Overview
Windows Autopilot transforms device deployment by enabling IT to configure new devices with zero touch. Instead of imaging, Autopilot uses cloud-based configuration to transform devices from factory state to business-ready with minimal user interaction.
Who Should Use This Guide:
- IT administrators deploying new Windows devices
- Organizations transitioning from SCCM/ConfigMgr imaging
- MSPs managing multi-tenant device deployments
- Enterprises implementing modern device management
Autopilot Deployment Scenarios:
| Scenario | Use Case | User Involvement |
|---|---|---|
| User-Driven | Standard deployment for assigned users | User signs in with corporate credentials |
| Self-Deploying | Kiosks, shared devices, digital signage | None - fully automated |
| Pre-Provisioned | White glove for executive devices | IT provisions, user completes |
| Reset | Re-deploy existing enrolled devices | Minimal - retains Autopilot profile |
Requirements
Licensing Requirements:
| Component | Required License |
|---|---|
| Microsoft Intune | M365 E3/E5, EMS E3/E5, or Intune standalone |
| Entra ID Join | Entra ID P1 (included in above) |
| Conditional Access | Entra ID P1 or P2 |
| Windows 11 | Pro, Enterprise, or Education |
Network Requirements:
| Endpoint | Protocol | Purpose |
|---|---|---|
| *.microsoftonline.com | HTTPS/443 | Entra ID authentication |
| enterpriseregistration.windows.net | HTTPS/443 | Device registration |
| *.manage.microsoft.com | HTTPS/443 | Intune enrollment |
| *.windowsupdate.com | HTTPS/443 | Windows Update |
| *.delivery.mp.microsoft.com | HTTPS/443 | Delivery Optimization |
Architecture
┌────────────────────────────────────────────────────────────────┐
│                     Windows Autopilot Flow                     │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│  ┌─────────────┐      ┌─────────────┐      ┌─────────────┐     │
│  │   Factory   │      │   OEM/CSP   │      │   Intune    │     │
│  │   Device    │─────▶│  Registers  │─────▶│   Imports   │     │
│  │             │      │ Hardware ID │      │   Device    │     │
│  └─────────────┘      └─────────────┘      └──────┬──────┘     │
│                                                   │            │
│                                                   ▼            │
│  ┌─────────────┐      ┌─────────────┐      ┌─────────────┐     │
│  │   Device    │      │  Autopilot  │      │ Deployment  │     │
│  │  Unboxed    │◀─────│   Profile   │◀─────│   Profile   │     │
│  │  by User    │      │  Assigned   │      │   Created   │     │
│  └──────┬──────┘      └─────────────┘      └─────────────┘     │
│         │                                                      │
│         ▼                                                      │
│  ┌─────────────┐      ┌─────────────┐      ┌─────────────┐     │
│  │    OOBE     │      │  Entra ID   │      │   Intune    │     │
│  │ Customized  │─────▶│   Join &    │─────▶│   Config    │     │
│  │  Branding   │      │    MFA      │      │   Applied   │     │
│  └─────────────┘      └─────────────┘      └─────────────┘     │
│                                                                │
└────────────────────────────────────────────────────────────────┘
Process
Step 1: Collect Hardware Hashes
Obtain the hardware hash (device ID) for each device to register with Autopilot.
Method 1: PowerShell Script (Existing Devices)
Run on each device to collect the hardware hash:
```powershell
# Run from an elevated PowerShell prompt on the device
# Allow the downloaded script to run in this session only
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
# Install the hardware hash collection script from the PowerShell Gallery
Install-Script -Name Get-WindowsAutoPilotInfo -Force
# Collect the hash and export it to CSV (create the output folder first)
New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
Get-WindowsAutoPilotInfo -OutputFile "C:\Temp\AutopilotHWID.csv"
```
Method 2: From Windows Settings (Single Device)
- Open Settings → Accounts → Access work or school
- Click Export your management log files
- Navigate to C:\Users\Public\Documents\MDMDiagnostics
- Open MDMDiagReport.html and find the Hardware Hash
Method 3: OEM Pre-Registration
Request your hardware vendor (Dell, HP, Lenovo) to register devices during ordering:
| Vendor | Registration Method |
|---|---|
| Dell | TechDirect or reseller |
| HP | Partner Ready Portal |
| Lenovo | Lenovo Device as a Service |
| Microsoft | Surface for Business |
Verification: Hardware hash CSV contains Device Serial Number, Windows Product ID, and Hardware Hash columns.
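A pre-import check of the CSV catches the usual causes of a failed import (renamed headers, duplicated serials, truncated hash cells) before anything is uploaded. This is an added example, not part of the original guide or of the Get-WindowsAutoPilotInfo script; the column names are the ones listed above, the file path and the minimum decoded hash length are assumptions.

```powershell
# Added example (not part of the original guide): sanity-check a hardware hash CSV
# before it is uploaded. Column names are those produced by Get-WindowsAutoPilotInfo;
# the sample path and the 1000-byte length heuristic are assumptions.
function Test-AutopilotHashCsv {
    param([Parameter(Mandatory)][string]$Path)

    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No rows found in $Path" }

    # Every required column must exist; a renamed header makes the whole import fail.
    $present = $rows[0].PSObject.Properties.Name
    $missing = @($required | Where-Object { $_ -notin $present })
    if ($missing.Count -gt 0) { throw "Missing column(s): $($missing -join ', ')" }

    $seen     = @{}
    $problems = [System.Collections.Generic.List[string]]::new()
    foreach ($row in $rows) {
        $serial = $row.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) {
            $problems.Add('Row with empty serial number')
            continue
        }
        # The same serial twice usually means a device was exported twice.
        if ($seen.ContainsKey($serial)) {
            $problems.Add("Duplicate serial number: $serial")
            continue
        }
        $seen[$serial] = $true

        # The hash must decode as Base64; a truncated cell is a common cause of a failed import.
        try {
            $bytes = [Convert]::FromBase64String($row.'Hardware Hash')
            if ($bytes.Length -lt 1000) {
                $problems.Add("Serial $($serial): hardware hash is unusually short ($($bytes.Length) bytes)")
            }
        }
        catch {
            $problems.Add("Serial $($serial): hardware hash is not valid Base64")
        }
    }

    [pscustomobject]@{
        Path          = $Path
        DeviceCount   = $rows.Count
        Problems      = $problems
        ReadyToImport = ($problems.Count -eq 0)
    }
}

# Usage: run against the export from Method 1 and stop if anything is flagged
$check = Test-AutopilotHashCsv -Path 'C:\Temp\AutopilotHWID.csv'
$check.Problems | ForEach-Object { Write-Warning $_ }
if (-not $check.ReadyToImport) { throw 'Fix the CSV before importing it into Intune' }
```

Run it on the merged CSV right before Step 2; a file that passes still has to be processed by the Autopilot service, so the import state check in Step 2 remains the final word.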
Step 2: Import Devices to Autopilot
Register devices in Microsoft Intune for Autopilot deployment.
Import via Intune Portal:
- Navigate to Microsoft Intune admin center
- Go to Devices → Enrollment → Windows → Devices
- Click Import
- Upload the CSV file with hardware hashes
- Click Import and wait for processing
Import via Microsoft Graph PowerShell:
```powershell
# Connect to Microsoft Graph with the scope needed to register Autopilot devices
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"
# Import devices from the CSV produced in Step 1
$devices = Import-Csv "C:\Temp\AutopilotHWID.csv"
foreach ($device in $devices) {
    $params = @{
        "@odata.type"      = "#microsoft.graph.importedWindowsAutopilotDeviceIdentity"
        serialNumber       = $device.'Device Serial Number'
        hardwareIdentifier = [Convert]::FromBase64String($device.'Hardware Hash')
        productKey         = $device.'Windows Product ID'
    }
    # The call returns immediately; the Autopilot service processes the entry asynchronously
    New-MgDeviceManagementImportedWindowsAutopilotDeviceIdentity -BodyParameter $params
}
```
Verification: Devices appear in Devices → Windows → Windows enrollment → Devices with "Assigning" or "Assigned" status.
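The import call above returns before the Autopilot service has processed the entry, so the portal's "wait for processing" step has a scripted equivalent: poll each imported identity until its import state is final. This is an added example, not code from the original guide; it assumes an existing Connect-MgGraph session and takes the Id values returned by the Step 2 loop.

```powershell
# Added example (not from the original guide): poll the asynchronous import until
# every device reaches a final state. Pass the Id values returned by
# New-MgDeviceManagementImportedWindowsAutopilotDeviceIdentity in Step 2.
# Assumes Connect-MgGraph has already been run with DeviceManagementServiceConfig.ReadWrite.All.
function Wait-AutopilotImport {
    param(
        [Parameter(Mandatory)][string[]]$ImportedIdentityId,
        [int]$TimeoutMinutes = 15,
        [int]$PollSeconds = 30
    )

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $pending  = [System.Collections.Generic.List[string]]::new()
    $ImportedIdentityId | ForEach-Object { $pending.Add($_) }
    $results  = [System.Collections.Generic.List[object]]::new()

    while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
        foreach ($id in @($pending)) {
            $item   = Get-MgDeviceManagementImportedWindowsAutopilotDeviceIdentity -ImportedWindowsAutopilotDeviceIdentityId $id
            $status = $item.State.DeviceImportStatus
            # 'pending' and 'unknown' are not final; keep polling those entries
            if ($status -in 'pending', 'unknown') { continue }
            $results.Add([pscustomobject]@{
                SerialNumber      = $item.SerialNumber
                Status            = $status                      # complete, partial or error
                ErrorName         = $item.State.DeviceErrorName  # populated on error, e.g. an already-registered device
                AutopilotDeviceId = $item.State.DeviceRegistrationId
            })
            [void]$pending.Remove($id)
        }
        if ($pending.Count -gt 0) { Start-Sleep -Seconds $PollSeconds }
    }

    # Anything still pending at the deadline is reported as a timeout rather than silently dropped
    foreach ($id in $pending) {
        $results.Add([pscustomobject]@{
            SerialNumber = $id; Status = 'timeout'; ErrorName = $null; AutopilotDeviceId = $null
        })
    }
    return $results
}

# Usage: capture the objects returned by the Step 2 loop, then wait on their Ids
# $imports = foreach ($device in $devices) { New-MgDeviceManagementImportedWindowsAutopilotDeviceIdentity -BodyParameter $params }
# Wait-AutopilotImport -ImportedIdentityId $imports.Id | Format-Table -AutoSize
```

Rows with an error state carry the service's error name, which is the first thing to look at when a device never reaches "Assigned" in the portal.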
Step 3: Create Dynamic Device Group
Create an Entra ID group for Autopilot devices to target with profiles.
Navigate to: Entra admin center → Groups → New group
Create Dynamic Device Group:
- Group type: Security
- Group name: Autopilot-Devices
- Membership type: Dynamic Device
- Dynamic query:
```
(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))
```
For Specific Deployment Profile:
```
(device.enrollmentProfileName -eq "Autopilot-Standard")
```
For Specific Order ID (Vendor Tag):
```
(device.devicePhysicalIds -any (_ -contains "[OrderId]:YourOrderID"))
```
Verification: Group populates with imported Autopilot devices (may take 15-30 minutes).
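The same group can be created with Microsoft Graph PowerShell, which also makes the verification step scriptable (confirm the rule is processing and watch the member count rise). This is an added example, not code from the original guide; the group description and the order ID in the second call are placeholders, and the membership rules are the ones shown above.

```powershell
# Added example (not from the original guide): create the Autopilot dynamic device group
# through Microsoft Graph PowerShell and check that it is populating. Description and
# the order ID value are assumptions; the membership rules are the ones shown above.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function New-AutopilotDynamicGroup {
    param(
        [string]$DisplayName    = 'Autopilot-Devices',
        [string]$MembershipRule = '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))',
        [string]$Description    = 'All devices registered with Windows Autopilot'
    )

    # Idempotent: reuse an existing group instead of creating a second one with the same name
    $existing = Get-MgGroup -Filter "displayName eq '$DisplayName'" | Select-Object -First 1
    if ($existing) { return $existing }

    New-MgGroup -DisplayName $DisplayName `
                -Description $Description `
                -MailEnabled:$false `
                -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
                -SecurityEnabled `
                -GroupTypes 'DynamicMembership' `
                -MembershipRule $MembershipRule `
                -MembershipRuleProcessingState 'On'
}

function Get-AutopilotGroupStatus {
    param([Parameter(Mandatory)][string]$GroupId)
    $group   = Get-MgGroup -GroupId $GroupId -Property 'id,displayName,membershipRule,membershipRuleProcessingState'
    $members = @(Get-MgGroupMember -GroupId $GroupId -All)
    [pscustomobject]@{
        DisplayName     = $group.DisplayName
        Rule            = $group.MembershipRule
        ProcessingState = $group.MembershipRuleProcessingState   # should read 'On'
        MemberCount     = $members.Count                         # stays 0 until the rule has been evaluated (15-30 min)
    }
}

# Group for all Autopilot-registered devices
$allDevices = New-AutopilotDynamicGroup

# Second group scoped to one vendor order tag (the order ID is a placeholder)
$orderGroup = New-AutopilotDynamicGroup -DisplayName 'Autopilot-Order-12345' `
    -MembershipRule '(device.devicePhysicalIds -any (_ -contains "[OrderId]:12345"))'

Get-AutopilotGroupStatus -GroupId $allDevices.Id
Get-AutopilotGroupStatus -GroupId $orderGroup.Id
```

A ProcessingState other than 'On' means the rule was saved but is not being evaluated; a MemberCount that stays at 0 well past the 15-30 minute window usually points at a rule that does not match the imported devices' physical IDs.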
Step 4: Configure Company Branding
Customize the OOBE experience with organizational branding.
Navigate to: Entra admin center → User experiences → Company branding
Configure Branding Elements:
| Element | Recommendation |
|---|---|
| Sign-in page background | Company logo or branded image (1920x1080) |
| Banner logo | Square logo (280x60 max) |
| Square logo dark | For dark backgrounds |
| Username hint | "user@company.com" |
| Sign-in page text | Welcome message or support info |
Verification: Visit https://login.microsoftonline.com to preview branding.
Step 5: Create Deployment Profile
Define the Autopilot deployment settings.
Navigate to: Intune → Devices → Enrollment → Deployment Profiles
Create Profile:
- Click Create profile → Windows PC
- Configure basics:
  - Name: Autopilot-Standard-UserDriven
  - Description: Standard user-driven deployment
Out-of-box experience (OOBE) settings:
| Setting | User-Driven | Self-Deploying |
|---|---|---|
| Deployment mode | User-driven | Self-deploying |
| Join to Entra ID as | Entra ID joined | Entra ID joined |
| Microsoft Software License Terms | Hide | Hide |
| Privacy settings | Hide | Hide |
| Hide change account options | Yes | Yes |
| User account type | Standard | N/A |
| Allow pre-provisioned deployment | Yes | Yes |
| Language (Region) | Operating system default | User select |
| Keyboard | Operating system default | User select |
| Apply device name template | Yes | Yes |
| Device name template | CORP-%SERIAL% | KIOSK-%SERIAL% |
Assignments:
- Assign to Autopilot-Devices dynamic group
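The assignment can be scripted as well. This is an added example, not code from the original guide; it uses the beta Graph endpoint for Autopilot deployment profiles and a groupAssignmentTarget body (both assumed here from the Graph reference, so check them against the current documentation), and the profile and group names are the ones used in this guide.

```powershell
# Added example (not from the original guide): assign a deployment profile to the dynamic
# device group with Microsoft Graph PowerShell. The beta endpoint and the groupAssignmentTarget
# body are assumptions taken from the Graph reference; names are the ones used in this guide.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All', 'Group.Read.All'

function Set-AutopilotProfileAssignment {
    param(
        [Parameter(Mandatory)][string]$ProfileDisplayName,
        [Parameter(Mandatory)][string]$GroupDisplayName
    )
    $base = 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles'

    # Resolve the profile by display name (client-side filter, so no reliance on $filter support)
    $apProfile = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
        Where-Object { $_.displayName -eq $ProfileDisplayName } | Select-Object -First 1
    if (-not $apProfile) { throw "Deployment profile '$ProfileDisplayName' not found" }

    $group = Get-MgGroup -Filter "displayName eq '$GroupDisplayName'" | Select-Object -First 1
    if (-not $group) { throw "Group '$GroupDisplayName' not found" }

    # Skip if this group is already a target, so re-running the script never posts the same target twice
    $assignments = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($apProfile.id)/assignments").value
    if ($assignments | Where-Object { $_.target.groupId -eq $group.Id }) {
        Write-Host "Profile '$ProfileDisplayName' is already assigned to '$GroupDisplayName'"
        return
    }

    $body = @{
        target = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $group.Id
        }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($apProfile.id)/assignments" -Body $body
}

Set-AutopilotProfileAssignment -ProfileDisplayName 'Autopilot-Standard-UserDriven' -GroupDisplayName 'Autopilot-Devices'
```

After the assignment is created, devices in the group move to "Assigning" and then "Assigned" in the Windows enrollment device list; the existing-assignment check makes the function safe to keep in a repeatable provisioning script.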
CLI Alternative (Microsoft Graph):
```powershell
# Uses the DeviceManagementServiceConfig.ReadWrite.All scope from the Step 2 connection
$profileParams = @{
    "@odata.type"       = "#microsoft.graph.azureADWindowsAutopilotDeploymentProfile"
    displayName         = "Autopilot-Standard-UserDriven"
    description         = "Standard user-driven deployment"
    language            = "os-default"
    extractHardwareHash = $true
    deviceNameTemplate  = "CORP-%SERIAL%"
    deviceType          = "windowsPc"
    enableWhiteGlove    = $true          # allow pre-provisioned deployment
    outOfBoxExperienceSettings = @{
        hidePrivacySettings       = $true
        hideEULA                  = $true
        userType                  = "standard"
        deviceUsageType           = "singleUser"
        skipKeyboardSelectionPage = $true
        hideEscapeLink            = $true  # hide change account options
    }
}
New-MgDeviceManagementWindowsAutopilotDeploymentProfile -BodyParameter $profileParams
```
Step 6: Configure Enrollment Status Page (ESP)
Control the deployment experience and ensure apps/policies are installed.
Navigate to: Intune → Devices → Enrollment → Enrollment Status Page
Create ESP Profile:
- Click Create
- Configure:
  - Name: ESP-Standard
  - Show app and profile configuration progress: Yes
  - Show error when installation exceeds time limit: Yes
  - Show custom message for time limit errors: Yes
  - Error message: Deployment taking longer than expected. Contact IT at support@company.com
Blocking Apps (Wait for installation):
| App Type | Examples |
|---|---|
| Win32 apps | Microsoft 365 Apps, Company Portal |
| LOB apps | Custom business applications |
| Configuration profiles | VPN, Wi-Fi, certificates |
Timeout Settings:
| Setting | Recommended Value |
|---|---|
| Installation time limit | 60 minutes |
| Allow device reset on install failure | Yes |
| Allow device use on install failure | No (for critical apps) |
Assignments:
- Assign to Autopilot-Devices or All Devices
Step 7: Assign Required Applications
Ensure critical apps deploy during Autopilot enrollment.
Recommended Autopilot Apps:
| Application | Deployment Type | Required During ESP |
|---|---|---|
| Microsoft 365 Apps | Win32 | Yes |
| Company Portal | Store app | Yes |
| Microsoft Defender | Built-in | Automatic |
| VPN Client | Win32 | Yes (if required) |
| Line-of-Business Apps | Win32/LOB | Depends |
Assign Apps as Required:
- Navigate to Apps → Windows
- Select application
- Go to Properties → Assignments
- Add Required assignment to Autopilot device group
- Enable Make this app required during ESP if available
Step 8: Test Deployment
Validate the Autopilot experience before production rollout.
Reset Test Device:
```powershell
# From the Windows 11 device, via Settings:
# Settings → System → Recovery → Reset this PC → Remove everything → Cloud download
# Or from an elevated command line:
systemreset -cleanpc
```
OOBE Testing Checklist:
- Device boots to customized OOBE with company branding
- User enters corporate email, redirected to Entra ID sign-in
- MFA prompt appears (if Conditional Access configured)
- ESP shows app/profile installation progress
- Desktop loads with all required apps installed
- Device appears enrolled in Intune
Monitor Deployment:
Navigate to Intune → Devices → Monitor → Autopilot deployments
| Status | Meaning |
|---|---|
| In progress | OOBE or ESP currently running |
| Completed | Deployment successful |
| Failed | Error during deployment (check logs) |
| Pending | Awaiting user sign-in |
Troubleshooting
Common Issues:
| Symptom | Possible Cause | Solution |
|---|---|---|
| Device not recognized | Hardware hash not imported | Re-import hardware hash; sync Autopilot service |
| "Something went wrong" | Network connectivity | Verify firewall allows required endpoints |
| Profile not applying | Assignment not synced | Wait 15-30 mins; force sync in Intune |
| ESP stuck installing | App installation failure | Check app status in Intune; review logs |
| MFA loop | Conditional Access conflict | Review CA policies; create exclusion for enrollment |
Diagnostic Commands:
```powershell
# View the Autopilot profile values cached on the device
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot"
# Check Entra ID join and MDM enrollment status
dsregcmd /status
# View Autopilot setup logs
Get-ChildItem "C:\Windows\Logs\MoSetup\UpdateSetupBox*.log"
# Export MDM diagnostics for the Autopilot area
mdmdiagnosticstool.exe -area Autopilot -zip "C:\Temp\AutopilotDiag.zip"
```
Collect Logs from Failed Deployment:
- Press Shift+F10 during OOBE to open a command prompt
- Run: mdmdiagnosticstool.exe -area Autopilot -zip C:\Temp\logs.zip
- Copy the ZIP to a USB drive for analysis
Security Considerations
Conditional Access for Enrollment:
Create CA policy to require compliant device for enrollment:
```
Name: Require Compliant Device - Windows Enrollment
Users: All users (exclude break-glass accounts)
Cloud apps: Microsoft Intune Enrollment
Conditions: Device platforms = Windows
Grant: Require device to be marked as compliant
```
Restrict Who Can Enroll:
Intune → Devices → Enrollment → Device platform restrictions
- Personally owned devices: Block
- Device limit: 5 devices per user
Device Naming Security:
- Avoid including user names in device templates
- Use serial numbers or random identifiers
- Consider the CORP-%RAND:4%-%SERIAL:4% format
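The Conditional Access policy above can be created with Microsoft Graph PowerShell. Because a device that is still enrolling has no compliance record yet, the example creates the policy in report-only mode so its effect on enrollment sign-ins can be reviewed in the sign-in logs before it is enforced, and it lists other enabled policies targeting the same cloud app, which is where the "MFA loop" conflict from the troubleshooting table usually originates. This is an added example, not code from the original guide; the break-glass group name is a placeholder, and the Intune Enrollment app ID is looked up from the tenant's service principal rather than hard-coded.

```powershell
# Added example (not from the original guide): create the enrollment Conditional Access policy
# in report-only mode and list other enabled policies that also cover Intune enrollment.
# The break-glass group name is a placeholder; the app ID is resolved from the tenant.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All', 'Application.Read.All'

function Get-IntuneEnrollmentAppId {
    # Resolve the 'Microsoft Intune Enrollment' cloud app through its service principal
    $sp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'" | Select-Object -First 1
    if (-not $sp) { throw 'Microsoft Intune Enrollment service principal not found in this tenant' }
    return $sp.AppId
}

function New-EnrollmentCompliancePolicy {
    param(
        [string]$DisplayName = 'Require Compliant Device - Windows Enrollment',
        [Parameter(Mandatory)][string]$BreakGlassGroupName
    )
    $appId = Get-IntuneEnrollmentAppId

    # Refuse to create the policy without the break-glass exclusion the guide calls for
    $breakGlass = Get-MgGroup -Filter "displayName eq '$BreakGlassGroupName'" | Select-Object -First 1
    if (-not $breakGlass) { throw "Break-glass group '$BreakGlassGroupName' not found" }

    $params = @{
        displayName   = $DisplayName
        # Report-only first: review the impact in sign-in logs, then change to 'enabled'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
            applications = @{ includeApplications = @($appId) }
            platforms    = @{ includePlatforms = @('windows') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $params
}

function Get-OverlappingEnrollmentPolicies {
    # Enabled policies that include the same app, or all apps, also apply during enrollment
    $appId = Get-IntuneEnrollmentAppId
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.State -eq 'enabled' -and (
            $_.Conditions.Applications.IncludeApplications -contains 'All' -or
            $_.Conditions.Applications.IncludeApplications -contains $appId
        )
    } | Select-Object DisplayName, @{ n = 'Grant'; e = { $_.GrantControls.BuiltInControls -join ',' } }
}

New-EnrollmentCompliancePolicy -BreakGlassGroupName 'BreakGlass-Accounts'
Get-OverlappingEnrollmentPolicies | Format-Table -AutoSize
```

Review the overlapping list before switching the new policy to 'enabled': a second policy that already requires MFA or a compliant device for the same app is the configuration the troubleshooting table describes as an MFA loop, and the fix is an explicit exclusion for the enrollment app in one of them.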
Verification Checklist
Autopilot Setup:
- Hardware hashes imported for all devices
- Dynamic device group created and populating
- Company branding configured
- Deployment profile created and assigned
- ESP profile configured with blocking apps
Pre-Deployment Testing:
- Test device resets to OOBE
- Autopilot profile applies automatically
- User-driven flow works with MFA
- Required apps install during ESP
- Device compliant in Intune post-enrollment
Production Readiness:
- Conditional Access policies reviewed
- Help desk trained on user experience
- Documentation updated for users
- Rollback plan documented
Next Steps
After implementing Autopilot:
- Configure Windows Update for Business - Manage update rings
- Deploy Microsoft Defender for Endpoint - Onboard devices for EDR
- Implement Compliance Policies - Enforce security baselines
- Set Up App Protection Policies - Protect corporate data
References
- Windows Autopilot Documentation
- Autopilot Networking Requirements
- Enrollment Status Page
- Autopilot Troubleshooting
Last Updated: February 2026