In this blog post, you will learn about the Windows Autopilot Device Provisioning process. Utilizing Windows Autopilot enables IT administrators to automate the necessary steps to prepare your Windows 10 and Windows 11 devices for business use.
Windows Autopilot offers a modern device lifecycle management service powered by the cloud, providing a seamless, zero-touch experience for deploying both Windows 10 and Windows 11.
The following sections cover Autopilot in detail and walk through the deployment process step by step.
What is Windows Autopilot?
Windows Autopilot comprises technologies designed to set up and pre-configure new devices, preparing them for productive use. It can be used for deploying Windows PCs or HoloLens 2 devices.
There are no infrastructure requirements for using Autopilot, as it is a cloud-based service that is part of Microsoft Intune.
Windows Autopilot Setup Process Overview
In the days before Autopilot, IT admins had to maintain various versions of custom Windows Gold images for deploying on organization workstations. However, with Windows Autopilot, there’s no need to create custom Windows images and maintain drivers for every device model.
Windows Autopilot utilizes an OEM-optimized version of Windows 10/11, usually pre-installed. Instead of reimaging the device, you can leverage the existing Windows installation to bring it into a ‘business-ready’ state.
The high-level Autopilot process diagram illustrates the Windows deployment lifecycle using Autopilot. Its stages are:
- Purchase: The customer or organization purchases the laptop.
- Ship: The device vendor, OEM, or reseller ships the laptop.
- Fulfill and Deliver: The laptop is shipped to the end user.
- Deploy: The end user turns on the laptop and signs in using organization credentials.
- Ready for Business: Through the self-service Out-of-Box Experience (OOBE), the laptop joins Entra ID and enrolls in Intune. Intune then installs the targeted applications and applies the device configuration policies.
- Steady State Usage: The laptop is now operational and receives updates from Intune.
- End of Life: The laptop is retired.
You can reset the laptop at any time from the business-ready state, which is similar to restoring the laptop to its factory default settings (the break/fix scenario).
Benefits of Using Windows Autopilot
There are many benefits of using Windows Autopilot to provision Windows devices. Some of them are listed below:
- Automatically join devices to Entra ID or Active Directory (Entra Hybrid join).
- Automatic enrollment of devices in Intune (Requires Microsoft Entra ID P1 or Entra ID P2 Subscription License).
- Create and auto-assign devices to configuration groups based on a device’s profile.
- Make the Primary User a Standard User or Administrator User on their device using the Autopilot deployment profile.
- Customize Out-of-Box Experience (OOBE) content specific to the organization.
- Utilize the Windows Autopilot Reset feature to quickly reset the laptop to a factory-default, business-ready state. Windows Autopilot Reset is commonly used in the following scenarios:
  - Address break/fix scenarios efficiently.
  - Quickly prepare existing devices for new users.
Windows Autopilot Software Requirements
To leverage Windows Autopilot and unlock its features, ensure you are running a supported version of the Windows client. Refer to the list below for the compatible versions:
Windows 11:
- Windows 11 Pro
- Windows 11 Pro Education
- Windows 11 Pro for Workstations
- Windows 11 Enterprise
- Windows 11 Education
Windows 10:
- Windows 10 Pro
- Windows 10 Pro Education
- Windows 10 Pro for Workstations
- Windows 10 Enterprise
- Windows 10 Education
Windows Autopilot Licensing Requirements
In addition to the supported Windows client operating system requirement discussed in the previous section, ensure you meet the licensing requirements for this service. Autopilot also requires an MDM service, such as Microsoft Intune.
Windows Autopilot requires one of the following subscriptions:
- Microsoft 365 Business Premium subscription
- Microsoft 365 F1 or F3 subscription
- Microsoft 365 Academic A1, A3, or A5 subscription
- Microsoft 365 Enterprise E3 or E5 subscription, which includes all Windows clients, Microsoft 365, and EMS features (Microsoft Entra ID and Intune).
- Enterprise Mobility + Security E3 or E5 subscription, which includes all needed Microsoft Entra ID and Intune features.
- Intune for Education subscription, which includes all needed Microsoft Entra ID and Intune features.
- Microsoft Entra ID P1 or P2 and Microsoft Intune subscription (or an alternative MDM service).
Windows Autopilot Networking Requirements
In most cases, no networking-related actions are necessary when using the Autopilot service. Suppose you send a laptop to a user’s home address, and they set up the laptop using their home broadband. In that case, the Autopilot process will typically function without any issues, as most broadband providers do not block connections to Microsoft.
If you are configuring a laptop in the office using Autopilot, and your internet traffic passes through a managed firewall, ensure that your network can communicate with the following Autopilot Deployment service URLs:
For complete details, refer to Microsoft documentation: Autopilot Networking requirements.
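As an added example (not part of the original post), the script below checks from a Windows machine on the managed network whether the Autopilot and Intune endpoints resolve in DNS and accept a TCP connection on port 443. The host list is an illustrative subset of the endpoints in the Microsoft Autopilot networking documentation linked above; the authoritative list belongs in `$Endpoints`. Note that on networks that force traffic through an explicit proxy, a direct TCP test can fail even though the proxy path works, so read a FAIL as "investigate", not as proof that Autopilot is blocked.

```powershell
# Added example (not from the original post): check that a managed network can
# reach the Autopilot/Intune service endpoints over TCP 443 and resolve them in DNS.
# The host list is an illustrative subset of Microsoft's published Autopilot
# networking requirements; take the full list from the linked documentation.
$Endpoints = @(
    'ztd.dds.microsoft.com',          # Autopilot deployment service
    'cs.dds.microsoft.com',           # Autopilot deployment service
    'login.microsoftonline.com',      # Entra ID sign-in
    'login.live.com',                 # Microsoft account / device authentication
    'enrollment.manage.microsoft.com' # Intune MDM enrollment
)

function Test-AutopilotEndpoint {
    param([Parameter(Mandatory)][string]$HostName)

    # 1) Name resolution: a blocked or misconfigured DNS path fails before any TCP attempt.
    $dns = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue
    # 2) TCP reachability on 443: the firewall / proxy allow-list check.
    $tcp = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Endpoint    = $HostName
        DnsResolved = [bool]$dns
        ResolvedTo  = ($dns | Where-Object IPAddress | Select-Object -First 1 -ExpandProperty IPAddress)
        Tcp443Open  = $tcp.TcpTestSucceeded
        Result      = if ($dns -and $tcp.TcpTestSucceeded) { 'PASS' } else { 'FAIL' }
    }
}

$results = $Endpoints | ForEach-Object { Test-AutopilotEndpoint -HostName $_ }
$results | Format-Table -AutoSize

# Exit non-zero so the check can gate a scripted rollout or raise a ticket.
if ($results.Result -contains 'FAIL') {
    Write-Warning 'One or more Autopilot endpoints are unreachable; review firewall/proxy allow-lists.'
    exit 1
}
```

Run it from a device on the same VLAN and with the same proxy settings that the new laptops will use in the office; a test from an admin workstation with different egress rules proves nothing about the OOBE path.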
Steps to Setup Windows Autopilot
I will demonstrate the setup of Autopilot from scratch. If you have already configured any of the settings mentioned in the steps, you can skip them and proceed to the next one. I will use a VMware Workstation Windows 11 virtual machine to showcase the Autopilot process. Let’s check the steps:
Step 1 – Assign License to Users
The first step is to ensure that users have been assigned an Intune license. You can assign any of the licenses given in the previous section, “Windows Autopilot Licensing Requirements”.
Step 2 – Allow Users to Join Devices to Entra ID
If you want the devices to be enrolled in Intune, they need to join Entra ID. Select ‘All’ to ensure that all users are allowed to join devices to Entra ID. Alternatively, you can choose the ‘Selected’ option and use existing Entra security groups containing the users who are allowed to join devices to Entra ID.
- Sign in to the Entra admin center.
- Go to Devices > All devices > Device settings.
- Set “Users may join devices to Microsoft Entra” to All.
Step 3 – Enable Automatic Enrollment
After a device joins Entra ID and has Automatic Enrollment enabled, the device will also enroll in Intune. To configure Automatic Enrollment, set the MDM user scope to All and the Windows Information Protection (WIP) user scope to None. For more information about automatic enrollment, refer to the link: Configure automatic enrollment.
Please note that you can also select MDM user scope as Some and use Entra security groups to target a specific list of users who can join devices to Entra ID and enroll their device in Intune.
Step 4 – Configure Company Branding
Company branding settings enable you to customize the out-of-box experience (OOBE) for users. You can showcase your company logo and adjust colors to match your organization’s theme. This also assures the end user enrolling the device that they are connected to the correct organization.
- Sign in to the Entra admin center.
- Navigate to User experiences > Company branding.
- Edit the Default sign-in configuration and go through all the tabs to configure the user experience as per your requirement.
Step 5 – Setup Enrollment Status Page (ESP) – Optional
The enrollment status page appears during the initial device setup and the first user sign-in. If enabled, users can view the configuration progress of assigned apps and profiles targeted to their devices.
Most of the configuration options are self-explanatory; you can either keep the default options or modify them as per your requirements. Below are the steps to enable and configure the Enrollment Status Page (ESP).
- Sign in to the Intune admin center.
- Go to Devices > Windows > Windows enrollment > Enrollment Status Page.
- Click the “All users and all devices” link and go to Properties.
We will go ahead with the default ESP configuration below:
- Show app and profile configuration progress – Yes
- Show an error when installation takes longer than specified number of minutes – 60
- Show custom message when time limit or error occurs – Yes
- Turn on log collection and diagnostics page for end users – Yes
- Only show page to devices provisioned by out-of-box experience (OOBE) – Yes
- Block device use until all apps and profiles are installed – Yes
- Allow users to reset device if installation error occurs – No
- Allow users to use device if installation error occurs – No
- Block device use until required apps are installed if they are assigned to the user/device – All
Step 6 – Create an Autopilot Devices Group
Create an Entra Dynamic Security group for Autopilot devices. This group is necessary to automatically assign an Autopilot Deployment Profile to devices that have been joined to Entra ID using the Autopilot process.
To create a new Entra Dynamic Security group for Autopilot, follow the steps below. Please note that you can also use the Intune admin center to create an Entra dynamic security group.
- Sign in to Microsoft Entra admin center.
- Click on Groups > All groups > New group.
- Group type: Security
- Group name: Provide a group name, for example, Cloudinfra Autopilot Devices.
- Group Description: Provide a group description.
- Microsoft Entra roles can be assigned to the group: No
- Membership type: Dynamic Device
- Under Dynamic device members, click on Add dynamic query. Under the Configure Rules tab you will find a Rule syntax box. Click the Edit button on the right-hand side and add the query below:
(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))
The devicePhysicalIds attribute of a device registered with Autopilot contains an entry that starts with [ZTDid], so Autopilot devices that match this rule are added to the group automatically. This group will be used when we create the Autopilot deployment profile.
- Add the Rule and click on OK button.
- Click on Save to save the rule.
- Finally, click on Create to create this Entra dynamic security group for devices.
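The same dynamic group can be created from the Microsoft Graph PowerShell SDK, which is handy when the tenant is built by script or when you want the membership rule under version control. The block below is an added example, not code from the original post; it assumes the Microsoft.Graph.Groups module is installed and that the signed-in account is allowed to create groups. The group name and membership rule are the ones used in the portal steps above.

```powershell
# Added example (not from the original post): create the Autopilot dynamic device
# group from Step 6 with the Microsoft Graph PowerShell SDK instead of the portal.
# Assumes the Microsoft.Graph.Groups module is installed and the signed-in account
# may create groups. The group name is the post's example; change it to suit.
Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome

$GroupName = 'Cloudinfra Autopilot Devices'
# Same rule as in the portal steps: devicePhysicalIds of an Autopilot-registered
# device contains an entry that starts with [ZTDid], so only those devices match.
$Rule = '(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))'

# Idempotent: reuse an existing group with this name instead of creating a duplicate,
# which would leave two groups (and two profile assignments) to maintain.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName `
        -Description 'All Windows Autopilot-registered devices (dynamic membership)' `
        -MailEnabled:$false -MailNickname 'autopilotdevices' -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $Rule -MembershipRuleProcessingState 'On'
    Write-Host "Created group $($group.DisplayName) ($($group.Id))"
}

# Verify the rule is stored and that dynamic processing is switched on. A group whose
# processing state is 'Paused' never gains members, so the deployment profile is never
# assigned and devices fall through to a plain OOBE.
$check = Get-MgGroup -GroupId $group.Id -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState
if ($check.MembershipRuleProcessingState -ne 'On' -or $check.MembershipRule -ne $Rule) {
    Write-Warning "Group $($check.DisplayName) is not configured as expected:"
    $check | Format-List DisplayName,MembershipRule,MembershipRuleProcessingState
}

# Membership is evaluated asynchronously by Entra ID; list whatever has matched so far.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] } |
    Sort-Object
```

Because the rule keys on the [ZTDid] entry, only devices that have actually been registered with the Autopilot service can ever land in this group, which keeps the deployment profile from being assigned to ordinary Entra-joined devices by accident.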
Step 7 – Create an Autopilot Deployment Profile
The next step is to create an Autopilot deployment profile, which will be used to customize the Out-of-Box Experience (OOBE) and deployment mode for end users. You can create up to 350 deployment profiles in a single Intune tenant.
To create an Autopilot deployment profile, follow the below steps:
- Sign in to the Intune admin center.
- Navigate to Devices > Windows > Windows enrollment > Deployment Profiles > Create Profile > Windows PC.
Provide a name and description for the Autopilot deployment profile, for example:
- Name: CloudInfra Autopilot deployment profile
- Description: Provide a useful description of this profile.
- Convert all targeted devices to Autopilot: No
If you want to convert all corporate-owned, Entra-registered devices to Autopilot, select Convert all targeted devices to Autopilot: Yes. All corporate-owned, non-Autopilot devices in the assigned groups then register with the Autopilot deployment service within 48 hours.
Out-of-box experience (OOBE) Tab
Configure Out-of-box Experience (OOBE) for Autopilot devices.
- Deployment Mode: User-Driven
  - Devices configured with this mode are associated with the user enrolling the device. User credentials are required to enroll the device.
  - Alternatively, there is the self-deploying mode, where user credentials are not required to enroll the device. However, User-Driven mode is the more commonly used deployment method in most organizations.
- Join to Microsoft Entra ID as: Microsoft Entra joined
  - You also have the option Microsoft Entra hybrid joined; select it if you have on-premises Active Directory-joined Windows devices.
- Microsoft Software License Terms: Hide
- Privacy settings: Hide
- Hide change account options: Hide
  - This prevents users from switching the account used for setup from a corporate account to a personal account (e.g. a Microsoft account). To hide these options, you must configure company branding in Microsoft Entra ID.
- User account type: Standard
  - Choose whether the user becomes an Administrator or a Standard user after the Autopilot process completes. I will go with a Standard user account.
- Allow pre-provisioned deployment: No
- Language (Region): Operating System Default
  - You can configure specific language settings here or leave them as the operating system default.
- Automatically configure keyboard: If you have configured the Language (Region) setting, select Yes to skip the keyboard selection page during OOBE.
- Apply device name template: This setting is available only when the join type is Microsoft Entra joined. The device is renamed during Autopilot based on the template you provide. The device name must be 15 characters or less. For example, Cloudinfra-W-%RAND:2% creates devices with names like Cloudinfra-W-01, Cloudinfra-W-02, and so on.
On the Assignments tab, assign this Autopilot deployment profile to the Entra dynamic security group we created in Step 6. Click on Add groups and select the group to add.
Review + create
Review the Autopilot deployment profile summary and click on Create to create the profile.
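A template that looks fine in the portal can still expand to a name that breaks the 15-character limit once the random digits or a serial number are substituted, and a device whose rename fails is a support ticket on day one. The function below is an added example, not part of the original post: it expands a template to a worst-case concrete name and checks it against the limit stated above and the standard Windows computer-name rules (letters, digits and hyphens only, not all digits). `%RAND:n%` is the macro from the post; `%SERIAL%` is the other documented Autopilot naming macro and is included for completeness. The sample serial number is a constructed value.

```powershell
# Added example (not from the original post): validate an Autopilot device name
# template before saving the deployment profile. The 15-character limit is from
# the post; the other checks are standard Windows computer-name rules. %RAND:n%
# expands to n random digits as described in the post; %SERIAL% is the other
# documented macro. $SampleSerial is a constructed value used for a worst-case check.
function Test-AutopilotNameTemplate {
    param(
        [Parameter(Mandatory)][string]$Template,
        [string]$SampleSerial = 'SAMPLE1234567'
    )
    $issues = @()

    # Expand the macros to a worst-case concrete name so the length check is realistic.
    $expanded = [regex]::Replace($Template, '%RAND:(\d+)%', { param($m) '9' * [int]$m.Groups[1].Value })
    $expanded = $expanded -replace '%SERIAL%', $SampleSerial

    if ($expanded -match '%')               { $issues += "unrecognised macro left in template: $expanded" }
    if ($expanded.Length -gt 15)            { $issues += "expands to $($expanded.Length) characters (max 15): $expanded" }
    if ($expanded -notmatch '^[A-Za-z0-9-]+$') { $issues += 'only letters, digits and hyphens are allowed' }
    if ($expanded -match '^\d+$')           { $issues += 'name cannot consist of digits only' }
    if ($expanded -match '^-|-$')           { $issues += 'name cannot start or end with a hyphen' }

    [pscustomobject]@{
        Template = $Template
        Sample   = $expanded
        Valid    = ($issues.Count -eq 0)
        Issues   = ($issues -join '; ')
    }
}

# The post's template fits exactly: 13 fixed characters plus 2 random digits.
# The other three are constructed counter-examples (too long, too long with a serial, a space).
@('Cloudinfra-W-%RAND:2%', 'Cloudinfra-W-%RAND:4%', 'CI-%SERIAL%', 'Sales Laptop-%RAND:2%') |
    ForEach-Object { Test-AutopilotNameTemplate -Template $_ } | Format-Table -AutoSize
```

Serial-number-based templates are the ones that most often fail this check, because OEM serial numbers vary in length across models; if you use `%SERIAL%`, test it with the longest serial number you expect in the fleet.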
Step 8 – Capture Hardware Hash of the Device
The hardware identity of the device also referred to as the hardware hash, is required for registering the device in Windows Autopilot. We will collect this information from the device and upload it to the Intune admin center to complete the registration process.
Normally, this process is handled by your original equipment manufacturer (OEM) reseller, from whom you purchased the device. However, you can also perform the Autopilot registration yourself. Let’s review the steps:
- Log in to the Windows 10 or Windows 11 device that you want to register with Autopilot.
- Open the PowerShell console as an administrator and execute the commands below to collect the device hardware hash into the AutopilotHWID.csv file:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory -Path "C:\HWID"
Set-Location -Path "C:\HWID"
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv
You can upload the AutopilotHWID.csv file directly to Intune. This file contains the following information about the device:
- Device Serial Number
- Windows Product ID
- Hardware Hash
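Machines that cannot reach the PowerShell Gallery (a common situation on a locked-down build bench) cannot run `Install-Script`. The block below is an added example, not code from the original post or from the Get-WindowsAutopilotInfo script: it reads the same three fields from the local MDM bridge WMI provider that the gallery script uses, writes them in the same unquoted CSV layout, and then validates the file before you upload it, catching the usual import failures (missing columns, truncated or non-base64 hashes, duplicate serial numbers). The CIM class and property names are Microsoft's; the minimum hash size is an assumption.

```powershell
# Added example (not from the original post): collect the same three fields that
# Get-WindowsAutopilotInfo writes (Device Serial Number, Windows Product ID,
# Hardware Hash) directly from the local MDM bridge, and sanity-check the CSV
# before it is uploaded to Intune. Run from an elevated PowerShell console.
# CIM class/property names are Microsoft's; the 1000-byte threshold is an assumption.

function Get-LocalAutopilotIdentity {
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
    # The OA3 product key is often empty (volume licensing, virtual machines); that is fine.
    $product = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey
    # The hardware hash is exposed by the MDM bridge WMI provider (requires elevation).
    $detail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if ([string]::IsNullOrEmpty($detail.DeviceHardwareData)) {
        throw 'Hardware hash not returned; make sure the console is running as administrator.'
    }
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = $product
        'Hardware Hash'        = $detail.DeviceHardwareData
    }
}

function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -Path $Path)
    $problems = [System.Collections.Generic.List[string]]::new()

    if ($rows.Count -eq 0) { $problems.Add('file contains no data rows'); return $problems }
    $headers = $rows[0].PSObject.Properties.Name
    foreach ($col in $required) {
        if ($col -notin $headers) { $problems.Add("missing required column '$col'") }
    }
    if ($problems.Count) { return $problems }   # row checks are meaningless without the columns

    foreach ($r in $rows) {
        $serial = $r.'Device Serial Number'
        if ([string]::IsNullOrWhiteSpace($serial)) { $problems.Add('row with empty serial number') }
        $hash = $r.'Hardware Hash'
        if ([string]::IsNullOrWhiteSpace($hash)) { $problems.Add("empty hardware hash for '$serial'"); continue }
        try { $bytes = [Convert]::FromBase64String($hash) }
        catch { $problems.Add("hardware hash for '$serial' is not valid base64"); continue }
        # A real hash blob is several kilobytes; a tiny one usually means a truncated copy/paste.
        if ($bytes.Length -lt 1000) { $problems.Add("hardware hash for '$serial' is only $($bytes.Length) bytes") }
    }
    # Duplicate serial numbers indicate a merge mistake; flag them before the import does.
    $rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1 |
        ForEach-Object { $problems.Add("duplicate serial number '$($_.Name)'") }
    return $problems
}

# Write the CSV in the same unquoted layout the gallery script produces, then validate it.
$csvPath = Join-Path $env:TEMP 'AutopilotHWID.csv'
Get-LocalAutopilotIdentity | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } | Set-Content -Path $csvPath -Encoding ASCII

$issues = @(Test-AutopilotCsv -Path $csvPath)
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } }
else { "$csvPath is ready to import into Intune" }
```

`Test-AutopilotCsv` is also worth running over a CSV that a vendor or a colleague has merged from several machines, since that is where missing columns and duplicated rows usually creep in.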
Step 9 – Import Device Hardware Hash CSV in Intune
We will now Import the AutopilotHWID.csv file in Intune to complete the Windows Autopilot device registration. Let’s review the steps:
- Sign in to the Intune admin center.
- Navigate to Devices > Windows > Windows enrollment > Devices.
- Click on “Import” and then browse to the AutopilotHWID.csv file, which contains the device hardware hash. Click on “Import” to initiate the import process.
- After the import completes, the device appears in Intune and its Profile status shows as Assigned. This is because we created an Autopilot Entra dynamic security group based on the Autopilot device attribute, so every Autopilot device gets the Autopilot deployment profile assigned automatically.
Reset Windows Device
As the Autopilot setup and configuration have been completed, and the device hardware hash is uploaded in Intune, I will now proceed to reset this device and demonstrate the Autopilot process in action.
- Log in to the Windows device for which we uploaded the hardware hash in Intune.
- Press Windows + I to open the Settings App.
- Navigate to System > Recovery.
- Click on the Reset PC button.
- Select the option Remove everything.
- Select the Local reinstall option which is faster than the Cloud download option.
- Click on Next.
- Click on the “Reset” button to initiate the reset process for this device. Please note that this process will remove all applications and is equivalent to factory resetting the device to a clean state.
Autopilot in Action after Device Reset
As you initiate a Windows Device Reset, the system will restart and present you with the Out-of-box experience (OOBE) screens. Depending on the Autopilot deployment profile, you will encounter certain screens, and some may be hidden during the process.
For example, in our Autopilot Deployment profile, we configured it not to show the Privacy terms and Microsoft Software License agreement; therefore, those screens will be hidden. During the setup process, you may notice the company branding, such as the logo and color theme, if you have configured it from the Entra admin center.
- Enter the organization’s email address and password, then click on the ‘Sign In’ button.
- The Enrollment Status Page (ESP) will be displayed during the Autopilot setup process, showing the device configuration progress. Users won’t be able to access the desktop until all configurations and application deployments are completed. This ensures that the device is business-ready before first use.
- If you don’t configure or enable the Enrollment Status Page (ESP), this screen won’t appear, and all the configurations and app deployments will occur after users sign in. This means that users will gain access to the desktop quickly, before these processes have completed.
- If you have configured Windows Hello for Business, you may be prompted to set it up at this point. Upon receiving the screen confirming that Windows is set up successfully, the next step is to log in to the device using the organization-provided credentials.
- Provide the organization-provided user credentials to log in to the device.
- It may take a few minutes before you can access the desktop. During this time, the system is finalizing configurations and applying settings to ensure a seamless and secure setup.
- Open the command prompt and type the command hostname. This will display the system name set by the device name template, if one was specified in the Autopilot deployment profile. In this case, the system name is “Cloudinfra-W-28”, which adheres to the device naming template “Cloudinfra-W-%RAND:2%”.
- Sign in to the Intune admin center and navigate to Devices > Windows. You can search for your device in the list. Take note of the compliance status and ownership details of the device. The Primary User UPN will be displayed for the user account used to enroll the device during the Autopilot process.
To read more about Windows Autopilot, you can refer to Autopilot Microsoft documentation available at the link: https://learn.microsoft.com/en-us/autopilot/windows-autopilot.