So I have had quite a few customers ask me about what I set when configuring autopilot profiles and why? For the sake of the post I will focus on Azure AD join mainly because Hybrid is a nightmare of complexity and I have found very few cases where Hybrid was the better choice, I always encourage start with Azure AD join and move back to hybrid if nothing else.

Jump over to Endpoint Manger > Devices > Enroll Devices > Deployment Profiles.

Select + Create profile > Windows PC

Provide a name for your profile and I like to choose yet to "Convert all targeted devices to Autopilot" This gives me the ability to take AADJ devices or Hybrid and covert them to boot to this AP profile the next time they go through OOBE, this was helpful when do a mass AADJ deployment using SCCM, then having them auto enroll into Autopilot so if they need to reset in the field they could do so.

Select Next, and this will bring us to the core of the profile the OOBE configurations.

Deployment mode: User Driven

Two options here User driven meaning a user will be guided through the process and authenticate using unique credentials, or the other which is in preview for over 2 yrs. Self Deploying.

Join to Azure AD as: Azure AD join

If you have read any of my Blog posts in the past I always choose Azure AD Join over hybrid. There are very few reason to actually choose Hybrid. I always recommend build it out in Azure native and if you need it's easy to flip back to the horrible complex and clunky hybrid.

Microsoft Software License Terms: Hide

Always hide I love how clean the user experience is with no EULA, and many organizations will not permit end users to accept any EULA's so this is extremely helpful.

Privacy Settings: Hide

I totally get why privacy is presented during the OOBE with this being such a big deal, even though you get to hid it here doesn't mean you set the default values here you will need to do that in Intune if that is a concern.

Hide change account options: Hide

This should always be set to Hide for autopilot, leaving this as show will give the user the option to build a local profile or join local AD, which can be helpful but at that point why bother with an autopilot profile?

User account type: Administrator

Either option here isn't bad, for piloting I always do administrator when all the kinks are worked out I switch back to standard if that is what the customer wants. Remember with standard you need to ensure your bit locker policies allows standard users to enable bit locker for the auto encrypt to work.

Allow pre-provisioned deployment: No

In the past I would say why not enable this to allow autopilot for pre-provisioned devices. But with the current auth bug if this is invoked the Intune object will need to be completely deleted before you can redeploy, making for a cumbersome process.

Language (Region): Operating system default

I always leave this default, that way if I deploy globally and have OEMs distributing globally then whichever OS is shipped will be picked up, now you can always override this if needed, but typically leaving it is just fine.

Automatically configure keyboard: Yes

This just pull the default keyboard layout for the OS default shipped really nice, required 1903 or higher to work.

Apply device name template:

Now this is always a debate to name or not to name, I'll be honest I'm on the side of naming standards are a waste of time and adds complexity where your users are using so many devices it just inefficient for enforcing names. But many orgs use them, and in this case I always build dynamic groups based on the name and target accordingly.