
Windows Autopilot: A Comprehensive Beginner’s Step-by-Step Guide

23 Mar 2025

Deploying new devices at scale can be a challenge, especially if your organization relies on customized images, manual configurations, or time-consuming deployments. Windows Autopilot streamlines this process by automating device provisioning from the moment a device is powered on. Whether you’re dealing with new devices, bring-your-own-device (BYOD) scenarios, or re-provisioning existing machines, this guide will help you set up and maintain Windows Autopilot effectively.

In this article, we’ll cover:

This guide references official Microsoft documentation extensively. For more in-depth details, always refer to the Microsoft Learn portal:


1. Introduction to Windows Autopilot

Windows Autopilot is Microsoft’s cloud-based solution to simplify and automate the setup and configuration of Windows 10 and Windows 11 devices. Once a device is enrolled in Autopilot, the Out-of-Box Experience (OOBE) prompts the user to sign in with organisational credentials, at which point the device is automatically:

1.1 Key Benefits

  1. Hands-Off Deployment
    IT administrators do not need to touch individual devices; they can be shipped directly from the manufacturer to the end user.

  2. Consistent Configuration
    Every device receives the same policies, security settings, and applications, ensuring organisational compliance and standardisation.

  3. Reduced Imaging Efforts
    No more creating and maintaining multiple custom Windows images. Windows Autopilot leverages factory-shipped Windows operating systems directly.

  4. Seamless Integration
    Works with Microsoft Intune, Azure AD, and other Microsoft 365 services. This simplifies the entire life cycle of device management.

  5. Security and Compliance
    You can enforce security baselines (e.g., Microsoft Defender, BitLocker) and compliance settings during or immediately after enrolment.

  6. User-Driven Experience
    End users can perform the initial setup themselves by simply turning on the device and signing in. This eliminates on-site IT overhead.

Note: Windows Autopilot supports both Windows 10 and Windows 11. For the most current details, consult the official Microsoft documentation:
Microsoft Docs: Windows Autopilot Overview


2. Prerequisites

Before configuring Windows Autopilot, ensure you meet the following requirements in terms of licensing, operating system, network connectivity, and MDM enrolment.

2.1 Licensing Requirements

You must have at least one of the following licenses for each device or user:

For a detailed list of licensing and subscription requirements, see:
Microsoft Docs: Autopilot Requirements

2.2 Operating System Requirements

If your devices are running Windows Home, you must upgrade them to Pro, Enterprise, or Education before using Windows Autopilot. This is commonly handled by requesting that your OEM ships devices with Windows Pro or higher.

2.3 Network Requirements

Windows Autopilot relies heavily on internet connectivity to reach Microsoft cloud services. Make sure the following ports are open:

Additionally, you need access to these endpoints:

Tip: If you have a firewall or proxy, ensure it does not block these URLs or perform SSL interception that might break secure communication.

2.4 MDM Enrollment Configuration

You need to configure Automatic Enrolment in Intune:

  1. In the Microsoft Intune admin centre, navigate to:

    • Tenant administration > Enrolment > Automatic Enrolment.

  2. Set MDM user scope to All.
    This ensures that any device registered through Windows Autopilot will automatically be enrolled into Intune.

Reference: Configure automatic enrollment for Intune


3. Step 1 – Register Devices with Autopilot

To deploy a device using Windows Autopilot, it must first be registered with your Azure AD tenant. Registration can be done automatically by an OEM or manually by exporting device hardware information.

3.1 Option 1: Automatic Registration (Recommended)

If you purchase devices from major OEMs such as Dell, HP, or Lenovo, they can handle Autopilot registration for you:

  1. Obtain your Azure AD Tenant ID from the Azure portal or Microsoft 365 Admin Centre.

  2. Contact the OEM and provide this Tenant ID. Request that they register your devices for Windows Autopilot before shipping.

  3. Authorise the vendor in Intune:

    • In Microsoft Intune: go to Devices > Windows > Windows Enrolment > Windows Autopilot.

    • Look for an OEM registration or Partner registration option.

    • Approve the vendor, granting them permission to upload device IDs on your behalf.

After approval, newly purchased devices from that OEM will appear in your Autopilot device list automatically. This approach is the least time-consuming and reduces manual tasks for your IT team.

Reference: Register devices for Autopilot from OEMs

3.2 Option 2: Manual Registration (Backup Option)

If your devices are not automatically registered or you have existing inventory, you can manually capture and upload the hardware hash:

  1. On the device, open PowerShell as Administrator.

  2. Run these commands:

     
    Set-ExecutionPolicy RemoteSigned -Force
    Install-Script -Name Get-WindowsAutopilotInfo -Force
    Get-WindowsAutopilotInfo.ps1 -OutputFile C:\AutopilotHWID.csv

    This script creates a CSV file (C:\AutopilotHWID.csv) containing the device’s hardware ID or hardware hash.

  3. Upload the file to Intune:

    • In Microsoft Intune: go to Devices > Windows > Windows Enrolment > Windows Autopilot.

    • Select Import and upload the CSV file.

    • Once imported, the device will appear under the Windows Autopilot Devices list.

Note: The manual process is also useful if you’re re-provisioning older devices that were not purchased under an Autopilot agreement.
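Import errors in the manual process usually trace back to the CSV itself, so it is worth checking the file before uploading it. The following pre-import check is an added example, not part of the original guide or of Microsoft's script; the function name Test-AutopilotCsv is hypothetical, the column names are assumed to be those written by Get-WindowsAutopilotInfo, and the sample rows are constructed.

```powershell
# Added example: sanity-check an Autopilot hardware-hash CSV before importing it into Intune.
# Assumption: these are the column names written by Get-WindowsAutopilotInfo and accepted on import.
$RequiredColumns = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$OptionalColumns = 'Group Tag', 'Assigned User'

function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string[]]$Lines)

    $problems = [System.Collections.Generic.List[string]]::new()
    $rows = @($Lines | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { return @('No device rows found') }

    # Header check: every required column present, nothing outside the known set.
    $columns = $rows[0].PSObject.Properties.Name
    foreach ($c in $RequiredColumns) {
        if ($c -notin $columns) { $problems.Add("Missing column: $c") }
    }
    foreach ($c in $columns) {
        if ($c -notin ($RequiredColumns + $OptionalColumns)) { $problems.Add("Unexpected column: $c") }
    }
    if ($problems.Count -gt 0) { return $problems.ToArray() }

    $seen = @{}
    $n = 1
    foreach ($row in $rows) {
        $n++   # line number in the file, counting the header as line 1
        $serial = $row.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) { $problems.Add("Line ${n}: empty serial number") }
        elseif ($seen.ContainsKey($serial)) { $problems.Add("Line ${n}: duplicate serial $serial") }
        else { $seen[$serial] = $true }

        # The hardware hash is Base64 text; a truncated or hand-edited value fails to decode.
        try { $bytes = [Convert]::FromBase64String($row.'Hardware Hash') }
        catch { $bytes = @() }
        if ($bytes.Count -eq 0) { $problems.Add("Line ${n}: hardware hash is empty or not valid Base64") }
    }
    return $problems.ToArray()
}

# Constructed sample input (not real device data): line 3 repeats a serial, line 4 has a corrupt hash.
$sample = @(
    'Device Serial Number,Windows Product ID,Hardware Hash'
    'SN-0001,,Q09OU1RSVUNURUQtSEFTSC0x'
    'SN-0001,,Q09OU1RSVUNURUQtSEFTSC0y'
    'SN-0002,,not*base64!'
)
Test-AutopilotCsv -Lines $sample
```

To check a real export, pass the file contents instead: Test-AutopilotCsv -Lines (Get-Content C:\AutopilotHWID.csv). An empty result means no problems were found.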


4. Step 2 – Create an Autopilot Deployment Profile

A Deployment Profile defines how the device behaves during the Out-of-Box Experience (OOBE). It includes options like whether the device is joined to Azure AD or a local domain (Hybrid AD join), whether privacy settings are skipped, and whether the user has local administrator rights.

  1. In Intune, navigate to:
    Devices > Windows > Windows Enrolment > Deployment Profiles.

  2. Select + Create Profile > Windows PC.

  3. Configure the profile:

    • Deployment Mode: Choose User-Driven for standard scenarios where a user logs in during OOBE. (Self-Deploying and Pre-Provisioning modes exist for more advanced workflows.)

    • Join Azure AD as: Select Azure AD Joined for a pure cloud environment. If you still need on-premises domain join, consider Hybrid Azure AD Join (requires additional setup).

    • Skip Privacy Settings, Skip License Terms, Skip Cortana: Set to Yes to streamline the OOBE.

    • User Account Type: Choose Standard if you want to limit local administrative rights, or Administrator if end users require administrative privileges.

    • Device Name Template: For example, COMP-%SERIAL% or PC-%RAND:6% to auto-generate names.
      (You can also rename devices post-deployment in Intune.)

  4. Assign and Save the profile. You can assign it to specific groups, such as a “Windows Autopilot Devices” group.

Reference: Create and manage Autopilot profiles


5. Step 3 – Assign the Deployment Profile to Devices

Once your profile is created, you need to ensure each device is associated with the correct deployment profile. In many organizations, you might have different profiles for different departments or roles (e.g., Sales, Finance, or IT).

  1. In the Intune console, go to Devices > Windows > Windows Enrollment > Windows Autopilot.

  2. Find the imported devices you registered in Step 1.

  3. Assign each device to the desired profile:

    • Select the device(s).

    • Click Assign Profile.

    • Choose the Deployment Profile you created.

The status should change to Assigned, indicating the device has been linked to the designated Autopilot profile.

Note: If devices were automatically registered by an OEM, you can set a default profile to automatically assign. Alternatively, you can manually assign profiles to newly registered devices.


6. Step 4 – Deploy the Device (Out-of-Box Experience)

Now that your devices are registered and assigned a profile, you’re ready for actual deployment. In a user-driven scenario:

  1. Provide the device to the user (or start it yourself if you’re doing an IT-led installation).

  2. Upon first power-on, the device goes through OOBE:

    • The user is prompted to select a language, locale, and keyboard layout (unless you’ve configured these to be skipped).

    • The user connects to Wi-Fi or a wired network.

    • The user is then asked to sign in with Azure AD credentials (e.g., user@company.com).

  3. Windows Autopilot does the following automatically:

    • Verifies the device’s registration with your tenant.

    • Joins the device to Azure AD (or Hybrid AD, depending on your deployment profile).

    • Enrolls the device in Intune.

    • Downloads and applies apps, policies, and security configurations specified in Intune.

  4. The Enrollment Status Page (ESP) appears to show progress. This ensures the device is fully configured before the user reaches the desktop.

Tip: You can customize the ESP to display corporate branding or control whether the user can access the desktop before all apps/policies are installed.


7. Step 5 – Monitor and Complete Deployment

As soon as a device is deployed via Autopilot, you can track its status in Microsoft Intune:

  1. In Intune, go to Devices > Windows > Windows Enrollment > Windows Autopilot.

  2. Verify the device’s:

    • Profile Status: Should say Assigned or Succeeded.

    • Join Status: Should say Azure AD Joined (or Hybrid if that’s the chosen method).

    • Management Status: “Managed by Intune” confirms the device is properly enrolled.

Once complete, the user is ready to use the device with all corporate configurations, policies, and applications in place. If you have additional post-deployment checks or tasks (e.g., assigning a Microsoft Defender for Endpoint security baseline), those can be done within Intune using the standard device management workflows.


8. Additional Scenarios

8.1 BYOD – Personal Devices

Windows Autopilot is primarily designed for corporate-owned hardware. However, if you have a Bring Your Own Device (BYOD) policy, users can enroll their personal devices into Intune (though this process is not technically Autopilot). Here’s how:

  1. User’s personal device:

    • Go to Settings > Accounts > Access work or school.

    • Click Connect and sign in using Azure AD credentials.

  2. The device will be registered in Azure AD as personal.

    • Intune policies for personally owned devices can be assigned (e.g., enforcing password complexity, conditional access).

    • Corporate applications can be delivered from Intune Company Portal.

While this is not a typical Autopilot scenario (as the device isn’t part of the corporate device inventory), it’s important to mention how personal devices differ in management scope.

8.2 Re-Provisioning Existing Devices

If you have an existing fleet of devices that need to be re-purposed or handed to new employees, Windows Autopilot can handle that too. There are two common methods:

  1. Windows Reset

    • Open Settings > System > Recovery > Reset this PC.

    • Choose Remove everything and fully reset.

    • After the reset, the device will re-run OOBE and go through Autopilot again.

  2. Autopilot Reset (via Intune)

    • In Intune, select the device and choose Autopilot Reset.

    • The device is wiped remotely and re-provisioned.

    • This is convenient for remote employees or large-scale re-provisioning.

Reference: Autopilot Reset feature


9. FAQs

Q1. What if I assign the wrong profile to a device?
Ans1: You can reassign the profile in Intune. Simply unassign the wrong profile and select the correct one, then reboot or reset the device to trigger the new profile.

Q2. How do I confirm a device is registered for Autopilot?
Ans2: In Intune, go to Devices → Windows → Windows Enrollment → Windows Autopilot and check if the device appears in the list.

Q3. Why might a device be stuck on the Enrollment Status Page (ESP)?
Ans3: Possible reasons include missing or unreachable apps, poor network connectivity, or large application packages. Ensure the device has a stable internet connection and verify that required apps are properly assigned.

Q4. Do I need to reinstall Windows after a failed Autopilot deployment?
Ans4: Generally, no. You can use Autopilot Reset or Windows Reset to initiate a fresh start without the need to re-image the device.

Q5. Can I use Autopilot for personal devices?
Ans5: Windows Autopilot is intended for corporate-owned devices. For personal devices (BYOD), register via MDM enrolment in Settings.

Q6. How long does an Autopilot setup take?
Ans6: Times vary based on network speed, number of assigned apps/policies, and device performance. Expect 20–30 minutes on average.

Q7. Can I cancel Autopilot setup once it starts?
Ans7: Yes. Press Shift + F10 to open a command prompt during OOBE, then initiate a reset or close the process.

Q8. How do I check device compliance post-deployment?
Ans8: In Intune, go to Devices → Monitor → Device Compliance. You can see whether the device is compliant with assigned policies.

Q9. What’s the difference between Hybrid Join and Azure AD Join?
Ans9:

Q10. How do I reset an Autopilot-registered device?
Ans10: Use Autopilot Reset from Intune if you need a clean start without manually reimaging the machine.

10. Troubleshooting

Below is a quick reference to common issues and their resolutions:

Problem | Possible Cause | Solution
Device not showing in Intune | Incorrect CSV file or import error | Re-check your hardware ID CSV and re-import
Profile not applied | Profile not assigned | Verify profile assignment in Intune and re-assign
Device stuck on ESP | Network issue or large app installs | Check internet access, reduce or delay large app packages
Failed MDM enrollment | Enrollment scope not set | Confirm MDM user scope is set to All in Intune
Device not joining Azure AD | Credentials or connectivity issue | Ensure user has the correct credentials and stable network

Best Practice: Establish a test lab with a few devices to pilot Autopilot changes or new configurations. This way, you can identify issues before mass deployment.


11. Summary

Windows Autopilot delivers a streamlined, scalable, and user-friendly approach to device deployment. By integrating with Microsoft Intune and Azure AD, it covers every aspect of the device life cycle, from procurement and OOBE to eventual re-provisioning or decommissioning.

Quick Recap

If you follow the steps above, you’ll drastically reduce the time, complexity, and variability in deploying Windows devices. Administrators can focus on higher-level tasks, while end users receive a fast, consistent, and secure experience.


Official Microsoft Documentation & Next Steps

To delve even deeper, consult these links:


Final Thoughts

Migrating to a modern, cloud-based device management model using Windows Autopilot can significantly optimize your IT operations. The reduction in manual labor, paired with consistent and secure device configurations, makes it a powerful solution for organizations of all sizes. By aligning your process with the official Microsoft documentation and testing thoroughly, you can ensure smooth rollouts, happier end users, and a more efficient use of your IT resources.

Pro Tip: Keep an eye on feature updates and enhancements. Windows Autopilot evolves continually, with Microsoft often adding new deployment scenarios, improved diagnostics, and refined user experiences.