Windows Autopilot Setup

Introduction

Windows Autopilot is a powerful deployment and provisioning service from Microsoft that can fundamentally change how your business handles new devices. For any SMB, the process of unboxing, configuring, and deploying new computers for your team is a time-consuming and repetitive drain on IT resources. This manual setup not only delays getting new employees up and running but also introduces the risk of configuration inconsistencies and human error. Windows Autopilot solves this by allowing you to deploy new devices directly to your users with a pre-defined, company-specific configuration right out of the box.

What is windows autopilot?

Windows Autopilot is a collection of technologies used to design, deploy, and manage new Windows devices without the need for traditional imaging processes. Instead of your IT staff manually installing an OS image, applying drivers, and installing software on each new machine, Autopilot uses a cloud-based service to automate this process. When a user receives a new device, they simply connect to the internet and sign in with their company credentials; Autopilot then takes over to configure the device according to the policies your organization has set.

Think of it as a personalized out-of-box experience for your business. The goal is to shift from a device-centric deployment model, where IT prepares a physical machine, to a user-centric model, where the user is the trigger for the setup. This means the device transforms from a generic piece of hardware into a fully configured corporate asset tailored to that specific user’s needs and your security requirements, all without your IT team ever touching the hardware after it’s been purchased and registered.

How it works

The magic of Windows Autopilot begins with a unique hardware identity. Each new PC from a participating OEM vendor has a unique hardware hash stored in its firmware. This hash acts like a digital fingerprint for the device. When you purchase a new device, the OEM or your reseller can upload this hash directly to your Autopilot service in Microsoft Intune. Alternatively, you can manually capture the hash from a device yourself and upload it, which registers the device with the Autopilot deployment service and links it to your tenant.

Once registered, you create and assign deployment profiles in Microsoft Intune. These profiles contain all the configuration details for your devices, such as settings to skip the standard Windows consumer setup screens, rename the device according to a naming convention, and join it to your Azure Active Directory. When a user powers on the new device and connects to a network, the device contacts the Autopilot cloud service, which recognizes its hardware hash and delivers the specific deployment profile you created, guiding the user through a simplified, branded setup process that installs necessary apps and enforces your security policies.

Step-by-step guide

Here is a practical step-by-step guide to implementing Windows Autopilot for your organization.

1. Gather Device Hashes You must first collect the hardware hashes for all the new devices you wish to deploy. This can be done by booting a device, running a PowerShell script provided by Microsoft, and exporting the resulting CSV file containing the unique hash.
2. Register Devices Log into the Microsoft Intune admin center, navigate to the Devices > Windows > Windows enrollment > Devices section, and import the CSV file you created. This officially registers each device with its unique hash to your Autopilot service.
3. Create a Deployment Profile In the same Windows enrollment section, create a new deployment profile. Here you will define the core setup experience, naming the profile, choosing between user-driven or self-deploying mode, and configuring how the device joins Azure AD.
4. Configure Enrollment Status Page (ESP) The ESP is a critical component that controls what a user sees during setup. Configure it to block device use until all required apps and policies are installed, ensuring a consistent and complete user experience from the first login.
5. Assign Apps and Policies In Microsoft Intune, create and assign the applications, security policies, and configuration profiles you want applied to these Autopilot devices. These will automatically deploy during the user’s first sign-in.
6. Assign the Profile to Devices Link the deployment profile you created to either a specific Azure AD group containing your registered devices or to a group of all devices. This tells the Autopilot service which configuration to apply to which machines.
7. Deliver to Users Ship the new, unopened devices directly to your end-users. They simply need to turn on the PC, connect to Wi-Fi, and enter their corporate email and password when prompted. Autopilot will handle the rest of the setup automatically.

Comparison table

Best practices

Follow these best practices to ensure a smooth Autopilot deployment.

• Pilot with a Small Group Test your deployment profile and application set with a small pilot group of users and devices before a company-wide rollout.
• Leverage Dynamic Device Groups Use Azure AD dynamic groups based on the Autopilot device attribute to automatically assign policies to newly registered devices.
• Pre-Provision Required Line-of-Business Apps Use the Enrollment Status Page to ensure critical applications are installed before the user reaches the desktop, preventing help desk calls.
• Standardize Your Hardware Working with a limited number of device models simplifies driver management and ensures a more predictable deployment experience.
• Communicate the Process to Users Clearly explain the new setup process to your team so they know what to expect and how simple it will be for them.

FAQ

Does Windows Autopilot require an internet connection? Yes, an active internet connection is absolutely essential for the entire Autopilot process. The device must be able to contact Microsoft’s cloud services to download its assigned profile, enroll in Intune, and receive its apps and policies. A wired Ethernet connection is recommended for the most reliable initial setup.

Can I use Autopilot with existing devices? Yes, you can. While it is ideal for new devices straight from the OEM, you can also register existing devices by capturing their hardware hash and uploading it to the Intune portal. The next time that device is reset, it will go through the Autopilot provisioning process.

What licenses are required for Windows Autopilot? To use the full management capabilities, each user needs a Windows 10/11 Pro or Enterprise license on the device and a Microsoft Intune license. This is often included in subscription suites like Microsoft 365 Business Premium or Enterprise E3/E5, which are common among SMBs.

What happens if something goes wrong during setup? The user can simply restart the device and begin the process again. Autopilot is designed to be resilient. If the problem is persistent, it is likely a configuration error in the Intune profile, which your IT admin can diagnose and correct from the admin center.

Can I still control which apps get installed? Absolutely. Through Microsoft Intune, you have complete control. You can assign required applications to all devices or specific user groups, install available applications through the Company Portal, and block certain apps from being installed, ensuring everyone has the tools they need.

CTA

Streamlining your device deployment with Windows Autopilot can save your team countless hours and ensure a secure, consistent start for every employee. If you are ready to explore how Autopilot can be integrated into your IT strategy or need assistance with the setup process, our experts at Always Beyond are here to help. Contact us today for a consultation.