
Windows Autopilot: Complete Setup Guide for IT Admins

Mar 25, 2026

Introduction

Windows Autopilot is a cloud-based device provisioning solution from Microsoft that allows IT administrators to deploy, configure, and manage new Windows devices without touching them physically. It eliminates the need for custom OS images by using the existing Windows installation already loaded on a device at the factory. By connecting devices directly to Azure Active Directory and Microsoft Intune during first boot, Autopilot dramatically reduces the time and effort required to get employees up and running. This guide walks IT admins through everything they need to know to implement Windows Autopilot successfully.

What Is Windows Autopilot?

Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, making them ready for productive use right out of the box. Rather than requiring IT staff to manually install operating systems, apply group policies, and configure applications one machine at a time, Autopilot handles all of that automatically through policies defined in Microsoft Intune. The device connects to Microsoft's cloud services during the Out-of-Box Experience (OOBE) and applies the organization's configuration profile before the end user ever logs in. This means a new laptop can be shipped directly from a vendor to an employee's home or office, and it will self-configure with the correct settings, apps, and security policies.

Microsoft introduced Windows Autopilot as part of a broader shift toward modern device management, moving away from legacy on-premises infrastructure toward cloud-first IT operations. It supports several deployment modes including User-Driven, Self-Deploying, Pre-Provisioning (formerly White Glove), and Reset modes, giving organizations flexibility depending on their use case. User-Driven mode is the most common and allows employees to complete setup themselves using their corporate credentials. Self-Deploying mode is ideal for shared devices, kiosks, or digital signage where no user affiliation is needed. Understanding which deployment mode fits your environment is the first step toward a successful rollout.

How Windows Autopilot Works

At its core, Windows Autopilot works by registering a device's hardware hash — a unique identifier generated from the device's hardware components — with your organization's Microsoft tenant. This registration can be done by the original equipment manufacturer (OEM), a Microsoft Cloud Solution Provider (CSP) partner, or manually by IT staff using PowerShell scripts or tools like the Microsoft Deployment Toolkit. Once a device's hardware hash is uploaded to Intune or the Microsoft 365 admin center, it becomes associated with your tenant. When that device is powered on for the first time and connects to the internet, Windows contacts Microsoft's Autopilot service, the service recognizes the hardware hash, and the assigned deployment profile is applied automatically. The device then joins Azure Active Directory, enrolls in Intune, and downloads all assigned configuration policies and applications without any IT intervention.

The Enrollment Status Page (ESP) plays a critical role in the Autopilot experience by displaying real-time provisioning progress to both the device and the user. Admins can configure the ESP to block device use until all required apps and policies are installed, ensuring that employees receive a fully configured machine rather than one that is still downloading software in the background. Behind the scenes, Intune pushes compliance policies, security baselines, VPN configurations, Wi-Fi profiles, and app assignments all in a single automated workflow. The entire process typically takes between 20 and 60 minutes depending on the number of apps assigned, the speed of the internet connection, and the complexity of the configuration profile. When everything is set up correctly, the end user experience is seamless — they enter their credentials, wait for provisioning to complete, and arrive at a fully ready desktop.

Step-by-Step Setup Guide

  1. Verify Licensing Requirements: Before configuring anything, confirm that your organization has the appropriate Microsoft 365 or Intune licenses, as Windows Autopilot requires Microsoft Intune and Azure Active Directory Premium P1 at minimum. These licenses are included in Microsoft 365 Business Premium, Microsoft 365 E3, and Microsoft 365 E5 plans, so check your current subscription in the Microsoft 365 admin center before proceeding.
  2. Configure Microsoft Intune and Azure AD: Log in to the Microsoft Endpoint Manager admin center at endpoint.microsoft.com and ensure that automatic enrollment is enabled for your Azure Active Directory tenant. Navigate to Azure Active Directory, then Mobility (MDM and MAM), and set the MDM user scope to "All" or a targeted group to allow devices to automatically enroll in Intune during the Autopilot process.
  3. Collect and Upload Device Hardware Hashes: Gather the hardware hash for each device you want to register by running the PowerShell script Get-WindowsAutopilotInfo on each machine, or by requesting the hardware hash CSV file directly from your OEM or CSP partner. Once you have the CSV file, upload it to the Microsoft Endpoint Manager admin center by navigating to Devices, then Windows, then Windows Enrollment, and finally Devices under the Windows Autopilot section.
  4. Create a Deployment Profile: In the Microsoft Endpoint Manager admin center, navigate to Devices, then Windows Enrollment, then Deployment Profiles, and click Create Profile to define how the device will be configured during OOBE. Set options such as deployment mode (User-Driven or Self-Deploying), join type (Azure AD Joined or Hybrid Azure AD Joined), and OOBE settings like skipping privacy settings, license agreements, and keyboard layout screens to streamline the end user experience.
  5. Assign the Deployment Profile to Devices or Groups: After creating your deployment profile, assign it to the specific devices or Azure AD device groups that you uploaded in the previous step. You can assign profiles directly to individual devices or use dynamic device groups in Azure AD to automatically include devices based on attributes like enrollment profile name, making management more scalable as your organization grows.
  6. Configure the Enrollment Status Page: In the Microsoft Endpoint Manager admin center, go to Devices, then Windows Enrollment, then Enrollment Status Page to create and assign an ESP profile to your Autopilot devices. Configure the ESP to show app and profile installation progress, block device use until all required apps are installed, and set a timeout value so that provisioning does not run indefinitely if an issue occurs.
  7. Test the Deployment and Monitor Results: Before rolling out to your entire organization, test the Autopilot process on a single device by resetting it using the Windows Reset option or unboxing a newly registered device and walking through the full OOBE experience. Monitor the deployment results in the Microsoft Endpoint Manager admin center under Devices, then Monitor, then Autopilot Deployments, where you can review success rates, failure codes, and step-by-step provisioning logs to troubleshoot any issues before a wider rollout.
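
An added example, not part of the original guide or of Microsoft's tooling: a pre-upload check for the hardware hash CSV from step 3, so that malformed or duplicate entries are caught before registration and each upload leaves an audit record. It assumes the three-column header that Get-WindowsAutopilotInfo writes by default; `Test-AutopilotCsv` is a hypothetical helper name, and the sample rows and hash values are constructed placeholders.

```powershell
# Rows below are constructed; the hash values are short placeholders, not real hashes.
$sampleCsv = @'
Device Serial Number,Windows Product ID,Hardware Hash
SN-CONSTRUCTED-001,,VGhpcyBpcyBhIGNvbnN0cnVjdGVkIHBsYWNlaG9sZGVy
SN-CONSTRUCTED-002,,QUJDREVGR0g=
SN-CONSTRUCTED-002,,QUJDREVGR0g=
SN-CONSTRUCTED-003,,not base64!
SN-CONSTRUCTED-004,,
'@

function Test-AutopilotCsv {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$CsvText)
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows     = @($CsvText | ConvertFrom-Csv)
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($rows.Count -eq 0) {
        $findings.Add('No device rows found')
    } else {
        $present = $rows[0].PSObject.Properties.Name
        $required | Where-Object { $_ -notin $present } |
            ForEach-Object { $findings.Add("Missing column: $_") }
    }

    $line = 1   # line 1 is the header
    foreach ($row in $rows) {
        $line++
        if ([string]::IsNullOrWhiteSpace($row.'Device Serial Number')) {
            $findings.Add("Line ${line}: empty serial number")
        }
        if ([string]::IsNullOrWhiteSpace($row.'Hardware Hash')) {
            $findings.Add("Line ${line}: empty hardware hash")
            continue
        }
        try   { [void][Convert]::FromBase64String($row.'Hardware Hash') }
        catch { $findings.Add("Line ${line}: hardware hash is not valid Base64") }
    }

    # The same serial listed twice usually means a copy/paste or merge error.
    $rows | Group-Object -Property 'Device Serial Number' | Where-Object Count -gt 1 |
        ForEach-Object { $findings.Add("Duplicate serial: $($_.Name)") }
    # Digest of the exact text reviewed, to record alongside the upload for audit.
    $bytes  = [Text.Encoding]::UTF8.GetBytes($CsvText)
    $digest = -join ([Security.Cryptography.SHA256]::Create().ComputeHash($bytes) |
        ForEach-Object { $_.ToString('x2') })
    [pscustomobject]@{ Devices = $rows.Count; Sha256 = $digest; Findings = $findings }
}

Test-AutopilotCsv -CsvText $sampleCsv | Format-List
```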

Windows Autopilot vs. Traditional Imaging

| Feature | Windows Autopilot | Traditional Imaging | Manual Setup |
| --- | --- | --- | --- |
| IT Time per Device | Minimal — fully automated after registration | Moderate — image creation and deployment required | High — each step performed manually |
| Physical Device Access Required | No — devices can ship directly to end users | Yes — devices must be imaged on-site or at a staging area | Yes — IT staff must configure each device in person |
| Infrastructure Dependencies | Cloud-only — requires internet and Microsoft 365 | On-premises or hybrid — requires WDS, MDT, or SCCM servers | None — but no standardization or scalability |
| Scalability | Highly scalable — hundreds of devices simultaneously | Moderate — limited by imaging server capacity and staff | Very low — time increases linearly with device count |
| Ongoing Maintenance | Low — profiles updated centrally in Intune | High — images must be updated and redeployed regularly | Very high — each device managed individually |

Best Practices for Windows Autopilot

  • Use Dynamic Azure AD Groups: Create dynamic device groups based on Autopilot enrollment profile attributes so that newly registered devices automatically receive the correct policies and apps without manual group assignment.
  • Test in a Pilot Group First: Always validate new Autopilot profiles and ESP configurations on a small group of test devices before deploying to the entire organization to catch configuration errors early.
  • Keep App Assignments Lean for ESP: Only mark business-critical applications as required during the Enrollment Status Page phase to prevent unnecessarily long provisioning times that frustrate end users during first login.
  • Document Your Hardware Hash Process: Establish a clear, repeatable process for collecting and uploading hardware hashes — whether through your OEM, CSP, or internal scripts — so that new device onboarding is consistent and auditable.
  • Monitor Deployment Reports Regularly: Review the Autopilot deployment reports in Microsoft Endpoint Manager on a regular basis to identify recurring failures, track provisioning times, and proactively address issues before they affect a large number of users.

Frequently Asked Questions

What Devices Are Compatible with Windows Autopilot?

Windows Autopilot is compatible with devices running Windows 10 version 1703 or later and Windows 11, provided they meet the hardware requirements for those operating systems. Most modern business-class PCs, laptops, and Surface devices sold by major OEMs are Autopilot-ready and can have their hardware hashes registered directly by the manufacturer. Devices must have internet connectivity during OOBE to contact Microsoft's Autopilot service and retrieve their assigned deployment profile. It is always a good idea to verify compatibility with your specific hardware models before committing to a large-scale Autopilot rollout.

Can Windows Autopilot Work with Hybrid Azure AD Join?

Yes, Windows Autopilot supports Hybrid Azure AD Join, which allows devices to be joined to both an on-premises Active Directory domain and Azure Active Directory simultaneously. This deployment scenario requires a domain controller that is reachable during provisioning, either on the local network or via VPN, and the Intune Connector for Active Directory must be installed on a server in your on-premises environment. Hybrid Azure AD Join is useful for organizations that still rely on on-premises Group Policy, legacy applications, or file shares that require traditional domain membership. However, for organizations moving toward a fully cloud-managed environment, Azure AD Join without the hybrid component is generally simpler and easier to maintain.

What Happens If an Autopilot Deployment Fails?

If an Autopilot deployment fails, Windows will display an error code on the Enrollment Status Page along with a description of which phase — device preparation, device setup, or account setup — encountered the problem. IT admins can investigate failures by reviewing the Autopilot deployment report in Microsoft Endpoint Manager, which provides detailed step-by-step logs for each provisioning attempt. Common causes of failure include network connectivity issues, misconfigured deployment profiles, apps that fail to install within the ESP timeout window, and licensing problems. In most cases, the device can be reset and the Autopilot process restarted once the underlying configuration issue has been resolved.

Does Windows Autopilot Replace Microsoft Intune?

No, Windows Autopilot does not replace Microsoft Intune — the two technologies work together as complementary parts of Microsoft's modern device management ecosystem. Autopilot handles the initial provisioning and enrollment process, getting a device from factory state to a fully configured, corporate-ready machine, while Intune handles ongoing device management including policy enforcement, app deployment, compliance monitoring, and remote actions. Think of Autopilot as the onboarding mechanism and Intune as the long-term management platform. Both are required for a complete modern endpoint management solution, and both are included in Microsoft 365 Business Premium and Enterprise plans.

How Long Does the Windows Autopilot Provisioning Process Take?

The duration of the Autopilot provisioning process depends on several factors including the number and size of applications assigned, the speed of the device's internet connection, and the complexity of the configuration policies being applied. For a typical business device with a standard set of Microsoft 365 apps and security policies, provisioning usually takes between 30 and 60 minutes from first boot to a fully ready desktop. Organizations can reduce provisioning time by using the Pre-Provisioning (White Glove) mode, which allows IT staff or OEM partners to complete the device setup phase before the device is shipped to the end user, leaving only the user-specific account setup to be completed on arrival. Keeping the list of required apps in the Enrollment Status Page as short as possible also helps minimize provisioning time.

Implementing Windows Autopilot correctly requires careful planning, the right licensing, and a solid understanding of Microsoft Intune and Azure Active Directory — and that is exactly where Always Beyond can help. As a managed IT services provider, Always Beyond has extensive experience designing and deploying Autopilot environments for businesses of all sizes, from initial hardware hash registration through deployment profile configuration, ESP setup, and ongoing monitoring. Whether you are starting from scratch or looking to optimize an existing Autopilot deployment, our team can guide you through every step of the process and ensure your devices are provisioned securely and efficiently. To get started, contact Always Beyond today.
