The Ultimate Guide to Windows Autopilot
A comprehensive guide to Windows Autopilot deployment modes, prerequisites, and best practices for modern Windows deployment.
Windows Autopilot has revolutionized how organizations deploy new Windows devices. Gone are the days of building custom images, maintaining driver libraries, and manually imaging machines. Autopilot allows you to ship a device directly from the manufacturer to the user, and have it configure itself automatically.
What is Windows Autopilot?
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. It leverages the cloud (Entra ID and Intune) to transform a generic Windows installation into a corporate-ready device.
Prerequisites
Before you start, ensure you have:
- Licensing: Intune subscription and Entra ID P1/P2.
- Network: Internet access for the devices (and access to Microsoft endpoints).
- Configuration: Automatic MDM enrollment enabled in Entra ID.
Deployment Modes
Autopilot offers several modes to fit different scenarios:
1. User-Driven Mode
The most common scenario. The user unboxes the device, connects to Wi-Fi, and signs in with their corporate credentials. Autopilot takes over, joins the device to Entra ID (or Hybrid Join), enrolls in Intune, and installs apps and policies.
2. Self-Deploying Mode
Used for kiosks, digital signage, or shared devices. No user authentication is required. The device connects to the network and automatically provisions itself. Requires TPM 2.0.
3. Pre-Provisioning (formerly White Glove)
Allows IT or partners to pre-load apps and policies before shipping to the user. Technicians boot the device, press the Windows key 5 times, and the device provisions. When the user receives it, they only go through a quick final setup.
Setting Up Autopilot
Step 1: Register Devices
You need the Hardware Hash of the devices.
- New Devices: Ask your OEM/Reseller to register them for you.
- Existing Devices: Use a PowerShell script to harvest the hash:
Install-Script -Name Get-WindowsAutopilotInfo   # install the script from the PowerShell Gallery (run from an elevated prompt)
Get-WindowsAutopilotInfo -Online                # read the hash and upload it to your tenant (prompts for an Entra ID sign-in)
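The -Online switch needs an account with Intune permissions on the device being harvested. As an added example (not part of the original guide or of the Get-WindowsAutopilotInfo script), the following script collects the same hardware hash offline and appends it to a CSV in the column layout the Intune import wizard expects, so a technician can harvest a batch of machines without any tenant credentials; it also records whether the device reports a TPM 2.0, which Self-Deploying mode requires. The output path is an assumption.

```powershell
# Added example: offline Autopilot hardware-hash harvest (not the official script).
# Run from an elevated PowerShell on each device; no Intune/Graph sign-in is needed.
#Requires -RunAsAdministrator
param(
    # Assumed default location; pass -OutputFile to change it.
    [string]$OutputFile = "$env:USERPROFILE\Desktop\AutopilotHWID.csv"
)

# DeviceHardwareData from the MDM bridge WMI provider is the Autopilot hardware hash.
$devDetail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
    throw "Unable to read the hardware hash; run this elevated on a physical Windows device."
}
$hash   = $devDetail.DeviceHardwareData
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# TPM spec version string looks like "2.0, 0, 1.38"; Self-Deploying mode needs 2.0.
$tpm  = Get-CimInstance -Namespace root/cimv2/security/microsofttpm -ClassName Win32_Tpm
$tpm2 = ($null -ne $tpm) -and ($tpm.SpecVersion -like "2.0*")

# Column names and order must match the Intune import format exactly.
# "Windows Product ID" is left empty, as the published Get-WindowsAutopilotInfo script also does.
$row = [PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
}
# The import wizard expects unquoted values, so strip the quotes ConvertTo-Csv adds.
$lines = $row | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' }

# Write the header only once so one CSV can hold a whole batch of devices.
if (Test-Path $OutputFile) {
    $lines | Select-Object -Skip 1 | Add-Content -Path $OutputFile -Encoding ASCII
} else {
    $lines | Set-Content -Path $OutputFile -Encoding ASCII
}

Write-Host "Serial: $serial  TPM 2.0 present: $tpm2  -> appended to $OutputFile"
```

Import the resulting CSV under Devices > Windows > Windows enrollment > Devices > Import; treat the file as sensitive, since the hash uniquely identifies the device and lets anyone who imports it claim the machine for their tenant.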
Step 2: Create Deployment Profile
- Go to Intune Admin Center > Devices > Windows > Windows enrollment > Deployment Profiles.
- Create Profile > Windows PC.
- OOBE Settings:
- Deployment mode: User-Driven.
- Join to Entra ID as: Entra ID joined.
- Microsoft Software License Terms: Hide.
- Privacy settings: Hide.
- User account type: Standard (Best practice for security).
Step 3: Configure ESP (Enrollment Status Page)
The ESP blocks device use until critical apps and policies are installed.
- Block device use until all apps and profiles are installed: Yes.
- Time limit: 60 minutes.
- Blocking apps: Select specific critical apps (e.g., Office 365, VPN, Security Agent) to prevent long wait times.
Best Practices
- Avoid Hybrid Join: If possible, go full Entra ID Join. It's more reliable and simpler to manage.
- Targeting: Assign Autopilot profiles to a dynamic group containing all Autopilot devices (using the ZTDId property).
- App Mixing: Don't mix LOB (MSI) and Win32 apps during ESP if possible, as it can cause conflicts. Win32 apps are generally preferred.
Conclusion
Windows Autopilot simplifies the lifecycle of Windows devices, reducing IT overhead and providing a modern, seamless onboarding experience for users. By moving to Autopilot, you embrace the modern management vision of Microsoft Endpoint Manager.