through OOBE.
- Verify:
- Autopilot profile applied
- Device naming correct
- Intune enrollment complete
- Apps and policies applied
Verification
All devices complete Autopilot setup and are ready for users.
Conclusion
In this lab, you remotely reprovisioned five standalone Windows PCs using Autopilot, provisioning packages and Intune, all without touching a single device. You collected hardware hashes, created a dynamic Autopilot group, built a provisioning package for Entra join, deployed it remotely using PowerShell, and bulk‑reset the devices so they rebuilt themselves automatically.
This modern approach eliminates build rooms, manual imaging, and physical handling of devices, making it ideal for organisations adopting cloud‑based provisioning at scale.